Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch | 214 |
1 files changed, 214 insertions, 0 deletions
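diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+.../gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
+1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
++++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+gboolean audio_only;
+} TargetTypeContext;
+
++/* 120MB as maximum decompressed data size. Anything bigger is likely
++ * pathological, and like this we avoid out of memory situations in many cases
++ */
++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+
+static gboolean
+gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+GstMatroskaTrackCompressionAlgorithm algo)
+{
+guint8 *new_data = NULL;
+- guint new_size = 0;
++ gsize new_size = 0;
+guint8 *data = *data_out;
+- guint size = *size_out;
++ const gsize size = *size_out;
+gboolean ret = TRUE;
+
++ if (size > G_MAXUINT32) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
++
+if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+#ifdef HAVE_ZLIB
+/* zlib encoded data */
+z_stream zstream;
+- guint orig_size;
+int result;
+
+- orig_size = size;
+zstream.zalloc = (alloc_func) 0;
+zstream.zfree = (free_func) 0;
+zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+goto out;
+}
+zstream.next_in = (Bytef *) data;
+- zstream.avail_in = orig_size;
+- new_size = orig_size;
++ zstream.avail_in = size;
++ new_size = size;
+new_data = g_malloc (new_size);
+zstream.avail_out = new_size;
+zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+break;
+}
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = Z_MEM_ERROR;
++ break;
++ }
++
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+- zstream.avail_out += 4096;
++ /* avail_out is an unsigned int */
++ g_assert (new_size - zstream.total_out <= G_MAXUINT);
++ zstream.avail_out = new_size - zstream.total_out;
+} while (zstream.avail_in > 0);
+
+if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+#ifdef HAVE_BZ2
+/* bzip2 encoded data */
+bz_stream bzstream;
+- guint orig_size;
+int result;
+
+bzstream.bzalloc = NULL;
+bzstream.bzfree = NULL;
+bzstream.opaque = NULL;
+- orig_size = size;
+
+if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+}
+
+bzstream.next_in = (char *) data;
+- bzstream.avail_in = orig_size;
+- new_size = orig_size;
++ bzstream.avail_in = size;
++ new_size = size;
+new_data = g_malloc (new_size);
+bzstream.avail_out = new_size;
+bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+break;
+}
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = BZ_MEM_ERROR;
++ break;
++ }
++
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+- bzstream.avail_out += 4096;
++ bzstream.next_out =
++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32);
++ /* avail_out is an unsigned int */
++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32 <= G_MAXUINT);
++ bzstream.avail_out =
++ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32;
+} while (bzstream.avail_in > 0);
+
+if (result != BZ_STREAM_END) {
+ret = FALSE;
+g_free (new_data);
+} else {
+- new_size = bzstream.total_out_lo32;
++ new_size =
++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+}
+BZ2_bzDecompressEnd (&bzstream);
+
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+/* lzo encoded data */
+int result;
+- int orig_size, out_size;
++ gint orig_size, out_size;
++
++ if (size > G_MAXINT) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
+
+orig_size = size;
+out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+
+if (orig_size > 0) {
++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = LZO_ERROR;
++ break;
++ }
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+}
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+/* header stripped encoded data */
+if (enc->comp_settings_length > 0) {
++ if (size > G_MAXSIZE - enc->comp_settings_length
++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = FALSE;
++ goto out;
++ }
++
+new_data = g_malloc (size + enc->comp_settings_length);
+new_size = size + enc->comp_settings_length;
+
+--
+GitLab
+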
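Review bot: The bzip2 branch's new `avail_out` calculation in the `@@ -167,17 +181,31 @@` hunk has the wrong precedence: `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32` parses as `(new_size - hi) + lo`, so for any output below 4 GiB (hi32 is 0, which the 120 MB cap enforced a few lines earlier guarantees) avail_out becomes `new_size + total_out_lo32` — exceeding the space actually left after `next_out` by `total_out` bytes, i.e. the same out-of-bounds write the commit message says it is closing, and the zlib branch's `new_size - zstream.total_out` shows the intended form. The preceding `g_assert` repeats the same expression, so it cannot catch this, and as a `g_assert` it vanishes under G_DISABLE_ASSERT anyway. Compute the 64-bit total once and subtract it as a unit: `guint64 total_out = ((guint64) bzstream.total_out_hi32 << 32) | bzstream.total_out_lo32;`, `bzstream.next_out = (char *) (new_data + total_out);`, `bzstream.avail_out = new_size - total_out;` (with the assert changed to `new_size - total_out <= G_MAXUINT`), and likewise in the `new_size =` assignment after the loop. Since this file is marked Upstream-Status: Backport, the correction should be taken from or submitted upstream rather than diverging locally; the rest of gst_matroska_decompress_data lies outside the hunks shown.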