flacparse: Avoid integer overflow in available data check for image tags
If the image length as stored in the file is some bogus integer, then adding it to the byte reader's current position can overflow and cause the check for enough available data to wrongly succeed. This can later cause NULL pointer dereferences or out-of-bounds reads/writes when the image data is actually read. Fixes ZDI-CAN-20775 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
This commit is contained in:
parent
069065adc4
commit
dbbfc917fe
1 changed files with 3 additions and 3 deletions
|
@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
|||
GstMapInfo map;
|
||||
guint32 img_len = 0, img_type = 0;
|
||||
guint32 img_mimetype_len = 0, img_description_len = 0;
|
||||
const guint8 *img_data;
|
||||
|
||||
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
||||
gst_byte_reader_init (&reader, map.data, map.size);
|
||||
|
@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
|||
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
|
||||
goto error;
|
||||
|
||||
if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
|
||||
if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
|
||||
goto error;
|
||||
|
||||
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
|
||||
|
@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
|||
if (flacparse->tags == NULL)
|
||||
flacparse->tags = gst_tag_list_new_empty ();
|
||||
|
||||
gst_tag_list_add_id3_image (flacparse->tags,
|
||||
map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
|
||||
gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
|
||||
}
|
||||
|
||||
gst_buffer_unmap (buffer, &map);
|
||||
|
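Review bot: The new `gst_byte_reader_get_data (&reader, img_len, &img_data)` in the second hunk advances the reader past the image, whereas the removed `get_pos` comparison left the position at the image start; if any of the unshown lines between the second and third hunks (1142–1146) still read the reader position or skip the image themselves, they now see the post-image offset, and `gst_byte_reader_peek_data` would keep the old position semantics while still bounds-checking `img_len`. The mimetype and description lengths declared in the first hunk are read before the second hunk, outside this diff; if those reads use the same `get_pos + len > map.size` idiom, they carry the same overflow and deserve the same treatment. A short why-comment on the new check would stop a future cleanup from reintroducing the arithmetic form, e.g. `/* let the reader bounds-check img_len: pos + img_len can overflow a guint */`. gst_flac_parse_handle_picture begins before the first hunk and continues past the last one.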
|