Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch')
| -rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch | 63 |
1 files changed, 63 insertions, 0 deletions
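--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
@@ -0,0 +1,63 @@
+From 0e58b2f7ad7b310201eada442a6782aaebe8e2bd Mon Sep 17 00:00:00 2001
+From: Antonio Morales <antonio-morales@github.com>
+Date: Thu, 26 Sep 2024 18:39:37 +0300
+Subject: [PATCH 02/13] qtdemux: Fix integer overflow when allocating the
+samples table for fragmented MP4
+
+This can lead to out of bounds writes and NULL pointer dereferences.
+
+Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47537
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0e58b2f7ad7b310201eada442a6782aaebe8e2bd]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+gst/isomp4/qtdemux.c | 12 ++++++------
+1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 2ccc9f3595..54f2dfead3 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3342,6 +3342,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+gint i;
+guint8 *data;
+guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
++ guint new_n_samples;
+QtDemuxSample *sample;
+gboolean ismv = FALSE;
+gint64 initial_offset;
+@@ -3442,14 +3443,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+goto fail;
+data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
+
+- if (stream->n_samples + samples_count >=
+- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+goto index_too_big;
+
+GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
+- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
+- (stream->n_samples + samples_count) *
+- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
++ new_n_samples, (guint) sizeof (QtDemuxSample),
++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+
+/* create a new array of samples if it's the first sample parsed */
+if (stream->n_samples == 0) {
+@@ -3458,7 +3458,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+/* or try to reallocate it with space enough to insert the new samples */
+} else
+stream->samples = g_try_renew (QtDemuxSample, stream->samples,
+- stream->n_samples + samples_count);
++ new_n_samples);
+if (stream->samples == NULL)
+goto out_of_memory;
+
+--
+2.30.2
+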
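Review bot: The `g_try_renew` call in the last hunk of the embedded qtdemux.c patch still assigns its result straight to `stream->samples`, so on a failed reallocation the previous sample table appears to be leaked and the stream is left with a NULL table while `stream->n_samples` keeps its old non-zero value. The overflow check added above bounds the requested count but does not change that failure path. Consider resizing through a temporary, `QtDemuxSample *tmp = g_try_renew (QtDemuxSample, stream->samples, new_n_samples);`, `if (tmp == NULL) goto out_of_memory;`, `stream->samples = tmp;`, or confirm that the `out_of_memory` label, which lies outside the hunk, resets `n_samples`. Because this file is a backport, any such change would need to land upstream first rather than diverge in the recipe patch.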
