| Description: Fix buffer overflow in mp4 parsing |
| Author: Ralph Giles <giles@mozilla.com> |
| --- |
| Backport patch from debian to fix CVE-2015-0797. |
| https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch |
| |
| Upstream-Status: Backport |
| |
| Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| --- |
| --- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c |
| +++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c |
| @@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse * |
| |
| GST_DEBUG_OBJECT (h264parse, "nal length %d", size); |
| |
| + if (size > G_MAXUINT32 - nl) { |
| + GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL), |
| + ("overflow in nal size")); |
| + return NULL; |
| + } |
| buf = gst_buffer_new_and_alloc (size + nl + 4); |
| if (format == GST_H264_PARSE_FORMAT_AVC) { |
| GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl)); |
| @@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse |
| GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size); |
| return; |
| } |
| + if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) { |
| + GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)", |
| + nalu->size); |
| + return; |
| + } |
| |
| /* we have a peek as well */ |
| nal_type = nalu->type; |