search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
librewolf: update to 134.0-1
[oi-userland.git] / components / multimedia / gst-plugins-good / patches / 10-CVE-2016-10199.patch
blobff1441642ca88186b4569e4584e74f11ee5dfd05
1 Backport of:
2
3 From d0949baf3dadea6021d54abef6802fed5a06af75 Mon Sep 17 00:00:00 2001
4 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
5 Date: Thu, 1 Dec 2016 13:32:22 +0200
6 Subject: [PATCH] qtdemux: Fix out of bounds read in tag parsing code
7
8 We can't simply assume that the length of the tag value as given
9 inside the stream is correct but should also check against the amount of
10 data we have actually available.
11
12 https://bugzilla.gnome.org/show_bug.cgi?id=775451
13 ---
14 gst/isomp4/qtdemux.c | 4 ++--
15 1 file changed, 2 insertions(+), 2 deletions(-)
16
17 Index: gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c
18 ===================================================================
19 --- gst-plugins-good0.10-0.10.31.orig/gst/isomp4/qtdemux.c 2017-03-23 10:53:50.101755883 -0400
20 +++ gst-plugins-good0.10-0.10.31/gst/isomp4/qtdemux.c 2017-03-23 10:53:50.093755784 -0400
21 @@ -7916,7 +7916,7 @@
22 } else {
23 len = QT_UINT32 (node->data);
24 type = QT_UINT32 ((guint8 *) node->data + 4);
25 - if ((type >> 24) == 0xa9) {
26 + if ((type >> 24) == 0xa9 && len > 8 + 4) {
27 /* Type starts with the (C) symbol, so the next 32 bits are
28 * the language code, which we ignore */
29 offset = 12;