mxfdemux: Fix integer overflow causing out of bounds writes when handling invalid uncompressed video and check channels for AES3 (!5362) · Merge requests · GStreamer / gstreamer

Tim-Philipp Müller requested to merge tpm/gstreamer:mxf-fixes into main Sep 20, 2023

Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Aug 10 15:47:03 2023 +0300

    mxfdemux: Check number of channels for AES3 audio
    
    Only up to 8 channels are allowed and using a higher number would cause
    integer overflows when copying the data, and lead to out of bound
    writes.
    
    Also check that each buffer is at least 4 bytes long to avoid another
    overflow.
    
    Fixes ZDI-CAN-21661, CVE-2023-40475

Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Aug 10 15:45:01 2023 +0300

    mxfdemux: Fix integer overflow causing out of bounds writes when handling invalid uncompressed video
    
    Check ahead of time when parsing the track information whether
    width, height and bpp are valid and usable without overflows.
    
    Fixes ZDI-CAN-21660, CVE-2023-40474

Admin message

mxfdemux: Fix integer overflow causing out of bounds writes when handling invalid uncompressed video and check channels for AES3

Merge request reports