diff options
author | Archana Polampalli <archana.polampalli@windriver.com> | 2023-09-22 12:19:09 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-09-25 07:11:14 -1000 |
commit | d0c8e2f78c8003ad383cc63cff32147156412650 (patch) | |
tree | 44b79c0826b84f7ee3d82920566ccff664570d6b /meta/recipes-multimedia | |
parent | 1d169e50f28c93434461aa3ecbc47c21509143e9 (diff) | |
download | openembedded-core-contrib-d0c8e2f78c8003ad383cc63cff32147156412650.tar.gz |
gstreamer1.0-plugins-bad: fix CVE-2023-40474
gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when handling
malformed files with uncompressed video in GStreamer versions before 1.22.6
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch | 118 | ||||
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb | 1 |
2 files changed, 119 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch new file mode 100644 index 0000000000..dd5886863d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch @@ -0,0 +1,118 @@ +From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Thu, 10 Aug 2023 15:45:01 +0300 +Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes + when handling invalid uncompressed video + +Check ahead of time when parsing the track information whether +width, height and bpp are valid and usable without overflows. + +Fixes ZDI-CAN-21660, CVE-2023-40474 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0] +CVE: CVE-2023-40474 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + gst/mxf/mxfup.c | 51 +++++++++++++++++---- + 1 file changed, 43 insertions(+), 8 deletions(-) + +diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c +index d72ed22cb7..0c0178c1c9 100644 +--- a/gst/mxf/mxfup.c ++++ b/gst/mxf/mxfup.c +@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gpointer mapping_data, GstBuffer ** outbuf) + { + MXFUPMappingData *data = mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; + + /* SMPTE 384M 7.1 */ + if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02 +@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + } + } + +- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) { ++ // Checked for overflows when parsing the descriptor ++ expected_in_stride = data->bpp * data->width; ++ out_stride = GST_ROUND_UP_4 (expected_in_stride); ++ expected_in_size = expected_in_stride * data->height; ++ out_size = out_stride * data->height; ++ ++ if (gst_buffer_get_size (buffer) != expected_in_size) { + GST_ERROR ("Invalid buffer size"); + gst_buffer_unref (buffer); + return GST_FLOW_ERROR; + } + +- if (data->bpp != 4 +- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) { ++ if (data->bpp != 4 || out_stride != expected_in_stride) { + guint y; + GstBuffer *ret; + GstMapInfo inmap, outmap; + guint8 *indata, *outdata; + +- ret = +- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) * +- data->height); ++ ret = gst_buffer_new_and_alloc (out_size); + gst_buffer_map (buffer, &inmap, GST_MAP_READ); + gst_buffer_map (ret, &outmap, GST_MAP_WRITE); + indata = inmap.data; +@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + + for (y = 0; y < data->height; y++) { + memcpy (outdata, indata, data->width * data->bpp); +- outdata += GST_ROUND_UP_4 (data->width * data->bpp); +- indata += data->width * data->bpp; ++ outdata += out_stride; ++ indata += expected_in_stride; + } + + gst_buffer_unmap (buffer, &inmap); +@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + return NULL; + } + ++ if (caps) { ++ MXFUPMappingData *data = *mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; ++ ++ // Do some checking of the parameters to see if they're valid and ++ // we can actually work with them. ++ if (data->image_start_offset > data->image_end_offset) { ++ GST_WARNING ("Invalid image start/end offset"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ ++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) || ++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride ++ || !g_size_checked_mul (&expected_in_size, expected_in_stride, ++ data->height) ++ || !g_size_checked_mul (&out_size, out_stride, data->height)) { ++ GST_ERROR ("Invalid resolution or bit depth"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ } ++ + return caps; + } + +-- +2.40.0 diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 86b5301d8e..52acb30d74 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb @@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0002-avoid-including-sys-poll.h-directly.patch \ file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ + file://CVE-2023-40474.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195" |