rmdemux: Check for integer overflows when calculating the size of SIPR audio buffers

Fixes ZDI-CAN-21443 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2782 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5077>
author: Sebastian Dröge <sebastian@centricular.com> 2023-07-07 09:59:20 +0300
committer: Tim-Philipp Müller <tim@centricular.com> 2023-07-20 00:23:36 +0100
commit: 40440bce66af6ab43690d3ce7c4f4296a6b7e7b9 (patch)
tree: ef153e1a9ec6622600ee58050cf6898fd4ec1f88
parent: af2ec8e6066fdde74a5a79fe311759a94cac9d95 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
index 473aebe075..eaee9acdd1 100644
--- a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
+++ b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
@@ -2144,6 +2144,7 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
   GstMapInfo outmap;
   guint packet_size = stream->packet_size;
   guint height = stream->subpackets->len;
+  guint size;
   guint p;
 
   g_assert (stream->height == height);
@@ -2151,7 +2152,12 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
   GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
       packet_size, stream->leaf_size, height);
 
-  outbuf = gst_buffer_new_and_alloc (height * packet_size);
+  if (!g_uint_checked_mul (&size, height, packet_size)) {
+    GST_ERROR_OBJECT (rmdemux, "overflowing SIPR audio packet size");
+    return GST_FLOW_ERROR;
+  }
+
+  outbuf = gst_buffer_new_and_alloc (size);
   gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
 
   for (p = 0; p < height; ++p) {
author	Sebastian Dröge <sebastian@centricular.com>	2023-07-07 09:59:20 +0300
committer	Tim-Philipp Müller <tim@centricular.com>	2023-07-20 00:23:36 +0100
commit	40440bce66af6ab43690d3ce7c4f4296a6b7e7b9 (patch)
tree	ef153e1a9ec6622600ee58050cf6898fd4ec1f88
parent	af2ec8e6066fdde74a5a79fe311759a94cac9d95 (diff)