From 519d86d9f36d80eb64148cd2d330b28a28be2755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 00:31:36 +0300
Subject: [PATCH 12/12] qtdemux: Add size check for parsing SMI / SEQH atom
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-244
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 7731b2c2c93b..5422e9f1d6f8 100644
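--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11198,8 +11198,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux,
 GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom "
 " found, ignoring");
 } else {
+ /* Note: The size does *not* include the fourcc and the size field itself */
 seqh_size = QT_UINT32 (data + 4);
- if (seqh_size > 0) {
+ if (seqh_size > 0 && seqh_size <= size - 8) {
 _seqh = gst_buffer_new_and_alloc (seqh_size);
 gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
 }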
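Review bot: The new bound `seqh_size <= size - 8` is only safe when `size` is at least 8 at this point, and nothing visible in the hunk establishes that. If `size` can be smaller, the subtraction goes negative or wraps, and when compared against what `QT_UINT32` suggests is an unsigned 32-bit `seqh_size` it would let an oversized value through to `gst_buffer_fill (_seqh, 0, data + 8, seqh_size)`, the very read this patch is bounding. The body of `qtdemux_parse_svq3_stsd_data` starts and ends outside the hunk, as do the declarations of `size` and `seqh_size`, so an earlier check may already guarantee the minimum. If it does not, I would make the lower bound explicit: `if (seqh_size > 0 && size >= 8 && seqh_size <= size - 8) {`. The `QT_UINT32 (data + 4)` read on the line above appears to rely on the same minimum.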
--
GitLab