!27 Fix CVE-2023-37327

From: @wk333 Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2023-12-15 07:25:40 +00:00 · 2023-12-15 07:25:40 +00:00 · d13c438412
commit d13c438412
parent 76bffaf110 54b4ee3ad9
2 changed files with 60 additions and 1 deletions
--- a/CVE-2023-37327.patch
+++ b/CVE-2023-37327.patch
@ -0,0 +1,54 @@
 From dbbfc917fe616ff3343a03fc8e9533d39777ce6e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
 Date: Tue, 13 Jun 2023 13:20:16 +0300
 Subject: [PATCH 1/2] flacparse: Avoid integer overflow in available data check
 for image tags
 If the image length as stored in the file is some bogus integer then
 adding it to the current byte readers position can overflow and wrongly
 have the check for enough available data succeed.
 This then later can cause NULL pointer dereferences or out of bounds
 reads/writes when actually reading the image data.
 Fixes ZDI-CAN-20775
 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
 ---
 .../gst/audioparsers/gstflacparse.c        | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
 index a53b7ebc776..8ee450c65ac 100644
 --- a/gst/audioparsers/gstflacparse.c
 +++ b/gst/audioparsers/gstflacparse.c
@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
   GstMapInfo map;
   guint32 img_len = 0, img_type = 0;
   guint32 img_mimetype_len = 0, img_description_len = 0;
 +  const guint8 *img_data;
   gst_buffer_map (buffer, &map, GST_MAP_READ);
   gst_byte_reader_init (&reader, map.data, map.size);
@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
   if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
     goto error;
 -  if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
 +  if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
     goto error;
   GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
     if (flacparse->tags == NULL)
       flacparse->tags = gst_tag_list_new_empty ();
 -    gst_tag_list_add_id3_image (flacparse->tags,
 -        map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
 +    gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
   }
   gst_buffer_unmap (buffer, &map);
 -- 
 GitLab
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@ -3,7 +3,7 @@
 Name:		    gstreamer1-plugins-good		
 Version:	    1.16.2
-Release:	    5
+Release:	    6
 Summary:	    GStreamer plugins with good code and licensing
 License:	    LGPLv2+	
 URL:		    http://gstreamer.freedesktop.org/
@ -20,6 +20,8 @@ Patch6003:          CVE-2022-1921.patch
 Patch0004:          CVE-2022-2122.patch
 #https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
 Patch0005:          CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch
 #https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch
 Patch0006:          CVE-2023-37327.patch
 BuildRequires:	gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel
 BuildRequires:  gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel
@ -104,6 +106,9 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %doc %{_datadir}/gtk-doc/html/*
 %changelog
 * Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.16.2-6
 - Fix CVE-2023-37327
 * Mon Jun 27 2022 yaoxin <yaoxin30@h-partners.com> - 1.16.2-5
 - Fix CVE-2022-2122 CVE-2022-1920-to-CVE-2022-1925