1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
| | Fix out of bounds reads when parsing audio and video packets:
https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:05:14 +0200
Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
audio/video packets
Otherwise there will be out-of-bounds reads and potential crashes.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
---
gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 6cc659a1..68b0736b 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
gst_buffer_map (in, &map, GST_MAP_READ);
+ if (map.size < offset)
+ goto not_enough_data;
+
data = map.data + offset;
size = map.size - offset;
@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
}
GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+ if (map.size < (data - map.data) + fragment_size)
+ goto not_enough_data;
+
/* get the fragment */
fragment =
gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
GstFlowReturn ret;
GstBuffer *buffer;
+ if (gst_buffer_get_size (in) < offset)
+ goto not_enough_data;
+
buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
ret = gst_pad_push (stream->pad, buffer);
}
+done:
gst_buffer_unref (in);
return ret;
+
+ /* ERRORS */
+not_enough_data:
+ {
+ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+ (NULL));
+ ret = GST_FLOW_OK;
+ goto done;
+ }
}
static GstFlowReturn
@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
data = map.data;
size = map.size;
+ if (size < 4 + 6 + 1 + 2)
+ goto not_enough_data;
+
/* stream number */
id = RMDEMUX_GUINT16_GET (data);
@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
/* version 1 has an extra byte */
if (version == 1) {
+ if (size < 1)
+ goto not_enough_data;
+
data += 1;
size -= 1;
}
@@ -2596,6 +2621,16 @@ unknown_stream:
gst_buffer_unref (in);
return GST_FLOW_OK;
}
+
+ /* ERRORS */
+not_enough_data:
+ {
+ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+ (NULL));
+ gst_buffer_unmap (in, &map);
+ gst_buffer_unref (in);
+ return GST_FLOW_OK;
+ }
}
gboolean
--
2.31.1
|