diff --git a/gstplugins_good/gst/avi/gstavidemux.c b/gstplugins_good/gst/avi/gstavidemux.c index 834af76cb4d0e4fc4629742e1325d12e519f7d0d..4e49044b170ca9ebef50810535c796bd356bcebb 100644 --- a/gstplugins_good/gst/avi/gstavidemux.c +++ b/gstplugins_good/gst/avi/gstavidemux.c @@ -4966,8 +4966,17 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) static GstBuffer * gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) { +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html + */ + guint y, w, h; + guint bpp, stride; +#else gint y, w, h; gint bpp, stride; +#endif guint8 *tmp = NULL; GstMapInfo map; guint32 fourcc; @@ -4994,12 +5003,36 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) h = stream->strf.vids->height; w = stream->strf.vids->width; bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html + */ + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { + GST_WARNING ("Width x stride overflows"); + return buf; + } + + if (w == 0 || h == 0) { + GST_WARNING ("Zero width or height"); + return buf; + } + +#endif stride = GST_ROUND_UP_4 (w * (bpp / 8)); buf = gst_buffer_make_writable (buf); gst_buffer_map (buf, &map, GST_MAP_READWRITE); +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html + */ + if (map.size < ((guint64) stride * (guint64) h)) { +#else if (map.size < (stride * h)) { +#endif GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); gst_buffer_unmap (buf, &map); return buf; diff --git a/gstplugins_good/gst/isomp4/qtdemux.c b/gstplugins_good/gst/isomp4/qtdemux.c index f1c5fe981eee5439e7168f9b7130d39f1dc947f4..1b356925f5d00ac688c4fcd391ba4f6b9a2f730a 100644 --- a/gstplugins_good/gst/isomp4/qtdemux.c 
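Review bot: In the second hunk of gst_avi_demux_invert the added zero test covers `w` and `h` but not the depth: `bpp / 8` truncates to 0 for any `bit_cnt` from 1 to 7, so `stride` is 0 and the widened `map.size < stride * h` comparison can never reject a buffer. A separate guard before the stride computation, `if (bpp < 8) { GST_WARNING ("Unsupported bit depth"); return buf; }`, would keep a zero stride away from whatever follows the size check, which is outside this hunk. The result of `gst_buffer_map (buf, &map, GST_MAP_READWRITE)` is also not tested before `map.size` is read; `if (!gst_buffer_map (buf, &map, GST_MAP_READWRITE)) return buf;` closes that gap. The function body starts and ends outside the hunk.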
+++ b/gstplugins_good/gst/isomp4/qtdemux.c @@ -7699,10 +7699,30 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) break; } +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html + */ + if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { + GST_WARNING ("too big decompressed data"); + ret = Z_MEM_ERROR; + break; + } + +#endif *length += 4096; buffer = (guint8 *) g_realloc (buffer, *length); z.next_out = (Bytef *) (buffer + z.total_out); +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html + */ + z.avail_out += *length - z.total_out; +#else z.avail_out += 4096; +#endif } while (z.avail_in > 0); if (ret != Z_STREAM_END) { diff --git a/gstplugins_good/gst/matroska/matroska-demux.c b/gstplugins_good/gst/matroska/matroska-demux.c index fd4ec0d0368f47f957e71abbb36c1c369c2cd73e..5f9a63a851716ccd88f1587ff392b31d7a93e7c8 100644 --- a/gstplugins_good/gst/matroska/matroska-demux.c +++ b/gstplugins_good/gst/matroska/matroska-demux.c @@ -3748,7 +3748,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, } else { guint8 *outdata = NULL; gsize buf_size, size; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html + */ + guint32 block_samples, flags, crc; + gsize blocksize; +#else guint32 block_samples, flags, crc, blocksize; +#endif GstAdapter *adapter; adapter = gst_adapter_new (); 
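Review bot: In qtdemux_inflate the new `z.avail_out += *length - z.total_out;` adds the full free space on top of whatever `avail_out` already held, so if inflate() ever returns Z_OK with output space left, the counter would exceed the room actually allocated behind `next_out`. After the realloc the free space is exactly `*length - z.total_out`, so plain assignment is the safe form, `z.avail_out = *length - z.total_out;`, which is what the zlib loop in matroska-read-common.c uses in this same commit. The size check also depends on `QTDEMUX_MAX_SAMPLE_INDEX_SIZE`, which this diff does not define; confirm it exists in this tree's qtdemux.c, otherwise builds with OHOS_OPT_CVE set will fail. The loop and the function continue outside the hunk.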
@@ -3788,7 +3797,19 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, g_object_unref (adapter); return GST_FLOW_ERROR; } +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html + */ + if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { + GST_ERROR_OBJECT (element, "Too big wavpack buffer"); + gst_buffer_unmap (*buf, &map); + g_object_unref (adapter); + return GST_FLOW_ERROR; + } +#endif g_assert (newbuf == NULL); newbuf = diff --git a/gstplugins_good/gst/matroska/matroska-read-common.c b/gstplugins_good/gst/matroska/matroska-read-common.c index a952e740da3bf2e7b146d1d9ead10d3a0c8fc775..623bfb1e9ecbb4ffa5a10da8df9bccc374625150 100644 --- a/gstplugins_good/gst/matroska/matroska-read-common.c +++ b/gstplugins_good/gst/matroska/matroska-read-common.c @@ -70,6 +70,16 @@ typedef struct gboolean audio_only; } TargetTypeContext; +#ifdef OHOS_OPT_CVE +/* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ +/* 120MB as maximum decompressed data size. Anything bigger is likely + * pathological, and like this we avoid out of memory situations in many cases + */ +#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) +#endif static gboolean gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, 
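Review bot: The added `blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE` test in gst_matroska_demux_add_wvpk_header only keeps the header-plus-payload sum from wrapping; it puts no ceiling on the allocation that begins at `newbuf =`. Where `blocksize` is read is outside the hunk, so it is worth confirming that the error return just above already bounds it by the bytes left in the mapped buffer, and recording that in a comment such as `/* blocksize was checked against size above; this only guards the addition below */`. If that bound is not there, this check is not sufficient on its own.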
@@ -77,19 +87,49 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, GstMatroskaTrackCompressionAlgorithm algo) { guint8 *new_data = NULL; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + gsize new_size = 0; + guint8 *data = *data_out; + const gsize size = *size_out; +#else guint new_size = 0; guint8 *data = *data_out; guint size = *size_out; +#endif gboolean ret = TRUE; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + if (size > G_MAXUINT32) { + GST_WARNING ("too large compressed data buffer."); + ret = FALSE; + goto out; + } + +#endif if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { #ifdef HAVE_ZLIB /* zlib encoded data */ z_stream zstream; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + int result; +#else guint orig_size; int result; orig_size = size; +#endif zstream.zalloc = (alloc_func) 0; zstream.zfree = (free_func) 0; zstream.opaque = (voidpf) 0; @@ -99,8 +139,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, goto out; } zstream.next_in = (Bytef *) data; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + zstream.avail_in = size; + new_size = size; +#else zstream.avail_in = orig_size; new_size = orig_size; +#endif new_data = g_malloc (new_size); zstream.avail_out = new_size; zstream.next_out = (Bytef *) new_data; 
@@ -114,10 +163,32 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = Z_MEM_ERROR; + break; + } + +#endif new_size += 4096; new_data = g_realloc (new_data, new_size); zstream.next_out = (Bytef *) (new_data + zstream.total_out); +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + /* avail_out is an unsigned int */ + g_assert (new_size - zstream.total_out <= G_MAXUINT); + zstream.avail_out = new_size - zstream.total_out; +#else zstream.avail_out += 4096; +#endif } while (zstream.avail_in > 0); if (result != Z_STREAM_END) { @@ -137,6 +208,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef HAVE_BZ2 /* bzip2 encoded data */ bz_stream bzstream; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + int result; + + bzstream.bzalloc = NULL; + bzstream.bzfree = NULL; + bzstream.opaque = NULL; + +#else guint orig_size; int result; @@ -145,6 +228,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, bzstream.opaque = NULL; orig_size = size; +#endif if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { GST_WARNING ("bzip2 initialization failed."); ret = FALSE; 
@@ -152,8 +236,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } bzstream.next_in = (char *) data; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + bzstream.avail_in = size; + new_size = size; +#else bzstream.avail_in = orig_size; new_size = orig_size; +#endif new_data = g_malloc (new_size); bzstream.avail_out = new_size; bzstream.next_out = (char *) new_data; 
@@ -167,17 +260,50 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = BZ_MEM_ERROR; + break; + } + + new_size += 4096; + new_data = g_realloc (new_data, new_size); + bzstream.next_out = + (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32); + /* avail_out is an unsigned int */ + g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32 <= G_MAXUINT); + bzstream.avail_out = + new_size - ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32; +#else new_size += 4096; new_data = g_realloc (new_data, new_size); bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); bzstream.avail_out += 4096; +#endif } while (bzstream.avail_in > 0); if (result != BZ_STREAM_END) { ret = FALSE; g_free (new_data); } else { +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + new_size = + ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; +#else new_size = bzstream.total_out_lo32; +#endif } BZ2_bzDecompressEnd (&bzstream); 
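Review bot: The remaining-space expression in the bzip2 loop is missing parentheses: `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32` evaluates as (new_size - hi) + lo, so `total_out_lo32` is added where it should be subtracted. Both the `g_assert` and the value stored in `bzstream.avail_out` use that expression, so once any output has been produced bzip2 is told the buffer has more room than was allocated behind `next_out`. The subtraction has to apply to the combined 64-bit total; computing that total once and reusing it for `next_out`, the assertion and `avail_out` fixes the arithmetic and removes the repetition. The zlib loop in this file is not affected because `total_out` is a single field there; the loop's opening and the rest of the function are outside the hunk.

```c
      /* … unchanged: MAX_DECOMPRESS_SIZE / overflow check … */
      new_size += 4096;
      new_data = g_realloc (new_data, new_size);
      {
        /* bytes produced so far, combined from bzip2's split 32-bit counters */
        const guint64 total_out =
            ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;

        bzstream.next_out = (char *) (new_data + total_out);
        /* avail_out is an unsigned int */
        g_assert (new_size - total_out <= G_MAXUINT);
        bzstream.avail_out = new_size - total_out;
      }
```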
@@ -189,7 +315,22 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { /* lzo encoded data */ int result; +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + gint orig_size, out_size; + + if (size > G_MAXINT) { + GST_WARNING ("too large compressed data buffer."); + ret = FALSE; + goto out; + } + +#else int orig_size, out_size; +#endif orig_size = size; out_size = size; @@ -203,6 +344,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, result = lzo1x_decode (new_data, &out_size, data, &orig_size); if (orig_size > 0) { +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = LZO_ERROR; + break; + } +#endif new_size += 4096; new_data = g_realloc (new_data, new_size); } @@ -221,6 +373,19 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { /* header stripped encoded data */ if (enc->comp_settings_length > 0) { +#ifdef OHOS_OPT_CVE + /* + * ohos.opt.cve.0001 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html + */ + if (size > G_MAXSIZE - enc->comp_settings_length + || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + ret = FALSE; + goto out; + } + +#endif new_data = g_malloc (size + enc->comp_settings_length); new_size = size + enc->comp_settings_length;