rpms
/
gstreamer1-plugins-bad-freeworld
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:i9r
Branches Tags
rpms:i10fe
rpms:i8cr
rpms:i9r
rpms:i9-beta
rpms:i9cr
rpms:el9
rpms:el8
...
pull from: rpms:el9
Branches Tags
rpms:i10fe
rpms:i8cr
rpms:i9r
rpms:i9-beta
rpms:i9cr
rpms:el9
rpms:el8

No commits in common. 'i9r' and 'el9' have entirely different histories.
i9r ... el9

10 changed files with 8 additions and 603 deletions
Show Stats

3
.gitignore vendored
Unescape View File

@ -1 +1,2 @@
SOURCES/gst-plugins-bad-1.22.1.tar.xz /gst-plugins-bad-*.tar.xz
/gstreamer1-plugins-bad-freeworld-*.src.rpm

1
.gstreamer1-plugins-bad-freeworld.metadata
Unescape View File

@ -1 +0,0 @@
d61beffd9936a47ed32b0c5c93f50a10adfede3e SOURCES/gst-plugins-bad-1.22.1.tar.xz

127
SOURCES/0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch
Unescape View File

@ -1,127 +0,0 @@
From 96b6fa8e6f35a567e26e268e8c311f4c192eed40 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:49:39 +0300
Subject: [PATCH 1/2] Fixes ZDI-CAN-21660, CVE-2023-40474
---
gst/mxf/mxfd10.c | 3 ++-
gst/mxf/mxfup.c | 51 ++++++++++++++++++++++++++++++++++++++++--------
2 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 66c0713..060d5a0 100644
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d8b6664..ba86255 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.41.0

32
SOURCES/0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch
Unescape View File

@ -1,32 +0,0 @@
From 1f9a7c6b4f658e0bbc6cb3638a8932680dbcff54 Mon Sep 17 00:00:00 2001
From: tigro <arkadiy.sheyn@softline.com>
Date: Tue, 24 Oct 2023 08:50:09 +0300
Subject: [PATCH 2/2] Fixes ZDI-CAN-21768, CVE-2023-40476
---
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index fe775a8..44b7237 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
READ_UINT8 (&nr, sps->vps_id, 4);
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.41.0

323
SOURCES/0003-Fixes-ZDI-CAN-22299-CVE-2023-44446.patch
Unescape View File

@ -1,323 +0,0 @@
From 274551d450e443a8c71baa95e3f8d5dad212737f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Oct 2023 00:09:57 +0300
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635>
---
.../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
.../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
2 files changed, 50 insertions(+), 68 deletions(-)
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index 7ae4a7b54cf..6153e89a207 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->partitions = NULL;
demux->current_partition = NULL;
-
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->delta_id = -1;
@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *cand =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (cand->body_sid != partition->partition.body_sid)
continue;
@@ -861,8 +860,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -880,24 +878,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
@@ -1045,13 +1042,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
@@ -1064,7 +1055,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1450,7 +1441,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1939,8 +1930,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -2724,7 +2714,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
if (!etrack) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -3928,8 +3918,7 @@ from_track_offset:
gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -3953,8 +3942,7 @@ from_track_offset:
/* Handle EOS */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4192,8 +4180,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != partition->partition.body_sid)
continue;
@@ -4664,9 +4651,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
/* Get the corresponding essence track for the given source package and stream id */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
- GST_LOG_OBJECT (pad,
- "Looking at essence track body_sid:%d index_sid:%d",
+ g_ptr_array_index (demux->essence_tracks, i);
+ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
track->body_sid, track->index_sid);
if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
&& mxf_umid_is_equal (&clip->source_package_id,
@@ -4915,8 +4901,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5354,8 +5339,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5654,7 +5638,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -5695,8 +5679,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
etrack->position = -1;
}
ret = TRUE;
@@ -5720,8 +5703,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
demux->current_partition = NULL;
@@ -5994,7 +5976,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -6071,8 +6053,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
index d079a1de1aa..1dc8a4edb5b 100644
--- a/gst/mxf/mxfdemux.h
+++ b/gst/mxf/mxfdemux.h
@@ -266,7 +266,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
GitLab

32
SOURCES/0004-Fixes-ZDI-CAN-22226-CVE-2023-44429.patch
Unescape View File

@ -1,32 +0,0 @@
From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Date: Wed, 4 Oct 2023 11:14:38 +0200
Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
Clip tile rows and cols to 64 as describe in AV1 specification.
Fixes ZDI-CAN-22226 / CVE-2023-44429
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634>
---
.../gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
index 0b4ce34488f..291a2c96367 100644
--- a/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/gst-libs/gst/codecparsers/gstav1parser.c
@@ -2229,6 +2229,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
+ sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
+ sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
sb_size = sb_shift + 2;
max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
--
GitLab

63
SOURCES/0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch
Unescape View File

@ -1,63 +0,0 @@
From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 14:23:47 +0300
Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the
available data
If the size read from the stream is smaller than the currently available
data then the size is bogus and the data should simply be discarded.
Fixes ZDI-CAN-20994
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
---
gst/dvdspu/gstspu-pgs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
index e609a284df9..e29f4f18826 100644
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
obj->rle_data_size = GST_READ_UINT24_BE (payload);
payload += 3;
+ if (end - payload > obj->rle_data_size)
+ return 0;
+
PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
(int) (end - payload), obj->rle_data_size);
--
GitLab
From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 14:25:04 +0300
Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough
data is available
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
---
gst/dvdspu/gstspu-pgs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
index e29f4f18826..49db6d13d8b 100644
--- a/gst/dvdspu/gstspu-pgs.c
+++ b/gst/dvdspu/gstspu-pgs.c
@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
/* Check that the data chunk is for this object version, and fits in the buffer */
if (obj->rle_data_ver == obj_ver &&
- obj->rle_data_used + end - payload <= obj->rle_data_size) {
+ end - payload <= obj->rle_data_size &&
+ obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
obj->rle_data_used += end - payload;
--
GitLab

