blob: 7e77a02642e58bafb6971565fe3b7a149b6a451b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From b80803943388050cb870c95934fc52feeffb94ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Sat, 3 May 2025 09:43:32 +0300
Subject: [PATCH] qtdemux: Check if enough bytes are available for each stsd
entry
There must be at least 8 bytes for the length / fourcc of each entry. After
reading those, the length is already validated against the remaining available
bytes.
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4407
Fixes CVE-2025-47219
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9137>
CVE: CVE-2025-47219
Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
gst/isomp4/qtdemux.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 9844ac2..0a88fb9 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11124,6 +11124,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak, guint32 * mvhd_matrix)
gchar *codec = NULL;
QtDemuxStreamStsdEntry *entry = &stream->stsd_entries[stsd_index];
+ /* needs at least length and fourcc */
+ if (remaining_stsd_len < 8)
+ goto corrupt_file;
+
/* and that entry should fit within stsd */
len = QT_UINT32 (stsd_entry_data);
if (len > remaining_stsd_len)
--
2.50.1
|
