From 1f9bbfb926a2aa7e3089c714a9cc27613fa348af Mon Sep 17 00:00:00 2001 From: Maintainers of GStreamer packages Date: Fri, 27 Oct 2023 22:55:02 +0200 Subject: [PATCH] CVE-2023-40475 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit commit 1edd1c38dcc5d27e7c5649d999ee8278872a16d4 Author: Sebastian Dröge Date: Thu Aug 10 15:47:03 2023 +0300 mxfdemux: Check number of channels for AES3 audio Only up to 8 channels are allowed and using a higher number would cause integer overflows when copying the data, and lead to out of bound writes. Also check that each buffer is at least 4 bytes long to avoid another overflow. Fixes ZDI-CAN-21661, CVE-2023-40475 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897 Part-of: Gbp-Pq: Name CVE-2023-40475.patch --- gst/mxf/mxfd10.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c index 21401cf..99c197a 100644 --- a/gst/mxf/mxfd10.c +++ b/gst/mxf/mxfd10.c @@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer, gst_buffer_map (buffer, &map, GST_MAP_READ); /* Now transform raw AES3 into raw audio, see SMPTE 331M */ - if ((map.size - 4) % 32 != 0) { + if (map.size < 4 || (map.size - 4) % 32 != 0) { gst_buffer_unmap (buffer, &map); GST_ERROR ("Invalid D10 sound essence buffer size"); return GST_FLOW_ERROR; @@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, GstAudioFormat audio_format; if (s->channel_count == 0 || + s->channel_count > 8 || s->quantization_bits == 0 || s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) { GST_ERROR ("Invalid descriptor"); -- 2.30.2