File 0001-qtdemux-Fix-out-of-bounds-read-in-tag-parsing-code.patch of Package gstreamer-plugins-good.4238
Based on the following patch from upstream but added also other code from a more recent version from upstream.
From d0949baf3dadea6021d54abef6802fed5a06af75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 1 Dec 2016 13:32:22 +0200
Subject: [PATCH] qtdemux: Fix out of bounds read in tag parsing code
We can't simply assume that the length of the tag value as given inside the stream is correct but should also check against the amount of data we have actually available.
https://bugzilla.gnome.org/show_bug.cgi?id=775451
---
 gst/isomp4/qtdemux.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Index: gst-plugins-good-1.2.4/gst/isomp4/qtdemux.c
===================================================================
--- gst-plugins-good-1.2.4.orig/gst/isomp4/qtdemux.c
+++ gst-plugins-good-1.2.4/gst/isomp4/qtdemux.c
@@ -8923,6 +8923,7 @@ qtdemux_tag_add_str_full (GstQTDemux * q
 guint32 type;
 int offset;
 gboolean ret = TRUE;
+ const gchar *charset = NULL;
 
 data = qtdemux_tree_get_child_by_type (node, FOURCC_data);
 if (data) {
@@ -8943,12 +8944,33 @@ qtdemux_tag_add_str_full (GstQTDemux * q
 } else {
 len = QT_UINT32 (node->data);
 type = QT_UINT32 ((guint8 *) node->data + 4);
- if ((type >> 24) == 0xa9) {
- /* Type starts with the (C) symbol, so the next 32 bits are
- * the language code, which we ignore */
+ if ((type >> 24) == 0xa9 && len > 8 + 4) {
+ gint str_len;
+ gint lang_code;
+
+ /* Type starts with the (C) symbol, so the next data is a list
+ * of (string size(16), language code(16), string) */
+
+ str_len = QT_UINT16 ((guint8 *) node->data + 8);
+ lang_code = QT_UINT16 ((guint8 *) node->data + 10);
+
+ /* the string + fourcc + size + 2 16bit fields,
+ * means that there are more tags in this atom */
+ if (len > str_len + 8 + 4) {
+ /* TODO how to represent the same tag in different languages? */
+ GST_WARNING_OBJECT (qtdemux, "Ignoring metadata entry with multiple "
+ "text alternatives, reading only first one");
+ }
+
 offset = 12;
+ len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
 GST_DEBUG_OBJECT (qtdemux, "found international text tag");
+
+ if (lang_code < 0x800) { /* MAC encoded string */
+ charset = "mac";
+ }
 } else if (len > 14 && qtdemux_is_string_tag_3gp (qtdemux,
+
 QT_FOURCC ((guint8 *) node->data + 4))) {
 guint32 type = QT_UINT32 ((guint8 *) node->data + 8);
 
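Review bot: `len` is still the atom size as declared in the stream (`len = QT_UINT32 (node->data);` at the top of the hunk), and the new `len > 8 + 4` guard only makes the two `QT_UINT16` reads at offsets 8 and 10 safe; nothing in this hunk bounds `len` by the bytes actually present under `node`, which is the check the commit message asks for, so the `len - offset` handed to the string conversion later still relies on the node length having been validated when the atom tree was built. That may well be what the tree parser does, but it cannot be seen from here, so it deserves a comment ahead of the `if`, e.g. `/* len comes from the stream; relies on the node parser having bounded it to the bytes available under node */`. The hunk also appears to add an empty `+` line between `} else if (len > 14 && ...` and its `QT_FOURCC` continuation, which looks like a backport artifact and should be dropped. qtdemux_tag_add_str_full starts and ends outside this hunk.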
@@ -8969,8 +8991,21 @@ qtdemux_tag_add_str_full (GstQTDemux * q
 GST_DEBUG_OBJECT (qtdemux, "found normal text tag");
 ret = FALSE; /* may have to fallback */
 }
- s = gst_tag_freeform_string_to_utf8 ((char *) node->data + offset,
- len - offset, env_vars);
+ if (charset) {
+ GError *err = NULL;
+
+ s = g_convert ((gchar *) node->data + offset, len - offset, "utf8",
+ charset, NULL, NULL, &err);
+ if (err) {
+ GST_DEBUG_OBJECT (qtdemux, "Failed to convert string from charset %s:"
+ " %s(%d): %s", charset, g_quark_to_string (err->domain), err->code,
+ err->message);
+ g_error_free (err);
+ }
+ } else {
+ s = gst_tag_freeform_string_to_utf8 ((char *) node->data + offset,
+ len - offset, env_vars);
+ }
 if (s) {
 GST_DEBUG_OBJECT (qtdemux, "adding tag %s", GST_STR_NULL (s));
 gst_tag_list_add (qtdemux->tag_list, GST_TAG_MERGE_REPLACE, tag, s, NULL);
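Review bot: When `charset` is set and `g_convert` fails, `s` stays NULL and the tag is silently dropped after the debug message, whereas the replaced code always produced a best-effort string through `gst_tag_freeform_string_to_utf8`; an unknown charset name on the host iconv or a malformed byte sequence now loses the whole tag. After `g_error_free (err);` fall back to the old path: `s = gst_tag_freeform_string_to_utf8 ((char *) node->data + offset, len - offset, env_vars);`. Keying that fallback on `s == NULL` rather than on `err` keeps the two branches of the `if (charset)` behaving the same way. qtdemux_tag_add_str_full continues outside this hunk.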