From 0e04088e4811c8bf0094a77be149383184557bf7 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Wed, 7 Dec 2016 11:21:03 +0100
Subject: [PATCH] vmncdec: Sanity-check width/height before using it

- h264parse: Ensure codec_data has the required size when reading number of SPS
  (#1401945)
---
 ...y-check-width-height-before-using-it.patch | 50 +++++++++++++++++++
 ...-codec_data-has-the-required-size-wh.patch | 28 +++++++++++
 gstreamer-plugins-bad-free.spec               |  9 +++-
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 0001-vmncdec-Sanity-check-width-height-before-using-it.patch
 create mode 100644 0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch

diff --git a/0001-vmncdec-Sanity-check-width-height-before-using-it.patch b/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
new file mode 100644
index 0000000..c7e2f32
--- /dev/null
+++ b/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
@@ -0,0 +1,50 @@
+From 26f4b2c203d6d0ef0c8204a48dba504870c2cfdf Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Tue, 6 Dec 2016 10:24:03 +0100
+Subject: [PATCH 1/2] vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+---
+ gst/vmnc/vmncdec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index 08085b5..c83e315 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+ 
+   if (dec->imagedata)
+     g_free (dec->imagedata);
+-  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+       dec->format.bytes_per_pixel);
+   GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+ 
+@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+             return ERROR_INVALID;
+           }
++        } else if (r.width > 16384 || r.height > 16384) {
++          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++              r.height);
++          return ERROR_INVALID;
+         }
+ 
+         switch (r.type) {
+-- 
+2.9.3
+
diff --git a/0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch b/0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
new file mode 100644
index 0000000..1028b01
--- /dev/null
+++ b/0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
@@ -0,0 +1,28 @@
+From 3003cbe1624cc6daa416caba9c1dce0180f3837c Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 7 Dec 2016 09:37:10 +0100
+Subject: [PATCH 2/2] h264parse: Ensure codec_data has the required size when
+ reading number of SPS
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth264parse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
+index cf81657..4c14f2b 100644
+--- a/gst/videoparsers/gsth264parse.c
++++ b/gst/videoparsers/gsth264parse.c
+@@ -1605,6 +1605,9 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+       off = nalu.offset + nalu.size;
+     }
+ 
++    if (off >= size) {
++      goto avcc_too_small;
++    }
+     num_pps = data[off];
+     off++;
+ 
+-- 
+2.9.3
+
diff --git a/gstreamer-plugins-bad-free.spec b/gstreamer-plugins-bad-free.spec
index 555836b..94408e6 100644
--- a/gstreamer-plugins-bad-free.spec
+++ b/gstreamer-plugins-bad-free.spec
@@ -14,7 +14,7 @@
 Summary: GStreamer streaming media framework "bad" plug-ins
 Name: gstreamer-plugins-bad-free
 Version: 0.10.23
-Release: 37%{?dist}
+Release: 38%{?dist}
 # The freeze and nfs plugins are LGPLv2 (only)
 License: LGPLv2+ and LGPLv2
 Group: Applications/Multimedia
@@ -42,6 +42,8 @@ Patch9: gst-plugins-bad-0.10.23-drop-vpx-compat-defines.patch
 Patch10: gst-plugins-bad-0.10.23-docbuild.patch
 # Fix for libtimidity-0.2.x
 Patch11: gst-plugins-bad-0.10.23-timidity2.diff
+Patch12: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch
+Patch13: 0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
 
 Requires: %{gstreamer} >= %{gst_minver}
 BuildRequires: %{gstreamer}-devel >= %{gst_minver}
@@ -360,6 +362,11 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 
 
 %changelog
+* Wed Dec 07 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-38
+- vmncdec: Sanity-check width/height before using it
+- h264parse: Ensure codec_data has the required size when reading number of SPS
+  (#1401945)
+
 * Sat Dec 03 2016 Rex Dieter <rdieter@fedoraproject.org> - 0.10.23-37
 - rebuild (jasper)