import gstreamer1-plugins-base-1.22.1-3.el9_5

SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch

@@ -1,21 +1,21 @@
-From 06ca82cad9898f5df40011fe0614ee1dfd89f1ae Mon Sep 17 00:00:00 2001
+From cd9358bdbae7e0cbaac4c235dead2e819b033d2f Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
-Date: Fri, 3 Aug 2012 17:50:24 +0100
-Subject: [PATCH 1/2] missing-plugins: Remove the mpegaudioversion field
+Date: Wed, 17 Jan 2024 16:19:30 +0100
+Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field
 
 From missing plugins requests as it's a duplicate of mpegversion
 and its presence would break codec discovery when using RPM.
 
 https://bugzilla.redhat.com/show_bug.cgi?id=680809
 ---
- gst-libs/gst/pbutils/missing-plugins.c | 3 +++
+ .../gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c    | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/gst-libs/gst/pbutils/missing-plugins.c b/gst-libs/gst/pbutils/missing-plugins.c
-index a08803b18..cdce4bf05 100644
---- a/gst-libs/gst/pbutils/missing-plugins.c
-+++ b/gst-libs/gst/pbutils/missing-plugins.c
-@@ -151,6 +151,9 @@ copy_and_clean_caps (const GstCaps * caps)
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
+index 69330b933b..c4fd3e6737 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
++++ b/subprojects/gst-plugins-base/gst-libs/gst/pbutils/missing-plugins.c
+@@ -191,6 +191,9 @@ copy_and_clean_caps (const GstCaps * caps)
    gst_structure_remove_field (s, "play-speed");
    gst_structure_remove_field (s, "play-scale");
    gst_structure_remove_field (s, "dynamic_range");
@@ -26,5 +26,5 @@ index a08803b18..cdce4bf05 100644
    return ret;
  }
 -- 
-2.14.3
+2.47.0
 

SOURCES/0002-gl-fix-compilation.patch

@@ -0,0 +1,25 @@
+From 2ede3bc75535b7445db836fdcb6a6c85c5f47dbe Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 17 Jan 2024 16:20:46 +0100
+Subject: [PATCH 2/8] gl: fix compilation
+
+---
+ .../gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h           | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
+index 0212744b74..58299473d9 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
++++ b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
+@@ -22,7 +22,7 @@
+ #define __GST_GL_WINDOW_WAYLAND_EGL_H__
+ 
+ #include <wayland-client.h>
+-#include "xdg-shell-client-protocol.h"
++#include "../xdg-shell-client-protocol.h"
+ #include <wayland-egl.h>
+ #include <wayland-cursor.h>
+ 
+-- 
+2.47.0
+

SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch

@@ -0,0 +1,36 @@
+From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 7aa922cdd8..d0960a971a 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+     }
+ 
+     if (*next_tag == '<' && *(next_tag + 1) == '/') {
+-      end_tag = strchr (cur, '>');
++      end_tag = strchr (next_tag, '>');
+       if (end_tag) {
+         const gchar *last = NULL;
+         if (num_open_tags > 0)
+-- 
+2.47.0
+

SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch

@@ -0,0 +1,33 @@
+From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:58:26 +0300
+Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag
+ instead of only skipping `<`
+
+This is a small optimization and avoids restarting the next parsing
+iteration on already accepted data.
+
+On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
+previous commit independently is also a valid fix for it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index d0960a971a..b33ddbb2a7 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+         } else {
+           --num_open_tags;
+           g_ptr_array_remove_index (open_tags, num_open_tags);
++          cur = end_tag + 1;
++          continue;
+         }
+       }
+     }
+-- 
+2.47.0
+

SOURCES/0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch

@@ -0,0 +1,34 @@
+From 1ac83c63d28d02d2dbed663cd6eda4009d6b717e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 13:22:57 +0300
+Subject: [PATCH 5/8] tags: Don't allow image tags with G_MAXUINT32 length
+
+This will cause an integer overflow a little bit further down because we
+allocate a bit more memory to allow for a NUL-terminator.
+
+The caller should've avoided passing that much data in already as it's
+not going to be a valid image and there's likely not even that much data
+available.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
+index 73e6bb4a36..d38a0c97f4 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
++++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
+@@ -530,7 +530,8 @@ gst_tag_image_data_to_image_sample (const guint8 * image_data,
+   GstStructure *image_info = NULL;
+ 
+   g_return_val_if_fail (image_data != NULL, NULL);
+-  g_return_val_if_fail (image_data_len > 0, NULL);
++  g_return_val_if_fail (image_data_len > 0
++      || image_data_len == G_MAXUINT32, NULL);
+   g_return_val_if_fail (gst_tag_image_type_is_valid (image_type), NULL);
+ 
+   GST_DEBUG ("image data len: %u bytes", image_data_len);
+-- 
+2.47.0
+

