diff options
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch new file mode 100644 index 0000000000..6265f4293e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch @@ -0,0 +1,42 @@ +From 394d5066f8a7b728df02fe9084e955b2f7d7f6fe Mon Sep 17 00:00:00 2001 +From: Seungha Yang <seungha@centricular.com> +Date: Wed, 10 Jan 2024 03:33:59 +0900 +Subject: [PATCH] av1parser: Fix potential stack overflow during tile list + parsing + +The tile_count_minus_1 must be less than or equal to 511 as specified +in spec "6.11.1 General tile list OBU semantics" + +Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971> + +CVE: CVE-2024-0444 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + gst-libs/gst/codecparsers/gstav1parser.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c +index 68f8a76..bab404e 100644 +--- a/gst-libs/gst/codecparsers/gstav1parser.c ++++ b/gst-libs/gst/codecparsers/gstav1parser.c +@@ -4352,6 +4352,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * parser, + tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8); + tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8); + tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16); ++ if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) { ++ GST_WARNING ("Invalid tile_count_minus_1 %d", ++ tile_list->tile_count_minus_1); ++ retval = GST_AV1_PARSER_BITSTREAM_ERROR; ++ goto error; ++ } ++ + for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) { + if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) { + retval = GST_AV1_PARSER_NO_MORE_DATA; +-- +2.40.0 |