- Fixes ZDI-CAN-21660 CVE-2023-40474

- Fixes ZDI-CAN-21661 CVE-2023-40475
- Fixes ZDI-CAN-21768 CVE-2023-40476
i9r
Arkady L. Shane 1 year ago
parent 990082556b
commit 64474e4612
Signed by: tigro
GPG Key ID: 9C7900103E1C4F8B

@ -0,0 +1,127 @@
From 96b6fa8e6f35a567e26e268e8c311f4c192eed40 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:49:39 +0300
Subject: [PATCH 1/2] Fixes ZDI-CAN-21660, CVE-2023-40474
---
gst/mxf/mxfd10.c | 3 ++-
gst/mxf/mxfup.c | 51 ++++++++++++++++++++++++++++++++++++++++--------
2 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 66c0713..060d5a0 100644
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d8b6664..ba86255 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.41.0

@ -0,0 +1,32 @@
From 1f9a7c6b4f658e0bbc6cb3638a8932680dbcff54 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:50:09 +0300
Subject: [PATCH 2/2] Fixes ZDI-CAN-21768, CVE-2023-40476
---
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index fe775a8..44b7237 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
READ_UINT8 (&nr, sps->vps_id, 4);
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.41.0

@ -1,11 +1,13 @@
Summary: GStreamer 1.0 streaming media framework "bad" plug-ins Summary: GStreamer 1.0 streaming media framework "bad" plug-ins
Name: gstreamer1-plugins-bad-freeworld Name: gstreamer1-plugins-bad-freeworld
Version: 1.18.4 Version: 1.18.4
Release: 1%{?dist} Release: 2%{?dist}.inferit
License: LGPLv2+ License: LGPLv2+
URL: https://gstreamer.freedesktop.org/ URL: https://gstreamer.freedesktop.org/
Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz
Patch0: build_what_we_need_only.patch Patch0: build_what_we_need_only.patch
Patch1: 0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch
Patch2: 0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch
BuildRequires: gcc-objc++ BuildRequires: gcc-objc++
BuildRequires: meson BuildRequires: meson
@ -96,6 +98,11 @@ rm -rf %{buildroot}%{_datadir}/gstreamer-1.0/encoding-profiles/
%changelog %changelog
* Tue Oct 24 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.18.4-2.inferit
- Fixes ZDI-CAN-21660 CVE-2023-40474
- Fixes ZDI-CAN-21661 CVE-2023-40475
- Fixes ZDI-CAN-21768 CVE-2023-40476
* Tue Jul 18 2023 Arkady L. Shane <ashejn@msvsphere.ru> - 1.18.4-1 * Tue Jul 18 2023 Arkady L. Shane <ashejn@msvsphere.ru> - 1.18.4-1
- Rebuilt for MSVSphere 9.2 - Rebuilt for MSVSphere 9.2

Loading…
Cancel
Save