37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
|
Description: Fix buffer overflow in mp4 parsing
|
||
|
|
Author: Ralph Giles <giles@mozilla.com>
|
||
|
|
---
|
||
|
|
Backport patch from debian to fix CVE-2015-0797.
|
||
|
|
https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch
|
||
|
|
|
||
|
|
Upstream-Status: Backport
|
||
|
|
|
||
|
|
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
||
|
|
---
|
||
|
|
--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c
|
||
|
|
+++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c
|
||
|
|
@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse *
|
||
|
|
|
||
|
|
GST_DEBUG_OBJECT (h264parse, "nal length %d", size);
|
||
|
|
|
||
|
|
+ if (size > G_MAXUINT32 - nl) {
|
||
|
|
+ GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL),
|
||
|
|
+ ("overflow in nal size"));
|
||
|
|
+ return NULL;
|
||
|
|
+ }
|
||
|
|
buf = gst_buffer_new_and_alloc (size + nl + 4);
|
||
|
|
if (format == GST_H264_PARSE_FORMAT_AVC) {
|
||
|
|
GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl));
|
||
|
|
@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse
|
||
|
|
GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size);
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
+ if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) {
|
||
|
|
+ GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)",
|
||
|
|
+ nalu->size);
|
||
|
|
+ return;
|
||
|
|
+ }
|
||
|
|
|
||
|
|
/* we have a peek as well */
|
||
|
|
nal_type = nalu->type;
|