Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,97 +0,0 @@
|
||||
From fba19d6c4975c1628ce47473a72b95e4e17992b4 Mon Sep 17 00:00:00 2001
|
||||
From: Wim Taymans <wtaymans@redhat.com>
|
||||
Date: Mon, 26 May 2025 15:42:55 +0200
|
||||
Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check
|
||||
|
||||
Allowed max value is MaxDpbSize - 1
|
||||
---
|
||||
gst-libs/gst/codecparsers/gsth265parser.c | 32 ++++++++++++++++++++---
|
||||
1 file changed, 28 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
index 2e8ef182b..200a06796 100644
|
||||
--- a/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
@@ -75,6 +75,8 @@
|
||||
GST_DEBUG_CATEGORY_STATIC (h265_parser_debug);
|
||||
#define GST_CAT_DEFAULT h265_parser_debug
|
||||
|
||||
+#define MAX_DPB_SIZE 16
|
||||
+
|
||||
static gboolean initialized = FALSE;
|
||||
#define INITIALIZE_DEBUG_CATEGORY \
|
||||
if (!initialized) { \
|
||||
@@ -1506,7 +1508,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
|
||||
for (i =
|
||||
(vps->sub_layer_ordering_info_present_flag ? 0 :
|
||||
vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
|
||||
- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
|
||||
+ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
|
||||
READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
|
||||
vps->max_dec_pic_buffering_minus1[i]);
|
||||
READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
|
||||
@@ -1702,7 +1704,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
|
||||
for (i =
|
||||
(sps->sub_layer_ordering_info_present_flag ? 0 :
|
||||
sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
|
||||
- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
|
||||
+ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
|
||||
READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
|
||||
sps->max_dec_pic_buffering_minus1[i]);
|
||||
READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
|
||||
@@ -2107,6 +2109,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
|
||||
|
||||
if ((nalu->type != GST_H265_NAL_SLICE_IDR_W_RADL)
|
||||
&& (nalu->type != GST_H265_NAL_SLICE_IDR_N_LP)) {
|
||||
+ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
|
||||
+
|
||||
READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
|
||||
(sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
|
||||
|
||||
@@ -2116,21 +2120,41 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
|
||||
(&slice->short_term_ref_pic_sets, &nr,
|
||||
sps->num_short_term_ref_pic_sets, sps))
|
||||
goto error;
|
||||
+ ref_pic_sets = &slice->short_term_ref_pic_sets;
|
||||
} else if (sps->num_short_term_ref_pic_sets > 1) {
|
||||
const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets);
|
||||
READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
|
||||
CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
|
||||
sps->num_short_term_ref_pic_sets - 1);
|
||||
+ ref_pic_sets =
|
||||
+ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
|
||||
+ } else {
|
||||
+ ref_pic_sets = &sps->short_term_ref_pic_set[0];
|
||||
}
|
||||
|
||||
if (sps->long_term_ref_pics_present_flag) {
|
||||
guint32 limit;
|
||||
+ gint max_num_long_term_pics = 0;
|
||||
|
||||
- if (sps->num_long_term_ref_pics_sps > 0)
|
||||
+ if (sps->num_long_term_ref_pics_sps > 0) {
|
||||
READ_UE_MAX (&nr, slice->num_long_term_sps,
|
||||
sps->num_long_term_ref_pics_sps);
|
||||
+ }
|
||||
+
|
||||
+ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
|
||||
+ max_num_long_term_pics =
|
||||
+ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
|
||||
+ * MaxDpbSize - 1 */
|
||||
+ MAX_DPB_SIZE - 1
|
||||
+ - (gint) slice->num_long_term_sps
|
||||
+ - (gint) ref_pic_sets->NumNegativePics
|
||||
+ - (gint) ref_pic_sets->NumPositivePics;
|
||||
+ if (max_num_long_term_pics < 0) {
|
||||
+ GST_WARNING ("Invalid stream, too many reference pictures");
|
||||
+ goto error;
|
||||
+ }
|
||||
|
||||
- READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
|
||||
+ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
|
||||
limit = slice->num_long_term_sps + slice->num_long_term_pics;
|
||||
for (i = 0; i < limit; i++) {
|
||||
if (i < slice->num_long_term_sps) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,237 +0,0 @@
|
||||
From 64a0ffdc0bff2d55269c7e763824867d976506e0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Sun, 14 Jun 2026 22:03:25 +0300
|
||||
Subject: [PATCH] librfb: Validate framebuffer update rectangles against the
|
||||
framebuffer size
|
||||
|
||||
Patch provided by Junyi Liu, who also reported this.
