From: Sebastian Dröge <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 10:22:57 +0000 (+0300)
Subject: tags: Don't allow image tags with G_MAXUINT32 length
X-Git-Tag: 1.22.7~190
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7bcd791fabe03b9ab1c72f494fc86cd0c06c3556;p=platform%2Fupstream%2Fgstreamer.git

tags: Don't allow image tags with G_MAXUINT32 length

This will cause an integer overflow a little bit further down because we
allocate a bit more memory to allow for a NUL-terminator.

The caller should've avoided passing that much data in already as it's
not going to be a valid image and there's likely not even that much data
available.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4897>
---

diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
index 73e6bb4..d38a0c9 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
@@ -530,7 +530,8 @@ gst_tag_image_data_to_image_sample (const guint8 * image_data,
   GstStructure *image_info = NULL;
 
   g_return_val_if_fail (image_data != NULL, NULL);
-  g_return_val_if_fail (image_data_len > 0, NULL);
+  g_return_val_if_fail (image_data_len > 0
+      || image_data_len == G_MAXUINT32, NULL);
   g_return_val_if_fail (gst_tag_image_type_is_valid (image_type), NULL);
 
   GST_DEBUG ("image data len: %u bytes", image_data_len);