Fixes ZDI-CAN-20994 CVE-2023-37329

SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch

@@ -0,0 +1,63 @@
+From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 14:23:47 +0300
+Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the
+ available data
+
+If the size read from the stream is smaller than the currently available
+data then the size is bogus and the data should simply be discarded.
+
+Fixes ZDI-CAN-20994
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
+---
+ gst/dvdspu/gstspu-pgs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index e609a284df9..e29f4f18826 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+     obj->rle_data_size = GST_READ_UINT24_BE (payload);
+     payload += 3;
+ 
++    if (end - payload > obj->rle_data_size)
++      return 0;
++
+     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
+         (int) (end - payload), obj->rle_data_size);
+ 
+-- 
+GitLab
+
+
+From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 14:25:04 +0300
+Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough
+ data is available
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
+---
+ gst/dvdspu/gstspu-pgs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index e29f4f18826..49db6d13d8b 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+     PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
+     /* Check that the data chunk is for this object version, and fits in the buffer */
+     if (obj->rle_data_ver == obj_ver &&
+-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
++        end - payload <= obj->rle_data_size &&
++        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
+ 
+       memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
+       obj->rle_data_used += end - payload;
+-- 
+GitLab
+

SPECS/gstreamer1-plugins-bad-freeworld.spec

@@ -6,7 +6,7 @@ Summary:        GStreamer 1.0 streaming media framework "bad" plug-ins
 Name:           gstreamer1-plugins-bad-freeworld
 Epoch:          1
 Version:        1.22.1
-Release:        3%{?dist}.inferit
+Release:        4%{?dist}.inferit
 License:        LGPLv2+
 URL:            https://gstreamer.freedesktop.org/
 Source0:        %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz
@@ -15,6 +15,7 @@ Patch1:         0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch
 Patch2:         0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch
 Patch3:         0003-Fixes-ZDI-CAN-22299-CVE-2023-44446.patch
 Patch4:         0004-Fixes-ZDI-CAN-22226-CVE-2023-44429.patch
+Patch5:         0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch
 
 BuildRequires:  gcc-objc++
 BuildRequires:  meson
@@ -107,6 +108,9 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig
 
 
 %changelog
+* Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-4.inferit
+- Fixes ZDI-CAN-20994 CVE-2023-37329
+
 * Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-3.inferit
 - Fixes ZDI-CAN-22299 CVE-2023-44446
 - Fixes ZDI-CAN-22226 CVE-2023-44429