From e6a18c0e1ad6f13151f915e49b93377808e4885d Mon Sep 17 00:00:00 2001 From: sqwlly Date: Thu, 23 Jun 2022 20:42:14 +0800 Subject: [PATCH 1/5] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=AE=89=E5=85=A8CVE?= =?UTF-8?q?=E6=BC=8F=E6=B4=9ECVE-2022-1920=E3=80=81CVE-2022-1925=E3=80=81C?= =?UTF-8?q?VE-2022-2122=EF=BC=8CCVE-2022-1922=EF=BC=8CCVE-2022-1923?= =?UTF-8?q?=EF=BC=8CCVE-2022-1924=EF=BC=8CCVE-2022-1921=20Signed-off-by:?= =?UTF-8?q?=20s30029175=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: sqwlly Change-Id: I1771a8112aab44533ec92d24400475a0729d7e30 --- gstplugins_good/gst/avi/gstavidemux.c | 34 ++++ gstplugins_good/gst/isomp4/qtdemux.c | 20 +++ gstplugins_good/gst/matroska/matroska-demux.c | 21 +++ .../gst/matroska/matroska-read-common.c | 154 ++++++++++++++++++ 4 files changed, 229 insertions(+) diff --git a/gstplugins_good/gst/avi/gstavidemux.c b/gstplugins_good/gst/avi/gstavidemux.c index 834af76c..c28a1930 100644 --- a/gstplugins_good/gst/avi/gstavidemux.c +++ b/gstplugins_good/gst/avi/gstavidemux.c @@ -4966,8 +4966,17 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) static GstBuffer * gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) { +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1921 + */ + guint y, w, h; + guint bpp, stride; +#else gint y, w, h; gint bpp, stride; +#endif guint8 *tmp = NULL; GstMapInfo map; guint32 fourcc; 
@@ -4994,12 +5003,37 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) h = stream->strf.vids->height; w = stream->strf.vids->width; bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1921 + */ + + if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { + GST_WARNING ("Width x stride overflows"); + return buf; + } + + if (w == 0 || h == 0) { + GST_WARNING ("Zero width or height"); + return buf; + } + +#endif stride = GST_ROUND_UP_4 (w * (bpp / 8)); buf = gst_buffer_make_writable (buf); gst_buffer_map (buf, &map, GST_MAP_READWRITE); +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1921 + */ + if (map.size < ((guint64) stride * (guint64) h)) { +#else if (map.size < (stride * h)) { +#endif GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); gst_buffer_unmap (buf, &map); return buf; diff --git a/gstplugins_good/gst/isomp4/qtdemux.c b/gstplugins_good/gst/isomp4/qtdemux.c index f1c5fe98..89b4caa5 100644 --- a/gstplugins_good/gst/isomp4/qtdemux.c +++ b/gstplugins_good/gst/isomp4/qtdemux.c @@ -7699,10 +7699,30 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) break; } +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-2122 + */ + if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { + GST_WARNING ("too big decompressed data"); + ret = Z_MEM_ERROR; + break; + } + +#endif *length += 4096; buffer = (guint8 *) g_realloc (buffer, *length); z.next_out = (Bytef *) (buffer + z.total_out); +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-2122 + */ + z.avail_out += *length - z.total_out; +#else z.avail_out += 4096; +#endif } while (z.avail_in > 0); if (ret != Z_STREAM_END) { diff --git a/gstplugins_good/gst/matroska/matroska-demux.c b/gstplugins_good/gst/matroska/matroska-demux.c index fd4ec0d0..43383cce 100644 --- a/gstplugins_good/gst/matroska/matroska-demux.c 
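Review bot: In the qtdemux_inflate hunk, the new `z.avail_out += *length - z.total_out;` adds the full remaining space on top of whatever `avail_out` still held. If inflate() ever returns Z_OK with output space left, zlib is told the buffer is larger than the `*length` bytes that g_realloc provided. The matroska zlib path in this same patch assigns rather than accumulates, and that form is correct however inflate() returned: `z.avail_out = *length - z.total_out;`. The two forms agree only when `avail_out` is zero at this point, which the visible lines do not guarantee. The do/while loop starts above this hunk, so the inflate() call itself is not visible here.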
+++ b/gstplugins_good/gst/matroska/matroska-demux.c @@ -3748,7 +3748,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, } else { guint8 *outdata = NULL; gsize buf_size, size; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1920 + */ + guint32 block_samples, flags, crc; + gsize blocksize; +#else guint32 block_samples, flags, crc, blocksize; +#endif GstAdapter *adapter; adapter = gst_adapter_new (); @@ -3763,7 +3772,19 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, g_object_unref (adapter); return GST_FLOW_ERROR; } +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1920 + */ + if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { + GST_ERROR_OBJECT (element, "Too big wavpack buffer"); + gst_buffer_unmap (*buf, &map); + g_object_unref (adapter); + return GST_FLOW_ERROR; + } +#endif data = buf_data; size = buf_size; diff --git a/gstplugins_good/gst/matroska/matroska-read-common.c b/gstplugins_good/gst/matroska/matroska-read-common.c index a952e740..03be299e 100644 --- a/gstplugins_good/gst/matroska/matroska-read-common.c +++ b/gstplugins_good/gst/matroska/matroska-read-common.c @@ -70,6 +70,16 @@ typedef struct gboolean audio_only; } TargetTypeContext; +#ifdef OHOS_OPT_COMPAT +/* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ +/* 120MB as maximum decompressed data size. Anything bigger is likely + * pathological, and like this we avoid out of memory situations in many cases + */ +#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) +#endif static gboolean gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, 
@@ -77,19 +87,49 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, GstMatroskaTrackCompressionAlgorithm algo) { guint8 *new_data = NULL; +#ifdef OHOS_OPT_COMPAT +/* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + gsize new_size = 0; + guint8 *data = *data_out; + const gsize size = *size_out; +#else guint new_size = 0; guint8 *data = *data_out; guint size = *size_out; +#endif gboolean ret = TRUE; +#ifdef OHOS_OPT_COMPAT +/* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + if (size > G_MAXUINT32) { + GST_WARNING ("too large compressed data buffer."); + ret = FALSE; + goto out; + } + +#endif if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { #ifdef HAVE_ZLIB /* zlib encoded data */ z_stream zstream; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + int result; +#else guint orig_size; int result; orig_size = size; +#endif zstream.zalloc = (alloc_func) 0; zstream.zfree = (free_func) 0; zstream.opaque = (voidpf) 0; @@ -99,8 +139,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, goto out; } zstream.next_in = (Bytef *) data; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + zstream.avail_in = size; + new_size = size; +#else zstream.avail_in = orig_size; new_size = orig_size; +#endif new_data = g_malloc (new_size); zstream.avail_out = new_size; zstream.next_out = (Bytef *) new_data; 
@@ -114,10 +163,32 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = Z_MEM_ERROR; + break; + } + +#endif new_size += 4096; new_data = g_realloc (new_data, new_size); zstream.next_out = (Bytef *) (new_data + zstream.total_out); +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + /* avail_out is an unsigned int */ + g_assert (new_size - zstream.total_out <= G_MAXUINT); + zstream.avail_out = new_size - zstream.total_out; +#else zstream.avail_out += 4096; +#endif } while (zstream.avail_in > 0); if (result != Z_STREAM_END) { @@ -137,6 +208,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef HAVE_BZ2 /* bzip2 encoded data */ bz_stream bzstream; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + int result; + + bzstream.bzalloc = NULL; + bzstream.bzfree = NULL; + bzstream.opaque = NULL; + +#else guint orig_size; int result; @@ -145,6 +228,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, bzstream.opaque = NULL; orig_size = size; +#endif if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { GST_WARNING ("bzip2 initialization failed."); ret = FALSE; @@ -152,8 +236,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } bzstream.next_in = (char *) data; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + bzstream.avail_in = size; + new_size = size; +#else bzstream.avail_in = orig_size; new_size = orig_size; +#endif new_data = g_malloc (new_size); bzstream.avail_out = new_size; bzstream.next_out = (char *) new_data; 
@@ -167,17 +260,50 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = BZ_MEM_ERROR; + break; + } + + new_size += 4096; + new_data = g_realloc (new_data, new_size); + bzstream.next_out = + (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32); + /* avail_out is an unsigned int */ + g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32 <= G_MAXUINT); + bzstream.avail_out = + new_size - ((guint64) bzstream.total_out_hi32 << 32) + + bzstream.total_out_lo32; +#else new_size += 4096; new_data = g_realloc (new_data, new_size); bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); bzstream.avail_out += 4096; +#endif } while (bzstream.avail_in > 0); if (result != BZ_STREAM_END) { ret = FALSE; g_free (new_data); } else { +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + new_size = + ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; +#else new_size = bzstream.total_out_lo32; +#endif } BZ2_bzDecompressEnd (&bzstream); @@ -189,7 +315,22 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { /* lzo encoded data */ int result; +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + gint orig_size, out_size; + + if (size > G_MAXINT) { + GST_WARNING ("too large compressed data buffer."); + ret = FALSE; + goto out; + } + +#else int orig_size, out_size; +#endif orig_size = size; out_size = size; 
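Review bot: In the bzip2 branch, `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32` parses as `(new_size - hi) + lo`. So `bzstream.avail_out` is set to `new_size + total_out` instead of the space left after `next_out`, and the `g_assert` just above it checks the same wrong value. Under the 120 MB cap `total_out_hi32` is zero, so bzip2 is told it has more room than the g_realloc'd buffer holds and could write past its end. Parenthesise the total in both the assert and the assignment: `bzstream.avail_out = new_size - (((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32);`. Alternatively, compute the 64-bit total once into a local and reuse it for `next_out`, the assert and `avail_out`. The loop head and the BZ2_bzDecompress call are outside this hunk.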
@@ -221,6 +362,19 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { /* header stripped encoded data */ if (enc->comp_settings_length > 0) { +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + if (size > G_MAXSIZE - enc->comp_settings_length + || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + ret = FALSE; + goto out; + } + +#endif new_data = g_malloc (size + enc->comp_settings_length); new_size = size + enc->comp_settings_length; -- Gitee From 2f644e9a45e67b1122b387064d3aaca39a0b0054 Mon Sep 17 00:00:00 2001 From: sqwlly Date: Fri, 24 Jun 2022 09:15:51 +0800 Subject: [PATCH 2/5] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=AE=89=E5=85=A8CVE?= =?UTF-8?q?=E6=BC=8F=E6=B4=9ECVE-2022-1920=E3=80=81CVE-2022-1925=E3=80=81C?= =?UTF-8?q?VE-2022-2122=EF=BC=8CCVE-2022-1922=EF=BC=8CCVE-2022-1923?= =?UTF-8?q?=EF=BC=8CCVE-2022-1924=EF=BC=8CCVE-2022-1921=20Signed-off-by:?= =?UTF-8?q?=20s30029175=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: sqwlly Change-Id: I1bb6d5c02ebe5c51d1f06adc98b1a8aa193754b9 --- gstplugins_good/gst/matroska/matroska-demux.c | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/gstplugins_good/gst/matroska/matroska-demux.c b/gstplugins_good/gst/matroska/matroska-demux.c index 43383cce..810011df 100644 --- a/gstplugins_good/gst/matroska/matroska-demux.c +++ b/gstplugins_good/gst/matroska/matroska-demux.c 
@@ -3772,19 +3772,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, g_object_unref (adapter); return GST_FLOW_ERROR; } -#ifdef OHOS_OPT_COMPAT - /* - * ohos.opt.compat.0031 - * CVE-2022-1920 - */ - if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { - GST_ERROR_OBJECT (element, "Too big wavpack buffer"); - gst_buffer_unmap (*buf, &map); - g_object_unref (adapter); - return GST_FLOW_ERROR; - } -#endif data = buf_data; size = buf_size; @@ -3809,7 +3797,19 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, g_object_unref (adapter); return GST_FLOW_ERROR; } +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1920 + */ + if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { + GST_ERROR_OBJECT (element, "Too big wavpack buffer"); + gst_buffer_unmap (*buf, &map); + g_object_unref (adapter); + return GST_FLOW_ERROR; + } +#endif g_assert (newbuf == NULL); newbuf = -- Gitee From e49d4403f7f974576663e35ff6f66a16e3debe93 Mon Sep 17 00:00:00 2001 From: sqwlly Date: Fri, 24 Jun 2022 11:01:34 +0800 Subject: [PATCH 3/5] =?UTF-8?q?=E8=A1=A5=E5=85=85=E6=BC=8F=E6=8E=89?= =?UTF-8?q?=E7=9A=84=E8=A1=A5=E4=B8=81Signed-off-by:=20s30029175=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: sqwlly Change-Id: I0fbe17a65d775c7a9845b0afbfc29fdd4f2b3767 --- gstplugins_good/gst/avi/gstavidemux.c | 1 - .../gst/matroska/matroska-read-common.c | 27 +++++++++++++------ 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/gstplugins_good/gst/avi/gstavidemux.c b/gstplugins_good/gst/avi/gstavidemux.c index c28a1930..41147ed0 100644 --- a/gstplugins_good/gst/avi/gstavidemux.c +++ b/gstplugins_good/gst/avi/gstavidemux.c @@ -5008,7 +5008,6 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) * ohos.opt.compat.0031 * CVE-2022-1921 */ - if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { GST_WARNING ("Width x stride overflows"); return buf; 
diff --git a/gstplugins_good/gst/matroska/matroska-read-common.c b/gstplugins_good/gst/matroska/matroska-read-common.c index 03be299e..1f14e1d8 100644 --- a/gstplugins_good/gst/matroska/matroska-read-common.c +++ b/gstplugins_good/gst/matroska/matroska-read-common.c @@ -88,10 +88,10 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, { guint8 *new_data = NULL; #ifdef OHOS_OPT_COMPAT -/* - * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 - */ + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ gsize new_size = 0; guint8 *data = *data_out; const gsize size = *size_out; @@ -103,10 +103,10 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, gboolean ret = TRUE; #ifdef OHOS_OPT_COMPAT -/* - * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 - */ + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ if (size > G_MAXUINT32) { GST_WARNING ("too large compressed data buffer."); ret = FALSE; @@ -344,6 +344,17 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, result = lzo1x_decode (new_data, &out_size, data, &orig_size); if (orig_size > 0) { +#ifdef OHOS_OPT_COMPAT + /* + * ohos.opt.compat.0031 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + */ + if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { + GST_WARNING ("too big decompressed data"); + result = LZO_ERROR; + break; + } +#endif new_size += 4096; new_data = g_realloc (new_data, new_size); } -- Gitee From 1da7007e2c8d3b234d81b47fe0e5ce5ec59b9aff Mon Sep 17 00:00:00 2001 From: sqwlly Date: Fri, 24 Jun 2022 11:15:39 +0800 Subject: [PATCH 4/5] =?UTF-8?q?=E8=A1=A5=E5=85=85=E6=BC=8F=E6=8E=89?= =?UTF-8?q?=E7=9A=84=E8=A1=A5=E4=B8=81=E5=9C=B0=E5=9D=80Signed-off-by:=20s?= =?UTF-8?q?30029175=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: sqwlly Change-Id: I8ba7632ccd4baa52f8dece546b55b93641c6063e --- gstplugins_good/gst/avi/gstavidemux.c | 6 ++-- gstplugins_good/gst/isomp4/qtdemux.c | 4 +-- gstplugins_good/gst/matroska/matroska-demux.c | 4 +-- .../gst/matroska/matroska-read-common.c | 28 +++++++++---------- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/gstplugins_good/gst/avi/gstavidemux.c b/gstplugins_good/gst/avi/gstavidemux.c index 41147ed0..f4fbf188 100644 --- a/gstplugins_good/gst/avi/gstavidemux.c +++ b/gstplugins_good/gst/avi/gstavidemux.c @@ -4969,7 +4969,7 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1921 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ guint y, w, h; guint bpp, stride; @@ -5006,7 +5006,7 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1921 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { GST_WARNING ("Width x stride overflows"); @@ -5027,7 +5027,7 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1921 + * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ if (map.size < ((guint64) stride * (guint64) h)) { #else diff --git a/gstplugins_good/gst/isomp4/qtdemux.c b/gstplugins_good/gst/isomp4/qtdemux.c index 89b4caa5..7e2c7899 100644 --- a/gstplugins_good/gst/isomp4/qtdemux.c +++ b/gstplugins_good/gst/isomp4/qtdemux.c 
@@ -7702,7 +7702,7 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-2122 + * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html */ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { GST_WARNING ("too big decompressed data"); @@ -7717,7 +7717,7 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-2122 + * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html */ z.avail_out += *length - z.total_out; #else diff --git a/gstplugins_good/gst/matroska/matroska-demux.c b/gstplugins_good/gst/matroska/matroska-demux.c index 810011df..8680afae 100644 --- a/gstplugins_good/gst/matroska/matroska-demux.c +++ b/gstplugins_good/gst/matroska/matroska-demux.c @@ -3751,7 +3751,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1920 + * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html */ guint32 block_samples, flags, crc; gsize blocksize; @@ -3800,7 +3800,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1920 + * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html */ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { GST_ERROR_OBJECT (element, "Too big wavpack buffer"); diff --git a/gstplugins_good/gst/matroska/matroska-read-common.c b/gstplugins_good/gst/matroska/matroska-read-common.c index 1f14e1d8..9c1c7b6e 100644 --- a/gstplugins_good/gst/matroska/matroska-read-common.c +++ b/gstplugins_good/gst/matroska/matroska-read-common.c 
@@ -73,7 +73,7 @@ typedef struct #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ /* 120MB as maximum decompressed data size. Anything bigger is likely * pathological, and like this we avoid out of memory situations in many cases @@ -90,7 +90,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ gsize new_size = 0; guint8 *data = *data_out; @@ -105,7 +105,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (size > G_MAXUINT32) { GST_WARNING ("too large compressed data buffer."); @@ -121,7 +121,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ int result; #else @@ -142,7 +142,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ zstream.avail_in = size; new_size = size; 
@@ -166,7 +166,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { GST_WARNING ("too big decompressed data"); @@ -181,7 +181,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ /* avail_out is an unsigned int */ g_assert (new_size - zstream.total_out <= G_MAXUINT); @@ -211,7 +211,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ int result; @@ -239,7 +239,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ bzstream.avail_in = size; new_size = size; @@ -263,7 +263,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { GST_WARNING ("too big decompressed data"); 
@@ -297,7 +297,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ new_size = ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; @@ -318,7 +318,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ gint orig_size, out_size; @@ -347,7 +347,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { GST_WARNING ("too big decompressed data"); @@ -376,7 +376,7 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef OHOS_OPT_COMPAT /* * ohos.opt.compat.0031 - * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 + * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (size > G_MAXSIZE - enc->comp_settings_length || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { -- Gitee From c895f6a686f76e2627fd6637bcdfb459f2633354 Mon Sep 17 00:00:00 2001 From: sqwlly Date: Fri, 24 Jun 2022 17:14:26 +0800 Subject: [PATCH 5/5] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=AE=8F=E4=B8=BAOHOS=5F?= =?UTF-8?q?OPT=5FCVESigned-off-by:=20s30029175=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: sqwlly Change-Id: Ibc42dc612e428b0fac4de13415c28858ceffc994 Signed-off-by: sqwlly --- gstplugins_good/gst/avi/gstavidemux.c | 12 ++-- gstplugins_good/gst/isomp4/qtdemux.c | 8 +-- gstplugins_good/gst/matroska/matroska-demux.c | 8 +-- .../gst/matroska/matroska-read-common.c | 56 +++++++++---------- 4 files changed, 42 insertions(+), 42 deletions(-) diff --git a/gstplugins_good/gst/avi/gstavidemux.c b/gstplugins_good/gst/avi/gstavidemux.c index f4fbf188..4e49044b 100644 --- a/gstplugins_good/gst/avi/gstavidemux.c +++ b/gstplugins_good/gst/avi/gstavidemux.c @@ -4966,9 +4966,9 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) static GstBuffer * gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) { -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ guint y, w, h; @@ -5003,9 +5003,9 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) h = stream->strf.vids->height; w = stream->strf.vids->width; bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { @@ -5024,9 +5024,9 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) buf = gst_buffer_make_writable (buf); gst_buffer_map (buf, &map, GST_MAP_READWRITE); -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1921 : https://gstreamer.freedesktop.org/security/sa-2022-0001.html */ if (map.size < ((guint64) stride * (guint64) h)) { diff --git a/gstplugins_good/gst/isomp4/qtdemux.c b/gstplugins_good/gst/isomp4/qtdemux.c index 7e2c7899..1b356925 100644 --- a/gstplugins_good/gst/isomp4/qtdemux.c +++ b/gstplugins_good/gst/isomp4/qtdemux.c 
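Review bot: Renaming the guard from OHOS_OPT_COMPAT to OHOS_OPT_CVE, here and in every later hunk of this patch, makes all of the CVE checks depend on a macro that nothing in this patch defines; the diffstat lists only the four C files. If the build still defines only OHOS_OPT_COMPAT, each `#ifdef OHOS_OPT_CVE` block compiles out and the pre-fix `#else` code kept by patch 1 (for example `if (map.size < (stride * h)) {`) is built with no diagnostic. Either land the build-flag change together with this patch or make a missing flag fail loudly, e.g. `#ifndef OHOS_OPT_CVE` / `#error "OHOS_OPT_CVE must be defined"` / `#endif` once per file. gst_avi_demux_invert continues outside these hunks.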
@@ -7699,9 +7699,9 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) break; } -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html */ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { @@ -7714,9 +7714,9 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) *length += 4096; buffer = (guint8 *) g_realloc (buffer, *length); z.next_out = (Bytef *) (buffer + z.total_out); -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-2122 : https://gstreamer.freedesktop.org/security/sa-2022-0003.html */ z.avail_out += *length - z.total_out; diff --git a/gstplugins_good/gst/matroska/matroska-demux.c b/gstplugins_good/gst/matroska/matroska-demux.c index 8680afae..5f9a63a8 100644 --- a/gstplugins_good/gst/matroska/matroska-demux.c +++ b/gstplugins_good/gst/matroska/matroska-demux.c @@ -3748,9 +3748,9 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, } else { guint8 *outdata = NULL; gsize buf_size, size; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html */ guint32 block_samples, flags, crc; @@ -3797,9 +3797,9 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, g_object_unref (adapter); return GST_FLOW_ERROR; } -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1920 : https://gstreamer.freedesktop.org/security/sa-2022-0004.html */ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) { diff --git a/gstplugins_good/gst/matroska/matroska-read-common.c b/gstplugins_good/gst/matroska/matroska-read-common.c index 9c1c7b6e..623bfb1e 100644 --- a/gstplugins_good/gst/matroska/matroska-read-common.c +++ b/gstplugins_good/gst/matroska/matroska-read-common.c 
@@ -70,9 +70,9 @@ typedef struct gboolean audio_only; } TargetTypeContext; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ /* 120MB as maximum decompressed data size. Anything bigger is likely @@ -87,9 +87,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, GstMatroskaTrackCompressionAlgorithm algo) { guint8 *new_data = NULL; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ gsize new_size = 0; @@ -102,9 +102,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #endif gboolean ret = TRUE; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (size > G_MAXUINT32) { @@ -118,9 +118,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef HAVE_ZLIB /* zlib encoded data */ z_stream zstream; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ int result; @@ -139,9 +139,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, goto out; } zstream.next_in = (Bytef *) data; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ zstream.avail_in = size; 
@@ -163,9 +163,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { @@ -178,9 +178,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, new_size += 4096; new_data = g_realloc (new_data, new_size); zstream.next_out = (Bytef *) (new_data + zstream.total_out); -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ /* avail_out is an unsigned int */ @@ -208,9 +208,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, #ifdef HAVE_BZ2 /* bzip2 encoded data */ bz_stream bzstream; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ int result; @@ -236,9 +236,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } bzstream.next_in = (char *) data; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ bzstream.avail_in = size; @@ -260,9 +260,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, break; } -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { 
@@ -294,9 +294,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, ret = FALSE; g_free (new_data); } else { -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ new_size = @@ -315,9 +315,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { /* lzo encoded data */ int result; -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ gint orig_size, out_size; @@ -344,9 +344,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, result = lzo1x_decode (new_data, &out_size, data, &orig_size); if (orig_size > 0) { -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { @@ -373,9 +373,9 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { /* header stripped encoded data */ if (enc->comp_settings_length > 0) { -#ifdef OHOS_OPT_COMPAT +#ifdef OHOS_OPT_CVE /* - * ohos.opt.compat.0031 + * ohos.opt.cve.0001 * CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 : https://gstreamer.freedesktop.org/security/sa-2022-0002.html */ if (size > G_MAXSIZE - enc->comp_settings_length -- Gitee