vmncdec: Sanity-check width/height before using it
- h264parse: Ensure codec_data has the required size when reading number of SPS (#1401945)
parent
d930d1b842
commit
fdf0595fe2
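--- a/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
+++ b/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
@@ -0,0 +1,50 @@
+From 26f4b2c203d6d0ef0c8204a48dba504870c2cfdf Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Tue, 6 Dec 2016 10:24:03 +0100
+Subject: [PATCH 1/2] vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+---
+gst/vmnc/vmncdec.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index 08085b5..c83e315 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+
+if (dec->imagedata)
+g_free (dec->imagedata);
+- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+dec->format.bytes_per_pixel);
+GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+
+@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+return ERROR_INVALID;
+}
++ } else if (r.width > 16384 || r.height > 16384) {
++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++ r.height);
++ return ERROR_INVALID;
+}
+
+switch (r.type) {
+--
+2.9.3
+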
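Review bot: The `g_malloc0` call in the first vmncdec.c hunk still aborts the process when the allocation fails and still computes `dec->format.width * dec->format.height * dec->format.bytes_per_pixel` in whatever integer type those fields have (not visible here), so the new 16384x16384 cap leaves a stream able to request a very large buffer. I would do the arithmetic in `gsize` and allocate with `g_try_malloc0 ((gsize) dec->format.width * dec->format.height * dec->format.bytes_per_pixel)`, returning an error when the result is NULL. The literal 16384 in the second hunk deserves a named constant with a comment such as `/* upper bound for the width * height * bytes_per_pixel allocation */`. The new `else if` pairs with an `if` whose condition lies outside the hunk, so which rectangle types the limit covers cannot be confirmed from here; both functions continue outside the hunks.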
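--- a/0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
+++ b/0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
@@ -0,0 +1,28 @@
+From 3003cbe1624cc6daa416caba9c1dce0180f3837c Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 7 Dec 2016 09:37:10 +0100
+Subject: [PATCH 2/2] h264parse: Ensure codec_data has the required size when
+reading number of SPS
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+gst/videoparsers/gsth264parse.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
+index cf81657..4c14f2b 100644
+--- a/gst/videoparsers/gsth264parse.c
++++ b/gst/videoparsers/gsth264parse.c
+@@ -1605,6 +1605,9 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+off = nalu.offset + nalu.size;
+}
+
++ if (off >= size) {
++ goto avcc_too_small;
++ }
+num_pps = data[off];
+off++;
+
+--
+2.9.3
+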
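Review bot: The added guard protects the read `num_pps = data[off]`, while the subject line speaks of the number of SPS, so a comment at the check would remove the ambiguity, for example `/* the preceding loop may have consumed all of codec_data; the PPS count byte must still be present */`. The check covers only this single byte; the per-entry parsing that follows is outside the hunk, so whether every later read of `data` is bounded by `size` cannot be confirmed from here. The `avcc_too_small` label and the rest of gst_h264_parse_set_caps also lie outside the hunk.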
@ -14,7 +14,7 @@
|
|||||||
Summary: GStreamer streaming media framework "bad" plug-ins
|
Summary: GStreamer streaming media framework "bad" plug-ins
|
||||||
Name: gstreamer-plugins-bad-free
|
Name: gstreamer-plugins-bad-free
|
||||||
Version: 0.10.23
|
Version: 0.10.23
|
||||||
Release: 33%{?dist}
|
Release: 34%{?dist}
|
||||||
# The freeze and nfs plugins are LGPLv2 (only)
|
# The freeze and nfs plugins are LGPLv2 (only)
|
||||||
License: LGPLv2+ and LGPLv2
|
License: LGPLv2+ and LGPLv2
|
||||||
Group: Applications/Multimedia
|
Group: Applications/Multimedia
|
||||||
@ -39,6 +39,8 @@ Patch8: 0001-modplug-Specify-directory-when-including-stdafx.h.patch
|
|||||||
# No longer needed, actually break build if we have them now.
|
# No longer needed, actually break build if we have them now.
|
||||||
Patch9: gst-plugins-bad-0.10.23-drop-vpx-compat-defines.patch
|
Patch9: gst-plugins-bad-0.10.23-drop-vpx-compat-defines.patch
|
||||||
Patch10: put-api-version-in-html-book-name.patch
|
Patch10: put-api-version-in-html-book-name.patch
|
||||||
|
Patch11: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch
|
||||||
|
Patch12: 0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
|
||||||
|
|
||||||
Requires: %{gstreamer} >= %{gst_minver}
|
Requires: %{gstreamer} >= %{gst_minver}
|
||||||
BuildRequires: %{gstreamer}-devel >= %{gst_minver}
|
BuildRequires: %{gstreamer}-devel >= %{gst_minver}
|
||||||
@ -173,6 +175,8 @@ aren't tested well enough, or the code is not of good enough quality.
|
|||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure
|
sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure
|
||||||
|
|
||||||
|
|
||||||
@ -367,6 +371,11 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 07 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-34
|
||||||
|
- vmncdec: Sanity-check width/height before using it
|
||||||
|
- h264parse: Ensure codec_data has the required size when reading number of SPS
|
||||||
|
(#1401945)
|
||||||
|
|
||||||
* Wed Nov 30 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-33
|
* Wed Nov 30 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-33
|
||||||
- Remove insecure nsf plugin (#1395126)
|
- Remove insecure nsf plugin (#1395126)
|
||||||
- Put api version in doc modules to fix doc build
|
- Put api version in doc modules to fix doc build
|
||||||
|