GNOME Bugzilla – Bug 752495
[SECURITY] _fallback_mem_copy may read before and after valid data
Last modified: 2015-10-13 10:12:42 UTC
_fallback_mem_copy in gstallocator.c does not check the bounds of the requested copy. 1. The offset of the copy may be negative so reads starting before the valid data are possible. 2. (offset + size) are not checked to see if the sum falls outside the valid data region so data can be read from after the end of the buffer. This lack of bounds checking poses a security risk as well as making gstreamer less robust.
Also forgot the obvious: since the size parameter is signed, when it is passed to gst_allocator_alloc with a negative value we may try to allocate huge amounts of memory, which will probably crash the calling application.
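The two reads the report describes (a negative offset reaching before the data, and offset + size reaching past its end) and the negative-size-to-allocator problem from the follow-up comment can all be rejected by one range check performed before any allocation or memcpy. The following is an added example, not GStreamer's code and not a patch from anyone in this thread: it uses a hypothetical mem_block type and the functions check_copy_range / checked_mem_copy, and it assumes the signed offset/size convention where size == -1 means "copy up to the end of the valid data" (the offset and size types mirror gssize; an assumption here, since the page does not spell out the signature).

```c
/* Added example (not GStreamer code): a bounds-checked region copy that
 * rejects every request the bug report describes before touching memory.
 * Names (mem_block, check_copy_range, checked_mem_copy) are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t, standing in for gssize */

typedef struct {
    const uint8_t *data;  /* start of the valid data */
    size_t size;          /* number of valid bytes */
} mem_block;

/* Validate (offset, size) against a region of valid_size bytes.
 * On success returns 0 and stores the resolved byte count in *out_len.
 * Returns -1 if the request would start before the data, end after it,
 * or carries a negative size other than the "-1 = to the end" sentinel. */
int check_copy_range(size_t valid_size, ssize_t offset, ssize_t size, size_t *out_len)
{
    if (offset < 0)                      /* would read before the valid data */
        return -1;
    if ((size_t)offset > valid_size)     /* offset itself is already past the end */
        return -1;
    size_t avail = valid_size - (size_t)offset;  /* cannot underflow after the check above */

    if (size == -1) {                    /* sentinel: copy everything from offset onward */
        *out_len = avail;
        return 0;
    }
    if (size < 0)                        /* would turn into a huge unsigned allocation size */
        return -1;
    if ((size_t)size > avail)            /* offset + size past the end, tested without forming the sum */
        return -1;
    *out_len = (size_t)size;
    return 0;
}

/* Allocate and return a copy of src->data[offset .. offset+size), or NULL
 * (with *copied == 0) when the request is out of range or allocation fails. */
uint8_t *checked_mem_copy(const mem_block *src, ssize_t offset, ssize_t size, size_t *copied)
{
    size_t len;
    *copied = 0;
    if (check_copy_range(src->size, offset, size, &len) != 0)
        return NULL;                     /* refuse rather than read out of bounds */
    uint8_t *dst = malloc(len ? len : 1); /* avoid malloc(0) portability quirks */
    if (dst == NULL)
        return NULL;
    memcpy(dst, src->data + offset, len); /* both ends are now known to be inside src */
    *copied = len;
    return dst;
}

int main(void)
{
    /* Constructed sample block: 8 valid bytes. */
    static const uint8_t sample[8] = { 'G', 'S', 'T', 'R', 'E', 'A', 'M', '!' };
    mem_block blk = { sample, sizeof sample };
    struct { ssize_t off, sz; } req[] = {
        { 0, -1 },   /* whole block */
        { 3,  2 },   /* in range */
        { -1, 2 },   /* starts before the data */
        { 6,  3 },   /* runs past the end */
        { 0, -2 },   /* negative size that is not the sentinel */
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        size_t n;
        uint8_t *c = checked_mem_copy(&blk, req[i].off, req[i].sz, &n);
        printf("offset=%ld size=%ld -> %s (%zu bytes)\n",
               (long)req[i].off, (long)req[i].sz, c ? "ok" : "rejected", n);
        free(c);
    }
    return 0;
}
```

Checking `size > avail` instead of `offset + size > valid_size` matters: the sum can wrap around for large values, while the subtraction-based comparison cannot once offset has been bounded. The negative-size branch is what keeps a value such as -2 from being widened to an enormous unsigned allocation size.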
This would IMHO be a bug in other code that creates invalid memories. Did you run into this somehow? Having some assertions in fallback_mem_copy might still be useful; want to provide a patch?
I ran into this when trying to properly understand allocations for my own plugins and allocators. I didn't encounter any actual problems. Unfortunately I don't know gstreamer well enough to suggest a patch that will fix this at all the places where it needs to be fixed (I later found out that it is probably not just _fallback_mem_copy that makes assumptions about memory pointers). And unfortunately I don't have the time to do it properly.
Ok, I think there's not really a problem per se in fallback_mem_copy() here. It's as much a problem as passing wrong parameters to memcpy(). If someone wants to add some assertions that's ok; if not, then so be it :)