Patch CVE-2023-44446: MXF demuxer use-after-free
Resolves: RHEL-16794
This commit is contained in:
parent
fa54b2613d
commit
968399f6ee
321
0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Normal file
321
0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Normal file
@ -0,0 +1,321 @@
|
|||||||
|
From 24e891568537f4447d1c212dcb355a766296bdbb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Tue, 12 Dec 2023 18:00:58 +0100
|
||||||
|
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
|
||||||
|
allocation
|
||||||
|
|
||||||
|
Previously they were stored inline inside a GArray, but as references to
|
||||||
|
the tracks were stored in various other places although the array could
|
||||||
|
still be updated (and reallocated!), this could lead to dangling
|
||||||
|
references in various places.
|
||||||
|
|
||||||
|
Instead now store them in a GPtrArray in their own allocation so each
|
||||||
|
track's memory position stays fixed.
|
||||||
|
|
||||||
|
Fixes ZDI-CAN-22299
|
||||||
|
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
|
||||||
|
---
|
||||||
|
gst/mxf/mxfdemux.c | 114 +++++++++++++++++++++------------------------
|
||||||
|
gst/mxf/mxfdemux.h | 2 +-
|
||||||
|
2 files changed, 53 insertions(+), 63 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
|
||||||
|
index f6e5ac048..b97dce1ad 100644
|
||||||
|
--- a/gst/mxf/mxfdemux.c
|
||||||
|
+++ b/gst/mxf/mxfdemux.c
|
||||||
|
@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||||
|
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
|
||||||
|
{
|
||||||
|
- guint i;
|
||||||
|
+ if (t->offsets)
|
||||||
|
+ g_array_free (t->offsets, TRUE);
|
||||||
|
+
|
||||||
|
+ g_free (t->mapping_data);
|
||||||
|
+
|
||||||
|
+ if (t->tags)
|
||||||
|
+ gst_tag_list_unref (t->tags);
|
||||||
|
+
|
||||||
|
+ if (t->caps)
|
||||||
|
+ gst_caps_unref (t->caps);
|
||||||
|
+
|
||||||
|
+ g_free (t);
|
||||||
|
+}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||||
|
+{
|
||||||
|
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
|
||||||
|
|
||||||
|
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
|
||||||
|
@@ -167,22 +182,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
demux->current_partition = NULL;
|
||||||
|
|
||||||
|
- for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
- GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
-
|
||||||
|
- if (t->offsets)
|
||||||
|
- g_array_free (t->offsets, TRUE);
|
||||||
|
-
|
||||||
|
- g_free (t->mapping_data);
|
||||||
|
-
|
||||||
|
- if (t->tags)
|
||||||
|
- gst_tag_list_unref (t->tags);
|
||||||
|
-
|
||||||
|
- if (t->caps)
|
||||||
|
- gst_caps_unref (t->caps);
|
||||||
|
- }
|
||||||
|
- g_array_set_size (demux->essence_tracks, 0);
|
||||||
|
+ g_ptr_array_set_size (demux->essence_tracks, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -200,7 +200,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *track =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
track->source_package = NULL;
|
||||||
|
track->source_track = NULL;
|
||||||
|
@@ -713,8 +713,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||||
|
GstMXFDemuxEssenceTrack *tmp =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||||
|
- k);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||||
|
|
||||||
|
if (tmp->track_number == track->parent.track_number &&
|
||||||
|
tmp->body_sid == edata->body_sid) {
|
||||||
|
@@ -732,24 +731,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!etrack) {
|
||||||
|
- GstMXFDemuxEssenceTrack tmp;
|
||||||
|
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
|
||||||
|
|
||||||
|
- memset (&tmp, 0, sizeof (tmp));
|
||||||
|
- tmp.body_sid = edata->body_sid;
|
||||||
|
- tmp.index_sid = edata->index_sid;
|
||||||
|
- tmp.track_number = track->parent.track_number;
|
||||||
|
- tmp.track_id = track->parent.track_id;
|
||||||
|
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
|
||||||
|
+ tmp->body_sid = edata->body_sid;
|
||||||
|
+ tmp->index_sid = edata->index_sid;
|
