File CVE-2024-47606.patch of Package gstreamer.36899

From f1cdc6f24340f6cce4cc7020628002f5c70dd6c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 22:07:22 +0300
Subject: [PATCH 1/2] allocator: Avoid integer overflow when allocating sysmem

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032>
---
diff -urp gstreamer-1.24.7.orig/gst/gstallocator.c gstreamer-1.24.7/gst/gstallocator.c
--- gstreamer-1.24.7.orig/gst/gstallocator.c	2024-08-21 07:25:15.000000000 -0400
+++ gstreamer-1.24.7/gst/gstallocator.c	2024-12-16 03:03:33.735196509 -0500
@@ -427,8 +427,20 @@ _sysmem_new_block (GstMemoryFlags flags,
   /* ensure configured alignment */
   align |= gst_memory_alignment;
   /* allocate more to compensate for alignment */
+  if (align > G_MAXSIZE || maxsize > G_MAXSIZE - align) {
+    GST_CAT_WARNING (GST_CAT_MEMORY,
+        "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT
+        "x overflows", maxsize, align);
+    return NULL;
+  }
   maxsize += align;
   /* alloc header and data in one block */
+  if (maxsize > G_MAXSIZE - sizeof (GstMemorySystem)) {
+    GST_CAT_WARNING (GST_CAT_MEMORY,
+        "Allocating %" G_GSIZE_FORMAT " bytes with alignment %" G_GSIZE_FORMAT
+        "x overflows", maxsize, align);
+    return NULL;
+  }
   slice_size = sizeof (GstMemorySystem) + maxsize;
 
   mem = g_malloc (slice_size);
@@ -478,6 +490,8 @@ _sysmem_copy (GstMemorySystem * mem, gss
     size = mem->mem.size > offset ? mem->mem.size - offset : 0;
 
   copy = _sysmem_new_block (0, size, mem->mem.align, 0, size);
+  if (!copy)
+    return NULL;
   GST_CAT_DEBUG (GST_CAT_PERFORMANCE,
       "memcpy %" G_GSIZE_FORMAT " memory %p -> %p", size, mem, copy);
   memcpy (copy->data, mem->data + mem->mem.offset + offset, size);