matroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header... 87/294487/1
author Sebastian Dröge <sebastian@centricular.com>
Wed, 18 May 2022 07:23:15 +0000 (10:23 +0300)
committer Eunhye Choi <eunhae1.choi@samsung.com>
Tue, 20 Jun 2023 06:24:28 +0000 (15:24 +0900)
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later, which then causes out-of-bounds writes and can
potentially lead to anything from crashes to remote code execution.

Thanks to Adam Doupe for analyzing and reporting the issue.

CVE: CVE-2022-1920

https://gstreamer.freedesktop.org/security/sa-2022-0004.html

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226

Change-Id: I3a219aec1695d5e369548d7422f7f837e8824b41
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>

subprojects/gst-plugins-good/gst/matroska/matroska-demux.c

index 83fb9f06b98d73931fac7e6a0bb5f68fa96dbf7c..fd60be9edb0e4bbeee6cf40823555d5e99c3b927 100644 (file)
@@ -3932,7 +3932,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
   } else {
     guint8 *outdata = NULL;
     gsize buf_size, size;
-    guint32 block_samples, flags, crc, blocksize;
+    guint32 block_samples, flags, crc;
+    gsize blocksize;
     GstAdapter *adapter;
 
     adapter = gst_adapter_new ();
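Review bot: the widening of blocksize from guint32 to gsize is the part of this hunk that actually changes arithmetic, since it makes the later blocksize + WAVPACK4_HEADER_SIZE sum evaluate at gsize width instead of wrapping in 32 bits before it reaches the allocator; a one-line comment on the declaration saying that blocksize is kept wider than the 32-bit on-wire field on purpose would stop a future cleanup from narrowing it back to guint32 and silently reintroducing the wrap.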
@@ -3973,6 +3974,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
         return GST_FLOW_ERROR;
       }
 
+      if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+        GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+        gst_buffer_unmap (*buf, &map);
+        g_object_unref (adapter);
+        return GST_FLOW_ERROR;
+      }
+
       g_assert (newbuf == NULL);
 
       newbuf =
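Review bot: the guard is written the right way round, comparing blocksize against G_MAXSIZE - WAVPACK4_HEADER_SIZE instead of computing the sum and testing it, so the overflow can never occur before it is detected; two things to confirm in review are that the cleanup here (gst_buffer_unmap (*buf, &map) and g_object_unref (adapter)) matches exactly what the preceding early return just above does, since that body is outside the hunk's context, and that the error message includes the offending value, e.g. GST_ERROR_OBJECT (element, "Too big wavpack buffer (%" G_GSIZE_FORMAT ")", blocksize), so a rejected stream can be diagnosed from the log.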