File: qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch

From: Antonio Morales <antonio-morales@github.com>
Date: Thu, 26 Sep 2024 18:39:37 +0300
Subject: qtdemux: Fix integer overflow when allocating the samples table for
 fragmented MP4
Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47537

This can lead to out of bounds writes and NULL pointer dereferences.

Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
---
 subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3332,6 +3332,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
   gint i;
   guint8 *data;
   guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+  guint new_n_samples;
   QtDemuxSample *sample;
   gboolean ismv = FALSE;
   gint64 initial_offset;
@@ -3432,14 +3433,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
     goto fail;
   data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
 
-  if (stream->n_samples + samples_count >=
-      QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+  if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+      new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
     goto index_too_big;
 
   GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
-      stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
-      (stream->n_samples + samples_count) *
-      sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+      new_n_samples, (guint) sizeof (QtDemuxSample),
+      (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
 
   /* create a new array of samples if it's the first sample parsed */
   if (stream->n_samples == 0) {
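Review bot: The checked add at the top of this hunk fixes the wrap but leaves the reason undocumented, so a later reader may not see why a plain `stream->n_samples + samples_count` is unsafe here; a comment above the `if`, such as `/* The sum can wrap in guint; a wrapped value would pass the index-size check and under-size the g_try_renew below, so reject overflow explicitly. */`, would pin the intent. Two smaller points: the GST_DEBUG_OBJECT argument keeps parentheses left over from the old expression and reads more naturally as `new_n_samples * sizeof (QtDemuxSample) / (1024.0 * 1024.0)`, and `new_n_samples` in the first hunk is declared without an initializer — it is only read after the checked add succeeds, but `guint new_n_samples = 0;` avoids a maybe-uninitialized warning from compilers that do not see through the short-circuit. g_uint_checked_add needs GLib 2.48 or newer; presumably the project's minimum already covers that, but it is worth confirming in the build files. qtdemux_parse_trun starts and ends outside this hunk.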
@@ -3448,7 +3448,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
     /* or try to reallocate it with space enough to insert the new samples */
   } else
     stream->samples = g_try_renew (QtDemuxSample, stream->samples,
-        stream->n_samples + samples_count);
+        new_n_samples);
   if (stream->samples == NULL)
     goto out_of_memory;