Commit cf887f1b authored by Sebastian Dröge's avatar Sebastian Dröge 🍵 Committed by GStreamer Marge Bot
Browse files

matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code

blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later which then causes out of bound writes and can
potentially lead to anything from crashes to remote code execution.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1920

https://gstreamer.freedesktop.org/security/sa-2022-0004.html

Fixes #1226

Part-of: <!2612>
parent 14d306da
Pipeline #613664 waiting for manual action with stages
in 6 minutes and 28 seconds
......@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
} else {
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
guint32 block_samples, flags, crc;
gsize blocksize;
GstAdapter *adapter;
adapter = gst_adapter_new ();
......@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
return GST_FLOW_ERROR;
}
if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
GST_ERROR_OBJECT (element, "Too big wavpack buffer");
gst_buffer_unmap (*buf, &map);
g_object_unref (adapter);
return GST_FLOW_ERROR;
}
g_assert (newbuf == NULL);
newbuf =
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment