Commit f503caad authored by Sebastian Dröge's avatar Sebastian Dröge 🍵 Committed by GStreamer Marge Bot
Browse files

avidemux: Fix integer overflow resulting in heap corruption in DIB buffer inversion code

Check that width*bpp/8 doesn't overflow a guint and also that
height*stride fits into the provided buffer without overflowing.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1921

See https://gstreamer.freedesktop.org/security/sa-2022-0001.html

Fixes #1224

Part-of: <!2608>
parent e77ed17f
Pipeline #613584 waiting for manual action with stages
in 7 minutes and 3 seconds
......@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
static GstBuffer *
gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
{
gint y, w, h;
gint bpp, stride;
guint y, w, h;
guint bpp, stride;
guint8 *tmp = NULL;
GstMapInfo map;
guint32 fourcc;
......@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
h = stream->strf.vids->height;
w = stream->strf.vids->width;
bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
GST_WARNING ("Width x stride overflows");
return buf;
}
if (w == 0 || h == 0) {
GST_WARNING ("Zero width or height");
return buf;
}
stride = GST_ROUND_UP_4 (w * (bpp / 8));
buf = gst_buffer_make_writable (buf);
gst_buffer_map (buf, &map, GST_MAP_READWRITE);
if (map.size < (stride * h)) {
if (map.size < ((guint64) stride * (guint64) h)) {
GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
gst_buffer_unmap (buf, &map);
return buf;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment