41 lines
1.2 KiB
Diff
41 lines
1.2 KiB
Diff
From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
Date: Thu, 26 Sep 2024 22:16:06 +0300
|
|
Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension
|
|
|
|
Thanks to Antonio Morales for finding and reporting the issue.
|
|
|
|
Fixes GHSL-2024-166
|
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032>
|
|
---
|
|
gst/isomp4/qtdemux.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
|
|
index 5e3cb1b9e699..c2d8b5e0f134 100644
|
|
--- a/gst/isomp4/qtdemux.c
|
|
+++ b/gst/isomp4/qtdemux.c
|
|
@@ -8822,7 +8822,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
|
end -= 8;
|
|
|
|
while (buf < end) {
|
|
- gint size;
|
|
+ guint32 size;
|
|
guint32 type;
|
|
|
|
size = QT_UINT32 (buf);
|
|
@@ -8830,7 +8830,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
|
|
|
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
|
|
|
|
- if (buf + size > end || size <= 0)
|
|
+ if (end - buf < size || size < 8)
|
|
break;
|
|
|
|
buf += 8;
|
|
--
|
|
GitLab
|
|
|