||||||
|
+ tmp->track_number = track->parent.track_number;
|
||||||
|
+ tmp->track_id = track->parent.track_id;
|
||||||
|
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
|
||||||
|
|
||||||
|
if (demux->current_partition->partition.body_sid == edata->body_sid &&
|
||||||
|
demux->current_partition->partition.body_offset == 0)
|
||||||
|
- tmp.position = 0;
|
||||||
|
+ tmp->position = 0;
|
||||||
|
else
|
||||||
|
- tmp.position = -1;
|
||||||
|
+ tmp->position = -1;
|
||||||
|
|
||||||
|
- g_array_append_val (demux->essence_tracks, tmp);
|
||||||
|
+ g_ptr_array_add (demux->essence_tracks, tmp);
|
||||||
|
etrack =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks,
|
||||||
|
demux->essence_tracks->len - 1);
|
||||||
|
new = TRUE;
|
||||||
|
}
|
||||||
|
@@ -876,13 +874,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
next:
|
||||||
|
if (new) {
|
||||||
|
- g_free (etrack->mapping_data);
|
||||||
|
- if (etrack->tags)
|
||||||
|
- gst_tag_list_unref (etrack->tags);
|
||||||
|
- if (etrack->caps)
|
||||||
|
- gst_caps_unref (etrack->caps);
|
||||||
|
-
|
||||||
|
- g_array_remove_index (demux->essence_tracks,
|
||||||
|
+ g_ptr_array_remove_index (demux->essence_tracks,
|
||||||
|
demux->essence_tracks->len - 1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -895,7 +887,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *etrack =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
|
||||||
|
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
|
||||||
|
@@ -1117,7 +1109,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||||
|
GstMXFDemuxEssenceTrack *tmp =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||||
|
|
||||||
|
if (tmp->source_package == source_package &&
|
||||||
|
tmp->source_track == source_track) {
|
||||||
|
@@ -1598,8 +1590,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
|
||||||
|
pad->current_essence_track = NULL;
|
||||||
|
|
||||||
|
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||||
|
- GstMXFDemuxEssenceTrack *tmp =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||||
|
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
|
||||||
|
|
||||||
|
if (tmp->source_package == source_package &&
|
||||||
|
tmp->source_track == source_track) {
|
||||||
|
@@ -1731,7 +1722,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *tmp =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
|
||||||
|
(tmp->track_number == track_number || tmp->track_number == 0)) {
|
||||||
|
@@ -2656,7 +2647,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *etrack =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (etrack->body_sid != demux->current_partition->partition.body_sid)
|
||||||
|
continue;
|
||||||
|
@@ -2719,7 +2710,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
|
||||||
|
guint i;
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *etrack =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (etrack->body_sid != demux->current_partition->partition.body_sid)
|
||||||
|
continue;
|
||||||
|
@@ -2914,7 +2905,7 @@ from_index:
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (index_start_position != -1 && t == etrack)
|
||||||
|
t->position = index_start_position;
|
||||||
|
@@ -2937,8 +2928,7 @@ from_index:
|
||||||
|
if (ret == GST_FLOW_EOS) {
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||||
|
- i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (t->position > 0)
|
||||||
|
t->duration = t->position;
|
||||||
|
@@ -3020,7 +3010,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (t->position > 0)
|
||||||
|
t->duration = t->position;
|
||||||
|
@@ -3627,8 +3617,8 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
- GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
+
|
||||||
|
t->position = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -4001,8 +3991,8 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
- GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
+
|
||||||
|
t->position = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -4284,7 +4274,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
|
||||||
|
if (t->position > 0)
|
||||||
|
t->duration = t->position;
|
||||||
|
@@ -4325,8 +4315,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *etrack =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||||
|
- i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
+
|
||||||
|
etrack->position = -1;
|
||||||
|
}
|
||||||
|
ret = TRUE;
|
||||||
|
@@ -4350,8 +4340,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||||
|
|
||||||
|
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||||
|
GstMXFDemuxEssenceTrack *t =
|
||||||
|
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||||
|
- i);
|
||||||
|
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||||
|
+
|
||||||
|
t->position = -1;
|
||||||
|
}
|
||||||
|
demux->current_partition = NULL;
|
||||||
|
@@ -4624,7 +4614,7 @@ gst_mxf_demux_finalize (GObject * object)
|
||||||
|
|
||||||
|
g_ptr_array_free (demux->src, TRUE);
|
||||||
|
demux->src = NULL;
|
||||||
|
- g_array_free (demux->essence_tracks, TRUE);
|
||||||
|
+ g_ptr_array_free (demux->essence_tracks, TRUE);
|
||||||
|
demux->essence_tracks = NULL;
|
||||||
|
|
||||||
|
g_hash_table_destroy (demux->metadata);
|
||||||
|
@@ -4701,8 +4691,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
|
||||||
|
g_rw_lock_init (&demux->metadata_lock);
|
||||||
|
|
||||||
|
demux->src = g_ptr_array_new ();
|
||||||
|
- demux->essence_tracks =
|
||||||
|
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
|
||||||
|
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
|
||||||
|
+ gst_mxf_demux_essence_track_free);
|
||||||
|
|
||||||
|
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
|
||||||
|
|
||||||
|
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
|
||||||
|
index aac3e67d0..a452980ee 100644
|
||||||
|
--- a/gst/mxf/mxfdemux.h
|
||||||
|
+++ b/gst/mxf/mxfdemux.h
|
||||||
|
@@ -182,7 +182,7 @@ struct _GstMXFDemux
|
||||||
|
GList *partitions;
|
||||||
|
GstMXFDemuxPartition *current_partition;
|
||||||
|
|
||||||
|
- GArray *essence_tracks;
|
||||||
|
+ GPtrArray *essence_tracks;
|
||||||
|
|
||||||
|
GList *pending_index_table_segments;
|
||||||
|
GList *index_tables; /* one per BodySID / IndexSID */
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
Name: gstreamer1-plugins-bad-free
|
Name: gstreamer1-plugins-bad-free
|
||||||
Version: 1.16.1
|
Version: 1.16.1
|
||||||
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
|
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||||
Summary: GStreamer streaming media framework "bad" plugins
|
Summary: GStreamer streaming media framework "bad" plugins
|
||||||
|
|
||||||
License: LGPLv2+ and LGPLv2
|
License: LGPLv2+ and LGPLv2
|
||||||
@ -32,6 +32,7 @@ Source0: gst-plugins-bad-free-%{version}.tar.xz
|
|||||||
Source1: gst-p-bad-cleanup.sh
|
Source1: gst-p-bad-cleanup.sh
|
||||||
|
|
||||||
#upstream patches
|
#upstream patches
|
||||||
|
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
|
||||||
|
|
||||||
BuildRequires: gstreamer1-devel >= %{version}
|
BuildRequires: gstreamer1-devel >= %{version}
|
||||||
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
|
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
|
||||||
@ -184,6 +185,7 @@ aren't tested well enough, or the code is not of good enough quality.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n gst-plugins-bad-%{version}
|
%setup -q -n gst-plugins-bad-%{version}
|
||||||
|
%patch0 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||||
@ -472,6 +474,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
|
||||||
|
- Patch CVE-2023-44446: MXF demuxer use-after-free
|
||||||
|
- Resolves: RHEL-16794
|
||||||
|
|
||||||
* Mon Nov 18 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
|
* Mon Nov 18 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
|
||||||
- Update to 1.16.1
|
- Update to 1.16.1
|
||||||
- Remove upstreamed patches
|
- Remove upstreamed patches
|
||||||
|
Loading…
Reference in New Issue
Block a user