From: Leo Famulari <leo@famulari.name>
To: 48000@debbugs.gnu.org
Subject: [bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when processing video files.
Date: Sat, 24 Apr 2021 15:14:33 -0400 [thread overview]
Message-ID: <e4d2798393c64500047962eeb90f78fd25eb5774.1619291675.git.leo@famulari.name> (raw)
In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name>
* gnu/packages/patches/gst-plugins-bad-fix-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-bad)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/gstreamer.scm | 1 +
.../gst-plugins-bad-fix-overflow.patch | 263 ++++++++++++++++++
3 files changed, 265 insertions(+)
create mode 100644 gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index b3e84be598..94d7daf910 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1170,6 +1170,7 @@ dist_patch_DATA = \
%D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
%D%/packages/patches/gspell-dash-test.patch \
%D%/packages/patches/gst-libav-64channels-stack-corruption.patch \
+ %D%/packages/patches/gst-plugins-bad-fix-overflow.patch \
%D%/packages/patches/gst-plugins-good-fix-test.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 81ac0a2f5f..58a02119c6 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -681,6 +681,7 @@ model to base your own plug-in on, here it is.")
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-bad-fix-overflow.patch"))
(sha256
(base32
"06ildd4rl6cynirv3p00d2ddf5is9svj4i7mkahldzhq24pq5mca"))))
diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
new file mode 100644
index 0000000000..95ab13db51
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
@@ -0,0 +1,263 @@
+Fix an overflow when calculating something for AVC/HEVC videos:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d
+From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 23 Mar 2021 19:19:14 +0200
+Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length
+ calculations
+
+Offset and size are stored as 32 bit guint and might overflow when
+adding the nal_length_size, so let's avoid that.
+
+For the size this would happen if the AVC/HEVC NAL unit size happens to
+be stored in 4 bytes and is 4294967292 or higher, which is likely
+corrupted data anyway.
+
+For the offset this is something for the caller of these functions to
+take care of but is unlikely to happen as it would require parsing on a
+>4GB buffer.
+
+Allowing these overflows causes all kinds of follow-up bugs in the
+h2645parse elements, ranging from infinite loops and memory leaks to
+potential memory corruptions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107>
+---
+ gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++-
+ gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++-
+ tests/check/libs/h264parser.c | 60 +++++++++++++++++++++++
+ tests/check/libs/h265parser.c | 60 +++++++++++++++++++++++
+ 4 files changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
+index 012f1d0d7..68aa25068 100644
+--- a/gst-libs/gst/codecparsers/gsth264parser.c
++++ b/gst-libs/gst/codecparsers/gsth264parser.c
+@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+
+ memset (nalu, 0, sizeof (*nalu));
+
++ /* Would overflow guint below otherwise: the callers needs to ensure that
++ * this never happens */
++ if (offset > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("offset + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H264_PARSER_BROKEN_DATA;
++ }
++
+ if (size < offset + nal_length_size) {
+ GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+ ", offset %u", size, offset);
+@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+ nalu->sc_offset = offset;
+ nalu->offset = offset + nal_length_size;
+
+- if (size < nalu->size + nal_length_size) {
++ if (nalu->size > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("NALU size + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H264_PARSER_BROKEN_DATA;
++ }
++
++ if (size < (gsize) nalu->size + nal_length_size) {
+ nalu->size = 0;
+
+ return GST_H264_PARSER_NO_NAL_END;
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 26e68b276..dc7f27aa9 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+
+ memset (nalu, 0, sizeof (*nalu));
+
++ /* Would overflow guint below otherwise: the callers needs to ensure that
++ * this never happens */
++ if (offset > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("offset + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H265_PARSER_BROKEN_DATA;
++ }
++
+ if (size < offset + nal_length_size) {
+ GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+ ", offset %u", size, offset);
+@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+ nalu->sc_offset = offset;
+ nalu->offset = offset + nal_length_size;
+
+- if (size < nalu->size + nal_length_size) {
++ if (nalu->size > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("NALU size + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H265_PARSER_BROKEN_DATA;
++ }
++
++ if (size < (gsize) nalu->size + nal_length_size) {
+ nalu->size = 0;
+
+ return GST_H265_PARSER_NO_NAL_END;
+diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c
+index c7c46d9a2..d322dd8db 100644
+--- a/tests/check/libs/h264parser.c
++++ b/tests/check/libs/h264parser.c
+@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes)
+
+ GST_END_TEST;
+
++GST_START_TEST (test_h264_parse_identify_nalu_avc)
++{
++ GstH264ParserResult res;
++ GstH264NalUnit nalu;
++ GstH264NalParser *const parser = gst_h264_nal_parser_new ();
++ /* Skip 3 bytes for the start code */
++ const gsize nal_size = sizeof (slice_dpa) - 3;
++ const gsize buf_size = 4 + nal_size;
++ guint8 *buf = g_new (guint8, buf_size);
++
++ memcpy (buf + 4, slice_dpa + 3, nal_size);
++
++ GST_WRITE_UINT16_BE (buf + 2, nal_size);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, nal_size);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++ g_free (buf);
++ gst_h264_nal_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ static guint8 nalu_sps_with_vui[] = {
+ 0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28,
+ 0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03,
+@@ -666,6 +725,7 @@ h264parser_suite (void)
+ tcase_add_test (tc_chain, test_h264_parse_slice_dpa);
+ tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice);
+ tcase_add_test (tc_chain, test_h264_parse_slice_5bytes);
++ tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc);
+ tcase_add_test (tc_chain, test_h264_parse_invalid_sei);
+ tcase_add_test (tc_chain, test_h264_create_sei);
+
+diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c
+index 0a0e4db97..5b6a215ec 100644
+--- a/tests/check/libs/h265parser.c
++++ b/tests/check/libs/h265parser.c
+@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes)
+
+ GST_END_TEST;
+
++GST_START_TEST (test_h265_parse_identify_nalu_hevc)
++{
++ GstH265ParserResult res;
++ GstH265NalUnit nalu;
++ GstH265Parser *parser = gst_h265_parser_new ();
++ /* Skip 4 bytes for the start code */
++ const gsize nal_size = sizeof (slice_eos_slice_eob) - 4;
++ const gsize buf_size = 4 + nal_size;
++ guint8 *buf = g_new (guint8, buf_size);
++
++ memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size);
++
++ GST_WRITE_UINT16_BE (buf + 2, nal_size);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, nal_size);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++ g_free (buf);
++ gst_h265_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ GST_START_TEST (test_h265_base_profiles)
+ {
+ GstH265ProfileTierLevel ptl;
+@@ -1101,6 +1160,7 @@ h265parser_suite (void)
+ tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob);
+ tcase_add_test (tc_chain, test_h265_parse_pic_timing);
+ tcase_add_test (tc_chain, test_h265_parse_slice_6bytes);
++ tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc);
+ tcase_add_test (tc_chain, test_h265_base_profiles);
+ tcase_add_test (tc_chain, test_h265_base_profiles_compat);
+ tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match);
+--
+2.31.1
+
--
2.31.1
next prev parent reply other threads:[~2021-04-24 19:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-24 19:12 [bug#48000] GStreamer security updates Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 1/5] gnu: gst-plugins-good: Fix CVE-2021-3497 and CVE-2021-3498 Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 2/5] gnu: gst-libav: Fix a stack corruption bug Leo Famulari
2021-04-24 19:14 ` Leo Famulari [this message]
2021-04-24 19:14 ` [bug#48000] [PATCH 4/5] gnu: gst-plugins-base: Fix an invalid read when parsing ID3v2 tags Leo Famulari
2021-04-24 19:14 ` [bug#48000] [PATCH 5/5] gnu: gst-plugins-ugly: Fix some out-of-bounds reads Leo Famulari
2021-04-25 8:45 ` [bug#48000] GStreamer security updates Maxime Devos
2021-04-27 6:01 ` bug#48000: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e4d2798393c64500047962eeb90f78fd25eb5774.1619291675.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=48000@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).