path: root/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 12:00:48 +0300
Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
 in DIB buffer inversion code

Check that width*bpp/8 doesn't overflow a guint and also that
height*stride fits into the provided buffer without overflowing.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1921

See https://gstreamer.freedesktop.org/security/sa-2022-0001.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
Upstream-Status: Backport
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
 .../gst/avi/gstavidemux.c      | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index eafe865494c..0d18a6495c7 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
 static GstBuffer *
 gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
 {
-  gint y, w, h;
-  gint bpp, stride;
+  guint y, w, h;
+  guint bpp, stride;
   guint8 *tmp = NULL;
   GstMapInfo map;
   guint32 fourcc;
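Review bot: `stride` becomes a `guint` here, but `swap_line`, whose signature is visible in this hunk's header, still takes `gint bytes`. The call site is outside the hunk; if `stride` is what gets passed as `bytes`, any value above `G_MAXINT` would arrive as a negative length. Either change the helper to `guint bytes` (or `gsize bytes`), or tighten the guard added later in this commit to `G_MAXINT - 4`, so the accepted range matches what the helper can represent. A one-line comment on the declarations, such as `/* unsigned: values come straight from the untrusted strf header */`, would also record why the types changed.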
@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
   h = stream->strf.vids->height;
   w = stream->strf.vids->width;
   bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
+
+  if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
+    GST_WARNING ("Width x stride overflows");
+    return buf;
+  }
+
+  if (w == 0 || h == 0) {
+    GST_WARNING ("Zero width or height");
+    return buf;
+  }
+
   stride = GST_ROUND_UP_4 (w * (bpp / 8));
 
   buf = gst_buffer_make_writable (buf);
 
   gst_buffer_map (buf, &map, GST_MAP_READWRITE);
-  if (map.size < (stride * h)) {
+  if (map.size < ((guint64) stride * (guint64) h)) {
     GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
     gst_buffer_unmap (buf, &map);
     return buf;
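Review bot: The widened comparison against `map.size` trusts the result of `gst_buffer_map`, whose return value is still ignored on the line above it. If the mapping fails, the size check and the following `gst_buffer_unmap` operate on a `GstMapInfo` that was never validly filled. Guard the call with `if (!gst_buffer_map (buf, &map, GST_MAP_READWRITE)) { GST_WARNING ("Failed to map buffer"); return buf; }`. Separately, the first new warning reads "Width x stride overflows", although the expression checked is width times bytes per pixel; wording such as `"Width x bytes-per-pixel overflows"` would make the log line match the check. The function body continues past the end of this hunk, so the swap loop itself is not visible here.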
-- 
GitLab