diff options
Diffstat (limited to 'media-libs/gst-plugins-bad/files/gst-plugins-bad-0.10.23-CVE-2015-0797.patch')
-rw-r--r-- | media-libs/gst-plugins-bad/files/gst-plugins-bad-0.10.23-CVE-2015-0797.patch | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/media-libs/gst-plugins-bad/files/gst-plugins-bad-0.10.23-CVE-2015-0797.patch b/media-libs/gst-plugins-bad/files/gst-plugins-bad-0.10.23-CVE-2015-0797.patch new file mode 100644 index 000000000000..b1e323b9c0ec --- /dev/null +++ b/media-libs/gst-plugins-bad/files/gst-plugins-bad-0.10.23-CVE-2015-0797.patch @@ -0,0 +1,30 @@ +From: Ralph Giles <giles@mozilla.com> +Subject: Fix buffer overflow in mp4 parsing + +--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c ++++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c +@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse * + + GST_DEBUG_OBJECT (h264parse, "nal length %d", size); + ++ if (size > G_MAXUINT32 - nl) { ++ GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL), ++ ("overflow in nal size")); ++ return NULL; ++ } + buf = gst_buffer_new_and_alloc (size + nl + 4); + if (format == GST_H264_PARSE_FORMAT_AVC) { + GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl)); +@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse + GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size); + return; + } ++ if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) { ++ GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)", ++ nalu->size); ++ return; ++ } + + /* we have a peek as well */ + nal_type = nalu->type; + |