riff: error out on nonsensical chunk sizes instead of aborting

When encountering a nonsensical chunk size such as (guint)-1, error out cleanly instead of
continuing and trying to g_memdup() 4GB of data that doesn't exist, which will either abort
in g_malloc() or crash.

Fixes #553295, crash with fuzzed AVI file.

diff --git a/gst-libs/gst/riff/riff-read.c b/gst-libs/gst/riff/riff-read.c
index b39ba2c..fe0aa74 100644 (file)
--- a/gst-libs/gst/riff/riff-read.c
+++ b/gst-libs/gst/riff/riff-read.c
@@ -153,6 +153,10 @@ gst_riff_parse_chunk (GstElement * element, GstBuffer * buf,
   GST_DEBUG_OBJECT (element, "fourcc=%" GST_FOURCC_FORMAT ", size=%u",
       GST_FOURCC_ARGS (fourcc), size);
 
+  /* be paranoid: size may be nonsensical value here, such as (guint) -1 */
+  if (G_UNLIKELY (size > G_MAXINT))
+    goto bogus_size;
+
   if (bufsize < size + 8 + offset) {
     GST_DEBUG_OBJECT (element,
         "Needed chunk data (%d) is more than available (%d), shortcutting",
@@ -183,6 +187,11 @@ too_small:
         offset, bufsize, 8);
     return FALSE;
   }
+bogus_size:
+  {
+    GST_ERROR_OBJECT (element, "Broken file: bogus chunk size %u", size);
+    return FALSE;
+  }
 }
 
 /**