|
 |
168060d |
From 99534e367d78ce7b3fd602bf568304428cb8c62e Mon Sep 17 00:00:00 2001
|
|
|
168060d |
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
|
168060d |
Date: Wed, 16 Nov 2016 20:41:39 +0200
|
|
|
168060d |
Subject: [PATCH] vmncdec: Sanity-check width/height before using it
|
|
|
168060d |
|
|
|
168060d |
We will allocate a screen area of width*height*bpp bytes, however this
|
|
|
168060d |
calculation can easily overflow if too high width or height are given
|
|
|
168060d |
inside the stream. Nonetheless we would just assume that enough memory
|
|
|
168060d |
was allocated, try to fill it and overwrite as much memory as wanted.
|
|
|
168060d |
|
|
|
168060d |
Also allocate the screen area filled with zeroes to ensure that we start
|
|
|
168060d |
with full-black and not any random (or not so random) data.
|
|
|
168060d |
|
|
|
168060d |
https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
|
|
|
168060d |
|
|
|
168060d |
Ideally we should just remove this plugin in favour of the one in
|
|
|
168060d |
gst-libav, which generally seems to be of better code quality.
|
|
|
168060d |
|
|
|
168060d |
https://bugzilla.gnome.org/show_bug.cgi?id=774533
|
|
|
168060d |
---
|
|
|
168060d |
gst/vmnc/vmncdec.c | 6 +++++-
|
|
|
168060d |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
168060d |
|
|
|
168060d |
diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
|
|
|
168060d |
index 5504302..a843136 100644
|
|
|
168060d |
--- a/gst/vmnc/vmncdec.c
|
|
|
168060d |
+++ b/gst/vmnc/vmncdec.c
|
|
|
168060d |
@@ -261,7 +261,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
|
|
|
168060d |
gst_video_codec_state_unref (state);
|
|
|
168060d |
|
|
|
168060d |
g_free (dec->imagedata);
|
|
|
168060d |
- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
|
|
|
168060d |
+ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
|
|
|
168060d |
dec->format.bytes_per_pixel);
|
|
|
168060d |
GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
|
|
|
168060d |
|
|
|
168060d |
@@ -791,6 +791,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
|
|
|
168060d |
GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
|
|
|
168060d |
return ERROR_INVALID;
|
|
|
168060d |
}
|
|
|
168060d |
+ } else if (r.width > 16384 || r.height > 16384) {
|
|
|
168060d |
+ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
|
|
|
168060d |
+ r.height);
|
|
|
168060d |
+ return ERROR_INVALID;
|
|
|
168060d |
}
|
|
|
168060d |
|
|
|
168060d |
switch (r.type) {
|
|
|
168060d |
--
|
|
|
168060d |
2.7.4
|
|
|
168060d |
|