https://bugs.gentoo.org/970993

From a46fc929efe909d98d983abe2dc60d196432fc3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
 <vjaquez@igalia.com>
Date: Wed, 11 Feb 2026 22:07:49 +0100
Subject: [PATCH] libs: jpegparser: boundary checks before copying it

READ_BYTES macro reads data from a byte reader and then copies it to a storage
variable. This patch adds a validation that the length to read cannot be bigger
than the storage size.

This macro right now is used only for storage variables of guint8 arrays.

We have validated in the specification (sections F.1.2.1.2 and F.1.2.2.1 in ITU
T.81) that Huffman tables (both AC and DC) aren't bigger than 256.

Fixes SA-2026-0003, CVE-2026-3082, ZDI-CAN-28840.

Fixes: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4899>

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885>
--- a/gst-libs/gst/codecparsers/gstjpegparser.c
+++ b/gst-libs/gst/codecparsers/gstjpegparser.c
@@ -77,6 +77,10 @@ ensure_debug_category (void)
 
 #define READ_BYTES(reader, buf, length) G_STMT_START {          \
     const guint8 *vals;                                         \
+    if (length > sizeof (buf)) {                                \
+      GST_WARNING ("data size is bigger than its storage");     \
+      goto failed;                                              \
+    }                                                           \
     if (!gst_byte_reader_get_data (reader, length, &vals)) {    \
       GST_WARNING ("failed to read bytes, size:%d", length);    \
       goto failed;                                              \
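Review bot: The new `length > sizeof (buf)` check at the top of READ_BYTES is only correct when `buf` is a true array; if a caller ever passes a pointer, `sizeof (buf)` evaluates to the pointer size and the bound no longer matches the real storage. The commit message says the macro is currently used only with guint8 arrays, but nothing in the macro states or enforces that, so I would add a comment above the macro documenting the requirement, or a compile-time check that rejects non-array arguments. Separately, `length` is expanded unparenthesized and evaluated more than once (comparison, read call, warning), so `(length) > sizeof (buf)` and a single local copy of the value would be safer against expressions with side effects.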
-- 
GitLab