SOURCES/0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch

@@ -0,0 +1,37 @@
+From 854ad98510462c560ede6539157ce53bebdebf15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 1 Oct 2024 13:22:50 +0300
+Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-116
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8096>
+---
+ subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+index 60f8879dc5..03d061ad00 100644
+--- a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
++++ b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
+         posn = gst_opus_channel_positions[dec->n_channels - 1];
+         break;
+       default:{
+-        gint i;
++        guint i, max_pos = MIN (dec->n_channels, 64);
+ 
+         GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
+             (NULL), ("Using NONE channel layout for more than 8 channels"));
+ 
+-        for (i = 0; i < dec->n_channels; i++)
++        for (i = 0; i < max_pos; i++)
+           pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+ 
+         posn = pos;
+-- 
+2.47.0
+

SOURCES/0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch

@@ -0,0 +1,76 @@
+From 99cc78f36aa11642e88cad83a9f0a068c91532eb Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 15:16:30 +0200
+Subject: [PATCH 7/8] vorbis_parse: check writes to
+ GstOggStream.vorbis_mode_sizes
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-117 Fixes gstreamer#3875
+
+Also perform out-of-bounds check for accesses to op->packet
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
+---
+ .../gst-plugins-base/ext/ogg/vorbis_parse.c   | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+index 65ef463808..757c7cd82b 100644
+--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
++++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 0) {
+       offset = 8;
+       current_pos -= 1;
++
++      /* have we underrun? */
++      if (current_pos < op->packet)
++        return -1;
+     }
+   }
+ 
+@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 7)
+       current_pos -= 1;
+ 
++    /* have we underrun? */
++    if (current_pos < op->packet + 5)
++      return -1;
++
+     if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
+         ||
+         current_pos[-4] != 0
+@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+   /* Give ourselves a chance to recover if we went back too far by using
+    * the size check. */
+   for (ii = 0; ii < 2; ii++) {
++
+     if (offset > 4) {
++      /* have we underrun? */
++      if (current_pos < op->packet)
++        return -1;
++
+       size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
+     } else {
++      /* have we underrun? */
++      if (current_pos < op->packet + 1)
++        return -1;
++
+       /* mask part of byte from current_pos */
+       size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
+       /* shift to appropriate position */
+@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ 
+   mode_size_ptr = pad->vorbis_mode_sizes;
+ 
++  if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
++    return -1;
++  }
++
+   for (i = 0; i < size; i++) {
+     offset = (offset + 1) % 8;
+     if (offset == 0)
+-- 
+2.47.0
+

SOURCES/0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch

@@ -0,0 +1,31 @@
+From 60cd489c12b46b63c6e6b95e24cacd53fef739ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:35:07 +0300
+Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-115
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8101>
+---
+ subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+index 6a410ed858..1fc4fa883e 100644
+--- a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
++++ b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
+     }
+     default:{
+       GstAudioChannelPosition position[64];
+-      gint i, max_pos = MAX (vd->vi.channels, 64);
++      gint i, max_pos = MIN (vd->vi.channels, 64);
+ 
+       GST_ELEMENT_WARNING (vd, STREAM, DECODE,
+           (NULL), ("Using NONE channel layout for more than 8 channels"));
+-- 
+2.47.0
+

SOURCES/xdg-compile.patch

@@ -1,12 +0,0 @@
-diff -ru gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
---- gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h	2021-03-15 18:48:01.251275800 +0100
-+++ gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h	2022-01-14 16:53:07.235319602 +0100
-@@ -22,7 +22,7 @@
- #define __GST_GL_WINDOW_WAYLAND_EGL_H__
- 
- #include <wayland-client.h>
--#include "xdg-shell-client-protocol.h"
-+#include "../xdg-shell-client-protocol.h"
- #include <wayland-egl.h>
- #include <wayland-cursor.h>
- 

SPECS/gstreamer1-plugins-base.spec

@@ -6,7 +6,7 @@
 
 Name:           gstreamer1-plugins-base
 Version:        1.22.1
-Release:        1%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        3%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework base plugins
 
 License:        LGPLv2+
@@ -18,9 +18,14 @@ Source0:        gst-plugins-base-%{version}.tar.xz
 %else
 Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz
 %endif
-Patch0:         0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
-
-Patch1:	        xdg-compile.patch
+Patch0:		0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+Patch1:		0002-gl-fix-compilation.patch
+Patch2:		0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch3:		0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
+Patch4:		0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch
+Patch5:		0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch6:		0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
+Patch7:		0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
 
 BuildRequires:  meson >= 0.48.0
 BuildRequires:  gcc
@@ -117,8 +122,14 @@ for the GStreamer Base Plugins library.
 
 %prep
 %setup -q -n gst-plugins-base-%{version}
-%patch0 -p1
-%patch1 -p1
+%patch0 -p3
+%patch1 -p3
+%patch2 -p3
+%patch3 -p3
+%patch4 -p3
+%patch5 -p3
+%patch6 -p3
+%patch7 -p3
 
 %build
 %meson \
@@ -483,6 +494,14 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %endif
 
 %changelog
+* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-3
+- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
+  Resolves: RHEL-70979, RHEL-71015, RHEL-70991
+
+* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
+- CVE-2023-37328: heap overwrite in subtitle parsing
+- Resolves: RHEL-19475
+
 * Wed Apr 12 2021 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
 - Update to 1.22.1
 - Resolves: rhbz#2144557