From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] gst1-plugins-bad: add upstream patch to fix security issue in vmnc decoder
Date: Mon, 28 Nov 2016 22:55:38 +0100
Message-ID: <20161128215538.9863-1-peter@korsgaard.com>

As detailed by Chris Evans, the vmnc decoder contains an integer overflow which
can be exploited:

https://scarybeastsecurity.blogspot.be/2016/11/0day-poc-risky-design-decisions-in.html

Fixes CVE-2016-9445 and CVE-2016-9446.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...Sanity-check-width-height-before-using-it.patch | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 package/gstreamer1/gst1-plugins-bad/0001-vmncdec-Sanity-check-width-height-before-using-it.patch

diff --git a/package/gstreamer1/gst1-plugins-bad/0001-vmncdec-Sanity-check-width-height-before-using-it.patch b/package/gstreamer1/gst1-plugins-bad/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
new file mode 100644
index 0000000..ebc87bb
--- /dev/null
+++ b/package/gstreamer1/gst1-plugins-bad/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
@@ -0,0 +1,51 @@
+From 465091253bb3c3198d055b2e9f02d95237204663 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: [PATCH] vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ gst/vmnc/vmncdec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index 5504302..a843136 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -261,7 +261,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+   gst_video_codec_state_unref (state);
+ 
+   g_free (dec->imagedata);
+-  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+       dec->format.bytes_per_pixel);
+   GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+ 
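Review bot: the g_malloc to g_malloc0 change addresses the uninitialised screen contents mentioned in the commit message, but the product `dec->format.width * dec->format.height * dec->format.bytes_per_pixel` on these lines is still evaluated in plain int arithmetic and only becomes safe because of the separate width/height bound added in the following hunk. That dependency should be stated in a comment at the allocation (or the size computed with an overflow-checked multiply) so a later change to the limit does not silently reintroduce the overflow this patch fixes for CVE-2016-9445. Separately, g_malloc0 aborts the process when the allocation fails, so a stream advertising the largest permitted dimensions forces a very large zeroed allocation that the decoder cannot refuse; g_try_malloc0 with an error return on NULL would let it fail gracefully instead.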
+@@ -791,6 +791,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+             return ERROR_INVALID;
+           }
++        } else if (r.width > 16384 || r.height > 16384) {
++          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++              r.height);
++          return ERROR_INVALID;
+         }
+ 
+         switch (r.type) {
+-- 
+2.10.2
+
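Review bot: 16384 is a magic number in the new `else if`; it should be a named constant with a comment giving the invariant it is meant to guarantee (16384 * 16384 times the largest bytes_per_pixel the decoder accepts must stay below INT_MAX), since that arithmetic is exactly what makes the multiplication in vmnc_handle_wmvi_rectangle safe, and a reader of this hunk alone cannot tell why this particular value was chosen. The check is also only reached in the else branch, after the "Rectangle out of range" path for the other rectangle types, so the commit message should confirm that this branch is the only path that can set the format width/height later used for the allocation; otherwise a rectangle taking the first branch could still carry unbounded dimensions.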
-- 
2.10.2
