1 |
tester 09/03/30 04:38:14 |
2 |
|
3 |
Added: gst-plugins-base-0.10.22-CVE-2009-0586.patch |
4 |
Log: |
5 |
Version bump, also fix CVE-2009-0586 (bug #261594) |
6 |
(Portage version: 2.1.6.7/cvs/Linux i686) |
7 |
|
8 |
Revision Changes Path |
9 |
1.1 media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch |
10 |
|
11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch?rev=1.1&view=markup |
12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/gst-plugins-base/files/gst-plugins-base-0.10.22-CVE-2009-0586.patch?rev=1.1&content-type=text/plain |
13 |
|
14 |
Index: gst-plugins-base-0.10.22-CVE-2009-0586.patch |
15 |
=================================================================== |
16 |
From 566583e87147f774e7fc4c78b5f7e61d427e40a9 Mon Sep 17 00:00:00 2001 |
17 |
From: Jan Schmidt <thaytan@××××××××.net> |
18 |
Date: Tue, 24 Feb 2009 15:58:42 +0000 |
19 |
Subject: vorbistag: Protect memory allocation calculation from overflow. |
20 |
|
21 |
Patch by: Tomas Hoger <thoger@××××××.com> Fixes CVE-2009-0586 |
22 |
--- |
23 |
diff --git a/gst-libs/gst/tag/gstvorbistag.c b/gst-libs/gst/tag/gstvorbistag.c |
24 |
index 0999368..9401e61 100644 |
25 |
--- a/gst-libs/gst/tag/gstvorbistag.c |
26 |
+++ b/gst-libs/gst/tag/gstvorbistag.c |
27 |
@@ -305,30 +305,32 @@ gst_vorbis_tag_add (GstTagList * list, const gchar * tag, const gchar * value) |
28 |
} |
29 |
|
30 |
static void |
31 |
-gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64, |
32 |
+gst_vorbis_tag_add_coverart (GstTagList * tags, gchar * img_data_base64, |
33 |
gint base64_len) |
34 |
{ |
35 |
GstBuffer *img; |
36 |
- guchar *img_data; |
37 |
gsize img_len; |
38 |
+ guchar *out; |
39 |
guint save = 0; |
40 |
gint state = 0; |
41 |
|
42 |
if (base64_len < 2) |
43 |
goto not_enough_data; |
44 |
|
45 |
- img_data = g_try_malloc0 (base64_len * 3 / 4); |
46 |
- |
47 |
- if (img_data == NULL) |
48 |
- goto alloc_failed; |
49 |
- |
50 |
- img_len = g_base64_decode_step (img_data_base64, base64_len, img_data, |
51 |
- &state, &save); |
52 |
+ /* img_data_base64 points to a temporary copy of the base64 encoded data, so |
53 |
+ * it's safe to do inpace decoding here |
54 |
+ * TODO: glib 2.20 and later provides g_base64_decode_inplace, so change this |
55 |
+ * to use glib's API instead once it's in wider use: |
56 |
+ * http://bugzilla.gnome.org/show_bug.cgi?id=564728 |
57 |
+ * http://svn.gnome.org/viewvc/glib?view=revision&revision=7807 */ |
58 |
+ out = (guchar *) img_data_base64; |
59 |
+ img_len = g_base64_decode_step (img_data_base64, base64_len, |
60 |
+ out, &state, &save); |
61 |
|
62 |
if (img_len == 0) |
63 |
goto decode_failed; |
64 |
|
65 |
- img = gst_tag_image_data_to_image_buffer (img_data, img_len, |
66 |
+ img = gst_tag_image_data_to_image_buffer (out, img_len, |
67 |
GST_TAG_IMAGE_TYPE_NONE); |
68 |
|
69 |
if (img == NULL) |
70 |
@@ -338,7 +340,6 @@ gst_vorbis_tag_add_coverart (GstTagList * tags, const gchar * img_data_base64, |
71 |
GST_TAG_PREVIEW_IMAGE, img, NULL); |
72 |
|
73 |
gst_buffer_unref (img); |
74 |
- g_free (img_data); |
75 |
return; |
76 |
|
77 |
/* ERRORS */ |
78 |
@@ -347,21 +348,14 @@ not_enough_data: |
79 |
GST_WARNING ("COVERART tag with too little base64-encoded data"); |
80 |
return; |
81 |
} |
82 |
-alloc_failed: |
83 |
- { |
84 |
- GST_WARNING ("Couldn't allocate enough memory to decode COVERART tag"); |
85 |
- return; |
86 |
- } |
87 |
decode_failed: |
88 |
{ |
89 |
- GST_WARNING ("Couldn't decode bas64 image data from COVERART tag"); |
90 |
- g_free (img_data); |
91 |
+ GST_WARNING ("Couldn't decode base64 image data from COVERART tag"); |
92 |
return; |
93 |
} |
94 |
convert_failed: |
95 |
{ |
96 |
GST_WARNING ("Couldn't extract image or image type from COVERART tag"); |
97 |
- g_free (img_data); |
98 |
return; |
99 |
} |
100 |
} |
101 |
@@ -457,6 +451,7 @@ error: |
102 |
return NULL; |
103 |
#undef ADVANCE |
104 |
} |
105 |
+ |
106 |
typedef struct |
107 |
{ |
108 |
guint count; |
109 |
-- |
110 |
cgit v0.8.2 |