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5105
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11866>
|
||||
---
|
||||
gst/librfb/rfbdecoder.c | 136 +++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 115 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/gst/librfb/rfbdecoder.c b/gst/librfb/rfbdecoder.c
|
||||
index fa76331..efa3a84 100644
|
||||
--- a/gst/librfb/rfbdecoder.c
|
||||
+++ b/gst/librfb/rfbdecoder.c
|
||||
@@ -45,6 +45,10 @@ static gboolean rfb_decoder_corre_encoding (RfbDecoder * decoder, gint start_x,
|
||||
gint start_y, gint rect_w, gint rect_h);
|
||||
static gboolean rfb_decoder_hextile_encoding (RfbDecoder * decoder,
|
||||
gint start_x, gint start_y, gint rect_w, gint rect_h);
|
||||
+static gboolean rfb_decoder_clip_rectangle (RfbDecoder * decoder, gint * x,
|
||||
+ gint * y, gint * w, gint * h, gint * skip_x, gint * skip_y);
|
||||
+static gboolean rfb_decoder_clip_copyrect (RfbDecoder * decoder, gint * dst_x,
|
||||
+ gint * dst_y, gint * src_x, gint * src_y, gint * w, gint * h);
|
||||
|
||||
RfbDecoder *
|
||||
rfb_decoder_new (void)
|
||||
@@ -801,23 +805,20 @@ rfb_decoder_state_framebuffer_update_rectangle (RfbDecoder * decoder)
|
||||
if (!rfb_decoder_read (decoder, 12))
|
||||
return FALSE;
|
||||
|
||||
- x = RFB_GET_UINT16 (decoder->data + 0) - decoder->offset_x;
|
||||
- y = RFB_GET_UINT16 (decoder->data + 2) - decoder->offset_y;
|
||||
+ x = RFB_GET_UINT16 (decoder->data + 0);
|
||||
+ y = RFB_GET_UINT16 (decoder->data + 2);
|
||||
w = RFB_GET_UINT16 (decoder->data + 4);
|
||||
h = RFB_GET_UINT16 (decoder->data + 6);
|
||||
encoding = RFB_GET_UINT32 (decoder->data + 8);
|
||||
|
||||
+ x -= (gint) decoder->offset_x;
|
||||
+ y -= (gint) decoder->offset_y;
|
||||
+
|
||||
GST_DEBUG ("update recieved");
|
||||
GST_DEBUG ("x:%d y:%d", x, y);
|
||||
GST_DEBUG ("w:%d h:%d", w, h);
|
||||
GST_DEBUG ("encoding: %d", encoding);
|
||||
|
||||
- if (((w * h) + (x * y)) > (decoder->width * decoder->height)) {
|
||||
- GST_ERROR ("Desktop resize is unsupported.");
|
||||
- decoder->state = NULL;
|
||||
- return TRUE;
|
||||
- }
|
||||
-
|
||||
switch (encoding) {
|
||||
case ENCODING_TYPE_RAW:
|
||||
ret = rfb_decoder_raw_encoding (decoder, x, y, w, h);
|
||||
@@ -856,11 +857,20 @@ static gboolean
|
||||
rfb_decoder_raw_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
gint rect_w, gint rect_h)
|
||||
{
|
||||
- gint size;
|
||||
+ gint copy_x, copy_y, copy_w, copy_h;
|
||||
+ gint skip_x = 0, skip_y = 0;
|
||||
+ guint32 size;
|
||||
guint8 *frame, *p;
|
||||
guint32 raw_line_size;
|
||||
+ guint32 copy_line_size;
|
||||
+
|
||||
+ if (rect_w <= 0 || rect_h <= 0)
|
||||
+ return TRUE;
|
||||
|
||||
raw_line_size = rect_w * decoder->bytespp;
|
||||
+ if (rect_h > 0 && raw_line_size > G_MAXUINT32 / rect_h)
|
||||
+ return FALSE;
|
||||
+
|
||||
size = rect_h * raw_line_size;
|
||||
|
||||
GST_DEBUG ("Reading %d bytes (%dx%d)", size, rect_w, rect_h);
|
||||
@@ -868,13 +878,23 @@ rfb_decoder_raw_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
if (!rfb_decoder_read (decoder, size))
