oss-sec mailing list archives

gstreamer multiple issues


From: Hanno Böck <hanno () hboeck de>
Date: Thu, 1 Dec 2016 11:24:59 +0100

Hi,

After the blog posts from Chris Evans about gstreamer insecurities, I had
a look.

https://bugzilla.gnome.org/show_bug.cgi?id=774859
Invalid memory read in flx_decode_chunks (gst-plugins-good)
The fix is a larger rewrite of the affected code paths and probably
fixed a bunch of other issues on the way. It also fixes the second flic
bug reported by Chris Evans described here:
https://scarybeastsecurity.blogspot.dk/2016/11/0day-poc-incorrect-fix-for-gstreamer.html

https://bugzilla.gnome.org/show_bug.cgi?id=774896
h264: one byte heap off by one read in gst_h264_parse_set_caps
(gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=774897
Invalid memory read in glib caused by one invalid unref call in the
flxdec decoder. (gst-plugins-good)

https://bugzilla.gnome.org/show_bug.cgi?id=774902
4-byte heap out-of-bounds read in windows_icon_typefind
(gst-plugins-base)

https://bugzilla.gnome.org/show_bug.cgi?id=775048
2-byte heap out-of-bounds read in gst_mpegts_section_new
(gst-plugins-bad).

https://bugzilla.gnome.org/show_bug.cgi?id=775120
null pointer deref (segfault) in mpegts decoder / _parse_pat
(gst-plugins-bad)

A note about the memory access bugs: glib's slice allocator can hide
them, so finding them with ASan sometimes only works if one sets
G_SLICE=always-malloc.


Stuff that's probably not security-relevant:

Asserts / traps only:

https://bugzilla.gnome.org/show_bug.cgi?id=775130
h264 decoder assert (gst-plugins-bad)

https://bugzilla.gnome.org/show_bug.cgi?id=775219
avidemux trap on invalid utf-8



The gstreamer devs were very quick in fixing all issues. The release
1.10.2 should contain all the fixes.
https://gstreamer.freedesktop.org/releases/gstreamer/1.10.2.html


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
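An added illustration of the G_SLICE note in the post above, not code from the post, gstreamer or glib: a constructed toy slice allocator (hypothetical CHUNK/SLAB_CHUNKS sizes) that carves chunks out of one malloc()'d slab, and a check showing why a small heap over-read stays inside addressable memory under a slab allocator, which is exactly the case ASan cannot flag, but leaves the allocation once every request goes to malloc(), as G_SLICE=always-malloc forces.

```c
/* Added illustration, not code from the post or from gstreamer/glib:
 * a toy slice allocator that carves fixed-size chunks out of one
 * malloc()'d slab, as glib's GSlice does, showing why a small heap
 * over-read from a chunk stays inside the slab (ASan sees valid memory)
 * while the same over-read from an individually malloc()'d block
 * leaves the allocation (ASan reports it). The over-read itself is
 * never performed; only where it would land is computed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CHUNK 16          /* hypothetical slice size in bytes */
#define SLAB_CHUNKS 64    /* hypothetical number of chunks per slab */

/* Mirrors G_SLICE=always-malloc: 1 = hand every request to malloc(). */
static int always_malloc = 0;
static unsigned char *slab_base = NULL;
static size_t slab_next = 0;

static void *toy_slice_alloc(void) {
    if (always_malloc) return malloc(CHUNK);
    if (!slab_base) slab_base = malloc(CHUNK * SLAB_CHUNKS);
    if (!slab_base || slab_next >= SLAB_CHUNKS) return NULL; /* toy: one slab */
    return slab_base + CHUNK * slab_next++;
}

/* Returns 1 if an `overread`-byte read starting right after `chunk`
 * would still lie inside memory obtained from malloc(), i.e. memory
 * ASan treats as addressable, so the bug would go unreported. */
static int overread_hidden_from_asan(const void *chunk, size_t overread) {
    uintptr_t start = (uintptr_t)chunk + CHUNK;   /* first byte past chunk */
    if (always_malloc) return 0;   /* malloc block ends here: ASan redzone */
    uintptr_t slab_end = (uintptr_t)slab_base + CHUNK * SLAB_CHUNKS;
    return start + overread <= slab_end;
}

int main(void) {
    void *a = toy_slice_alloc();
    printf("slice mode, 4-byte over-read hidden from ASan: %d\n",
           overread_hidden_from_asan(a, 4));     /* 1 */
    always_malloc = 1;
    void *b = toy_slice_alloc();
    printf("always-malloc, 4-byte over-read hidden from ASan: %d\n",
           overread_hidden_from_asan(b, 4));     /* 0 */
    free(b);
    free(slab_base);
    return 0;
}
```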

