55 lines
1.9 KiB
Diff
55 lines
1.9 KiB
Diff
From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
Date: Wed, 18 May 2022 10:23:15 +0300
|
|
Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
|
|
corruption in WavPack header handling code
|
|
|
|
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
|
|
results in allocating a very small buffer. Into that buffer blocksize
|
|
data is memcpy'd later which then causes out of bound writes and can
|
|
potentially lead to anything from crashes to remote code execution.
|
|
|
|
Thanks to Adam Doupe for analyzing and reporting the issue.
|
|
|
|
CVE: CVE-2022-1920
|
|
|
|
https://gstreamer.freedesktop.org/security/sa-2022-0004.html
|
|
|
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
|
|
---
|
|
gst/matroska/matroska-demux.c | 10 +++++++++-
|
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
|
index 64cc6be60be..01d754c3eb9 100644
|
|
--- a/gst/matroska/matroska-demux.c
|
|
+++ b/gst/matroska/matroska-demux.c
|
|
@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|
} else {
|
|
guint8 *outdata = NULL;
|
|
gsize buf_size, size;
|
|
- guint32 block_samples, flags, crc, blocksize;
|
|
+ guint32 block_samples, flags, crc;
|
|
+ gsize blocksize;
|
|
GstAdapter *adapter;
|
|
|
|
adapter = gst_adapter_new ();
|
|
@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|
return GST_FLOW_ERROR;
|
|
}
|
|
|
|
+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
|
|
+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
|
|
+ gst_buffer_unmap (*buf, &map);
|
|
+ g_object_unref (adapter);
|
|
+ return GST_FLOW_ERROR;
|
|
+ }
|
|
+
|
|
g_assert (newbuf == NULL);
|
|
|
|
newbuf =
|
|
--
|
|
GitLab
|