diff --git a/0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch b/0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch new file mode 100644 index 0000000..c75b1df --- /dev/null +++ b/0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch @@ -0,0 +1,114 @@ +From b6353c44ca9f005d3b57ee07fda0570d80eecc0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 10 Aug 2023 15:45:01 +0300 +Subject: [PATCH 3/5] mxfdemux: Fix integer overflow causing out of bounds + writes when handling invalid uncompressed video + +Check ahead of time when parsing the track information whether +width, height and bpp are valid and usable without overflows. + +Fixes ZDI-CAN-21660, CVE-2023-40474 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896 + +Part-of: +--- + gst/mxf/mxfup.c | 51 +++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 43 insertions(+), 8 deletions(-) + +diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c +index d8b6664da..ba86255f2 100644 +--- a/gst/mxf/mxfup.c ++++ b/gst/mxf/mxfup.c +@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gpointer mapping_data, GstBuffer ** outbuf) + { + MXFUPMappingData *data = mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; + + /* SMPTE 384M 7.1 */ + if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02 +@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + } + } + +- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) { ++ // Checked for overflows when parsing the descriptor ++ expected_in_stride = data->bpp * data->width; ++ out_stride = GST_ROUND_UP_4 (expected_in_stride); ++ expected_in_size = expected_in_stride * data->height; ++ out_size = out_stride * data->height; ++ ++ if (gst_buffer_get_size (buffer) != expected_in_size) { + GST_ERROR ("Invalid buffer size"); + gst_buffer_unref (buffer); + return GST_FLOW_ERROR; + } + +- if (data->bpp != 4 +- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) { ++ if (data->bpp != 4 || out_stride != expected_in_stride) { + guint y; + GstBuffer *ret; + GstMapInfo inmap, outmap; + guint8 *indata, *outdata; + +- ret = +- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) * +- data->height); ++ ret = gst_buffer_new_and_alloc (out_size); + gst_buffer_map (buffer, &inmap, GST_MAP_READ); + gst_buffer_map (ret, &outmap, GST_MAP_WRITE); + indata = inmap.data; +@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + + for (y = 0; y < data->height; y++) { + memcpy (outdata, indata, data->width * data->bpp); +- outdata += GST_ROUND_UP_4 (data->width * data->bpp); +- indata += data->width * data->bpp; ++ outdata += out_stride; ++ indata += expected_in_stride; + } + + gst_buffer_unmap (buffer, &inmap); +@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + return NULL; + } + ++ if (caps) { ++ MXFUPMappingData *data = *mapping_data; ++ gsize expected_in_stride = 0, out_stride = 0; ++ gsize expected_in_size = 0, out_size = 0; ++ ++ // Do some checking of the parameters to see if they're valid and ++ // we can actually work with them. ++ if (data->image_start_offset > data->image_end_offset) { ++ GST_WARNING ("Invalid image start/end offset"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ ++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) || ++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride ++ || !g_size_checked_mul (&expected_in_size, expected_in_stride, ++ data->height) ++ || !g_size_checked_mul (&out_size, out_stride, data->height)) { ++ GST_ERROR ("Invalid resolution or bit depth"); ++ g_free (data); ++ *mapping_data = NULL; ++ gst_clear_caps (&caps); ++ ++ return NULL; ++ } ++ } ++ + return caps; + } + +-- +2.43.0 + diff --git a/0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch b/0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch new file mode 100644 index 0000000..22b94bf --- /dev/null +++ b/0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch @@ -0,0 +1,45 @@ +From 706abb367ab366be142fbea4e454fdaa7e7e2bcb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 10 Aug 2023 15:47:03 +0300 +Subject: [PATCH 4/5] mxfdemux: Check number of channels for AES3 audio + +Only up to 8 channels are allowed and using a higher number would cause +integer overflows when copying the data, and lead to out of bound +writes. + +Also check that each buffer is at least 4 bytes long to avoid another +overflow. + +Fixes ZDI-CAN-21661, CVE-2023-40475 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897 + +Part-of: +--- + gst/mxf/mxfd10.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c +index 21401cf52..99c197ab9 100644 +--- a/gst/mxf/mxfd10.c ++++ b/gst/mxf/mxfd10.c +@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer, + gst_buffer_map (buffer, &map, GST_MAP_READ); + + /* Now transform raw AES3 into raw audio, see SMPTE 331M */ +- if ((map.size - 4) % 32 != 0) { ++ if (map.size < 4 || (map.size - 4) % 32 != 0) { + gst_buffer_unmap (buffer, &map); + GST_ERROR ("Invalid D10 sound essence buffer size"); + return GST_FLOW_ERROR; +@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags, + GstAudioFormat audio_format; + + if (s->channel_count == 0 || ++ s->channel_count > 8 || + s->quantization_bits == 0 || + s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) { + GST_ERROR ("Invalid descriptor"); +-- +2.43.0 + diff --git a/0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch b/0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch new file mode 100644 index 0000000..62819b0 --- /dev/null +++ b/0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch @@ -0,0 +1,42 @@ +From 33868442087aac6f26f18aeafd527c1a75946f34 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Wed, 17 Jan 2024 12:50:34 +0100 +Subject: [PATCH 5/5] h265parser: Fix possible overflow using + max_sub_layers_minus1 + +This fixes a possible overflow that can be triggered by an invalid value of +max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits, +but the allowed range is 0 to 6 only. + +Fixes ZDI-CAN-21768, CVE-2023-40476 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895 + +Part-of: +--- + gst-libs/gst/codecparsers/gsth265parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index 16fce006b..2e8ef182b 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -1490,6 +1490,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) + + READ_UINT8 (&nr, vps->max_layers_minus1, 6); + READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1); + + /* skip reserved_0xffff_16bits */ +@@ -1669,6 +1670,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, + sps->vps = vps; + + READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1); + + if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr, +-- +2.43.0 + diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec index 6f5c0bd..6ed73c5 100644 --- a/gstreamer1-plugins-bad-free.spec +++ b/gstreamer1-plugins-bad-free.spec @@ -14,7 +14,7 @@ Name: gstreamer1-plugins-bad-free Version: 1.16.1 -Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer streaming media framework "bad" plugins License: LGPLv2+ and LGPLv2 @@ -33,6 +33,9 @@ Source1: gst-p-bad-cleanup.sh #upstream patches Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch +Patch1: 0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch +Patch2: 0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch +Patch3: 0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-plugins-base-devel >= %{version} @@ -186,6 +189,9 @@ aren't tested well enough, or the code is not of good enough quality. %prep %setup -q -n gst-plugins-bad-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %configure --disable-silent-rules --disable-fatal-warnings \ @@ -474,6 +480,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';' %changelog +* Wed Jan 17 2024 Wim Taymans - 1.16.1-4 +- Patch CVE-2023-40474: Integer overflow +- Patch CVE-2023-40475: Integer overflow +- Patch CVE-2023-40476: Integer overflow in H.265 video parser +- Resolves: RHEL-19500, RHEL-19504, RHEL-19507 + * Thu Jan 11 2024 Wim Taymans - 1.16.1-3 - Bump to avoid conflict with z stream. - Resolves: RHEL-16794