components/encumbered/gst-plugins-bad/patches/buffer-overflow-vmncdec.patch

   1 vmncdec: Sanity-check width/height before using it
   2
   3 We will allocate a screen area of width*height*bpp bytes, however this
   4 calculation can easily overflow if too high width or height are given
   5 inside the stream. Nonetheless we would just assume that enough memory
   6 was allocated, try to fill it and overwrite as much memory as wanted.
   7
   8 Also allocate the screen area filled with zeroes to ensure that we start
   9 with full-black and not any random (or not so random) data.
  10
  11 https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
  12
  13 Ideally we should just remove this plugin in favour of the one in
  14 gst-libav, which generally seems to be of better code quality.
  15
  16 https://bugzilla.gnome.org/show_bug.cgi?id=774533
  17
  18 --- gst-plugins-bad-0.10.23/gst/vmnc/vmncdec.c.1        2016-11-23 14:57:36.448172925 +0300
  19 +++ gst-plugins-bad-0.10.23/gst/vmnc/vmncdec.c  2016-11-23 14:59:22.942244683 +0300
  20 @@ -370,7 +370,7 @@
  21
  22    if (dec->imagedata)
  23      g_free (dec->imagedata);
  24 -  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
  25 +  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
  26        dec->format.bytes_per_pixel);
  27    GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
  28
  29 @@ -901,7 +901,11 @@
  30              GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
  31              return ERROR_INVALID;
  32            }
  33 -        }
  34 +        } else if (r.width > 16384 || r.height > 16384) {
  35 +          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
  36 +            r.height);
  37 +          return ERROR_INVALID;
  38 +        }
  39
  40          switch (r.type) {
  41            case TYPE_WMVd: