wavparse: Check size before reading ds64 chunk

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-261
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>

diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
index 2499416a76dbebc9608e9a20d23a04f693d5a3eb..f2fa1e45c578bf19ba9c60a6583ce658973ffc64 100644 (file)
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
   guint32 sampleCountLow, sampleCountHigh;
 
   gst_buffer_map (buf, &map, GST_MAP_READ);
+  if (map.size < 6 * 4) {
+    GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
+        map.size);
+    return FALSE;
+  }
   dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
   dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
   sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);