From 96b6fa8e6f35a567e26e268e8c311f4c192eed40 Mon Sep 17 00:00:00 2001
|
|
From: tigro <arkadiy.sheyn@softline.com>
|
|
Date: Tue, 24 Oct 2023 08:49:39 +0300
|
|
Subject: [PATCH 1/2] Fixes ZDI-CAN-21660, CVE-2023-40474
|
|
|
|
---
|
|
gst/mxf/mxfd10.c | 3 ++-
|
|
gst/mxf/mxfup.c | 51 ++++++++++++++++++++++++++++++++++++++++--------
|
|
2 files changed, 45 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
|
|
index 66c0713..060d5a0 100644
|
|
--- a/gst/mxf/mxfd10.c
|
|
+++ b/gst/mxf/mxfd10.c
|
|
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
|
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
|
|
|
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
|
|
- if ((map.size - 4) % 32 != 0) {
|
|
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
|
|
gst_buffer_unmap (buffer, &map);
|
|
GST_ERROR ("Invalid D10 sound essence buffer size");
|
|
return GST_FLOW_ERROR;
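Review bot: The new `map.size < 4` guard reads `map.size` straight after a `gst_buffer_map` call whose gboolean result is ignored, so a failed map would be validated against whatever `map` happens to contain. Test the result first, e.g. `if (!gst_buffer_map (buffer, &map, GST_MAP_READ)) return GST_FLOW_ERROR;`, with whatever cleanup the function uses elsewhere. A short comment such as `/* map.size is unsigned: without the < 4 test, size - 4 wraps for short buffers */` would record why the extra clause exists. This error path unmaps but does not unref `buffer`, while the matching size check in mxfup.c calls `gst_buffer_unref`; whether that is a leak depends on ownership rules outside the hunk, and the function body continues beyond it.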
|
|
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
|
|
GstAudioFormat audio_format;
|
|
|
|
if (s->channel_count == 0 ||
|
|
+ s->channel_count > 8 ||
|
|
s->quantization_bits == 0 ||
|
|
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
|
|
GST_ERROR ("Invalid descriptor");
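Review bot: The bound `s->channel_count > 8` is a bare literal with nothing tying it to the code that depends on it. It presumably matches the 8-channel, 32-byte sample frame that the `% 32` size check in `mxf_d10_sound_handle_essence_element` assumes. A named constant or a comment, e.g. `/* D10 AES3 element carries at most 8 channels, see SMPTE 331M */`, would keep the two in step. `quantization_bits` is still rejected only when zero; if the handler supports only particular sample widths (not visible here), it is worth bounding in the same condition. The condition and the function continue outside the hunk.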
|
|
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
|
|
index d8b6664..ba86255 100644
|
|
--- a/gst/mxf/mxfup.c
|
|
+++ b/gst/mxf/mxfup.c
|
|
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
|
gpointer mapping_data, GstBuffer ** outbuf)
|
|
{
|
|
MXFUPMappingData *data = mapping_data;
|
|
+ gsize expected_in_stride = 0, out_stride = 0;
|
|
+ gsize expected_in_size = 0, out_size = 0;
|
|
|
|
/* SMPTE 384M 7.1 */
|
|
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
|
|
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
|
}
|
|
}
|
|
|
|
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
|
|
+ // Checked for overflows when parsing the descriptor
|
|
+ expected_in_stride = data->bpp * data->width;
|
|
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
|
|
+ expected_in_size = expected_in_stride * data->height;
|
|
+ out_size = out_stride * data->height;
|
|
+
|
|
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
|
|
GST_ERROR ("Invalid buffer size");
|
|
gst_buffer_unref (buffer);
|
|
return GST_FLOW_ERROR;
|
|
}
|
|
|
|
- if (data->bpp != 4
|
|
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
|
|
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
|
|
guint y;
|
|
GstBuffer *ret;
|
|
GstMapInfo inmap, outmap;
|
|
guint8 *indata, *outdata;
|
|
|
|
- ret =
|
|
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
|
|
- data->height);
|
|
+ ret = gst_buffer_new_and_alloc (out_size);
|
|
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
|
|
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
|
|
indata = inmap.data;
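Review bot: `expected_in_stride = data->bpp * data->width;` multiplies in the type of the struct fields rather than in `gsize`. If those fields are 32-bit (their declaration is not on this page), the product can wrap before it is widened, and on a 64-bit build the `g_size_checked_mul` test in `mxf_up_create_caps` does not cover that arithmetic. Casting the first operand, `expected_in_stride = (gsize) data->bpp * data->width;`, makes the handler compute the same value the check validated. The comment `// Checked for overflows when parsing the descriptor` would help more if it named `mxf_up_create_caps`, and it uses `//` where the surrounding context uses `/* */`. The function body starts and ends outside this hunk.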
|
|
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
|
|
|
for (y = 0; y < data->height; y++) {
|
|
memcpy (outdata, indata, data->width * data->bpp);
|
|
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
|
|
- indata += data->width * data->bpp;
|
|
+ outdata += out_stride;
|
|
+ indata += expected_in_stride;
|
|
}
|
|
|
|
gst_buffer_unmap (buffer, &inmap);
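Review bot: The `memcpy` length is still spelled `data->width * data->bpp` while the pointers now advance by `out_stride` and `expected_in_stride`. Writing `memcpy (outdata, indata, expected_in_stride);` would leave one definition of the row size in the loop. As far as the hunk shows, the `out_stride - expected_in_stride` padding bytes of each output row are never written, so they hold whatever the allocator returned. Clearing the output buffer after mapping, or zeroing the tail of each row, would avoid handing uninitialised bytes downstream. The loop sits inside a block that opens in the previous hunk.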
|
|
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
|
|
return NULL;
|
|
}
|
|
|
|
+ if (caps) {
|
|
+ MXFUPMappingData *data = *mapping_data;
|
|
+ gsize expected_in_stride = 0, out_stride = 0;
|
|
+ gsize expected_in_size = 0, out_size = 0;
|
|
+
|
|
+ // Do some checking of the parameters to see if they're valid and
|
|
+ // we can actually work with them.
|
|
+ if (data->image_start_offset > data->image_end_offset) {
|
|
+ GST_WARNING ("Invalid image start/end offset");
|
|
+ g_free (data);
|
|
+ *mapping_data = NULL;
|
|
+ gst_clear_caps (&caps);
|
|
+
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
|
|
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
|
|
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
|
|
+ data->height)
|
|
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
|
|
+ GST_ERROR ("Invalid resolution or bit depth");
|
|
+ g_free (data);
|
|
+ *mapping_data = NULL;
|
|
+ gst_clear_caps (&caps);
|
|
+
|
|
+ return NULL;
|
|
+ }
|
|
+ }
|
|
+
|
|
return caps;
|
|
}
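Review bot: The overflow test folds an assignment into the middle of an `||` chain, `(out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride`, so it is only correct because of short-circuit order, and the four-line cleanup is written out twice. Splitting the checks and sharing one failure path, as sketched below, is easier to audit. The sketch also logs both rejections at the same level, where the hunk uses `GST_WARNING` for one and `GST_ERROR` for the other although both return NULL. `data` is dereferenced without a NULL test, which assumes every path that leaves `caps` set has also filled `*mapping_data`; the earlier part of the function is outside the hunk. The computed `expected_in_size` and `out_size` are discarded here and recomputed in the essence handler, so keeping them in the mapping data would remove that second, unchecked computation.

```c
  if (caps) {
    /* … unchanged: data pointer and gsize locals … */
    const gchar *reason = NULL;

    /* Reject descriptors the essence handler cannot size safely. */
    if (data->image_start_offset > data->image_end_offset) {
      reason = "Invalid image start/end offset";
    } else if (!g_size_checked_mul (&expected_in_stride, data->bpp,
            data->width)) {
      reason = "Invalid resolution or bit depth";
    } else {
      out_stride = GST_ROUND_UP_4 (expected_in_stride);
      /* Rounding up can itself wrap when the stride is near G_MAXSIZE. */
      if (out_stride < expected_in_stride
          || !g_size_checked_mul (&expected_in_size, expected_in_stride,
              data->height)
          || !g_size_checked_mul (&out_size, out_stride, data->height))
        reason = "Invalid resolution or bit depth";
    }

    if (reason != NULL) {
      GST_ERROR ("%s", reason);
      g_free (data);
      *mapping_data = NULL;
      gst_clear_caps (&caps);
      return NULL;
    }
  }
```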
|
|
|
|
--
|
|
2.41.0
|
|
|