File 0001-asfdemux-Error-out-on-files-with-more-than-32-streams.patch of Package gstreamer-plugins-ugly.43092
From 37d7991168a223d0810fd1f4493ec6a8b6a510d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 11 Feb 2026 19:27:09 +0200
Subject: [PATCH] asfdemux: Error out on files with more than 32 streams
This avoids overflowing the static streams array and overwriting
random other element state.
Fixes GST--SA-2026-0006, CVE-2026-2920, ZDI-CAN-28843.
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4900
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10881>
---
.../gst-plugins-ugly/gst/asfdemux/gstasfdemux.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/gst/asfdemux/gstasfdemux.c b/gst/asfdemux/gstasfdemux.c
index ef5f4f771d7..9450744e15f 100644
--- a/gst/asfdemux/gstasfdemux.c
+++ b/gst/asfdemux/gstasfdemux.c
@@ -2616,6 +2616,9 @@ gst_asf_demux_setup_pad (GstASFDemux * demux, GstPad * src_pad,
{
AsfStream *stream;
+ /* Checked in the callers */
+ g_assert (demux->num_streams < G_N_ELEMENTS (demux->stream));
+
gst_pad_use_fixed_caps (src_pad);
gst_pad_set_caps (src_pad, caps);
@@ -3071,6 +3074,12 @@ gst_asf_demux_parse_stream_object (GstASFDemux * demux, guint8 * data,
case ASF_STREAM_AUDIO:{
asf_stream_audio audio_object;
+ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
+ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
+ ("File has too many streams"));
+ return NULL;
+ }
+
if (!gst_asf_demux_get_stream_audio (&audio_object, &data, &size))
goto not_enough_data;
@@ -3149,6 +3158,12 @@ gst_asf_demux_parse_stream_object (GstASFDemux * demux, guint8 * data,
asf_stream_video video_object;
guint16 vsize;
+ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
+ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
+ ("File has too many streams"));
+ return NULL;
+ }
+
if (!gst_asf_demux_get_stream_video (&video_object, &data, &size))
goto not_enough_data;
--
GitLab
