eb6b57
From bcfe7befea53869e7836be912ee7efe875877169 Mon Sep 17 00:00:00 2001
eb6b57
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
eb6b57
Date: Wed, 18 May 2022 12:00:48 +0300
eb6b57
Subject: [PATCH 1/4] avidemux: Fix integer overflow resulting in heap
eb6b57
 corruption in DIB buffer inversion code
eb6b57
eb6b57
Check that width*bpp/8 doesn't overflow a guint and also that
eb6b57
height*stride fits into the provided buffer without overflowing.
eb6b57
eb6b57
Thanks to Adam Doupe for analyzing and reporting the issue.
eb6b57
eb6b57
CVE: CVE-2022-1921
eb6b57
eb6b57
See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
eb6b57
eb6b57
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
eb6b57
eb6b57
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
eb6b57
---
eb6b57
 gst/avi/gstavidemux.c | 17 ++++++++++++++---
eb6b57
 1 file changed, 14 insertions(+), 3 deletions(-)
eb6b57
eb6b57
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
eb6b57
index 25c97da03e..1c87c668d0 100644
eb6b57
--- a/gst/avi/gstavidemux.c
eb6b57
+++ b/gst/avi/gstavidemux.c
eb6b57
@@ -4971,8 +4971,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
eb6b57
 static GstBuffer *
eb6b57
 gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
eb6b57
 {
eb6b57
-  gint y, w, h;
eb6b57
-  gint bpp, stride;
eb6b57
+  guint y, w, h;
eb6b57
+  guint bpp, stride;
eb6b57
   guint8 *tmp = NULL;
eb6b57
   GstMapInfo map;
eb6b57
   guint32 fourcc;
eb6b57
@@ -4999,12 +4999,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
eb6b57
   h = stream->strf.vids->height;
eb6b57
   w = stream->strf.vids->width;
eb6b57
   bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
eb6b57
+
eb6b57
+  if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
eb6b57
+    GST_WARNING ("Width x stride overflows");
eb6b57
+    return buf;
eb6b57
+  }
eb6b57
+
eb6b57
+  if (w == 0 || h == 0) {
eb6b57
+    GST_WARNING ("Zero width or height");
eb6b57
+    return buf;
eb6b57
+  }
eb6b57
+
eb6b57
   stride = GST_ROUND_UP_4 (w * (bpp / 8));
eb6b57
 
eb6b57
   buf = gst_buffer_make_writable (buf);
eb6b57
 
eb6b57
   gst_buffer_map (buf, &map, GST_MAP_READWRITE);
eb6b57
-  if (map.size < (stride * h)) {
eb6b57
+  if (map.size < ((guint64) stride * (guint64) h)) {
eb6b57
     GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
eb6b57
     gst_buffer_unmap (buf, &map);
eb6b57
     return buf;
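Review bot: The bound on the new width check (`> G_MAXUINT - 4`) still admits a stride above G_MAXINT, yet `swap_line` in the first hunk's header context takes its length as `gint bytes`, so on a 64-bit build a buffer larger than 2 GiB that passes the `map.size` check would hand the helper a negative count that it presumably uses as a size_t; tightening the check to what the helper can take, `if ((guint64) w * ((guint64) bpp / 8) > G_MAXINT - 4) {`, or changing swap_line's parameter to `gsize`, closes that gap. Whether stride really reaches swap_line depends on the swap loop after this hunk, which is outside the visible lines. A smaller point: `bit_cnt` values of 1 or 4 (palettised DIBs) make `bpp / 8` zero, so stride becomes 0, the size check passes trivially and the buffer is returned without inversion; if that pass-through is intended, a comment on the stride line such as `/* bpp < 8 gives stride 0: sub-byte DIBs are passed through un-inverted */` would keep the next reader from reading it as a bug. gst_avi_demux_invert's body continues past the end of the hunk.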
eb6b57
-- 
eb6b57
2.38.1
eb6b57