Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.1:Update
gstreamer-0_10-plugins-bad
gstreamer-0_10-plugins-bad-vmncdec-sanity-check...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gstreamer-0_10-plugins-bad-vmncdec-sanity-check.patch of Package gstreamer-0_10-plugins-bad
From 4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> Date: Wed, 16 Nov 2016 20:41:39 +0200 Subject: vmncdec: Sanity-check width/height before using it We will allocate a screen area of width*height*bpp bytes, however this calculation can easily overflow if too high width or height are given inside the stream. Nonetheless we would just assume that enough memory was allocated, try to fill it and overwrite as much memory as wanted. Also allocate the screen area filled with zeroes to ensure that we start with full-black and not any random (or not so random) data. https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html Ideally we should just remove this plugin in favour of the one in gst-libav, which generally seems to be of better code quality. https://bugzilla.gnome.org/show_bug.cgi?id=774533 diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c index e8d498c..b3c9778 100644 --- a/gst/vmnc/vmncdec.c +++ b/gst/vmnc/vmncdec.c @@ -369,7 +369,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect, if (dec->imagedata) g_free (dec->imagedata); - dec->imagedata = g_malloc (dec->format.width * dec->format.height * + dec->imagedata = g_malloc0 (dec->format.width * dec->format.height * dec->format.bytes_per_pixel); GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata); @@ -900,6 +900,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len, GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type); return ERROR_INVALID; } + } else if (r.width > 16384 || r.height > 16384) { + GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width, + r.height); + return ERROR_INVALID; } switch (r.type) { -- cgit v0.10.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor