diff options
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> | ||
3 | Date: Mon, 30 May 2022 10:15:37 +0300 | ||
4 | Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code | ||
5 | |||
6 | Various variables were of smaller types than needed and there were no | ||
7 | checks for any overflows when doing additions on the sizes. This is all | ||
8 | checked now. | ||
9 | |||
10 | In addition the size of the decompressed data is limited to 200MB now as | ||
11 | any larger sizes are likely pathological and we can avoid out of memory | ||
12 | situations in many cases like this. | ||
13 | |||
14 | Also fix a bug where the available output size on the next iteration in | ||
15 | the zlib decompression code was provided too large and could | ||
16 | potentially lead to out of bound writes. | ||
17 | |||
18 | Thanks to Adam Doupe for analyzing and reporting the issue. | ||
19 | |||
20 | CVE: tbd | ||
21 | |||
22 | https://gstreamer.freedesktop.org/security/sa-2022-0003.html | ||
23 | |||
24 | Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 | ||
25 | |||
26 | Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610> | ||
27 | |||
28 | https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774 | ||
29 | CVE: CVE-2022-2122 | ||
30 | Upstream-Status: Backport | ||
31 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
32 | --- | ||
33 | gst/isomp4/qtdemux.c | 8 +++++++- | ||
34 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
35 | |||
36 | diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c | ||
37 | index 7cc346b1e63..97ba0799a8d 100644 | ||
38 | --- a/gst/isomp4/qtdemux.c | ||
39 | +++ b/gst/isomp4/qtdemux.c | ||
40 | @@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) | ||
41 | break; | ||
42 | } | ||
43 | |||
44 | + if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { | ||
45 | + GST_WARNING ("too big decompressed data"); | ||
46 | + ret = Z_MEM_ERROR; | ||
47 | + break; | ||
48 | + } | ||
49 | + | ||
50 | *length += 4096; | ||
51 | buffer = (guint8 *) g_realloc (buffer, *length); | ||
52 | z.next_out = (Bytef *) (buffer + z.total_out); | ||
53 | - z.avail_out += 4096; | ||
54 | + z.avail_out += *length - z.total_out; | ||
55 | } while (z.avail_in > 0); | ||
56 | |||
57 | if (ret != Z_STREAM_END) { | ||
58 | -- | ||
59 | GitLab | ||
60 | |||