Patch CVE-2023-44429: AV1 codec parser heap-based buffer overflow

Patch CVE-2023-44446: MXF demuxer use-after-free

Resolves: RHEL-17030, RHEL-17039
This commit is contained in:
Wim Taymans 2023-12-12 15:53:00 +01:00
parent 01ecbe74e3
commit 67c714a792
3 changed files with 399 additions and 1 deletions

View File

@ -0,0 +1,323 @@
From db2e5ccfcf4db7fc3d199d885b07e5eb34770c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Oct 2023 00:09:57 +0300
Subject: [PATCH 1/2] mxfdemux: Store GstMXFDemuxEssenceTrack in their own
fixed allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
---
.../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
.../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
2 files changed, 50 insertions(+), 68 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
index d9eb9a5844..1b58989631 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.c
@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->partitions = NULL;
demux->current_partition = NULL;
-
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->delta_id = -1;
@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *cand =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (cand->body_sid != partition->partition.body_sid)
continue;
@@ -866,8 +865,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -885,24 +883,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
@@ -1050,13 +1047,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
@@ -1069,7 +1060,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1438,7 +1429,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1927,8 +1918,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -2712,7 +2702,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
if (!etrack) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -3916,8 +3906,7 @@ from_track_offset:
gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -3941,8 +3930,7 @@ from_track_offset:
/* Handle EOS */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4180,8 +4168,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != partition->partition.body_sid)
continue;
@@ -4652,9 +4639,8 @@ gst_mxf_demux_pad_to_track_and_position (GstMXFDemux * demux,
/* Get the corresponding essence track for the given source package and stream id */
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
- GST_LOG_OBJECT (pad,
- "Looking at essence track body_sid:%d index_sid:%d",
+ g_ptr_array_index (demux->essence_tracks, i);
+ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
track->body_sid, track->index_sid);
if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
&& mxf_umid_is_equal (&clip->source_package_id,
@@ -4903,8 +4889,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5342,8 +5327,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
@@ -5642,7 +5626,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -5683,8 +5667,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
etrack->position = -1;
}
ret = TRUE;
@@ -5708,8 +5691,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
t->position = -1;
}
demux->current_partition = NULL;
@@ -5982,7 +5964,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -6059,8 +6041,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
index d079a1de1a..1dc8a4edb5 100644
--- a/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
+++ b/subprojects/gst-plugins-bad/gst/mxf/mxfdemux.h
@@ -266,7 +266,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
2.43.0

View File

@ -0,0 +1,65 @@
From 73f1409447033b8e3291a51893d5a027e2be15fc Mon Sep 17 00:00:00 2001
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Date: Tue, 21 Nov 2023 14:26:54 +0100
Subject: [PATCH 2/2] codecparsers: av1: Clip max tile rows and cols values
Clip tile rows and cols to 64 as describe in AV1 specification
to avoid writing outside array range but preserve sb_cols
and sb_rows value which are used to futher computation.
Fixes ZDI-CAN-22226 / CVE-2023-44429
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5734>
---
.../gst-libs/gst/codecparsers/gstav1parser.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
index 22ffefd168..7ef583c7f5 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
@@ -2243,7 +2243,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
tile_width_sb = (sb_cols + (1 << parser->state.tile_cols_log2) -
1) >> parser->state.tile_cols_log2;
i = 0;
- for (start_sb = 0; start_sb < sb_cols; start_sb += tile_width_sb) {
+ /* Fill mi_col_starts[] and make sure to not exceed array range */
+ for (start_sb = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS;
+ start_sb += tile_width_sb) {
parser->state.mi_col_starts[i] = start_sb << sb_shift;
i += 1;
}
@@ -2272,7 +2274,9 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
tile_height_sb = (sb_rows + (1 << parser->state.tile_rows_log2) -
1) >> parser->state.tile_rows_log2;
i = 0;
- for (start_sb = 0; start_sb < sb_rows; start_sb += tile_height_sb) {
+ /* Fill mi_row_starts[] and make sure to not exceed array range */
+ for (start_sb = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS;
+ start_sb += tile_height_sb) {
parser->state.mi_row_starts[i] = start_sb << sb_shift;
i += 1;
}
@@ -2287,7 +2291,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
} else {
widest_tile_sb = 0;
start_sb = 0;
- for (i = 0; start_sb < sb_cols; i++) {
+ /* Fill mi_col_starts[] and make sure to not exceed array range */
+ for (i = 0; start_sb < sb_cols && i < GST_AV1_MAX_TILE_COLS; i++) {
parser->state.mi_col_starts[i] = start_sb << sb_shift;
max_width = MIN (sb_cols - start_sb, max_tile_width_sb);
tile_info->width_in_sbs_minus_1[i] =
@@ -2312,7 +2317,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
max_tile_height_sb = MAX (max_tile_area_sb / widest_tile_sb, 1);
start_sb = 0;
- for (i = 0; start_sb < sb_rows; i++) {
+ /* Fill mi_row_starts[] and make sure to not exceed array range */
+ for (i = 0; start_sb < sb_rows && i < GST_AV1_MAX_TILE_ROWS; i++) {
parser->state.mi_row_starts[i] = start_sb << sb_shift;
max_height = MIN (sb_rows - start_sb, max_tile_height_sb);
tile_info->height_in_sbs_minus_1[i] =
--
2.43.0

View File

@ -14,7 +14,7 @@
Name: gstreamer1-plugins-bad-free Name: gstreamer1-plugins-bad-free
Version: 1.22.1 Version: 1.22.1
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework "bad" plugins Summary: GStreamer streaming media framework "bad" plugins
License: LGPLv2+ and LGPLv2 License: LGPLv2+ and LGPLv2
@ -31,6 +31,9 @@ URL: http://gstreamer.freedesktop.org/
Source0: gst-plugins-bad-free-%{version}.tar.xz Source0: gst-plugins-bad-free-%{version}.tar.xz
Source1: gst-p-bad-cleanup.sh Source1: gst-p-bad-cleanup.sh
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Patch1: 0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
BuildRequires: meson >= 0.48.0 BuildRequires: meson >= 0.48.0
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-devel >= %{version}
@ -231,6 +234,8 @@ aren't tested well enough, or the code is not of good enough quality.
%prep %prep
%setup -q -n gst-plugins-bad-%{version} %setup -q -n gst-plugins-bad-%{version}
%patch0 -p3
%patch1 -p3
%build %build
%meson \ %meson \
@ -665,6 +670,11 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout
%changelog %changelog
* Tue Dec 12 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
- Patch CVE-2023-44429: AV1 codec parser heap-based buffer overflow
- Patch CVE-2023-44446: MXF demuxer use-after-free
- Resolves: RHEL-17030, RHEL-17039
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1 * Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
- Update to 1.22.1 - Update to 1.22.1