Compare commits

..

No commits in common. 'el9' and 'i9r' have entirely different histories.
el9 ... i9r

3
.gitignore vendored

@ -1,2 +1 @@
/gst-plugins-bad-*.tar.xz
/gstreamer1-plugins-bad-freeworld-*.src.rpm
SOURCES/gst-plugins-bad-1.22.1.tar.xz

@ -0,0 +1 @@
d61beffd9936a47ed32b0c5c93f50a10adfede3e SOURCES/gst-plugins-bad-1.22.1.tar.xz

@ -0,0 +1,127 @@
From 96b6fa8e6f35a567e26e268e8c311f4c192eed40 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:49:39 +0300
Subject: [PATCH 1/2] Fixes ZDI-CAN-21660, CVE-2023-40474
---
gst/mxf/mxfd10.c | 3 ++-
gst/mxf/mxfup.c | 51 ++++++++++++++++++++++++++++++++++++++++--------
2 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 66c0713..060d5a0 100644
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d8b6664..ba86255 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.41.0

@ -0,0 +1,32 @@
From 1f9a7c6b4f658e0bbc6cb3638a8932680dbcff54 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:50:09 +0300
Subject: [PATCH 2/2] Fixes ZDI-CAN-21768, CVE-2023-40476
---
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index fe775a8..44b7237 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
READ_UINT8 (&nr, sps->vps_id, 4);
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.41.0

@ -0,0 +1,323 @@
From 274551d450e443a8c71baa95e3f8d5dad212737f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Oct 2023 00:09:57 +0300
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635>
---
.../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
.../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
2 files changed, 50 insertions(+), 68 deletions(-)
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index 7ae4a7b54cf..6153e89a207 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->partitions = NULL;
demux->current_partition = NULL;
-
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->delta_id = -1;
@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *cand =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (cand->body_sid != partition->partition.body_sid)
continue;
@@ -861,8 +860,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -880,24 +878,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
@@ -1045,13 +1042,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
@@ -1064,7 +1055,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1450,7 +1441,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1939,8 +1930,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -2724,7 +2714,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
if (!etrack) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -3928,8 +3918,7 @@ from_track_offset:
gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -3953,8 +3942,7 @@ from_track_offset:
/* Handle EOS */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4192,8 +4180,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != partition->partition.body_sid)
continue;
@@ -4664,9 +4651,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
/* Get the corresponding essence track for the given source package and stream id */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
- GST_LOG_OBJECT (pad,
- "Looking at essence track body_sid:%d index_sid:%d",
+ g_ptr_array_index (demux->essence_tracks, i);
+ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
track->body_sid, track->index_sid);
if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
&& mxf_umid_is_equal (&clip->source_package_id,
@@ -4915,8 +4901,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5354,8 +5339,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5654,7 +5638,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -5695,8 +5679,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
etrack->position = -1;
}
ret = TRUE;
@@ -5720,8 +5703,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
demux->current_partition = NULL;
@@ -5994,7 +5976,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -6071,8 +6053,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
index d079a1de1aa..1dc8a4edb5b 100644
--- a/gst/mxf/mxfdemux.h
+++ b/gst/mxf/mxfdemux.h
@@ -266,7 +266,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
GitLab

@ -0,0 +1,32 @@
From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Date: Wed, 4 Oct 2023 11:14:38 +0200
Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
Clip tile rows and cols to 64 as describe in AV1 specification.
Fixes ZDI-CAN-22226 / CVE-2023-44429
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634>
---
.../gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
index 0b4ce34488f..291a2c96367 100644
--- a/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/gst-libs/gst/codecparsers/gstav1parser.c
@@ -2229,6 +2229,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
+ sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
+ sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
sb_size = sb_shift + 2;
max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
--
GitLab

