Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:Update
gstreamer-plugins-bad
gstreamer-plugins-bad-CVE-2023-40474.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gstreamer-plugins-bad-CVE-2023-40474.patch of Package gstreamer-plugins-bad
diff -Nura gst-plugins-bad-1.8.3/gst/mxf/mxfup.c gst-plugins-bad-1.8.3_new/gst/mxf/mxfup.c --- gst-plugins-bad-1.8.3/gst/mxf/mxfup.c 2016-03-24 19:36:40.000000000 +0800 +++ gst-plugins-bad-1.8.3_new/gst/mxf/mxfup.c 2023-11-14 23:30:57.884131880 +0800 @@ -134,6 +134,8 @@ gpointer mapping_data, GstBuffer ** outbuf) { MXFUPMappingData *data = mapping_data; + gsize expected_in_stride = 0, out_stride = 0; + gsize expected_in_size = 0, out_size = 0; /* SMPTE 384M 7.1 */ if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02 @@ -162,22 +164,25 @@ } } - if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) { + // Checked for overflows when parsing the descriptor + expected_in_stride = data->bpp * data->width; + out_stride = GST_ROUND_UP_4 (expected_in_stride); + expected_in_size = expected_in_stride * data->height; + out_size = out_stride * data->height; + + if (gst_buffer_get_size (buffer) != expected_in_size) { GST_ERROR ("Invalid buffer size"); gst_buffer_unref (buffer); return GST_FLOW_ERROR; } - if (data->bpp != 4 - || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) { + if (data->bpp != 4 || out_stride != expected_in_stride) { guint y; GstBuffer *ret; GstMapInfo inmap, outmap; guint8 *indata, *outdata; - ret = - gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) * - data->height); + ret = gst_buffer_new_and_alloc (out_size); gst_buffer_map (buffer, &inmap, GST_MAP_READ); gst_buffer_map (ret, &outmap, GST_MAP_WRITE); indata = inmap.data; @@ -185,8 +190,8 @@ for (y = 0; y < data->height; y++) { memcpy (outdata, indata, data->width * data->bpp); - outdata += GST_ROUND_UP_4 (data->width * data->bpp); - indata += data->width * data->bpp; + outdata += out_stride; + indata += expected_in_stride; } gst_buffer_unmap (buffer, &inmap); @@ -385,6 +390,36 @@ return NULL; } + if (caps) { + MXFUPMappingData *data = *mapping_data; + gsize expected_in_stride = 0, out_stride = 0; + gsize expected_in_size = 0, out_size = 0; + + // Do some checking of the parameters to see if they're valid and + // we can actually work with them. + if (data->image_start_offset > data->image_end_offset) { + GST_WARNING ("Invalid image start/end offset"); + g_free (data); + *mapping_data = NULL; + gst_clear_caps (&caps); + + return NULL; + } + + if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) || + (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride + || !g_size_checked_mul (&expected_in_size, expected_in_stride, + data->height) + || !g_size_checked_mul (&out_size, out_stride, data->height)) { + GST_ERROR ("Invalid resolution or bit depth"); + g_free (data); + *mapping_data = NULL; + gst_clear_caps (&caps); + + return NULL; + } + } + return caps; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor