https://bugs.gentoo.org/970989 https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10881 https://gstreamer.freedesktop.org/security/sa-2026-0006.html CVE-2026-2920 ZDI-26-164 ZDI-CAN-28843
From 37d7991168a223d0810fd1f4493ec6a8b6a510d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
Date: Wed, 11 Feb 2026 19:27:09 +0200
Subject: [PATCH] asfdemux: Error out on files with more than 32 streams
This avoids overflowing the static streams array and overwriting random other element state.
Fixes GST--SA-2026-0006, CVE-2026-2920, ZDI-CAN-28843.
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4900
Part-of:
--- a/gst/asfdemux/gstasfdemux.c
+++ b/gst/asfdemux/gstasfdemux.c
@@ -2616,6 +2616,9 @@ gst_asf_demux_setup_pad (GstASFDemux * demux, GstPad * src_pad,
 {
 AsfStream *stream;
+ /* Checked in the callers */
+ g_assert (demux->num_streams < G_N_ELEMENTS (demux->stream));
+
 gst_pad_use_fixed_caps (src_pad);
 gst_pad_set_caps (src_pad, caps);
@@ -3071,6 +3074,12 @@ gst_asf_demux_parse_stream_object (GstASFDemux * demux, guint8 * data,
 case ASF_STREAM_AUDIO:{
 asf_stream_audio audio_object;
+ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
+ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
+ ("File has too many streams"));
+ return NULL;
+ }
+
 if (!gst_asf_demux_get_stream_audio (&audio_object, &data, &size))
 goto not_enough_data;
@@ -3149,6 +3158,12 @@ gst_asf_demux_parse_stream_object (GstASFDemux * demux, guint8 * data,
 asf_stream_video video_object;
 guint16 vsize;
+ if (demux->num_streams >= G_N_ELEMENTS (demux->stream)) {
+ GST_ELEMENT_ERROR (demux, STREAM, DEMUX, (NULL),
+ ("File has too many streams"));
+ return NULL;
+ }
+
 if (!gst_asf_demux_get_stream_video (&video_object, &data, &size))
 goto not_enough_data;
-- 
GitLab
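Review bot: The `g_assert` added at the top of gst_asf_demux_setup_pad is not a bound check in builds that define `G_DISABLE_ASSERT`, where it compiles to nothing, so the comment `/* Checked in the callers */` carries the whole safety argument for the write into `demux->stream`. I would spell that out, e.g. `/* Callers must reject num_streams >= G_N_ELEMENTS (demux->stream) before calling; this assert is compiled out with G_DISABLE_ASSERT */`, so that a future caller does not rely on the assert. Only the audio and video cases of gst_asf_demux_parse_stream_object are visible in this patch, so any other call path into gst_asf_demux_setup_pad would need the same guard. The function body continues outside the hunk.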
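Review bot: The five-line stream-limit guard added in the ASF_STREAM_AUDIO case is repeated verbatim in the video case in the next hunk, which makes it easy for a later stream type to be added without it. A small static helper that posts the error and returns a gboolean would keep the sites in step, called as `if (!gst_asf_demux_can_add_stream (demux)) return NULL;` (the helper name is only a suggestion). The debug message could also carry the limit, e.g. `("File has more than %u streams", (guint) G_N_ELEMENTS (demux->stream))`, which helps when triaging rejected files. The guard returns directly instead of going through the function's existing labels such as `not_enough_data`. Whether that skips any cleanup cannot be seen here, because the function starts and ends outside the hunk.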