path: root/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
Fix out of bounds reads when parsing audio and video packets:

https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37

Patch copied from upstream source repository:

https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:05:14 +0200
Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
 audio/video packets

Otherwise there will be out-of-bounds reads and potential crashes.

Thanks to Natalie Silvanovich for reporting.

Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
---
 gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 6cc659a1..68b0736b 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
 
   gst_buffer_map (in, &map, GST_MAP_READ);
 
+  if (map.size < offset)
+    goto not_enough_data;
+
   data = map.data + offset;
   size = map.size - offset;
 
@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
     }
     GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
 
+    if (map.size < (data - map.data) + fragment_size)
+      goto not_enough_data;
+
     /* get the fragment */
     fragment =
         gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
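Review bot: The added bound `map.size < (data - map.data) + fragment_size` adds a pointer difference to a length taken from the packet before comparing, so on a build where that sum is computed in 32 bits a very large `fragment_size` could wrap around and pass the check. The declaration of `fragment_size` is outside the hunk, so its width and signedness are not visible here. Comparing against the remaining bytes avoids the addition altogether: `if (fragment_size > map.size - (data - map.data)) goto not_enough_data;`. The `not_enough_data` label that this check and the earlier `map.size < offset` check jump to is not added to gst_rmdemux_parse_video_packet by this patch, so it presumably already exists there; it is worth confirming that it unmaps `in` before returning.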
@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
   GstFlowReturn ret;
   GstBuffer *buffer;
 
+  if (gst_buffer_get_size (in) < offset)
+    goto not_enough_data;
+
   buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
 
   if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
     ret = gst_pad_push (stream->pad, buffer);
   }
 
+done:
   gst_buffer_unref (in);
 
   return ret;
+
+  /* ERRORS */
+not_enough_data:
+  {
+    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+        (NULL));
+    ret = GST_FLOW_OK;
+    goto done;
+  }
 }
 
 static GstFlowReturn
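Review bot: The `not_enough_data` path posts `GST_ELEMENT_WARNING` once per rejected packet and then returns `GST_FLOW_OK`, so a file consisting mostly of truncated packets would put one message on the bus per packet; the same block is repeated for gst_rmdemux_parse_packet in the last hunk. If that volume matters to applications, consider posting the element warning only for the first bad packet and using `GST_WARNING_OBJECT (rmdemux, "Skipping bad packet.");` for the rest. A short comment on the label, such as `/* bad packet: drop it and keep demuxing, this is not a fatal error */`, would record why the return value is GST_FLOW_OK rather than an error.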
@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
   data = map.data;
   size = map.size;
 
+  if (size < 4 + 6 + 1 + 2)
+    goto not_enough_data;
+
   /* stream number */
   id = RMDEMUX_GUINT16_GET (data);
 
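Review bot: The minimum-length check `size < 4 + 6 + 1 + 2` is written as a bare sum with nothing to say which header fields each term covers, and most of the parsing that consumes those bytes lies outside the hunk. A comment above the check naming the fields, or a named constant for the total, would let a reader verify that 13 bytes is exactly what the code below reads before the next size check. The later `size < 1` check for version 1 is also a literal count, but the existing comment next to it already explains it.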
@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
 
   /* version 1 has an extra byte */
   if (version == 1) {
+    if (size < 1)
+      goto not_enough_data;
+
     data += 1;
     size -= 1;
   }
@@ -2596,6 +2621,16 @@ unknown_stream:
     gst_buffer_unref (in);
     return GST_FLOW_OK;
   }
+
+  /* ERRORS */
+not_enough_data:
+  {
+    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+        (NULL));
+    gst_buffer_unmap (in, &map);
+    gst_buffer_unref (in);
+    return GST_FLOW_OK;
+  }
 }
 
 gboolean
-- 
2.31.1