242 lines
7.1 KiB
Diff
242 lines
7.1 KiB
Diff
From 006047a23a4e4c146e40e5dab765bc6318a94744 Mon Sep 17 00:00:00 2001
|
|
From: Mathieu Duponchelle <mathieu@centricular.com>
|
|
Date: Wed, 2 Oct 2024 15:16:30 +0200
|
|
Subject: [PATCH 1/2] vorbis_parse: check writes to
|
|
GstOggStream.vorbis_mode_sizes
|
|
|
|
Thanks to Antonio Morales for finding and reporting the issue.
|
|
|
|
Fixes GHSL-2024-117 Fixes gstreamer#3875
|
|
|
|
Also perform out-of-bounds check for accesses to op->packet
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
|
|
---
|
|
.../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++
|
|
1 file changed, 21 insertions(+)
|
|
|
|
diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
|
|
index 65ef463808e1..757c7cd82b8d 100644
|
|
--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
|
|
+++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
|
|
@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
|
|
if (offset == 0) {
|
|
offset = 8;
|
|
current_pos -= 1;
|
|
+
|
|
+ /* have we underrun? */
|
|
+ if (current_pos < op->packet)
|
|
+ return -1;
|
|
}
|
|
}
|
|
|
|
@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
|
|
if (offset == 7)
|
|
current_pos -= 1;
|
|
|
|
+ /* have we underrun? */
|
|
+ if (current_pos < op->packet + 5)
|
|
+ return -1;
|
|
+
|
|
if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
|
|
||
|
|
current_pos[-4] != 0
|
|
@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
|
|
/* Give ourselves a chance to recover if we went back too far by using
|
|
* the size check. */
|
|
for (ii = 0; ii < 2; ii++) {
|
|
+
|
|
if (offset > 4) {
|
|
+ /* have we underrun? */
|
|
+ if (current_pos < op->packet)
|
|
+ return -1;
|
|
+
|
|
size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
|
|
} else {
|
|
+ /* have we underrun? */
|
|
+ if (current_pos < op->packet + 1)
|
|
+ return -1;
|
|
+
|
|
/* mask part of byte from current_pos */
|
|
size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
|
|
/* shift to appropriate position */
|
|
@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
|
|
|
|
mode_size_ptr = pad->vorbis_mode_sizes;
|
|
|
|
+ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
for (i = 0; i < size; i++) {
|
|
offset = (offset + 1) % 8;
|
|
if (offset == 0)
|
|
--
|
|
GitLab
|
|
|
|
|
|
From e633ec642825466b91fc12da6629c307906fa206 Mon Sep 17 00:00:00 2001
|
|
From: Mathieu Duponchelle <mathieu@centricular.com>
|
|
Date: Wed, 2 Oct 2024 16:52:51 +0200
|
|
Subject: [PATCH 2/2] oggstream: review and fix per-format min_packet_size
|
|
|
|
This addresses all manually detected invalid reads in setup functions.
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
|
|
---
|
|
.../gst-plugins-base/ext/ogg/gstoggstream.c | 40 ++++++-------------
|
|
1 file changed, 12 insertions(+), 28 deletions(-)
|
|
|
|
diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
|
|
index a8883304a5c0..ab6be238dc48 100644
|
|
--- a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
|
|
+++ b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
|
|
@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
{
|
|
gint width, height, par_n, par_d, fps_n, fps_d;
|
|
|
|
- if (packet->bytes < 26) {
|
|
- GST_DEBUG ("Failed to parse VP8 BOS page");
|
|
- return FALSE;
|
|
- }
|
|
-
|
|
width = GST_READ_UINT16_BE (packet->packet + 8);
|
|
height = GST_READ_UINT16_BE (packet->packet + 10);
|
|
par_n = GST_READ_UINT24_BE (packet->packet + 12);
|
|
@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
gint64 prestime_n, prestime_d;
|
|
gint64 basetime_n, basetime_d;
|
|
|
|
- if (packet->bytes < 44) {
|
|
- GST_DEBUG ("Not enough data for fishead header");
|
|
- return FALSE;
|
|
- }
|
|
-
|
|
data = packet->packet;
|
|
|
|
data += 8; /* header */
|
|
@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
pad->prestime = -1;
|
|
|
|
/* Ogg Skeleton 3.3+ streams provide additional information in the header */
|
|
- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
|
|
- && pad->skeleton_minor > 0) {
|
|
+ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
|
|
+ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
|
|
gint64 firstsampletime_n, firstsampletime_d;
|
|
gint64 lastsampletime_n, lastsampletime_d;
|
|
gint64 firstsampletime, lastsampletime;
|
|
@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
|
|
GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
|
|
GST_TIME_ARGS (pad->total_time));
|
|
- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
|
|
+ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
|
|
&& pad->skeleton_major == 4) {
|
|
guint64 segment_length, content_offset;
|
|
|
|
@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
guint8 *data = packet->packet;
|
|
const char *category;
|
|
|
|
- if (packet->bytes < 64)
|
|
- return FALSE;
|
|
-
|
|
pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
|
|
pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
|
|
pad->granuleshift = GST_READ_UINT8 (data + 15);
|
|
@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
|
|
{
|
|
GstBuffer *buffer;
|
|
|
|
- if (packet->bytes < 19)
|
|
- return FALSE;
|
|
-
|
|
pad->granulerate_n = 48000;
|
|
pad->granulerate_d = 1;
|
|
pad->granuleshift = 0;
|
|
@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "\001vorbis", 7, 22,
|
|
+ "\001vorbis", 7, 29,
|
|
"audio/x-vorbis",
|
|
setup_vorbis_mapper,
|
|
NULL,
|
|
@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "PCM ", 8, 0,
|
|
+ "PCM ", 8, 28,
|
|
"audio/x-raw",
|
|
setup_pcm_mapper,
|
|
NULL,
|
|
@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "CMML\0\0\0\0", 8, 0,
|
|
+ "CMML\0\0\0\0", 8, 29,
|
|
"text/x-cmml",
|
|
setup_cmml_mapper,
|
|
NULL,
|
|
@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "Annodex", 7, 0,
|
|
+ "Annodex", 7, 44,
|
|
"application/x-annodex",
|
|
setup_fishead_mapper,
|
|
NULL,
|
|
@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "CELT ", 8, 0,
|
|
+ "CELT ", 8, 60,
|
|
"audio/x-celt",
|
|
setup_celt_mapper,
|
|
NULL,
|
|
@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "\200kate\0\0\0", 8, 0,
|
|
+ "\200kate\0\0\0", 8, 64,
|
|
"text/x-kate",
|
|
setup_kate_mapper,
|
|
NULL,
|
|
@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "OVP80\1\1", 7, 4,
|
|
+ "OVP80\1\1", 7, 26,
|
|
"video/x-vp8",
|
|
setup_vp8_mapper,
|
|
setup_vp8_mapper_from_caps,
|
|
@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
|
|
update_stats_vp8
|
|
},
|
|
{
|
|
- "OpusHead", 8, 0,
|
|
+ "OpusHead", 8, 19,
|
|
"audio/x-opus",
|
|
setup_opus_mapper,
|
|
NULL,
|
|
@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
|
|
NULL
|
|
},
|
|
{
|
|
- "\001text\0\0\0", 9, 9,
|
|
+ "\001text\0\0\0", 9, 25,
|
|
"application/x-ogm-text",
|
|
setup_ogmtext_mapper,
|
|
NULL,
|
|
--
|
|
GitLab
|
|
|