1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:51:00 +0300
Subject: wavparse: Check size before reading ds64 chunk
Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ba8476d3448eeaf016345ae0697b8447c0f62636
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47775
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-261
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
---
subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer
guint32 sampleCountLow, sampleCountHigh;
gst_buffer_map (buf, &map, GST_MAP_READ);
+ if (map.size < 6 * 4) {
+ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
+ map.size);
+ return FALSE;
+ }
dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
|
