qtdemux: Make sure there are enough offsets to read when parsing samples

While this specific case is also caught when initializing co_chunk, the error
is ignored in various places and calling into the function would lead to out of
bounds reads if the error message doesn't cause the pipeline to be shut down
fast enough.

To avoid this, no matter what, make sure enough offsets are available when
parsing them. While this is potentially slower, the same is already done in the
non-chunks_are_samples case.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-245
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>

diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index 187f9aa3b2693c7d51b26851e7a7b467ab83b736..a7a774a04f5ac4922c559e70c6e191c00bcee25b 100644 (file)
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -10628,9 +10628,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n)
           goto done;
         }
 
-        cur->offset =
-            qt_atom_parser_get_offset_unchecked (&stream->co_chunk,
-            stream->co_size);
+        if (!qt_atom_parser_get_offset (&stream->co_chunk,
+                stream->co_size, &cur->offset))
+          goto corrupt_file;
 
         GST_LOG_OBJECT (qtdemux, "Created entry %d with offset "
             "%" G_GUINT64_FORMAT, j, cur->offset);