tag: id3v2: fix frame size check and potential invalid reads

Check the right variable when checking if there's
enough data left to read the frame size. (CVE-2021-3522)

Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1065>

Change-Id: I4d054060dcac65b49832d629337a06d038f32386

diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
index 8e9f782..f39659b 100644 (file)
--- a/gst-libs/gst/tag/id3v2frames.c
+++ b/gst-libs/gst/tag/id3v2frames.c
@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
 
   if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
           ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
-    if (work->hdr.frame_data_size <= 4)
+    if (frame_data_size <= 4)
       return FALSE;
     if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
       work->parse_size = GST_READ_UINT32_BE (frame_data);

diff --git a/packaging/gst-plugins-base.spec b/packaging/gst-plugins-base.spec
index 45d2a4c..bcb7cce 100644 (file)
--- a/packaging/gst-plugins-base.spec
+++ b/packaging/gst-plugins-base.spec
@@ -5,7 +5,7 @@
 
 Name:           gst-plugins-base
 Version:        1.16.2
-Release:        19
+Release:        20
 License:        LGPL-2.0+
 Summary:        GStreamer Streaming-Media Framework Plug-Ins
 Url:            http://gstreamer.freedesktop.org/