gstreamer/subprojects
Jeremy Cline 3ddb4c6f0e tagdemux: Fix crash when presented with malformed files
There's a race condition in gsttagdemux.c between typefinding and the
end-of-stream event. If TYPE_FIND_MAX_SIZE is exceeded,
demux->priv->collect is set to NULL and an error is returned. However,
the end-of-stream event causes one last attempt at typefinding to occur.

This leads to gst_tag_demux_trim_buffer() being called with the NULL
demux->priv->collect buffer which it attempts to dereference, resulting
in a segfault.

The malicious MP3 can be created by:

printf "\x49\x44\x33\x04\x00\x00\x00\x00\x00\x00%s", \
    "$(dd if=/dev/urandom bs=1K count=200)" > malicious.mp3

This creates a valid ID3 header which gets us as far as typefinding. The
crash can then be reproduced with the following pipeline:

gst-launch-1.0 -e filesrc location=malicious.mp3 ! queue ! decodebin ! audioconvert ! vorbisenc ! oggmux ! filesink location=malicious.ogg

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/967

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/1620>
2022-02-01 19:04:40 +00:00
..
gst-devtools Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-docs docs: gst-libav: update cache and symbol index for FFmpeg 4.4 2022-02-01 14:11:45 +00:00
gst-editing-services Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-examples Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-integration-testsuites Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-libav docs: gst-libav: update cache and symbol index for FFmpeg 4.4 2022-02-01 14:11:45 +00:00
gst-omx Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-plugins-bad nvdecoder: Fix for display resolution setup 2022-02-01 17:58:06 +00:00
gst-plugins-base tagdemux: Fix crash when presented with malformed files 2022-02-01 19:04:40 +00:00
gst-plugins-good docs: Add objc and objcpp files to hotdoc gst_c_sources 2022-02-01 05:25:42 +05:30
gst-plugins-ugly Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-python Release 1.19.90 2022-01-28 14:28:42 +00:00
gst-rtsp-server Release 1.19.90 2022-01-28 14:28:42 +00:00
gstreamer Release 1.19.90 2022-01-28 14:28:42 +00:00
gstreamer-sharp Release 1.19.90 2022-01-28 14:28:42 +00:00
gstreamer-vaapi vaapi: Disable Wayland if no libdrm 2022-01-31 13:33:31 +00:00
macos-bison-binary New subproject macos-bison-binary to provide bison on macOS 2021-08-28 23:44:52 +05:30
win-flex-bison-binaries win-flex-bison: Use gstreamer mirror as primary source 2020-01-18 17:54:48 +05:30
win-nasm win-nasm: Use gstreamer mirror as primary source 2020-01-18 17:54:48 +05:30
avtp.wrap Revert "Revert "Add libavtp wrap file"" 2020-06-30 15:47:18 -07:00
bindinator.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
cairo.wrap meson: Build cairo subproject when unavailable on the system 2022-01-21 06:34:33 +00:00
dav1d.wrap Add dav1d wrap file 2020-05-02 09:55:12 +00:00
dssim.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
dv.wrap subprojects: add libdv wrap 2021-01-14 19:16:01 +00:00
expat.wrap meson: Update expat.wrap for MSVC fix 2020-11-05 13:09:46 +05:30
fdk-aac.wrap subprojects: fdk-aac: add fallback_url 2021-10-28 23:29:27 +00:00
FFmpeg.wrap wraps:ffmpeg: Move to 4.4 2021-10-15 02:32:40 +00:00
fontconfig.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
freetype2.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
fribidi.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
gl-headers.wrap Move files from gst-plugins-base into the "subprojects/gst-plugins-base/" subdir 2021-09-24 16:13:26 -03:00
glib-networking.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
glib.wrap meson: Update subprojects to fix warnings 2022-01-25 14:25:19 +05:30
graphene.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
gst-plugins-rs.wrap re-add gst-plugins-rs.wrap 2021-11-02 10:15:42 +01:00
gtk-sharp.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
harfbuzz.wrap harfbuzz.wrap: Use the latest tag instead of tip of git 2021-07-02 17:08:48 +03:00
json-glib.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
lame.wrap subprojects/lame: Update to latest wrap 2022-01-28 02:01:39 +05:30
libdrm.wrap meson: Update subprojects to fix warnings 2022-01-25 14:25:19 +05:30
libffi.wrap subprojects: use libffi and gl-headers from gstreamer gitlab repos 2019-01-28 23:19:19 +01:00
libjpeg-turbo.wrap subprojects: Bump libjpeg-turbo version to 2.1.0-2 for x86 MSVC build 2021-08-04 19:22:30 +09:00
libmicrodns.wrap subprojects: libmicrodns: pin to 0.1.2 release 2020-07-07 15:23:29 +01:00
libnice.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
libopenjp2.wrap wrap: libopenjp2: use patch version 7 2021-10-22 19:47:27 +00:00
libpng.wrap subprojects/libpng: Update to latest wrap file 2022-01-28 02:01:39 +05:30
libpsl.wrap libpsl.wrap: pin to 0.21.1 tag 2020-10-26 12:13:12 +00:00
libsoup.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
libwpe.wrap subprojects: Update libwpe and wpebackend-fdo for fallback support 2020-10-12 12:29:01 +00:00
libxml2.wrap libxml2: update wrap path to 2.9.7-6 2020-02-19 13:45:52 +01:00
ogg.wrap subprojects: Update ogg and vorbis wraps 2021-10-19 17:42:21 +00:00
openh264.wrap openh264: update to v2.1.1 2020-05-31 11:11:18 +01:00
opus.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
orc.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
pango.wrap subprojects: pin pango wrap to tag 2021-08-08 19:42:24 +01:00
pcre.wrap subprojects/pcre: Add the wrap so it's cached in the image 2022-01-28 02:01:39 +05:30
pixman.wrap meson: Update subprojects to fix warnings 2022-01-25 14:25:19 +05:30
proxy-libintl.wrap subprojects: proxy-libintl: fix push-url 2019-08-14 18:51:43 +01:00
pycairo.wrap {pygobject,pycairo}.wrap: point to stable refs 2020-09-15 15:51:42 +03:00
pygobject.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
sqlite3.wrap Update to sqlite3 from wrapdb 2021-08-24 20:52:06 +00:00
vorbis.wrap subprojects: Update ogg and vorbis wraps 2021-10-19 17:42:21 +00:00
webrtc-audio-processing.wrap Pin all wrap files to closest tag or commit sha1 2021-10-14 22:34:49 +00:00
wpebackend-fdo.wrap subprojects: Update libwpe and wpebackend-fdo for fallback support 2020-10-12 12:29:01 +00:00
x264.wrap x264: update to latest stable 160.3011 2020-07-30 15:52:38 +01:00
zlib.wrap meson: Update zlib.wrap to use wrapdb instead of github fork 2021-01-13 12:55:06 +00:00