From 34cfd6b82c3ae6772b9b43b3f6243f85cea35c38 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Sebastian=20Dr=C3=B6ge?=
Date: Fri, 4 Oct 2024 13:27:27 +0300
Subject: [PATCH] wavparse: Fix clipping of size to the file size
The size does not include the 8 bytes tag and length, so an additional 8 bytes must be removed here. 8 bytes are always available at this point because otherwise the parsing of the tag and length right above would've failed.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-260
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
Part-of:
---
 subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
index e42bb24b9b..2499416a76 100644
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
   }
   /* Clip to upstream size if known */
-  if (upstream_size > 0 && size + wav->offset > upstream_size) {
+  if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
     GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
     g_assert (upstream_size >= wav->offset);
-    size = upstream_size - wav->offset;
+    g_assert (upstream_size - wav->offset >= 8);
+    size = upstream_size - wav->offset - 8;
   }
   /* wav is a st00pid format, we don't know for sure where data starts.
-- 
2.34.1
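Review bot: The new condition `size + 8 + wav->offset > upstream_size` is evaluated left to right, so if `size` is a 32-bit unsigned chunk length (its declaration is outside the hunk) the `size + 8` term wraps for lengths above `G_MAXUINT32 - 8` before `wav->offset` widens the expression, and such a chunk would bypass the clip entirely with its original oversized `size` kept. Widening first removes that gap: `if (upstream_size > 0 && (guint64) size + 8 + wav->offset > upstream_size) {`. The two `g_assert` calls compile out under `G_DISABLE_ASSERT`, so the invariant the commit message relies on is worth stating next to the subtraction as a comment, e.g. `/* tag + length (8 bytes) were already parsed above, so at least 8 bytes remain */`. gst_wavparse_stream_headers starts and ends outside the hunk.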