Projects
Mega:24.03:SP1:Everything
gstreamer1-plugins-bad-free
_service:tar_scm:CVE-2023-37329.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2023-37329.patch of Package gstreamer1-plugins-bad-free
From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> Date: Tue, 13 Jun 2023 14:23:47 +0300 Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the available data If the size read from the stream is smaller than the currently available data then the size is bogus and the data should simply be discarded. Fixes ZDI-CAN-20994 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896> --- gst/dvdspu/gstspu-pgs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c index e609a284df9..e29f4f18826 100644 --- a/gst/dvdspu/gstspu-pgs.c +++ b/gst/dvdspu/gstspu-pgs.c @@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, obj->rle_data_size = GST_READ_UINT24_BE (payload); payload += 3; + if (end - payload > obj->rle_data_size) + return 0; + PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n", (int) (end - payload), obj->rle_data_size); -- GitLab From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> Date: Tue, 13 Jun 2023 14:25:04 +0300 Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough data is available Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896> --- subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c index e29f4f18826..49db6d13d8b 100644 --- a/gst/dvdspu/gstspu-pgs.c +++ b/gst/dvdspu/gstspu-pgs.c @@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload)); /* Check that the data chunk is for this object version, and fits in the buffer */ if (obj->rle_data_ver == obj_ver && - obj->rle_data_used + end - payload <= obj->rle_data_size) { + end - payload <= obj->rle_data_size && + obj->rle_data_used <= obj->rle_data_size - (end - payload)) { memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload); obj->rle_data_used += end - payload; -- GitLab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2