File: exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch

package info (click to toggle)
gst-plugins-base1.0 1.22.0-3%2Bdeb12u5
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 23,968 kB
  • sloc: ansic: 379,461; cpp: 3,963; objc: 2,236; python: 294; sh: 66; makefile: 52
file content (62 lines) | stat: -rw-r--r-- 2,340 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 25 Apr 2024 15:21:20 +0300
Subject: exiftag: Prevent integer overflows and out of bounds reads when
 handling undefined tags
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e33578a3c2b85a68962003bd053abda9409e73a2
Bug: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-4453

Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
---
 .../gst-libs/gst/tag/gstexiftag.c             | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
index 45dfa00f36ae..fc4f830e9208 100644
--- a/gst-libs/gst/tag/gstexiftag.c
+++ b/gst-libs/gst/tag/gstexiftag.c
@@ -1383,6 +1383,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,

   if (count > 4) {
     GstMapInfo info;
+    gsize alloc_size;

     if (offset < reader->base_offset) {
       GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@@ -1404,14 +1405,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
       return;
     }

+    if (info.size - real_offset < count) {
+      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+          ", not adding tag %s", count, info.size, tag->gst_tag);
+      gst_buffer_unmap (reader->buffer, &info);
+      return;
+    }
+
+    if (!g_size_checked_add (&alloc_size, count, 1)) {
+      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+          ", not adding tag %s", real_offset, info.size, tag->gst_tag);
+      gst_buffer_unmap (reader->buffer, &info);
+      return;
+    }
+
     /* +1 because it could be a string without the \0 */
-    data = malloc (sizeof (guint8) * count + 1);
+    data = malloc (alloc_size);
     memcpy (data, info.data + real_offset, count);
     data[count] = 0;

     gst_buffer_unmap (reader->buffer, &info);
   } else {
-    data = malloc (sizeof (guint8) * count + 1);
+    data = malloc (count + 1);
     memcpy (data, (guint8 *) offset_as_data, count);
     data[count] = 0;
   }
--
2.45.1