4
SOURCES/build_what_we_need_only.patch → build_what_we_need_only.patch
Unescape View File

@ -1,7 +1,7 @@
diff -uNrp a/ext/meson.build b/ext/meson.build diff -uNrp a/ext/meson.build b/ext/meson.build
--- a/ext/meson.build 2023-01-23 19:29:34.000000000 +0000 --- a/ext/meson.build 2023-01-23 19:29:34.000000000 +0000
+++ b/ext/meson.build 2023-02-19 12:17:51.741137633 +0000 +++ b/ext/meson.build 2023-02-19 12:17:51.741137633 +0000
@@ -1,75 +1,8 @@ @@ -1,75 +1,9 @@
-subdir('aes') -subdir('aes')
-subdir('assrender') -subdir('assrender')
-subdir('aom') -subdir('aom')
@ -66,7 +66,7 @@ diff -uNrp a/ext/meson.build b/ext/meson.build
-subdir('teletextdec') -subdir('teletextdec')
-subdir('ttml') -subdir('ttml')
-subdir('voaacenc') -subdir('voaacenc')
-subdir('voamrwbenc') subdir('voamrwbenc')
-subdir('vulkan') -subdir('vulkan')
-subdir('wayland') -subdir('wayland')
-subdir('webrtc') -subdir('webrtc')

25
SPECS/gstreamer1-plugins-bad-freeworld.spec → gstreamer1-plugins-bad-freeworld.spec
Unescape View File

@ -6,16 +6,11 @@ Summary: GStreamer 1.0 streaming media framework "bad" plug-ins
Name: gstreamer1-plugins-bad-freeworld Name: gstreamer1-plugins-bad-freeworld
Epoch: 1 Epoch: 1
Version: 1.22.1 Version: 1.22.1
Release: 4%{?dist}.inferit Release: 1%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: https://gstreamer.freedesktop.org/ URL: https://gstreamer.freedesktop.org/
Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz Source0: %{url}/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz
Patch0: build_what_we_need_only.patch Patch0: build_what_we_need_only.patch
Patch1: 0001-Fixes-ZDI-CAN-21660-CVE-2023-40474.patch
Patch2: 0002-Fixes-ZDI-CAN-21768-CVE-2023-40476.patch
Patch3: 0003-Fixes-ZDI-CAN-22299-CVE-2023-44446.patch
Patch4: 0004-Fixes-ZDI-CAN-22226-CVE-2023-44429.patch
Patch5: 0005-Fixes-ZDI-CAN-20994-CVE-2023-37329.patch
BuildRequires: gcc-objc++ BuildRequires: gcc-objc++
BuildRequires: meson BuildRequires: meson
@ -37,7 +32,7 @@ Provides: gstreamer1-svt-hevc = %{version}-%{release}
Provides: gstreamer1-svt-hevc%{?_isa} = %{version}-%{release} Provides: gstreamer1-svt-hevc%{?_isa} = %{version}-%{release}
Obsoletes: gstreamer1-svt-hevc < %{version}-%{release} Obsoletes: gstreamer1-svt-hevc < %{version}-%{release}
%endif %endif
#BuildRequires: vo-amrwbenc-devel BuildRequires: vo-amrwbenc-devel
#BuildRequires: vo-aacenc-devel #BuildRequires: vo-aacenc-devel
BuildRequires: libusbx-devel BuildRequires: libusbx-devel
BuildRequires: x265-devel BuildRequires: x265-devel
@ -103,25 +98,11 @@ rm -rf %{buildroot}%{_libdir}/pkgconfig
%{_libdir}/gstreamer-1.0/libgstsvthevcenc.so %{_libdir}/gstreamer-1.0/libgstsvthevcenc.so
%endif %endif
#%%{_libdir}/gstreamer-1.0/libgstvoaacenc.so #%%{_libdir}/gstreamer-1.0/libgstvoaacenc.so
#%%{_libdir}/gstreamer-1.0/libgstvoamrwbenc.so %{_libdir}/gstreamer-1.0/libgstvoamrwbenc.so
%{_libdir}/gstreamer-1.0/libgstx265.so %{_libdir}/gstreamer-1.0/libgstx265.so
%changelog %changelog
* Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-4.inferit
- Fixes ZDI-CAN-20994 CVE-2023-37329
* Wed Nov 29 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-3.inferit
- Fixes ZDI-CAN-22299 CVE-2023-44446
- Fixes ZDI-CAN-22226 CVE-2023-44429
* Sun Oct 22 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-2.inferit
- Fixes ZDI-CAN-21660 CVE-2023-40474
- Fixes ZDI-CAN-21768 CVE-2023-40476
* Sun Oct 22 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 1:1.22.1-1
- Rebuilt for MSVSphere 9.2
* Wed Mar 29 2023 Vitaly Zaitsev <vitaly@easycoding.org> - 1:1.22.1-1 * Wed Mar 29 2023 Vitaly Zaitsev <vitaly@easycoding.org> - 1:1.22.1-1
- Updated to version 1.22.1. - Updated to version 1.22.1.

1
sources
Unescape View File

@ -0,0 +1 @@
SHA512 (gst-plugins-bad-1.22.1.tar.xz) = e380418ed9ab024a54ec62ef96d23263ff935a9c0e7a917e1aaa193067eafb3f6a9567b9af6d011a0407954bd5e9812f662f99728e3fcb68bb67e401d5b5d79c
Write Preview
Loading…
Cancel
Save