Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
gstreamer-0_10-plugins-good
gstreamer-CVE-2022-1922-qt.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gstreamer-CVE-2022-1922-qt.patch of Package gstreamer-0_10-plugins-good
From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> Date: Mon, 30 May 2022 10:15:37 +0300 Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code Various variables were of smaller types than needed and there were no checks for any overflows when doing additions on the sizes. This is all checked now. In addition the size of the decompressed data is limited to 200MB now as any larger sizes are likely pathological and we can avoid out of memory situations in many cases like this. Also fix a bug where the available output size on the next iteration in the zlib decompression code was provided too large and could potentially lead to out of bound writes. Thanks to Adam Doupe for analyzing and reporting the issue. CVE: tbd https://gstreamer.freedesktop.org/security/sa-2022-0003.html Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> --- gst/isomp4/qtdemux.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff -urp gst-plugins-good-1.8.3.orig/gst/isomp4/qtdemux.c gst-plugins-good-1.8.3/gst/isomp4/qtdemux.c --- gst-plugins-good-1.8.3.orig/gst/isomp4/qtdemux.c 2022-07-28 16:07:53.961508448 -0500 +++ gst-plugins-good-1.8.3/gst/isomp4/qtdemux.c 2022-08-05 15:17:39.033716040 -0500 @@ -6463,10 +6463,15 @@ qtdemux_inflate (void *z_buffer, guint z ret = inflateInit (z); while (z->avail_in > 0) { if (z->avail_out == 0) { + if (length > G_MAXUINT - 1024 || length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { + GST_WARNING ("too big decompressed data"); + ret = Z_MEM_ERROR; + break; + } length += 1024; buffer = (guint8 *) g_realloc (buffer, length); z->next_out = buffer + z->total_out; - z->avail_out = 1024; + z->avail_out = length - z->total_out; } ret = inflate (z, Z_SYNC_FLUSH); if (ret != Z_OK)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor