From 0e1e0d44a103783c7dc590f59b362a754594bf35 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 13 Dec 2023 21:01:48 +0000
Subject: [PATCH] import UBI gstreamer1-plugins-bad-free-1.22.1-2.el9_3
---
 ...stMXFDemuxEssenceTrack-in-their-own-.patch | 323 ++++++++++++++++++
 ...1-Clip-max-tile-rows-and-cols-values.patch | 65 ++++
 SPECS/gstreamer1-plugins-bad-free.spec | 12 +-
 3 files changed, 399 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
 create mode 100644 SOURCES/0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
diff --git a/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch b/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
new file mode 100644
index 0000000..9467b26
--- /dev/null
+++ b/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
@@ -0,0 +1,323 @@
+From db2e5ccfcf4db7fc3d199d885b07e5eb34770c19 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Fri, 20 Oct 2023 00:09:57 +0300
+Subject: [PATCH 1/2] mxfdemux: Store GstMXFDemuxEssenceTrack in their own
+ fixed allocation
+
+Previously they were stored inline inside a GArray, but as references to
+the tracks were stored in various other places although the array could
+still be updated (and reallocated!), this could lead to dangling
+references in various places.
+
+Instead now store them in a GPtrArray in their own allocation so each
+track's memory position stays fixed.
+
+Fixes ZDI-CAN-22299
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
+
+Part-of:
+---
+ .../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
+ .../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
+ 2 files changed, 50 insertions(+), 68 deletions(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
+index d9eb9a5844..1b58989631 100644
+--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
++++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
+@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
+ }
+ 
+ static void
+-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
+ {
+- guint i;
++ if (t->offsets)
++ g_array_free (t->offsets, TRUE);
++
++ g_free (t->mapping_data);
++
++ if (t->tags)
++ gst_tag_list_unref (t->tags);
++
++ if (t->caps)
++ gst_caps_unref (t->caps);
++
++ g_free (t);
++}
+ 
++static void
++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++{
+ GST_DEBUG_OBJECT (demux, "Resetting MXF state");
+ 
+ g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
+@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+ demux->partitions = NULL;
+ 
+ demux->current_partition = NULL;
+-
+- for (i = 0; i < 
demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+-
+- if (t->offsets)
+- g_array_free (t->offsets, TRUE);
+-
+- g_free (t->mapping_data);
+-
+- if (t->tags)
+- gst_tag_list_unref (t->tags);
+-
+- if (t->caps)
+- gst_caps_unref (t->caps);
+- }
+- g_array_set_size (demux->essence_tracks, 0);
++ g_ptr_array_set_size (demux->essence_tracks, 0);
+ }
+ 
+ static void
+@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ track->source_package = NULL;
+ track->delta_id = -1;
+@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *cand =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (cand->body_sid != partition->partition.body_sid)
+ continue;
+@@ -866,8 +865,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- k);
++ g_ptr_array_index (demux->essence_tracks, k);
+ 
+ if (tmp->track_number == track->parent.track_number &&
+ tmp->body_sid == edata->body_sid) {
+@@ -885,24 +883,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ }
+ 
+ if (!etrack) {
+- GstMXFDemuxEssenceTrack tmp;
++ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
+ 
+- memset (&tmp, 0, sizeof (tmp));
+- tmp.body_sid = edata->body_sid;
+- tmp.index_sid = edata->index_sid;
+- tmp.track_number = track->parent.track_number;
+- tmp.track_id = track->parent.track_id;
+- memcpy (&tmp.source_package_uid, 
&package->parent.package_uid, 32);
++ tmp->body_sid = edata->body_sid;
++ tmp->index_sid = edata->index_sid;
++ tmp->track_number = track->parent.track_number;
++ tmp->track_id = track->parent.track_id;
++ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
+ 
+ if (demux->current_partition->partition.body_sid == edata->body_sid &&
+ demux->current_partition->partition.body_offset == 0)
+- tmp.position = 0;
++ tmp->position = 0;
+ else
+- tmp.position = -1;
++ tmp->position = -1;
+ 
+- g_array_append_val (demux->essence_tracks, tmp);
++ g_ptr_array_add (demux->essence_tracks, tmp);
+ etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
++ g_ptr_array_index (demux->essence_tracks,
+ demux->essence_tracks->len - 1);
+ new = TRUE;
+ }
+@@ -1050,13 +1047,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+ next:
+ if (new) {
+- g_free (etrack->mapping_data);
+- if (etrack->tags)
+- gst_tag_list_unref (etrack->tags);
+- if (etrack->caps)
+- gst_caps_unref (etrack->caps);
+-
+- g_array_remove_index (demux->essence_tracks,
++ g_ptr_array_remove_index (demux->essence_tracks,
+ demux->essence_tracks->len - 1);
+ }
+ }
+@@ -1069,7 +1060,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
+ GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
+@@ -1438,7 +1429,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
+ 
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++ g_ptr_array_index (demux->essence_tracks, k);
+ 
+ if (tmp->source_package == source_package &&
+ tmp->source_track == source_track) {
+@@ -1927,8 
+1918,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
+ pad->current_essence_track = NULL;
+ 
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+- GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
+ 
+ if (tmp->source_package == source_package &&
+ tmp->source_track == source_track) {
+@@ -2712,7 +2702,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
+ if (!etrack) {
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (tmp->body_sid == demux->current_partition->partition.body_sid &&
+ (tmp->track_number == track_number || tmp->track_number == 0)) {
+@@ -3916,8 +3906,7 @@ from_track_offset:
+ gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (index_start_position != -1 && t == etrack)
+ t->position = index_start_position;
+@@ -3941,8 +3930,7 @@ from_track_offset:
+ /* Handle EOS */
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (t->position > 0)
+ t->duration = t->position;
+@@ -4180,8 +4168,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
+ guint i;
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if 
(etrack->body_sid != partition->partition.body_sid)
+ continue;
+@@ -4652,9 +4639,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
+ /* Get the corresponding essence track for the given source package and stream id */
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+- GST_LOG_OBJECT (pad,
+- "Looking at essence track body_sid:%d index_sid:%d",
++ g_ptr_array_index (demux->essence_tracks, i);
++ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
+ track->body_sid, track->index_sid);
+ if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
+ && mxf_umid_is_equal (&clip->source_package_id,
+@@ -4903,8 +4889,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
+ }
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+ 
+@@ -5342,8 +5327,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
+ }
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+ 
+@@ -5642,7 +5626,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ 
+ if (t->position > 0)
+ t->duration = t->position;
+@@ -5683,8 +5667,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ 
GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ etrack->position = -1;
+ }
+ ret = TRUE;
+@@ -5708,8 +5691,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+ demux->current_partition = NULL;
+@@ -5982,7 +5964,7 @@ gst_mxf_demux_finalize (GObject * object)
+ 
+ g_ptr_array_free (demux->src, TRUE);
+ demux->src = NULL;
+- g_array_free (demux->essence_tracks, TRUE);
++ g_ptr_array_free (demux->essence_tracks, TRUE);
+ demux->essence_tracks = NULL;
+ 
+ g_hash_table_destroy (demux->metadata);
+@@ -6059,8 +6041,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
+ g_rw_lock_init (&demux->metadata_lock);
+ 
+ demux->src = g_ptr_array_new ();
+- demux->essence_tracks =
+- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
++ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
++ gst_mxf_demux_essence_track_free);
+ 
+ gst_segment_init (&demux->segment, GST_FORMAT_TIME);
+ 
+diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
+index d079a1de1a..1dc8a4edb5 100644
+--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
++++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
+@@ -266,7 +266,7 @@ struct _GstMXFDemux
+ GList *partitions;
+ GstMXFDemuxPartition *current_partition;
+ 
+- GArray *essence_tracks;
++ GPtrArray *essence_tracks;
+ 
+ GList *pending_index_table_segments;
+ GList *index_tables; /* one per BodySID / IndexSID */
+--
+2.43.0
+
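Review bot: In the `next:` block of gst_mxf_demux_update_essence_tracks, `g_ptr_array_remove_index (demux->essence_tracks, demux->essence_tracks->len - 1)` now frees the just-added track through the array's free function, so the local `etrack` dangles from that line on; whether it is read again further down is outside the hunk, but adding `etrack = NULL;` directly after the removal makes the ownership hand-off explicit and keeps any later use from becoming exactly the kind of use-after-free this patch is closing. The same reliance on the free function installed in gst_mxf_demux_init is what makes `g_ptr_array_set_size (demux->essence_tracks, 0)` in gst_mxf_demux_reset_mxf_state release every track, which is easy to miss when reading that function alone; a one-line comment such as `/* drops and frees every track via gst_mxf_demux_essence_track_free */` would document it. Note that the spec changelog on this page attributes the fix to CVE-2023-44446 while the embedded patch only cites ZDI-CAN-22299, so the CVE mapping is traceable only through the changelog. Both enclosing functions start and end outside the visible hunk lines.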
diff --git a/SOURCES/0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch b/SOURCES/0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
new file mode 100644
index 0000000..bfd8e34
--- /dev/null
+++ b/SOURCES/0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
@@ -0,0 +1,65 @@
+From 73f1409447033b8e3291a51893d5a027e2be15fc Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard
+Date: Tue, 21 Nov 2023 14:26:54 +0100
+Subject: [PATCH 2/2] codecparsers: av1: Clip max tile rows and cols values
+
+Clip tile rows and cols to 64 as describe in AV1 specification
+to avoid writing outside array range but preserve sb_cols
+and sb_rows value which are used to futher computation.
+
+Fixes ZDI-CAN-22226 / CVE-2023-44429
+
+Part-of:
+---
+ .../gst-libs/gst/codecparsers/gstav1parser.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+index 22ffefd168..7ef583c7f5 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -2243,7 +2243,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+ tile_width_sb = (sb_cols + (1 << parser->state.tile_cols_log2) -
+ 1) >> parser->state.tile_cols_log2;
+ i = 0;
+- for (start_sb = 0; start_sb < sb_cols; start_sb += tile_width_sb) {
++ /* Fill mi_col_starts[] and make sure to not exceed array range */
++ for (start_sb = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS;
++ start_sb += tile_width_sb) {
+ parser->state.mi_col_starts[i] = start_sb << sb_shift;
+ i += 1;
+ }
+@@ -2272,7 +2274,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+ tile_height_sb = (sb_rows + (1 << parser->state.tile_rows_log2) -
+ 1) >> parser->state.tile_rows_log2;
+ i = 0;
+- for (start_sb = 0; start_sb < sb_rows; start_sb += tile_height_sb) {
++ /* Fill mi_row_starts[] and make sure to not exceed array range */
++ for (start_sb = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS;
++ start_sb += tile_height_sb) {
+ parser->state.mi_row_starts[i] = start_sb << sb_shift;
+ i += 1;
+ }
+@@ -2287,7 +2291,8 @@ 
gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+ } else {
+ widest_tile_sb = 0;
+ start_sb = 0;
+- for (i = 0; start_sb < sb_cols; i++) {
++ /* Fill mi_col_starts[] and make sure to not exceed array range */
++ for (i = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS; i++) {
+ parser->state.mi_col_starts[i] = start_sb << sb_shift;
+ max_width = MIN (sb_cols - start_sb, max_tile_width_sb);
+ tile_info->width_in_sbs_minus_1[i] =
+@@ -2312,7 +2317,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+ max_tile_height_sb = MAX (max_tile_area_sb / widest_tile_sb, 1);
+ 
+ start_sb = 0;
+- for (i = 0; start_sb < sb_rows; i++) {
++ /* Fill mi_row_starts[] and make sure to not exceed array range */
++ for (i = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS; i++) {
+ parser->state.mi_row_starts[i] = start_sb << sb_shift;
+ max_height = MIN (sb_rows - start_sb, max_tile_height_sb);
+ tile_info->height_in_sbs_minus_1[i] =
+--
+2.43.0
+
diff --git a/SPECS/gstreamer1-plugins-bad-free.spec b/SPECS/gstreamer1-plugins-bad-free.spec
index 82907b5..2debd73 100644
--- a/SPECS/gstreamer1-plugins-bad-free.spec
+++ b/SPECS/gstreamer1-plugins-bad-free.spec
@@ -14,7 +14,7 @@ Name: gstreamer1-plugins-bad-free
 Version: 1.22.1
-Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer streaming media framework "bad" plugins
 License: LGPLv2+ and LGPLv2
@@ -31,6 +31,9 @@ URL: http://gstreamer.freedesktop.org/
 Source0: gst-plugins-bad-free-%{version}.tar.xz
 Source1: gst-p-bad-cleanup.sh
+Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
+Patch1: 0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
+
 BuildRequires: meson >= 0.48.0
 BuildRequires: gcc-c++
 BuildRequires: gstreamer1-devel >= %{version}
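Review bot: The added `i < GST_AV1_MAX_TILE_COLS` and `i < GST_AV1_MAX_TILE_ROWS` bounds stop the out-of-range writes to `mi_col_starts[]` and `mi_row_starts[]`, but when one of the four loops in this hunk exits because of that bound rather than because `start_sb` reached `sb_cols` or `sb_rows`, the tile layout is silently truncated and parsing continues with a tile table that does not cover the frame. A bitstream that trips the clamp is out of spec, so checking the loop's exit condition afterwards, e.g. `if (start_sb < sb_cols) return GST_AV1_PARSER_BITSTREAM_ERROR;` adapted to the function's error path (and the `sb_rows` equivalent for the row loops), would reject it instead of handing inconsistent state to the decoder; this applies equally to all four loops, so the check belongs after each. If the code following each loop stores a terminating entry at index `i`, as the AV1 MiColStarts/MiRowStarts tables do, the arrays need one slot beyond the clamp for that write to stay in bounds when `i` reaches it — the declarations are outside the hunk, so confirm their size. gst_av1_parse_tile_info starts and ends outside the visible hunk lines.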
@@ -231,6 +234,8 @@ aren't tested well enough, or the code is not of good enough quality.
 %prep
 %setup -q -n gst-plugins-bad-%{version}
+%patch0 -p3
+%patch1 -p3
 %build
 %meson \
@@ -665,6 +670,11 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout
 %changelog
+* Tue Dec 12 2023 Wim Taymans - 1.22.1-2
+- Patch CVE-2023-44429: AV1 codec parser heap-based buffer overflow
+- Patch CVE-2023-44446: MXF demuxer use-after-free
+- Resolves: RHEL-17030, RHEL-17039
+
 * Thu Apr 13 2023 Wim Taymans - 1.22.1-1
 - Update to 1.22.1