import gstreamer1-plugins-bad-free-1.16.1-2.el8_9

c8 imports/c8/gstreamer1-plugins-bad-free-1.16.1-2.el8_9
MSVSphere Packaging Team 1 year ago
parent 383ab493ff
commit ba176658b8

@ -0,0 +1,321 @@
From 24e891568537f4447d1c212dcb355a766296bdbb Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Tue, 12 Dec 2023 18:00:58 +0100
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
---
gst/mxf/mxfdemux.c | 114 +++++++++++++++++++++------------------------
gst/mxf/mxfdemux.h | 2 +-
2 files changed, 53 insertions(+), 63 deletions(-)
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index f6e5ac048..b97dce1ad 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -167,22 +182,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->current_partition = NULL;
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -200,7 +200,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->source_track = NULL;
@@ -713,8 +713,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -732,24 +731,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
@@ -876,13 +874,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
@@ -895,7 +887,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1117,7 +1109,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1598,8 +1590,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1731,7 +1722,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -2656,7 +2647,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != demux->current_partition->partition.body_sid)
continue;
@@ -2719,7 +2710,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != demux->current_partition->partition.body_sid)
continue;
@@ -2914,7 +2905,7 @@ from_index:
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -2937,8 +2928,7 @@ from_index:
if (ret == GST_FLOW_EOS) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -3020,7 +3010,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -3627,8 +3617,8 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
@@ -4001,8 +3991,8 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
@@ -4284,7 +4274,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4325,8 +4315,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
+
etrack->position = -1;
}
ret = TRUE;
@@ -4350,8 +4340,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
demux->current_partition = NULL;
@@ -4624,7 +4614,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -4701,8 +4691,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
index aac3e67d0..a452980ee 100644
--- a/gst/mxf/mxfdemux.h
+++ b/gst/mxf/mxfdemux.h
@@ -182,7 +182,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
2.43.0

@ -14,7 +14,7 @@
Name: gstreamer1-plugins-bad-free Name: gstreamer1-plugins-bad-free
Version: 1.16.1 Version: 1.16.1
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework "bad" plugins Summary: GStreamer streaming media framework "bad" plugins
License: LGPLv2+ and LGPLv2 License: LGPLv2+ and LGPLv2
@ -32,6 +32,7 @@ Source0: gst-plugins-bad-free-%{version}.tar.xz
Source1: gst-p-bad-cleanup.sh Source1: gst-p-bad-cleanup.sh
#upstream patches #upstream patches
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-devel >= %{version}
BuildRequires: gstreamer1-plugins-base-devel >= %{version} BuildRequires: gstreamer1-plugins-base-devel >= %{version}
@ -184,6 +185,7 @@ aren't tested well enough, or the code is not of good enough quality.
%prep %prep
%setup -q -n gst-plugins-bad-%{version} %setup -q -n gst-plugins-bad-%{version}
%patch0 -p1
%build %build
%configure --disable-silent-rules --disable-fatal-warnings \ %configure --disable-silent-rules --disable-fatal-warnings \
@ -472,6 +474,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog %changelog
* Wed Dec 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
- Patch CVE-2023-44446: MXF demuxer use-after-free
- Resolves: RHEL-17036
* Mon Nov 18 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1 * Mon Nov 18 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
- Update to 1.16.1 - Update to 1.16.1
- Remove upstreamed patches - Remove upstreamed patches

Loading…
Cancel
Save