File gstreamer-plugins-bad-CVE-2023-40475.patch of Package gstreamer-plugins-bad.35548
commit 72742dee30cce7bf909639f82de119871566ce39 (HEAD -> 3_2023.8.10_CVE-2023-40475_72742dee30cce7bf909639f82de119871566ce39)
Author: Sebastian Dröge <sebastian@centricular.com>
Date: Thu Aug 10 15:47:03 2023 +0300
mxfdemux: Check number of channels for AES3 audio
Only up to 8 channels are allowed and using a higher number would cause
integer overflows when copying the data, and lead to out of bound
writes.
Also check that each buffer is at least 4 bytes long to avoid another
overflow.
Fixes ZDI-CAN-21661, CVE-2023-40475
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
diff -Nura gst-plugins-bad-1.16.3/gst/mxf/mxfd10.c gst-plugins-bad-1.16.3_new/gst/mxf/mxfd10.c
--- gst-plugins-bad-1.16.3/gst/mxf/mxfd10.c 2019-04-19 17:16:36.000000000 +0800
+++ gst-plugins-bad-1.16.3_new/gst/mxf/mxfd10.c 2023-12-14 20:29:16.612945114 +0800
@@ -119,7 +119,7 @@
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");