From c294e8f556ca555a6333636c8b96910ceafe18b4 Mon Sep 17 00:00:00 2001
From: caihongzhi
Date: Tue, 7 Nov 2023 15:45:56 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2023-40474=E3=80=8140475=E3=80=8140476?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: caihongzhi
---
 .../gst-libs/gst/codecparsers/gsth265parser.c | 2 +
 gstplugins_bad/gst/mxf/mxfd10.c | 3 +-
 gstplugins_bad/gst/mxf/mxfup.c | 51 ++++++++++++++++---
 3 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/gstplugins_bad/gst-libs/gst/codecparsers/gsth265parser.c b/gstplugins_bad/gst-libs/gst/codecparsers/gsth265parser.c
index 74fc25c0..bda2acea 100644
--- a/gstplugins_bad/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gstplugins_bad/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
 READ_UINT8 (&nr, vps->max_layers_minus1, 6);
 READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
 READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
 /* skip reserved_0xffff_16bits */
@@ -1848,6 +1849,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
 sps->vps = vps;
 READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
 READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
 if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
diff --git a/gstplugins_bad/gst/mxf/mxfd10.c b/gstplugins_bad/gst/mxf/mxfd10.c
index 66c07137..060d5a02 100644
--- a/gstplugins_bad/gst/mxf/mxfd10.c
+++ b/gstplugins_bad/gst/mxf/mxfd10.c
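Review bot: The bound in `CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);` is a bare magic number with nothing saying why 6 is the limit or what breaks above it, and the same applies to the sps hunk at +1849. Suggest a comment on each new line along the lines of `/* 0..6 per H.265; the per-sub-layer arrays filled later are presumably sized for that range */`, with the "presumably" resolved against the array declarations, which are outside the hunk. CHECK_ALLOWED appears to transfer control to each function's error path on failure; confirm that path is reachable from both gst_h265_parse_vps and gst_h265_parse_sps, since neither label is in view. Both enclosing functions start and end outside their hunks.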
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
 gst_buffer_map (buffer, &map, GST_MAP_READ);
 /* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
 gst_buffer_unmap (buffer, &map);
 GST_ERROR ("Invalid D10 sound essence buffer size");
 return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
 GstAudioFormat audio_format;
 if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
 s->quantization_bits == 0 ||
 s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
 GST_ERROR ("Invalid descriptor");
diff --git a/gstplugins_bad/gst/mxf/mxfup.c b/gstplugins_bad/gst/mxf/mxfup.c
index d8b6664d..57506f2a 100644
--- a/gstplugins_bad/gst/mxf/mxfup.c
+++ b/gstplugins_bad/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
 gpointer mapping_data, GstBuffer ** outbuf)
 {
 MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
 /* SMPTE 384M 7.1 */
 if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
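Review bot: `if (map.size < 4 || (map.size - 4) % 32 != 0) {` closes the unsigned underflow but still admits a buffer of exactly 4 bytes, i.e. zero 32-byte blocks; whether the conversion that follows (outside the hunk) copes with an empty payload is not visible here, and if it does not, `map.size <= 4` is the stricter guard. The two constants also deserve a word next to the check, e.g. `/* 4-byte prefix followed by whole 32-byte AES3 blocks, see SMPTE 331M */`, with the wording confirmed against the standard the existing comment already cites. mxf_d10_sound_handle_essence_element continues outside the hunk on both sides.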
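Review bot: `s->channel_count > 8 ||` introduces an undocumented limit; the 8 looks like it corresponds to the 32-byte AES3 block handled in mxf_d10_sound_handle_essence_element (presumably 4 bytes per channel sample), but nothing in the descriptor check says so. Suggest `/* one 32-byte AES3 block carries at most 8 channel samples */` on the new line, or a named constant shared with the essence handler so the two checks cannot drift apart. mxf_d10_create_caps continues outside the hunk.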
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
 }
 }
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
 GST_ERROR ("Invalid buffer size");
 gst_buffer_unref (buffer);
 return GST_FLOW_ERROR;
 }
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
 guint y;
 GstBuffer *ret;
 GstMapInfo inmap, outmap;
 guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
 gst_buffer_map (buffer, &inmap, GST_MAP_READ);
 gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
 indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
 for (y = 0; y < data->height; y++) {
 memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
 }
 gst_buffer_unmap (buffer, &inmap);
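Review bot: `ret = gst_buffer_new_and_alloc (out_size);` still takes the allocation result on trust; out_size is now bounded only by the gsize overflow check done when the descriptor was parsed, so a large but non-overflowing frame can make the allocation fail and return NULL, and the `gst_buffer_map (ret, &outmap, GST_MAP_WRITE)` that follows would presumably fail and leave outmap.data unset before the memcpy loop. Add `if (!ret) { gst_buffer_unref (buffer); return GST_FLOW_ERROR; }` directly after the allocation. The new `// Checked for overflows when parsing the descriptor` comment uses C++ style where the surrounding file uses `/* */` (see `/* SMPTE 384M 7.1 */` a few lines up), and it should name the place the check lives: `/* Overflow-checked in mxf_up_create_caps */`. mxf_up_handle_essence_element starts and ends outside the hunk.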
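Review bot: The copy length on the context line `memcpy (outdata, indata, data->width * data->bpp);` is still spelled out as a product while both pointer advances now use the precomputed strides, so the length and the input stride are two expressions that must be kept equal by hand. Use the same variable: `memcpy (outdata, indata, expected_in_stride);`. The loop's enclosing function continues outside the hunk.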
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
 return NULL;
 }
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
 return caps;
 }
--
Gitee
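Review bot: The two rejection paths in the new `if (caps)` block differ for no visible reason: the start/end offset check logs with `GST_WARNING` while the size check logs with `GST_ERROR`, although both free the mapping data and return NULL; pick one level for both. The assignment buried in the condition is hard to read as an overflow test — hoist `out_stride = GST_ROUND_UP_4 (expected_in_stride);` above the `if` and use `out_stride < expected_in_stride ||` as the second operand, which is equivalent since every failing operand returns. The four checked products are then discarded, so mxf_up_handle_essence_element recomputes them on the strength of a comment; storing them in MXFUPMappingData would keep the check and its use together, though that struct is outside the hunk. `MXFUPMappingData *data = *mapping_data;` also assumes *mapping_data is non-NULL whenever caps is non-NULL — confirm against the earlier part of mxf_up_create_caps, which is not in view.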