File gstreamer-plugins-base-CVE-2024-4453.patch of Package gstreamer-plugins-base.30546
commit e68eccff103ab0e91e6d77a892f57131b33902f5
Author: Sebastian Dröge <sebastian@centricular.com>
Date: Thu Apr 25 15:21:20 2024 +0300
exiftag: Prevent integer overflows and out of bounds reads when handling undefined tags
Fixes ZDI-CAN-23896
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766>
diff -Nura gst-plugins-base-1.16.3/gst-libs/gst/tag/gstexiftag.c gst-plugins-base-1.16.3_new/gst-libs/gst/tag/gstexiftag.c
--- gst-plugins-base-1.16.3/gst-libs/gst/tag/gstexiftag.c 2019-04-19 17:16:20.000000000 +0800
+++ gst-plugins-base-1.16.3_new/gst-libs/gst/tag/gstexiftag.c 2024-05-28 17:44:11.722541126 +0800
@@ -1383,6 +1383,7 @@
if (count > 4) {
GstMapInfo info;
+ gsize alloc_size;
if (offset < reader->base_offset) {
GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@@ -1404,14 +1405,28 @@
return;
}
+ if (info.size - real_offset < count) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", count, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
+ if (!g_size_checked_add (&alloc_size, count, 1)) {
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
+ gst_buffer_unmap (reader->buffer, &info);
+ return;
+ }
+
/* +1 because it could be a string without the \0 */
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (alloc_size);
memcpy (data, info.data + real_offset, count);
data[count] = 0;
gst_buffer_unmap (reader->buffer, &info);
} else {
- data = malloc (sizeof (guint8) * count + 1);
+ data = malloc (count + 1);
memcpy (data, (guint8 *) offset_as_data, count);
data[count] = 0;
}
