import gstreamer1-plugins-base-1.16.1-4.el8_10

SOURCES/0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch

@@ -0,0 +1,69 @@
+From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Fri, 8 Nov 2024 10:45:07 +0100
+Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
+ when handling undefined tags
+
+Fixes ZDI-CAN-23896
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
+---
+ gst-libs/gst/tag/gstexiftag.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
+index b615779be..558996b42 100644
+--- a/gst-libs/gst/tag/gstexiftag.c
++++ b/gst-libs/gst/tag/gstexiftag.c
+@@ -1372,6 +1372,8 @@ parse_exif_long_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+   }
+ }
+ 
++static inline gboolean size_checked_add(gsize *dest, gsize a, gsize b) {
++  *dest = a + b; return *dest >= a; }
+ 
+ static void
+ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+@@ -1383,6 +1385,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+ 
+   if (count > 4) {
+     GstMapInfo info;
++    gsize alloc_size;
+ 
+     if (offset < reader->base_offset) {
+       GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
+@@ -1404,14 +1407,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
+       return;
+     }
+ 
++    if (info.size - real_offset < count) {
++      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++          ", not adding tag %s", count, info.size, tag->gst_tag);
++      gst_buffer_unmap (reader->buffer, &info);
++      return;
++    }
++
++    if (!size_checked_add (&alloc_size, count, 1)) {
++      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++          ", not adding tag %s", real_offset, info.size, tag->gst_tag);
++      gst_buffer_unmap (reader->buffer, &info);
++      return;
++    }
++
+     /* +1 because it could be a string without the \0 */
+-    data = malloc (sizeof (guint8) * count + 1);
++    data = malloc (alloc_size);
+     memcpy (data, info.data + real_offset, count);
+     data[count] = 0;
+ 
+     gst_buffer_unmap (reader->buffer, &info);
+   } else {
+-    data = malloc (sizeof (guint8) * count + 1);
++    data = malloc (count + 1);
+     memcpy (data, (guint8 *) offset_as_data, count);
+     data[count] = 0;
+   }
+-- 
+2.47.0
+

SOURCES/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch

@@ -0,0 +1,36 @@
+From 5e8fa4cb835a938aba72f2b7ccd3e784e5886df8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
+index 425415874..e8d3ecaef 100644
+--- a/gst/subparse/gstsubparse.c
++++ b/gst/subparse/gstsubparse.c
+@@ -814,7 +814,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+     }
+ 
+     if (*next_tag == '<' && *(next_tag + 1) == '/') {
+-      end_tag = strchr (cur, '>');
++      end_tag = strchr (next_tag, '>');
+       if (end_tag) {
+         const gchar *last = NULL;
+         if (num_open_tags > 0)
+-- 
+2.43.0
+

SOURCES/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch

@@ -0,0 +1,33 @@
+From 889e0b00c2b3b4ecb8ab8116d6192ee7f3b37909 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:58:26 +0300
+Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
+ instead of only skipping `<`
+
+This is a small optimization and avoids restarting the next parsing
+iteration on already accepted data.
+
+On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
+previous commit independently is also a valid fix for it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ gst/subparse/gstsubparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
+index e8d3ecaef..9336419e1 100644
+--- a/gst/subparse/gstsubparse.c
++++ b/gst/subparse/gstsubparse.c
+@@ -827,6 +827,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+         } else {
+           --num_open_tags;
+           g_ptr_array_remove_index (open_tags, num_open_tags);
++          cur = end_tag + 1;
++          continue;
+         }
+       }
+     }
+-- 
+2.43.0
+

SPECS/gstreamer1-plugins-base.spec

@@ -6,7 +6,7 @@
 
 Name:           gstreamer1-plugins-base
 Version:        1.16.1
-Release:        2%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        4%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework base plugins
 
 License:        LGPLv2+
@@ -20,6 +20,9 @@ Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
 %endif
 Patch0:         0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
 Patch1:         0002-video-disable-ORC_RESTRICT.patch
+Patch2:		0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch3:		0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
+Patch4:		0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  gstreamer1-devel >= %{version}
@@ -116,6 +119,9 @@ for the GStreamer Base Plugins library.
 %setup -q -n gst-plugins-base-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 # die rpath (method of modifying libtool fails here)
@@ -483,6 +489,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 
 
 %changelog
+* Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
+- CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow
+- Resolves: RHEL-38509
+
+* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
+- CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing
+- Resolves: RHEL-19472
+
 * Wed Dec 9 2020 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
 - Fix man file names for Flatpak builds
 - Resolves: rhbz#1895935