mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-08 05:09:24 +00:00
Code Issues Projects Releases Wiki Activity

gstreamer1.0-plugins-bad: fix CVE-2023-40474

Browse Source 
gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when handling
malformed files with uncompressed video in GStreamer versions before 1.22.6

(From OE-Core rev: d0c8e2f78c8003ad383cc63cff32147156412650)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
2023-09-22 12:19:09 +00:00
committed by Steve Sakoman
parent df7a37d54f
commit 226bc34085
2 changed files with 119 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
+118
View File
@@ -0,0 +1,118 @@
From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:45:01 +0300
Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
when handling invalid uncompressed video
Check ahead of time when parsing the track information whether
width, height and bpp are valid and usable without overflows.
Fixes ZDI-CAN-21660, CVE-2023-40474
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0]
CVE: CVE-2023-40474
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
gst/mxf/mxfup.c | 51 +++++++++++++++++----
1 file changed, 43 insertions(+), 8 deletions(-)
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d72ed22cb7..0c0178c1c9 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.40.0
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+1
View File
@@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://0002-avoid-including-sys-poll.h-directly.patch \
file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \
file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
file://CVE-2023-40474.patch \
"
SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"