You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
64 lines
2.4 KiB
64 lines
2.4 KiB
From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
Date: Tue, 13 Jun 2023 14:23:47 +0300
|
|
Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the
|
|
available data
|
|
|
|
If the size read from the stream is smaller than the currently available
|
|
data then the size is bogus and the data should simply be discarded.
|
|
|
|
Fixes ZDI-CAN-20994
|
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
|
|
---
|
|
gst/dvdspu/gstspu-pgs.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
|
|
index e609a284df9..e29f4f18826 100644
|
|
--- a/gst/dvdspu/gstspu-pgs.c
|
|
+++ b/gst/dvdspu/gstspu-pgs.c
|
|
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
|
|
obj->rle_data_size = GST_READ_UINT24_BE (payload);
|
|
payload += 3;
|
|
|
|
+ if (end - payload > obj->rle_data_size)
|
|
+ return 0;
|
|
+
|
|
PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
|
|
(int) (end - payload), obj->rle_data_size);
|
|
|
|
--
|
|
GitLab
|
|
|
|
|
|
From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
Date: Tue, 13 Jun 2023 14:25:04 +0300
|
|
Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough
|
|
data is available
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
|
|
---
|
|
gst/dvdspu/gstspu-pgs.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
|
|
index e29f4f18826..49db6d13d8b 100644
|
|
--- a/gst/dvdspu/gstspu-pgs.c
|
|
+++ b/gst/dvdspu/gstspu-pgs.c
|
|
@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
|
|
PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
|
|
/* Check that the data chunk is for this object version, and fits in the buffer */
|
|
if (obj->rle_data_ver == obj_ver &&
|
|
- obj->rle_data_used + end - payload <= obj->rle_data_size) {
|
|
+ end - payload <= obj->rle_data_size &&
|
|
+ obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
|
|
|
|
memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
|
|
obj->rle_data_used += end - payload;
|
|
--
|
|
GitLab
|
|
|