rpms/gstreamer1-plugins-bad-free
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS gstreamer1-plugins-bad-free-1.22.1-4.el9

Browse Source
This commit is contained in:
eabdullin 2024-03-28 10:32:29 +00:00
parent 69cc5a3f62
commit 51cfd131c1
7 changed files with 686 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
SOURCES/0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch Normal file
View File

@ -0,0 +1,114 @@
From 27959a895db3949dee1c93cc05cb73465e2a1fbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:45:01 +0300
Subject: [PATCH 1/4] mxfdemux: Fix integer overflow causing out of bounds
writes when handling invalid uncompressed video
Check ahead of time when parsing the track information whether
width, height and bpp are valid and usable without overflows.
Fixes ZDI-CAN-21660, CVE-2023-40474
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
subprojects/gst-plugins-bad/gst/mxf/mxfup.c | 51 +++++++++++++++++----
1 file changed, 43 insertions(+), 8 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfup.c b/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
index d8b6664dab..ba86255f20 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.43.0

323
SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch Normal file
View File

@ -0,0 +1,323 @@
From db2e5ccfcf4db7fc3d199d885b07e5eb34770c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Oct 2023 00:09:57 +0300
Subject: [PATCH 1/2] mxfdemux: Store GstMXFDemuxEssenceTrack in their own
fixed allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
---
.../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
.../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
2 files changed, 50 insertions(+), 68 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
index d9eb9a5844..1b58989631 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->partitions = NULL;
demux->current_partition = NULL;
-
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->delta_id = -1;
@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *cand =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (cand->body_sid != partition->partition.body_sid)
continue;
@@ -866,8 +865,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -885,24 +883,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
@@ -1050,13 +1047,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
@@ -1069,7 +1060,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1438,7 +1429,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1927,8 +1918,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -2712,7 +2702,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
if (!etrack) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -3916,8 +3906,7 @@ from_track_offset:
gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -3941,8 +3930,7 @@ from_track_offset:
/* Handle EOS */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4180,8 +4168,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != partition->partition.body_sid)
continue;
@@ -4652,9 +4639,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
/* Get the corresponding essence track for the given source package and stream id */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
- GST_LOG_OBJECT (pad,
- "Looking at essence track body_sid:%d index_sid:%d",
+ g_ptr_array_index (demux->essence_tracks, i);
+ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
track->body_sid, track->index_sid);
if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
&& mxf_umid_is_equal (&clip->source_package_id,
@@ -4903,8 +4889,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5342,8 +5327,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5642,7 +5626,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -5683,8 +5667,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
etrack->position = -1;
}
ret = TRUE;
@@ -5708,8 +5691,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
demux->current_partition = NULL;
@@ -5982,7 +5964,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -6059,8 +6041,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
index d079a1de1a..1dc8a4edb5 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
@@ -266,7 +266,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
2.43.0

65
SOURCES/0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch Normal file
View File

@ -0,0 +1,65 @@
From 73f1409447033b8e3291a51893d5a027e2be15fc Mon Sep 17 00:00:00 2001
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Date: Tue, 21 Nov 2023 14:26:54 +0100
Subject: [PATCH 2/2] codecparsers: av1: Clip max tile rows and cols values
Clip tile rows and cols to 64 as describe in AV1 specification
to avoid writing outside array range but preserve sb_cols
and sb_rows value which are used to futher computation.
Fixes ZDI-CAN-22226 / CVE-2023-44429
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5734>
---
.../gst-libs/gst/codecparsers/gstav1parser.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
index 22ffefd168..7ef583c7f5 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
@@ -2243,7 +2243,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
tile_width_sb = (sb_cols + (1 << parser->state.tile_cols_log2) -
1) >> parser->state.tile_cols_log2;
i = 0;
- for (start_sb = 0; start_sb < sb_cols; start_sb += tile_width_sb) {
+ /* Fill mi_col_starts[] and make sure to not exceed array range */
+ for (start_sb = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS;
+ start_sb += tile_width_sb) {
parser->state.mi_col_starts[i] = start_sb << sb_shift;
i += 1;
}
@@ -2272,7 +2274,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
tile_height_sb = (sb_rows + (1 << parser->state.tile_rows_log2) -
1) >> parser->state.tile_rows_log2;
i = 0;
- for (start_sb = 0; start_sb < sb_rows; start_sb += tile_height_sb) {
+ /* Fill mi_row_starts[] and make sure to not exceed array range */
+ for (start_sb = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS;
+ start_sb += tile_height_sb) {
parser->state.mi_row_starts[i] = start_sb << sb_shift;
i += 1;
}
@@ -2287,7 +2291,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
} else {
widest_tile_sb = 0;
start_sb = 0;
- for (i = 0; start_sb < sb_cols; i++) {
+ /* Fill mi_col_starts[] and make sure to not exceed array range */
+ for (i = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS; i++) {
parser->state.mi_col_starts[i] = start_sb << sb_shift;
max_width = MIN (sb_cols - start_sb, max_tile_width_sb);
tile_info->width_in_sbs_minus_1[i] =
@@ -2312,7 +2317,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
max_tile_height_sb = MAX (max_tile_area_sb / widest_tile_sb, 1);
start_sb = 0;
- for (i = 0; start_sb < sb_rows; i++) {
+ /* Fill mi_row_starts[] and make sure to not exceed array range */
+ for (i = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS; i++) {
parser->state.mi_row_starts[i] = start_sb << sb_shift;
max_height = MIN (sb_rows - start_sb, max_tile_height_sb);
tile_info->height_in_sbs_minus_1[i] =
--
2.43.0

45
SOURCES/0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch Normal file
View File

@ -0,0 +1,45 @@
From cfccf4b36197359271c95f20bfcda854f6c812cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:47:03 +0300
Subject: [PATCH 2/4] mxfdemux: Check number of channels for AES3 audio
Only up to 8 channels are allowed and using a higher number would cause
integer overflows when copying the data, and lead to out of bound
writes.
Also check that each buffer is at least 4 bytes long to avoid another
overflow.
Fixes ZDI-CAN-21661, CVE-2023-40475
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
subprojects/gst-plugins-bad/gst/mxf/mxfd10.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c b/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
index 66c071372a..060d5a02de 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
--
2.43.0

66
SOURCES/0003-av1parser-Fix-array-sizes-in-scalability-structure.patch Normal file
View File

@ -0,0 +1,66 @@
From 0ded5a6d028ad40604093690c44eb022ef793531 Mon Sep 17 00:00:00 2001
From: Seungha Yang <seungha@centricular.com>
Date: Thu, 23 Nov 2023 20:24:42 +0900
Subject: [PATCH 3/4] av1parser: Fix array sizes in scalability structure
Since the AV1 specification is not explicitly mentioning about
the array size bounds, array sizes in scalability structure
should be defined as possible maximum sizes that can have.
Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
public header which is API break but the define is misleading
and this patch is introducing ABI break already
ZDI-CAN-22300
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
---
.../gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
.../gst-plugins-bad/gst/videoparsers/gstav1parse.c | 2 +-
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
index a5f1c761f6..7d2ec69fb5 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
@@ -71,9 +71,8 @@ G_BEGIN_DECLS
#define GST_AV1_MAX_TILE_COUNT 512
#define GST_AV1_MAX_OPERATING_POINTS \
(GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
#define GST_AV1_MAX_NUM_Y_POINTS 16
#define GST_AV1_MAX_NUM_CB_POINTS 16
#define GST_AV1_MAX_NUM_CR_POINTS 16
@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
gboolean spatial_layer_dimensions_present_flag;
gboolean spatial_layer_description_present_flag;
gboolean temporal_group_description_present_flag;
- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
guint8 temporal_group_size;
guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
diff --git a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
index 923bc5d70a..9eaa1f47d9 100644
--- a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
+++ b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
@@ -1271,7 +1271,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
}
val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
+ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
if (val & (1 << i))
self->highest_spatial_id = i;
}
--
2.43.0

42
SOURCES/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch Normal file
View File

@ -0,0 +1,42 @@
From 6780451f22c87e926ebf60fe55e1a9e10517f6d1 Mon Sep 17 00:00:00 2001
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date: Wed, 9 Aug 2023 12:49:19 -0400
Subject: [PATCH 4/4] h265parser: Fix possible overflow using
max_sub_layers_minus1
This fixes a possible overflow that can be triggered by an invalid value of
max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
but the allowed range is 0 to 6 only.
Fixes ZDI-CAN-21768, CVE-2023-40476
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
---
.../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
index fe775a86cd..44b723737a 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
READ_UINT8 (&nr, sps->vps_id, 4);
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.43.0

32
SPECS/gstreamer1-plugins-bad-free.spec
View File

@ -14,7 +14,7 @@
Name: gstreamer1-plugins-bad-free
Version: 1.22.1
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework "bad" plugins
License: LGPLv2+ and LGPLv2
@ -31,6 +31,14 @@ URL: http://gstreamer.freedesktop.org/
Source0: gst-plugins-bad-free-%{version}.tar.xz
Source1: gst-p-bad-cleanup.sh
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Patch1: 0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
Patch2: 0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
Patch3: 0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
Patch4: 0003-av1parser-Fix-array-sizes-in-scalability-structure.patch
Patch5: 0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
BuildRequires: meson >= 0.48.0
BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version}
@ -231,6 +239,12 @@ aren't tested well enough, or the code is not of good enough quality.
%prep
%setup -q -n gst-plugins-bad-%{version}
%patch0 -p3
%patch1 -p3
%patch2 -p3
%patch3 -p3
%patch4 -p3
%patch5 -p3
%build
%meson \
@ -665,6 +679,22 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout
%changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-4
- CVE-2023-40474: Integer overflow leading to heap overwrite in MXF
- CVE-2023-40475: Integer overflow leading to heap overwrite in MXF
- CVE-2023-40476: Integer overflow in H.265 video parser
- ZDI-CAN-22300: buffer overflow vulnerability
- Resolves: RHEL-19501, RHEL-19505, RHEL-19506, RHEL-20201
* Thu Jan 11 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-3
- Bump version
- Resolves: RHEL-16795, RHEL-16788
* Tue Dec 12 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
- Patch CVE-2023-44429: AV1 codec parser heap-based buffer overflow
- Patch CVE-2023-44446: MXF demuxer use-after-free
- Resolves: RHEL-17030, RHEL-17039
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
- Update to 1.22.1