qtdemux: header and sample table parsing fixes

Tim-Philipp Müller requested to merge tpm/gstreamer:sec-mp4-combined into main

  • qtdemux: Fix integer overflow when allocating the samples table for fragmented MP4
  • qtdemux: Check sizes of stsc/stco/stts before trying to merge entries
  • qtdemux: Make sure only an even number of bytes is processed when handling CEA608 data
  • qtdemux: Make sure enough data is available before reading wave header node
  • qtdemux: Fix length checks and offsets in stsd entry parsing
  • qtdemux: Fix error handling when parsing cenc sample groups fails
  • qtdemux: Make sure there are enough offsets to read when parsing samples
  • qtdemux: Check for invalid atom length when extracting Closed Caption data
  • qtdemux: Add size check for parsing SMI / SEQH atom

qtdemux: Fix integer overflow when allocating the samples table for fragmented MP4

This can lead to out of bounds writes and NULL pointer dereferences.

Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839


qtdemux: Check sizes of stsc/stco/stts before trying to merge entries

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-246

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854


qtdemux: Make sure only an even number of bytes is processed when handling CEA608 data

An odd number of bytes would lead to out of bound reads and writes, and doesn't make any sense as CEA608 comes in byte pairs.

Strip off any leftover bytes and assume everything before that is valid.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-195

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841


qtdemux: Make sure enough data is available before reading wave header node

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-236

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843


qtdemux: Fix length checks and offsets in stsd entry parsing

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-242

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845


qtdemux: Fix error handling when parsing cenc sample groups fails

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846


qtdemux: Make sure there are enough offsets to read when parsing samples

While this specific case is also caught when initializing co_chunk, the error is ignored in various places and calling into the function would lead to out of bounds reads if the error message doesn't cause the pipeline to be shut down fast enough.

To avoid this, no matter what, make sure enough offsets are available when parsing them. While this is potentially slower, the same is already done in the non-chunks_are_samples case.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-245

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847


qtdemux: Check for invalid atom length when extracting Closed Caption data

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-243

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849


qtdemux: Add size check for parsing SMI / SEQH atom

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-244

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853
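
The even-length rule from the CEA608 commit above ("strip off any leftover bytes and assume everything before that is valid"), shown as an added C example that is not GStreamer's code. The function name, the 3-byte output record layout, the marker value and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not GStreamer's function): expand CEA608 byte pairs
 * into 3-byte records of the assumed form [marker, cc1, cc2].
 * Returns the number of bytes written to out, or 0 if nothing was written. */
size_t
cea608_pairs_to_triplets (const uint8_t *in, size_t in_len, uint8_t marker,
    uint8_t *out, size_t out_cap)
{
  size_t n_pairs, i;

  if (in == NULL || out == NULL)
    return 0;

  /* CEA608 comes in byte pairs: drop a trailing odd byte up front, so the
   * loop below can never read in[in_len] or emit a half-filled record. */
  in_len &= ~(size_t) 1;
  n_pairs = in_len / 2;

  /* Output needs 3 bytes per pair; refuse rather than overrun a small
   * buffer. Written as a division so the check itself cannot overflow. */
  if (n_pairs == 0 || n_pairs > out_cap / 3)
    return 0;

  for (i = 0; i < n_pairs; i++) {
    out[i * 3] = marker;
    out[i * 3 + 1] = in[i * 2];
    out[i * 3 + 2] = in[i * 2 + 1];
  }
  return n_pairs * 3;
}

/* Constructed sample: two complete pairs followed by one stray byte. */
static const uint8_t sample_odd[] = { 0x94, 0x2c, 0x94, 0x2f, 0x80 };

int
main (void)
{
  uint8_t out[8];
  size_t n = cea608_pairs_to_triplets (sample_odd, sizeof sample_odd, 0x80,
      out, sizeof out);

  printf ("%zu bytes written from %zu input bytes\n", n, sizeof sample_odd);
  return 0;
}
```
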

