Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch | 59 |
1 files changed, 59 insertions, 0 deletions
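diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+corruption in WavPack header handling code
+
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1920
+
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+.../gst/matroska/matroska-demux.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+} else {
+guint8 *outdata = NULL;
+gsize buf_size, size;
+- guint32 block_samples, flags, crc, blocksize;
++ guint32 block_samples, flags, crc;
++ gsize blocksize;
+GstAdapter *adapter;
+
+adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+return GST_FLOW_ERROR;
+}
+
++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
++ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
++
+g_assert (newbuf == NULL);
+
+newbuf =
+--
+GitLab
+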
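Review bot: The new `blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE` guard in gst_matroska_demux_add_wvpk_header carries no comment saying what it protects, so a later cleanup could drop it as redundant. I would add `/* Reject sizes where blocksize + WAVPACK4_HEADER_SIZE would wrap gsize and under-allocate newbuf (CVE-2022-1920) */` directly above the `if`. The widening of `blocksize` from guint32 to gsize in the first hunk looks like the part that stops the sum from wrapping in 32-bit arithmetic. On targets where gsize is 64 bits the guard presumably can never fire if the value is loaded from a 32-bit field, so a short `/* gsize so the header-size addition is not done in 32 bits */` next to the declaration would record that as well. The read of `blocksize` and the allocation that follows `newbuf =` are outside both hunks, so this should be confirmed against the full function.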