matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code (!2612) · Merge requests · GStreamer / gstreamer

Tim-Philipp Müller requested to merge tpm/gstreamer:sec-1226-matroskademux-wvpk-header into main Jun 15, 2022

blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then results in allocating a very small buffer. Into that buffer blocksize data is memcpy'd later which then causes out of bound writes and can potentially lead to anything from crashes to remote code execution.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1920

https://gstreamer.freedesktop.org/security/sa-2022-0004.html

Fixes #1226 (closed)

matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code

Merge request reports