exiftag: Prevent integer overflows and out of bounds reads when handling undefined tags

Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766>
This commit is contained in:
Sebastian Dröge 2024-04-25 15:21:20 +03:00 committed by GStreamer Marge Bot
parent a92167ea6e
commit e68eccff10

View file

@ -1402,6 +1402,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
if (count > 4) { if (count > 4) {
GstMapInfo info; GstMapInfo info;
gsize alloc_size;
if (offset < reader->base_offset) { if (offset < reader->base_offset) {
GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset, GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@ -1423,14 +1424,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
return; return;
} }
if (info.size - real_offset < count) {
GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
", not adding tag %s", count, info.size, tag->gst_tag);
gst_buffer_unmap (reader->buffer, &info);
return;
}
if (!g_size_checked_add (&alloc_size, count, 1)) {
GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
", not adding tag %s", real_offset, info.size, tag->gst_tag);
gst_buffer_unmap (reader->buffer, &info);
return;
}
/* +1 because it could be a string without the \0 */ /* +1 because it could be a string without the \0 */
data = malloc (sizeof (guint8) * count + 1); data = malloc (alloc_size);
memcpy (data, info.data + real_offset, count); memcpy (data, info.data + real_offset, count);
data[count] = 0; data[count] = 0;
gst_buffer_unmap (reader->buffer, &info); gst_buffer_unmap (reader->buffer, &info);
} else { } else {
data = malloc (sizeof (guint8) * count + 1); data = malloc (count + 1);
memcpy (data, (guint8 *) offset_as_data, count); memcpy (data, (guint8 *) offset_as_data, count);
data[count] = 0; data[count] = 0;
} }