From: Leo Famulari <leo@famulari.name>
To: 48000@debbugs.gnu.org
Subject: [bug#48000] [PATCH 5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads.
Date: Sat, 24 Apr 2021 15:14:35 -0400 [thread overview]
Message-ID: <4f9f296c16eb42b46f565d70028cdb67d412fff7.1619291675.git.leo@famulari.name> (raw)
In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name>
* gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-ugly)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gstreamer.scm | 1 +
...-plugins-ugly-fix-out-of-bound-reads.patch | 119 ++++++++++++++++++
3 files changed, 121 insertions(+)
create mode 100644 gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a57f1996ff..a820bbfd1a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1175,6 +1175,7 @@ dist_patch_DATA = \
%D%/packages/patches/gst-plugins-good-fix-test.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \
+ %D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch \
%D%/packages/patches/guile-1.8-cpp-4.5.patch \
%D%/packages/patches/guile-2.2-skip-oom-test.patch \
%D%/packages/patches/guile-2.2-skip-so-test.patch \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 7d9c5c993f..9e70961655 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -793,6 +793,7 @@ par compared to the rest.")
(uri
(string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch"))
(sha256
(base32 "1nwbcv5yaib3d8icvyja3zf6lyjf5zf1hndbijrhj8j7xlia0dx3"))))
(build-system meson-build-system)
diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
new file mode 100644
index 0000000000..3c6a96f45d
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
@@ -0,0 +1,119 @@
+Fix out of bounds reads when parsing audio and video packets:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
+From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:05:14 +0200
+Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
+ audio/video packets
+
+Otherwise there will be out-of-bounds reads and potential crashes.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
+---
+ gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
+index 6cc659a1..68b0736b 100644
+--- a/gst/realmedia/rmdemux.c
++++ b/gst/realmedia/rmdemux.c
+@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+
+ gst_buffer_map (in, &map, GST_MAP_READ);
+
++ if (map.size < offset)
++ goto not_enough_data;
++
+ data = map.data + offset;
+ size = map.size - offset;
+
+@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ }
+ GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+
++ if (map.size < (data - map.data) + fragment_size)
++ goto not_enough_data;
++
+ /* get the fragment */
+ fragment =
+ gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
+@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ GstFlowReturn ret;
+ GstBuffer *buffer;
+
++ if (gst_buffer_get_size (in) < offset)
++ goto not_enough_data;
++
+ buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
+
+ if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
+@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ ret = gst_pad_push (stream->pad, buffer);
+ }
+
++done:
+ gst_buffer_unref (in);
+
+ return ret;
++
++ /* ERRORS */
++not_enough_data:
++ {
++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++ (NULL));
++ ret = GST_FLOW_OK;
++ goto done;
++ }
+ }
+
+ static GstFlowReturn
+@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+ data = map.data;
+ size = map.size;
+
++ if (size < 4 + 6 + 1 + 2)
++ goto not_enough_data;
++
+ /* stream number */
+ id = RMDEMUX_GUINT16_GET (data);
+
+@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+
+ /* version 1 has an extra byte */
+ if (version == 1) {
++ if (size < 1)
++ goto not_enough_data;
++
+ data += 1;
+ size -= 1;
+ }
+@@ -2596,6 +2621,16 @@ unknown_stream:
+ gst_buffer_unref (in);
+ return GST_FLOW_OK;
+ }
++
++ /* ERRORS */
++not_enough_data:
++ {
++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++ (NULL));
++ gst_buffer_unmap (in, &map);
++ gst_buffer_unref (in);
++ return GST_FLOW_OK;
++ }
+ }
+
+ gboolean
+--
+2.31.1
+
--
2.31.1
next prev parent reply other threads:[~2021-04-24 19:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-24 19:12 [bug#48000] GStreamer security updates Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498 Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 2/5] gnu: gst-libav: Fix a stack corruption bug Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags Leo Famulari
2021-04-24 19:14 ` Leo Famulari [this message]
2021-04-25 8:45 ` [bug#48000] GStreamer security updates Maxime Devos
2021-04-27 6:01 ` bug#48000: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f9f296c16eb42b46f565d70028cdb67d412fff7.1619291675.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=48000@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).