matroskademux, qtdemux: Fix integer overflows in zlib/bz2/etc decompression code (!2610) · Merge requests · GStreamer / gstreamer

Tim-Philipp Müller requested to merge tpm/gstreamer:sec-1225-matroskademux-qtdemux into main Jun 15, 2022

Various variables were of smaller types than needed and there were no checks for any overflows when doing additions on the sizes. This is all checked now.

In addition the size of the decompressed data is limited to 120MB now as any larger sizes are likely pathological and we can avoid out of memory situations in many cases like this.

Also fix a bug where the available output size on the next iteration in the zlib/bz2 decompression code was provided too large and could potentially lead to out of bound writes.

Thanks to Adam Doupe for analyzing and reporting the issue.

Fixes #1225 (closed)

matroskademux, qtdemux: Fix integer overflows in zlib/bz2/etc decompression code

Merge request reports