@ -0,0 +1,63 @@
From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 14:23:47 +0300
Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the
available data
If the size read from the stream is smaller than the currently available
data then the size is bogus and the data should simply be discarded.
Fixes ZDI-CAN-20994
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
---
gst/dvdspu/gstspu-pgs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
index e609a284df9..e29f4f18826 100644
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
obj->rle_data_size = GST_READ_UINT24_BE (payload);
payload += 3;
+ if (end - payload > obj->rle_data_size)
+ return 0;
+
PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
(int) (end - payload), obj->rle_data_size);
--
GitLab
From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 14:25:04 +0300
Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough
data is available
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
---
gst/dvdspu/gstspu-pgs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
index e29f4f18826..49db6d13d8b 100644
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
/* Check that the data chunk is for this object version, and fits in the buffer */
if (obj->rle_data_ver == obj_ver &&
- obj->rle_data_used + end - payload <= obj->rle_data_size) {
+ end - payload <= obj->rle_data_size &&
+ obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
obj->rle_data_used += end - payload;
--
GitLab

@ -1,7 +1,7 @@
diff -uNrp a/ext/meson.build b/ext/meson.build
--- a/ext/meson.build 2023-01-23 19:29:34.000000000 +0000
+++ b/ext/meson.build 2023-02-19 12:17:51.741137633 +0000
@@ -1,75 +1,9 @@
@@ -1,75 +1,8 @@
-subdir('aes')
-subdir('assrender')
-subdir('aom')
@ -66,7 +66,7 @@ diff -uNrp a/ext/meson.build b/ext/meson.build
-subdir('teletextdec')
-subdir('ttml')
-subdir('voaacenc')
subdir('voamrwbenc')
-subdir('voamrwbenc')
-subdir('vulkan')
-subdir('wayland')
-subdir('webrtc')

@ -6,11 +6,16 @@ Summary: GStreamer 1.0 streaming media framework "bad" plug-ins
Name: gstreamer1-plugins-bad-freeworld
Epoch: 1
Version: 1.22.1
Release: 1%{?dist}
Release: 4%{?dist}.inferit
License: LGPLv2+
URL: https://gstreamer.freedesktop.org/
Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz
Patch0: build_what_we_need_only.patch
Patch1: 0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch
Patch2: 0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch
Patch3: 0003-Fixes-ZDI-CAN-22299-CVE-2023-44446.patch
Patch4: 0004-Fixes-ZDI-CAN-22226-CVE-2023-44429.patch
Patch5: 0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch
BuildRequires: gcc-objc++
BuildRequires: meson
@ -32,7 +37,7 @@ Provides: gstreamer1-svt-hevc = %{version}-%{release}
Provides: gstreamer1-svt-hevc%{?_isa} = %{version}-%{release}
Obsoletes: gstreamer1-svt-hevc < %{version}-%{release}
%endif
BuildRequires: vo-amrwbenc-devel
#BuildRequires: vo-amrwbenc-devel
#BuildRequires: vo-aacenc-devel
BuildRequires: libusbx-devel
BuildRequires: x265-devel
@ -98,11 +103,25 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig
%{_libdir}/gstreamer-1.0/libgstsvthevcenc.so
%endif
#%%{_libdir}/gstreamer-1.0/libgstvoaacenc.so
%{_libdir}/gstreamer-1.0/libgstvoamrwbenc.so
#%%{_libdir}/gstreamer-1.0/libgstvoamrwbenc.so
%{_libdir}/gstreamer-1.0/libgstx265.so
%changelog
* Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-4.inferit
- Fixes ZDI-CAN-20994 CVE-2023-37329
* Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-3.inferit
- Fixes ZDI-CAN-22299 CVE-2023-44446
- Fixes ZDI-CAN-22226 CVE-2023-44429
* Sun Oct 22 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-2.inferit
- Fixes ZDI-CAN-21660 CVE-2023-40474
- Fixes ZDI-CAN-21768 CVE-2023-40476
* Sun Oct 22 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-1
- Rebuilt for MSVSphere 9.2
* Wed Mar 29 2023 Vitaly Zaitsev <vitaly@easycoding.org> - 1:1.22.1-1
- Updated to version 1.22.1.

@ -1 +0,0 @@
SHA512 (gst-plugins-bad-1.22.1.tar.xz) = e380418ed9ab024a54ec62ef96d23263ff935a9c0e7a917e1aaa193067eafb3f6a9567b9af6d011a0407954bd5e9812f662f99728e3fcb68bb67e401d5b5d79c
Loading…
Cancel
Save