CVE-2023-40475

commit 1edd1c38dcc5d27e7c5649d999ee8278872a16d4
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Aug 10 15:47:03 2023 +0300

    mxfdemux: Check number of channels for AES3 audio

    Only up to 8 channels are allowed and using a higher number would cause
    integer overflows when copying the data, and lead to out of bound
    writes.

    Also check that each buffer is at least 4 bytes long to avoid another
    overflow.

    Fixes ZDI-CAN-21661, CVE-2023-40475

    Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897

    Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5365>

Gbp-Pq: Name CVE-2023-40475.patch

diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 21401cf52541913e764b8c38f12d2cf2ebb48883..99c197ab9e4ca6ba5b6f7a9557e2adcc4a76a620 100644 (file)
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
   gst_buffer_map (buffer, &map, GST_MAP_READ);
 
   /* Now transform raw AES3 into raw audio, see SMPTE 331M */
-  if ((map.size - 4) % 32 != 0) {
+  if (map.size < 4 || (map.size - 4) % 32 != 0) {
     gst_buffer_unmap (buffer, &map);
     GST_ERROR ("Invalid D10 sound essence buffer size");
     return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
     GstAudioFormat audio_format;
 
     if (s->channel_count == 0 ||
+        s->channel_count > 8 ||
         s->quantization_bits == 0 ||
         s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
       GST_ERROR ("Invalid descriptor");