FaSTTUBe/GST-Tensordecoder-ov_ep
37
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

mxfdemux: Add various missing bounds checks, NULL checks and integer overflow protection for error cases

Browse Source
This commit is contained in:
Sebastian Dröge 2016-11-24 23:36:22 +02:00
parent 2a66653bdc
commit b5bb6e3b38
6 changed files with 46 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
gst/mxf/mxfaes-bwf.c
View File

@ -643,11 +643,14 @@ mxf_metadata_aes3_audio_essence_descriptor_handle_tag (MXFMetadataBase *
tag_data += 8; tag_data += 8;
tag_size -= 8; tag_size -= 8;
if (tag_size != len * 24) if (tag_size / 24 != len)
goto error;
if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
goto error; goto error;
self->fixed_channel_status_data = self->fixed_channel_status_data =
g_malloc0 (len * sizeof (guint8 *) + len * 24); g_malloc0 (len * (sizeof (guint8 *) + 24));
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
self->fixed_channel_status_data[i] = self->fixed_channel_status_data[i] =
@ -738,10 +741,13 @@ mxf_metadata_aes3_audio_essence_descriptor_handle_tag (MXFMetadataBase *
tag_data += 8; tag_data += 8;
tag_size -= 8; tag_size -= 8;
if (tag_size != len * 24) if (tag_size / 24 != len)
goto error; goto error;
self->fixed_user_data = g_malloc0 (len * sizeof (guint8 *) + len * 24); if (G_MAXINT / (24 + sizeof (guint8 *)) < len)
goto error;
self->fixed_user_data = g_malloc0 (len * (sizeof (guint8 *) + 24));
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
self->fixed_user_data[i] = self->fixed_user_data[i] =

9
gst/mxf/mxfdemux.c
View File

@ -3556,11 +3556,18 @@ collect_index_table_segments (GstMXFDemux * demux)
start = segment->index_start_position; start = segment->index_start_position;
end = start + segment->index_duration; end = start + segment->index_duration;
if (end > G_MAXINT / sizeof (GstMXFDemuxIndex)) {
demux->index_tables = g_list_remove (demux->index_tables, t);
g_array_free (t->offsets, TRUE);
g_free (t);
continue;
}
if (t->offsets->len < end) if (t->offsets->len < end)
g_array_set_size (t->offsets, end); g_array_set_size (t->offsets, end);
for (i = 0; i < segment->n_index_entries; i++) { for (i = 0; i < segment->n_index_entries && start + i < t->offsets->len;
i++) {
GstMXFDemuxIndex *index = GstMXFDemuxIndex *index =
&g_array_index (t->offsets, GstMXFDemuxIndex, start + i); &g_array_index (t->offsets, GstMXFDemuxIndex, start + i);
guint64 offset = segment->index_entries[i].stream_offset; guint64 offset = segment->index_entries[i].stream_offset;

2
gst/mxf/mxfdms1.c
View File

@ -3109,7 +3109,7 @@ mxf_dms1_shot_handle_tag (MXFMetadataBase * metadata, MXFPrimerPack * primer,
tag_data += 8; tag_data += 8;
tag_size -= 8; tag_size -= 8;
if (tag_size < 4 * len) if (tag_size / 4 < len)
goto error; goto error;
self->n_shot_track_ids = len; self->n_shot_track_ids = len;

14
gst/mxf/mxfmetadata.c
View File

@ -2244,6 +2244,9 @@ mxf_metadata_source_package_resolve (MXFMetadataBase * m, GHashTable * metadata)
d = MXF_METADATA_FILE_DESCRIPTOR (current); d = MXF_METADATA_FILE_DESCRIPTOR (current);
for (i = 0; i < package->n_tracks; i++) { for (i = 0; i < package->n_tracks; i++) {
if (!package->tracks[i])
continue;
if (!MXF_IS_METADATA_MULTIPLE_DESCRIPTOR (d)) { if (!MXF_IS_METADATA_MULTIPLE_DESCRIPTOR (d)) {
if (d->linked_track_id == package->tracks[i]->track_id || if (d->linked_track_id == package->tracks[i]->track_id ||
(d->linked_track_id == 0 && package->n_essence_tracks == 1 && (d->linked_track_id == 0 && package->n_essence_tracks == 1 &&
@ -3552,12 +3555,12 @@ mxf_metadata_dm_source_clip_handle_tag (MXFMetadataBase * metadata,
if (GST_READ_UINT32_BE (tag_data + 4) != 4) if (GST_READ_UINT32_BE (tag_data + 4) != 4)
goto error; goto error;
if (tag_size < 8 + 4 * len)
goto error;
tag_data += 8; tag_data += 8;
tag_size -= 8; tag_size -= 8;
if (tag_size / 4 < len)
goto error;
self->n_track_ids = len; self->n_track_ids = len;
self->track_ids = g_new0 (guint32, len); self->track_ids = g_new0 (guint32, len);
@ -3725,7 +3728,10 @@ mxf_metadata_dm_segment_handle_tag (MXFMetadataBase * metadata,
if (GST_READ_UINT32_BE (tag_data + 4) != 4) if (GST_READ_UINT32_BE (tag_data + 4) != 4)
goto error; goto error;
if (len * 4 + 8 < tag_size) tag_data += 8;
tag_size -= 8;
if (len < tag_size / 4)
goto error; goto error;
self->n_track_ids = len; self->n_track_ids = len;

