From febe0a820be595be5a9df800a0452bea482176d3 Mon Sep 17 00:00:00 2001 From: Helmut Pozimski Date: Fri, 18 Nov 2016 08:48:28 +0100 Subject: [PATCH] gst-plugins-bad: add fix-CESA-2016-0002.patch patch taken from the upstream master branch from the following commit https://cgit.freedesktop.org/gstreamer/gst-plugins-bad/commit/?id=4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe This fixes the vulnerability currently known as CESA-2016-0002, full details available at: https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html --- .../patches/fix-CESA-2016-0002.patch | 22 +++++++++++++++++++ srcpkgs/gst-plugins-bad/template | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/gst-plugins-bad/patches/fix-CESA-2016-0002.patch diff --git a/srcpkgs/gst-plugins-bad/patches/fix-CESA-2016-0002.patch b/srcpkgs/gst-plugins-bad/patches/fix-CESA-2016-0002.patch new file mode 100644 index 00000000000..b9f3839c0ad --- /dev/null +++ b/srcpkgs/gst-plugins-bad/patches/fix-CESA-2016-0002.patch @@ -0,0 +1,22 @@ +--- gst/vmnc/vmncdec.c ++++ gst/vmnc/vmncdec.c +@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * + + if (dec->imagedata) + g_free (dec->imagedata); +- dec->imagedata = g_malloc (dec->format.width * dec->format.height * ++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height * + dec->format.bytes_per_pixel); + GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata); + +@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, co + GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type); + return ERROR_INVALID; + } ++ } else if (r.width > 16384 || r.height > 16384) { ++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width, ++ r.height); ++ return ERROR_INVALID; + } + + switch (r.type) { diff --git a/srcpkgs/gst-plugins-bad/template b/srcpkgs/gst-plugins-bad/template index a4f75a0f9ff..60f3a2a56ae 100644 --- a/srcpkgs/gst-plugins-bad/template +++ b/srcpkgs/gst-plugins-bad/template @@ -1,7 +1,7 @@ # Template file for 'gst-plugins-bad'. pkgname=gst-plugins-bad version=0.10.23 -revision=19 +revision=20 lib32disabled=yes build_style=gnu-configure configure_args="--enable-experimental --disable-static --disable-nsf"