- Fixes ZDI-CAN-22226 CVE-2023-44429i9r changed/i9e/gstreamer1-plugins-bad-freeworld-1.22.1-3.el9.inferit
parent
ea692a1cea
commit
04e6cb64eb
GPG Key ID:
9C7900103E1C4F8B
@ -1 +1 @@
|
||||
SOURCES/gst-plugins-bad-1.18.4.tar.xz
|
||||
SOURCES/gst-plugins-bad-1.22.1.tar.xz
|
||||
|
||||
@ -1 +1 @@
|
||||
1d7205aab58fed7ede5992f9f42f964842c0379c SOURCES/gst-plugins-bad-1.18.4.tar.xz
|
||||
d61beffd9936a47ed32b0c5c93f50a10adfede3e SOURCES/gst-plugins-bad-1.22.1.tar.xz
|
||||
|
||||
@ -0,0 +1,323 @@
|
||||
From 274551d450e443a8c71baa95e3f8d5dad212737f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Fri, 20 Oct 2023 00:09:57 +0300
|
||||
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
|
||||
allocation
|
||||
|
||||
Previously they were stored inline inside a GArray, but as references to
|
||||
the tracks were stored in various other places although the array could
|
||||
still be updated (and reallocated!), this could lead to dangling
|
||||
references in various places.
|
||||
|
||||
Instead now store them in a GPtrArray in their own allocation so each
|
||||
track's memory position stays fixed.
|
||||
|
||||
Fixes ZDI-CAN-22299
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635>
|
||||
---
|
||||
.../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
|
||||
.../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
|
||||
2 files changed, 50 insertions(+), 68 deletions(-)
|
||||
|
||||
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
|
||||
index 7ae4a7b54cf..6153e89a207 100644
|
||||
--- a/gst/mxf/mxfdemux.c
|
||||
+++ b/gst/mxf/mxfdemux.c
|
||||
@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
|
||||
}
|
||||
|
||||
static void
|
||||
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
|
||||
{
|
||||
- guint i;
|
||||
+ if (t->offsets)
|
||||
+ g_array_free (t->offsets, TRUE);
|
||||
+
|
||||
+ g_free (t->mapping_data);
|
||||
+
|
||||
+ if (t->tags)
|
||||
+ gst_tag_list_unref (t->tags);
|
||||
+
|
||||
+ if (t->caps)
|
||||
+ gst_caps_unref (t->caps);
|
||||
+
|
||||
+ g_free (t);
|
||||
+}
|
||||
|
||||
+static void
|
||||
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
+{
|
||||
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
|
||||
|
||||
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
|
||||
@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
demux->partitions = NULL;
|
||||
|
||||
demux->current_partition = NULL;
|
||||
-
|
||||
- for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
-
|
||||
- if (t->offsets)
|
||||
- g_array_free (t->offsets, TRUE);
|
||||
-
|
||||
- g_free (t->mapping_data);
|
||||
-
|
||||
- if (t->tags)
|
||||
- gst_tag_list_unref (t->tags);
|
||||
-
|
||||
- if (t->caps)
|
||||
- gst_caps_unref (t->caps);
|
||||
- }
|
||||
- g_array_set_size (demux->essence_tracks, 0);
|
||||
+ g_ptr_array_set_size (demux->essence_tracks, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *track =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
track->source_package = NULL;
|
||||
track->delta_id = -1;
|
||||
@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *cand =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (cand->body_sid != partition->partition.body_sid)
|
||||
continue;
|
||||
@@ -861,8 +860,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- k);
|
||||
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->track_number == track->parent.track_number &&
|
||||
tmp->body_sid == edata->body_sid) {
|
||||
@@ -880,24 +878,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
}
|
||||
|
||||
if (!etrack) {
|
||||
- GstMXFDemuxEssenceTrack tmp;
|
||||
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
|
||||
|
||||
- memset (&tmp, 0, sizeof (tmp));
|
||||
- tmp.body_sid = edata->body_sid;
|
||||
- tmp.index_sid = edata->index_sid;
|
||||
- tmp.track_number = track->parent.track_number;
|
||||
- tmp.track_id = track->parent.track_id;
|
||||
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
|
||||
+ tmp->body_sid = edata->body_sid;
|
||||
+ tmp->index_sid = edata->index_sid;
|
||||
+ tmp->track_number = track->parent.track_number;
|
||||
+ tmp->track_id = track->parent.track_id;
|
||||
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
|
||||
|
||||
if (demux->current_partition->partition.body_sid == edata->body_sid &&
|
||||
demux->current_partition->partition.body_offset == 0)
|
||||
- tmp.position = 0;
|
||||
+ tmp->position = 0;
|
||||
else
|
||||
- tmp.position = -1;
|
||||
+ tmp->position = -1;
|
||||
|
||||
- g_array_append_val (demux->essence_tracks, tmp);
|
||||
+ g_ptr_array_add (demux->essence_tracks, tmp);
|
||||
etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
+ g_ptr_array_index (demux->essence_tracks,
|
||||
demux->essence_tracks->len - 1);
|
||||
new = TRUE;
|
||||
}
|
||||
@@ -1045,13 +1042,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
next:
|
||||
if (new) {
|
||||
- g_free (etrack->mapping_data);
|
||||
- if (etrack->tags)
|
||||
- gst_tag_list_unref (etrack->tags);
|
||||
- if (etrack->caps)
|
||||
- gst_caps_unref (etrack->caps);
|
||||
-
|
||||
- g_array_remove_index (demux->essence_tracks,
|
||||
+ g_ptr_array_remove_index (demux->essence_tracks,
|
||||
demux->essence_tracks->len - 1);
|
||||
}
|
||||
}
|
||||
@@ -1064,7 +1055,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
|
||||
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
|
||||
@@ -1450,7 +1441,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->source_package == source_package &&
|
||||
tmp->source_track == source_track) {
|
||||
@@ -1939,8 +1930,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
|
||||
pad->current_essence_track = NULL;
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
- GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->source_package == source_package &&
|
||||
tmp->source_track == source_track) {
|
||||
@@ -2724,7 +2714,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
|
||||
if (!etrack) {
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
|
||||
(tmp->track_number == track_number || tmp->track_number == 0)) {
|
||||
@@ -3928,8 +3918,7 @@ from_track_offset:
|
||||
gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (index_start_position != -1 && t == etrack)
|
||||
t->position = index_start_position;
|
||||
@@ -3953,8 +3942,7 @@ from_track_offset:
|
||||
/* Handle EOS */
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (t->position > 0)
|
||||
t->duration = t->position;
|
||||
@@ -4192,8 +4180,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
|
||||
guint i;
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (etrack->body_sid != partition->partition.body_sid)
|
||||
continue;
|
||||
@@ -4664,9 +4651,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
|
||||
/* Get the corresponding essence track for the given source package and stream id */
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *track =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
- GST_LOG_OBJECT (pad,
|
||||
- "Looking at essence track body_sid:%d index_sid:%d",
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
+ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
|
||||
track->body_sid, track->index_sid);
|
||||
if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
|
||||
&& mxf_umid_is_equal (&clip->source_package_id,
|
||||
@@ -4915,8 +4901,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
|
||||
}
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||
t->position = -1;
|
||||
}
|
||||
|
||||
@@ -5354,8 +5339,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
|
||||
}
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||
t->position = -1;
|
||||
}
|
||||
|
||||
@@ -5654,7 +5638,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (t->position > 0)
|
||||
t->duration = t->position;
|
||||
@@ -5695,8 +5679,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
etrack->position = -1;
|
||||
}
|
||||
ret = TRUE;
|
||||
@@ -5720,8 +5703,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
t->position = -1;
|
||||
}
|
||||
demux->current_partition = NULL;
|
||||
@@ -5994,7 +5976,7 @@ gst_mxf_demux_finalize (GObject * object)
|
||||
|
||||
g_ptr_array_free (demux->src, TRUE);
|
||||
demux->src = NULL;
|
||||
- g_array_free (demux->essence_tracks, TRUE);
|
||||
+ g_ptr_array_free (demux->essence_tracks, TRUE);
|
||||
demux->essence_tracks = NULL;
|
||||
|
||||
g_hash_table_destroy (demux->metadata);
|
||||
@@ -6071,8 +6053,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
|
||||
g_rw_lock_init (&demux->metadata_lock);
|
||||
|
||||
demux->src = g_ptr_array_new ();
|
||||
- demux->essence_tracks =
|
||||
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
|
||||
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
|
||||
+ gst_mxf_demux_essence_track_free);
|
||||
|
||||
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
|
||||
|
||||
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
|
||||
index d079a1de1aa..1dc8a4edb5b 100644
|
||||
--- a/gst/mxf/mxfdemux.h
|
||||
+++ b/gst/mxf/mxfdemux.h
|
||||
@@ -266,7 +266,7 @@ struct _GstMXFDemux
|
||||
GList *partitions;
|
||||
GstMXFDemuxPartition *current_partition;
|
||||
|
||||
- GArray *essence_tracks;
|
||||
+ GPtrArray *essence_tracks;
|
||||
|
||||
GList *pending_index_table_segments;
|
||||
GList *index_tables; /* one per BodySID / IndexSID */
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -0,0 +1,32 @@
|
||||
From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
|
||||
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
|
||||
Date: Wed, 4 Oct 2023 11:14:38 +0200
|
||||
Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
|
||||
|
||||
Clip tile rows and cols to 64 as describe in AV1 specification.
|
||||
|
||||
Fixes ZDI-CAN-22226 / CVE-2023-44429
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634>
|
||||
---
|
||||
.../gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
|
||||
index 0b4ce34488f..291a2c96367 100644
|
||||
--- a/gst-libs/gst/codecparsers/gstav1parser.c
|
||||
+++ b/gst-libs/gst/codecparsers/gstav1parser.c
|
||||
@@ -2229,6 +2229,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
|
||||
((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
|
||||
sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
|
||||
31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
|
||||
+ sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
|
||||
+ sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
|
||||
sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
|
||||
sb_size = sb_shift + 2;
|
||||
max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
|
||||
--
|
||||
GitLab
|
||||
|
||||
Loading…
Reference in new issue