File gstreamer-CVE-2022-1920.patch of Package gstreamer-plugins-good.30114

Overview Repositories Revisions Requests Users Attributes Meta

File gstreamer-CVE-2022-1920.patch of Package gstreamer-plugins-good.30114

From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 10:23:15 +0300
Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
 corruption in WavPack header handling code

blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later which then causes out of bound writes and can
potentially lead to anything from crashes to remote code execution.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1920

https://gstreamer.freedesktop.org/security/sa-2022-0004.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
---
 .../gst-plugins-good/gst/matroska/matroska-demux.c     | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 64cc6be60b..01d754c3eb 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
   } else {
     guint8 *outdata = NULL;
     gsize buf_size, size;
-    guint32 block_samples, flags, crc, blocksize;
+    guint32 block_samples, flags, crc;
+    gsize blocksize;
     GstAdapter *adapter;
 
     adapter = gst_adapter_new ();
@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
         return GST_FLOW_ERROR;
       }
 
+      if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+        GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+        gst_buffer_unmap (*buf, &map);
+        g_object_unref (adapter);
+        return GST_FLOW_ERROR;
+      }
+
       g_assert (newbuf == NULL);
 
       newbuf =
-- 
2.37.1

Places

File gstreamer-CVE-2022-1920.patch of Package gstreamer-plugins-good.30114

Places