diff options
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Wed, 18 May 2022 12:00:48 +0300 | ||
4 | Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption | ||
5 | in DIB buffer inversion code | ||
6 | |||
7 | Check that width*bpp/8 doesn't overflow a guint and also that | ||
8 | height*stride fits into the provided buffer without overflowing. | ||
9 | |||
10 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
11 | |||
12 | CVE: CVE-2022-1921 | ||
13 | |||
14 | See https://gstreamer.freedesktop.org/security/sa-2022-0001.html | ||
15 | |||
16 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 | ||
17 | |||
18 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608> | ||
19 | |||
20 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0 | ||
21 | Upstream-Status: Backport | ||
22 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
23 | --- | ||
24 | .../gst/avi/gstavidemux.c | 17 ++++++++++++++--- | ||
25 | 1 file changed, 14 insertions(+), 3 deletions(-) | ||
26 | |||
27 | diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c | ||
28 | index eafe865494c..0d18a6495c7 100644 | ||
29 | --- a/gst/avi/gstavidemux.c | ||
30 | +++ b/gst/avi/gstavidemux.c | ||
31 | @@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) | ||
32 | static GstBuffer * | ||
33 | gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
34 | { | ||
35 | - gint y, w, h; | ||
36 | - gint bpp, stride; | ||
37 | + guint y, w, h; | ||
38 | + guint bpp, stride; | ||
39 | guint8 *tmp = NULL; | ||
40 | GstMapInfo map; | ||
41 | guint32 fourcc; | ||
42 | @@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) | ||
43 | h = stream->strf.vids->height; | ||
44 | w = stream->strf.vids->width; | ||
45 | bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; | ||
46 | + | ||
47 | + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { | ||
48 | + GST_WARNING ("Width x stride overflows"); | ||
49 | + return buf; | ||
50 | + } | ||
51 | + | ||
52 | + if (w == 0 || h == 0) { | ||
53 | + GST_WARNING ("Zero width or height"); | ||
54 | + return buf; | ||
55 | + } | ||
56 | + | ||
57 | stride = GST_ROUND_UP_4 (w * (bpp / 8)); | ||
58 | |||
59 | buf = gst_buffer_make_writable (buf); | ||
60 | |||
61 | gst_buffer_map (buf, &map, GST_MAP_READWRITE); | ||
62 | - if (map.size < (stride * h)) { | ||
63 | + if (map.size < ((guint64) stride * (guint64) h)) { | ||
64 | GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); | ||
65 | gst_buffer_unmap (buf, &map); | ||
66 | return buf; | ||
67 | -- | ||
68 | GitLab | ||
69 | |||