Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
gstreamer-plugins-good.20668
gstreamer-CVE-2022-1921.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gstreamer-CVE-2022-1921.patch of Package gstreamer-plugins-good.20668
From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> Date: Wed, 18 May 2022 12:00:48 +0300 Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption in DIB buffer inversion code Check that width*bpp/8 doesn't overflow a guint and also that height*stride fits into the provided buffer without overflowing. Thanks to Adam Doupe for analyzing and reporting the issue. CVE: CVE-2022-1921 See https://gstreamer.freedesktop.org/security/sa-2022-0001.html Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608> --- .../gst-plugins-good/gst/avi/gstavidemux.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c index eafe865494..0d18a6495c 100644 --- a/gst/avi/gstavidemux.c +++ b/gst/avi/gstavidemux.c @@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) static GstBuffer * gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) { - gint y, w, h; - gint bpp, stride; + guint y, w, h; + guint bpp, stride; guint8 *tmp = NULL; GstMapInfo map; guint32 fourcc; @@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) h = stream->strf.vids->height; w = stream->strf.vids->width; bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; + + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { + GST_WARNING ("Width x stride overflows"); + return buf; + } + + if (w == 0 || h == 0) { + GST_WARNING ("Zero width or height"); + return buf; + } + stride = GST_ROUND_UP_4 (w * (bpp / 8)); buf = gst_buffer_make_writable (buf); gst_buffer_map (buf, &map, GST_MAP_READWRITE); - if (map.size < (stride * h)) { + if (map.size < ((guint64) stride * (guint64) h)) { GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); gst_buffer_unmap (buf, &map); return buf; -- 2.37.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor