diff --git a/.gstreamer1-plugins-bad-free.metadata b/.gstreamer1-plugins-bad-free.metadata
new file mode 100644
index 0000000..fa18a83
--- /dev/null
+++ b/.gstreamer1-plugins-bad-free.metadata
@@ -0,0 +1 @@
+fb0172c16d7e8ab7c7c6497f302d64a6e0ff974b gst-plugins-bad-free-1.22.1.tar.xz
diff --git a/0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch b/0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
new file mode 100644
index 0000000..b9f0f61
--- /dev/null
+++ b/0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
@@ -0,0 +1,114 @@
+From 27959a895db3949dee1c93cc05cb73465e2a1fbe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH 1/4] mxfdemux: Fix integer overflow causing out of bounds
+ writes when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfup.c b/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
+index d8b6664dab..ba86255f20 100644
+--- a/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
++++ b/subprojects/gst-plugins-bad/gst/mxf/mxfup.c
+@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ gpointer mapping_data, GstBuffer ** outbuf)
+ {
+ MXFUPMappingData *data = mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
+
+ /* SMPTE 384M 7.1 */
+ if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ }
+ }
+
+- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++ // Checked for overflows when parsing the descriptor
++ expected_in_stride = data->bpp * data->width;
++ out_stride = GST_ROUND_UP_4 (expected_in_stride);
++ expected_in_size = expected_in_stride * data->height;
++ out_size = out_stride * data->height;
++
++ if (gst_buffer_get_size (buffer) != expected_in_size) {
+ GST_ERROR ("Invalid buffer size");
+ gst_buffer_unref (buffer);
+ return GST_FLOW_ERROR;
+ }
+
+- if (data->bpp != 4
+- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++ if (data->bpp != 4 || out_stride != expected_in_stride) {
+ guint y;
+ GstBuffer *ret;
+ GstMapInfo inmap, outmap;
+ guint8 *indata, *outdata;
+
+- ret =
+- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+- data->height);
++ ret = gst_buffer_new_and_alloc (out_size);
+ gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+ gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+ indata = inmap.data;
+@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+
+ for (y = 0; y < data->height; y++) {
+ memcpy (outdata, indata, data->width * data->bpp);
+- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+- indata += data->width * data->bpp;
++ outdata += out_stride;
++ indata += expected_in_stride;
+ }
+
+ gst_buffer_unmap (buffer, &inmap);
+@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+ return NULL;
+ }
+
++ if (caps) {
++ MXFUPMappingData *data = *mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
++
++ // Do some checking of the parameters to see if they're valid and
++ // we can actually work with them.
++ if (data->image_start_offset > data->image_end_offset) {
++ GST_WARNING ("Invalid image start/end offset");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++
++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++ data->height)
++ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++ GST_ERROR ("Invalid resolution or bit depth");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++ }
++
+ return caps;
+ }
+
+--
+2.43.0
+
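Review bot: In the rewritten `mxf_up_handle_essence_element`, `expected_in_stride = data->bpp * data->width;` multiplies in the operands' own type and only then widens the result to gsize, and the row copy in the following hunk still recomputes `data->width * data->bpp` as the `memcpy` length instead of reusing `expected_in_stride`. The guard added in `mxf_up_create_caps` validates these products with `g_size_checked_mul` in gsize, so if `bpp` and `width` are declared narrower than gsize (their declaration is outside this hunk) the value validated at descriptor time and the value used at copy time can diverge after a narrow wrap, which is exactly what the comment `// Checked for overflows when parsing the descriptor` relies on not happening. Forcing the use-site arithmetic into gsize, `expected_in_stride = (gsize) data->bpp * data->width;`, and writing `memcpy (outdata, indata, expected_in_stride);` keeps the check and the copy on the same numbers. Both functions start outside the hunk.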
diff --git a/0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch b/0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
new file mode 100644
index 0000000..3c55bb3
--- /dev/null
+++ b/0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
@@ -0,0 +1,45 @@
+From cfccf4b36197359271c95f20bfcda854f6c812cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: [PATCH 2/4] mxfdemux: Check number of channels for AES3 audio
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c b/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
+index 66c071372a..060d5a02de 100644
+--- a/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
++++ b/subprojects/gst-plugins-bad/gst/mxf/mxfd10.c
+@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ gst_buffer_map (buffer, &map, GST_MAP_READ);
+
+ /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+- if ((map.size - 4) % 32 != 0) {
++ if (map.size < 4 || (map.size - 4) % 32 != 0) {
+ gst_buffer_unmap (buffer, &map);
+ GST_ERROR ("Invalid D10 sound essence buffer size");
+ return GST_FLOW_ERROR;
+@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+ GstAudioFormat audio_format;
+
+ if (s->channel_count == 0 ||
++ s->channel_count > 8 ||
+ s->quantization_bits == 0 ||
+ s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+ GST_ERROR ("Invalid descriptor");
+--
+2.43.0
+
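Review bot: The new upper bound in `mxf_d10_create_caps`, `s->channel_count > 8 ||`, is a bare literal whose justification exists only in the commit message (the AES3 copy loop overflows above 8 channels). A named constant placed next to the existing SMPTE 331M comment, for example a constructed `#define MXF_D10_MAX_AES3_CHANNELS 8` used as `s->channel_count > MXF_D10_MAX_AES3_CHANNELS ||`, would let a reader tie the descriptor limit to the code in `mxf_d10_sound_handle_essence_element` that depends on it. The `map.size < 4` guard in the first hunk is correctly placed before the subtraction. Both functions start outside their hunks.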
diff --git a/0003-av1parser-Fix-array-sizes-in-scalability-structure.patch b/0003-av1parser-Fix-array-sizes-in-scalability-structure.patch
new file mode 100644
index 0000000..7bc4204
--- /dev/null
+++ b/0003-av1parser-Fix-array-sizes-in-scalability-structure.patch
@@ -0,0 +1,66 @@
+From 0ded5a6d028ad40604093690c44eb022ef793531 Mon Sep 17 00:00:00 2001
+From: Seungha Yang
+Date: Thu, 23 Nov 2023 20:24:42 +0900
+Subject: [PATCH 3/4] av1parser: Fix array sizes in scalability structure
+
+Since the AV1 specification is not explicitly mentioning about
+the array size bounds, array sizes in scalability structure
+should be defined as possible maximum sizes that can have.
+
+Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
+public header which is API break but the define is misleading
+and this patch is introducing ABI break already
+
+ZDI-CAN-22300
+
+Part-of:
+---
+ .../gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
+ .../gst-plugins-bad/gst/videoparsers/gstav1parse.c | 2 +-
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+index a5f1c761f6..7d2ec69fb5 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+@@ -71,9 +71,8 @@ G_BEGIN_DECLS
+ #define GST_AV1_MAX_TILE_COUNT 512
+ #define GST_AV1_MAX_OPERATING_POINTS \
+ (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
+-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
++#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
++#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
+ #define GST_AV1_MAX_NUM_Y_POINTS 16
+ #define GST_AV1_MAX_NUM_CB_POINTS 16
+ #define GST_AV1_MAX_NUM_CR_POINTS 16
+@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
+ gboolean spatial_layer_dimensions_present_flag;
+ gboolean spatial_layer_description_present_flag;
+ gboolean temporal_group_description_present_flag;
+- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
+- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
+- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
++ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 temporal_group_size;
+
+ guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
+diff --git a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
+index 923bc5d70a..9eaa1f47d9 100644
+--- a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
++++ b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
+@@ -1271,7 +1271,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
+ }
+
+ val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
+- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
++ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
+ if (val & (1 << i))
+ self->highest_spatial_id = i;
+ }
+--
+2.43.0
+
diff --git a/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch b/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
new file mode 100644
index 0000000..fa91de3
--- /dev/null
+++ b/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
@@ -0,0 +1,42 @@
+From 6780451f22c87e926ebf60fe55e1a9e10517f6d1 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH 4/4] h265parser: Fix possible overflow using
+ max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of:
+---
+ .../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+index fe775a86cd..44b723737a 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+
+ READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+ READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+
+ /* skip reserved_0xffff_16bits */
+@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+ READ_UINT8 (&nr, sps->vps_id, 4);
+
+ READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+
+ if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
+--
+2.43.0
+
diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec
index 50a2f33..4bc0a9c 100644
--- a/gstreamer1-plugins-bad-free.spec
+++ b/gstreamer1-plugins-bad-free.spec
@@ -14,7 +14,7 @@
 Name: gstreamer1-plugins-bad-free
 Version: 1.22.1
-Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer streaming media framework "bad" plugins
 License: LGPLv2+ and LGPLv2
@@ -33,6 +33,11 @@ Source1: gst-p-bad-cleanup.sh
 Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
 Patch1: 0002-codecparsers-av1-Clip-max-tile-rows-and-cols-values.patch
+Patch2: 0001-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
+Patch3: 0002-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
+Patch4: 0003-av1parser-Fix-array-sizes-in-scalability-structure.patch
+Patch5: 0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
+
 BuildRequires: meson >= 0.48.0
 BuildRequires: gcc-c++
@@ -236,6 +241,10 @@ aren't tested well enough, or the code is not of good enough quality.
 %setup -q -n gst-plugins-bad-%{version}
 %patch0 -p3
 %patch1 -p3
+%patch2 -p3
+%patch3 -p3
+%patch4 -p3
+%patch5 -p3
 
 %build
 %meson \
@@ -670,6 +679,13 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout
 
 %changelog
+* Wed Jan 17 2024 Wim Taymans - 1.22.1-4
+- CVE-2023-40474: Integer overflow leading to heap overwrite in MXF
+- CVE-2023-40475: Integer overflow leading to heap overwrite in MXF
+- CVE-2023-40476: Integer overflow in H.265 video parser
+- ZDI-CAN-22300: buffer overflow vulnerability
+- Resolves: RHEL-19501, RHEL-19505, RHEL-19506, RHEL-20201
+
 * Thu Jan 11 2024 Wim Taymans - 1.22.1-3
 - Bump version
 - Resolves: RHEL-16795, RHEL-16788
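Review bot: The `Patch4: 0003-av1parser-Fix-array-sizes-in-scalability-structure.patch` line pulls in a change to a public header (`struct _GstAV1MetadataScalability` in gstav1parser.h grows its arrays and `GST_AV1_MAX_SPATIAL_LAYERS` is removed), and that patch's own message states it is an API and ABI break; the spec only bumps Release and the changelog entry `- ZDI-CAN-22300: buffer overflow vulnerability` does not mention it. If libgstcodecparsers from this package is consumed by other packages that embed or index that struct (not visible here), they would need a rebuild, so the impact should at least be recorded in the changelog, e.g. `- ZDI-CAN-22300: buffer overflow vulnerability in av1parser (changes GstAV1MetadataScalability layout, ABI break)`. The `-p3` strip level on the new `%patch2`..`%patch5` lines matches the `subprojects/gst-plugins-bad/` prefix inside the patches and the existing `%patch0`/`%patch1` usage.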