25
gst/mxf/mxftypes.c
View File

@ -351,7 +351,7 @@ mxf_uuid_array_parse (MXFUUID ** array, guint32 * count, const guint8 * data,
return FALSE; return FALSE;
} }
if (16 * element_count < size) { if (element_count > size / 16) {
*array = NULL; *array = NULL;
*count = 0; *count = 0;
return FALSE; return FALSE;
@ -1167,7 +1167,7 @@ mxf_index_table_segment_parse (const MXFUL * ul,
tag_data += 4; tag_data += 4;
tag_size -= 4; tag_size -= 4;
if (tag_size < len * 6) if (tag_size / 6 < len)
goto error; goto error;
segment->delta_entries = g_new (MXFDeltaEntry, len); segment->delta_entries = g_new (MXFDeltaEntry, len);
@ -1216,7 +1216,7 @@ mxf_index_table_segment_parse (const MXFUL * ul,
tag_data += 4; tag_data += 4;
tag_size -= 4; tag_size -= 4;
if (tag_size < len * 11) if (tag_size / 11 < len)
goto error; goto error;
segment->index_entries = g_new0 (MXFIndexEntry, len); segment->index_entries = g_new0 (MXFIndexEntry, len);
@ -1289,9 +1289,11 @@ mxf_index_table_segment_reset (MXFIndexTableSegment * segment)
g_return_if_fail (segment != NULL); g_return_if_fail (segment != NULL);
for (i = 0; i < segment->n_index_entries; i++) { if (segment->index_entries) {
g_free (segment->index_entries[i].slice_offset); for (i = 0; i < segment->n_index_entries; i++) {
g_free (segment->index_entries[i].pos_table); g_free (segment->index_entries[i].slice_offset);
g_free (segment->index_entries[i].pos_table);
}
} }
g_free (segment->index_entries); g_free (segment->index_entries);
@ -1447,14 +1449,16 @@ mxf_primer_pack_parse (const MXFUL * ul, MXFPrimerPack * pack,
n = GST_READ_UINT32_BE (data); n = GST_READ_UINT32_BE (data);
data += 4; data += 4;
size -= 4;
GST_DEBUG (" number of mappings = %u", n); GST_DEBUG (" number of mappings = %u", n);
if (GST_READ_UINT32_BE (data) != 18) if (GST_READ_UINT32_BE (data) != 18)
goto error; goto error;
data += 4; data += 4;
size -= 4;
if (size < 8 + n * 18) if (size / 18 < n)
goto error; goto error;
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
@ -1618,10 +1622,13 @@ mxf_local_tag_parse (const guint8 * data, guint size, guint16 * tag,
*tag = GST_READ_UINT16_BE (data); *tag = GST_READ_UINT16_BE (data);
*tag_size = GST_READ_UINT16_BE (data + 2); *tag_size = GST_READ_UINT16_BE (data + 2);
if (size < 4 + *tag_size) data += 4;
size -= 4;
if (size < *tag_size)
return FALSE; return FALSE;
*tag_data = data + 4; *tag_data = data;
return TRUE; return TRUE;
} }

2
gst/mxf/mxful.c
View File

@ -641,7 +641,7 @@ mxf_ul_array_parse (MXFUL ** array, guint32 * count, const guint8 * data,
return FALSE; return FALSE;
} }
if (16 * element_count < size) { if (element_count > size / 16) {
*array = NULL; *array = NULL;
*count = 0; *count = 0;
return FALSE; return FALSE;