summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2021-04-24 14:47:54 -0400
committerLeo Famulari <leo@famulari.name>2021-04-27 01:58:56 -0400
commit32db6f504473c118e875f54c6a08b9c6884a3123 (patch)
tree79e372b636d7925da96c0bf3fb2138f8363d8014 /gnu
parent5a918564e17b5549ee58dc626e7b6709d4ac9aab (diff)
downloadguix-32db6f504473c118e875f54c6a08b9c6884a3123.tar.gz
gnu: gst-plugins-ugly: Fix some out-of-bounds reads.
* gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-ugly)[source]: Use it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/gstreamer.scm1
-rw-r--r--gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch119
3 files changed, 121 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 18ebbcd0ce..6e4a06cc34 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1175,6 +1175,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
+  %D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch	\
   %D%/packages/patches/guile-1.8-cpp-4.5.patch			\
   %D%/packages/patches/guile-2.2-skip-oom-test.patch            \
   %D%/packages/patches/guile-2.2-skip-so-test.patch             \
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 7d9c5c993f..9e70961655 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -793,6 +793,7 @@ par compared to the rest.")
        (uri
         (string-append "https://gstreamer.freedesktop.org/src/"
                        name "/" name "-" version ".tar.xz"))
+       (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch"))
        (sha256
         (base32 "1nwbcv5yaib3d8icvyja3zf6lyjf5zf1hndbijrhj8j7xlia0dx3"))))
     (build-system meson-build-system)
diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
new file mode 100644
index 0000000000..3c6a96f45d
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
@@ -0,0 +1,119 @@
+Fix out of bounds reads when parsing audio and video packets:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
+From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:05:14 +0200
+Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
+ audio/video packets
+
+Otherwise there will be out-of-bounds reads and potential crashes.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
+---
+ gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
+index 6cc659a1..68b0736b 100644
+--- a/gst/realmedia/rmdemux.c
++++ b/gst/realmedia/rmdemux.c
+@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ 
+   gst_buffer_map (in, &map, GST_MAP_READ);
+ 
++  if (map.size < offset)
++    goto not_enough_data;
++
+   data = map.data + offset;
+   size = map.size - offset;
+ 
+@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+     }
+     GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+ 
++    if (map.size < (data - map.data) + fragment_size)
++      goto not_enough_data;
++
+     /* get the fragment */
+     fragment =
+         gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
+@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+   GstFlowReturn ret;
+   GstBuffer *buffer;
+ 
++  if (gst_buffer_get_size (in) < offset)
++    goto not_enough_data;
++
+   buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
+ 
+   if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
+@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+     ret = gst_pad_push (stream->pad, buffer);
+   }
+ 
++done:
+   gst_buffer_unref (in);
+ 
+   return ret;
++
++  /* ERRORS */
++not_enough_data:
++  {
++    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++        (NULL));
++    ret = GST_FLOW_OK;
++    goto done;
++  }
+ }
+ 
+ static GstFlowReturn
+@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+   data = map.data;
+   size = map.size;
+ 
++  if (size < 4 + 6 + 1 + 2)
++    goto not_enough_data;
++
+   /* stream number */
+   id = RMDEMUX_GUINT16_GET (data);
+ 
+@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+ 
+   /* version 1 has an extra byte */
+   if (version == 1) {
++    if (size < 1)
++      goto not_enough_data;
++
+     data += 1;
+     size -= 1;
+   }
+@@ -2596,6 +2621,16 @@ unknown_stream:
+     gst_buffer_unref (in);
+     return GST_FLOW_OK;
+   }
++
++  /* ERRORS */
++not_enough_data:
++  {
++    GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++        (NULL));
++    gst_buffer_unmap (in, &map);
++    gst_buffer_unref (in);
++    return GST_FLOW_OK;
++  }
+ }
+ 
+ gboolean
+-- 
+2.31.1
+