From 24267889a717e1e799037a0f1841d5416eb56e75 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>

Date: Mon, 30 May 2022 10:15:37 +0300

Subject: [PATCH 3/4] qtdemux: Fix integer overflows in zlib decompression code

Various variables were of smaller types than needed and there were no

checks for any overflows when doing additions on the sizes. This is all

checked now.

In addition the size of the decompressed data is limited to 200MB now as

any larger sizes are likely pathological and we can avoid out of memory

situations in many cases like this.

Also fix a bug where the available output size on the next iteration in

the zlib decompression code was provided too large and could

potentially lead to out of bound writes.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: tbd

https://gstreamer.freedesktop.org/security/sa-2022-0003.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>

---

 gst/isomp4/qtdemux.c | 8 +++++++-

 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c

index 182d0bc06f..a9cbbd4cd3 100644

--- a/gst/isomp4/qtdemux.c

+++ b/gst/isomp4/qtdemux.c

@@ -7611,10 +7611,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)

       break;

     }

+    if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {

+      GST_WARNING ("too big decompressed data");

+      ret = Z_MEM_ERROR;

+      break;

+    }

+

     *length += 4096;

     buffer = (guint8 *) g_realloc (buffer, *length);

     z.next_out = (Bytef *) (buffer + z.total_out);

-    z.avail_out += 4096;

+    z.avail_out += *length - z.total_out;

   } while (z.avail_in > 0);

   if (ret != Z_STREAM_END) {

-- 

2.38.1