|
||||
return FALSE;
|
||||
|
||||
+ copy_x = start_x;
|
||||
+ copy_y = start_y;
|
||||
+ copy_w = rect_w;
|
||||
+ copy_h = rect_h;
|
||||
+
|
||||
+ if (!rfb_decoder_clip_rectangle (decoder, ©_x, ©_y, ©_w, ©_h,
|
||||
+ &skip_x, &skip_y))
|
||||
+ return TRUE;
|
||||
+
|
||||
frame =
|
||||
- decoder->frame + (((start_y * decoder->rect_width) +
|
||||
- start_x) * decoder->bytespp);
|
||||
- p = decoder->data;
|
||||
+ decoder->frame + (((copy_y * decoder->rect_width) +
|
||||
+ copy_x) * decoder->bytespp);
|
||||
+ p = decoder->data + (skip_y * raw_line_size) + (skip_x * decoder->bytespp);
|
||||
+ copy_line_size = copy_w * decoder->bytespp;
|
||||
|
||||
- while (rect_h--) {
|
||||
- memcpy (frame, p, raw_line_size);
|
||||
+ while (copy_h--) {
|
||||
+ memcpy (frame, p, copy_line_size);
|
||||
p += raw_line_size;
|
||||
frame += decoder->line_size;
|
||||
}
|
||||
@@ -886,7 +906,8 @@ static gboolean
|
||||
rfb_decoder_copyrect_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
gint rect_w, gint rect_h)
|
||||
{
|
||||
- guint16 src_x, src_y;
|
||||
+ gint src_x, src_y;
|
||||
+ gint copy_x, copy_y, copy_w, copy_h;
|
||||
gint line_width, copyrect_width;
|
||||
guint8 *src, *dst;
|
||||
|
||||
@@ -894,20 +915,28 @@ rfb_decoder_copyrect_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
return FALSE;
|
||||
|
||||
/* don't forget the offset */
|
||||
- src_x = RFB_GET_UINT16 (decoder->data) - decoder->offset_x;
|
||||
- src_y = RFB_GET_UINT16 (decoder->data + 2) - decoder->offset_y;
|
||||
+ src_x = RFB_GET_UINT16 (decoder->data) - (gint) decoder->offset_x;
|
||||
+ src_y = RFB_GET_UINT16 (decoder->data + 2) - (gint) decoder->offset_y;
|
||||
GST_DEBUG ("Copyrect from %d %d", src_x, src_y);
|
||||
|
||||
- copyrect_width = rect_w * decoder->bytespp;
|
||||
+ copy_x = start_x;
|
||||
+ copy_y = start_y;
|
||||
+ copy_w = rect_w;
|
||||
+ copy_h = rect_h;
|
||||
+ if (!rfb_decoder_clip_copyrect (decoder, ©_x, ©_y, &src_x, &src_y,
|
||||
+ ©_w, ©_h))
|
||||
+ return TRUE;
|
||||
+
|
||||
+ copyrect_width = copy_w * decoder->bytespp;
|
||||
line_width = decoder->line_size;
|
||||
src =
|
||||
decoder->prev_frame + ((src_y * decoder->rect_width) +
|
||||
src_x) * decoder->bytespp;
|
||||
dst =
|
||||
- decoder->frame + ((start_y * decoder->rect_width) +
|
||||
- start_x) * decoder->bytespp;
|
||||
+ decoder->frame + ((copy_y * decoder->rect_width) +
|
||||
+ copy_x) * decoder->bytespp;
|
||||
|
||||
- while (rect_h--) {
|
||||
+ while (copy_h--) {
|
||||
memcpy (dst, src, copyrect_width);
|
||||
src += line_width;
|
||||
dst += line_width;
|
||||
@@ -925,6 +954,9 @@ rfb_decoder_fill_rectangle (RfbDecoder * decoder, gint x, gint y, gint w,
|
||||
guint32 *offset;
|
||||
gint i, j;
|
||||
|
||||
+ if (!rfb_decoder_clip_rectangle (decoder, &x, &y, &w, &h, NULL, NULL))
|
||||
+ return;
|
||||
+
|
||||
for (i = 0; i < h; i++) {
|
||||
offset =
|
||||
(guint32 *) (decoder->frame + ((x + (y +
|
||||
@@ -1100,6 +1132,68 @@ rfb_decoder_hextile_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
+static gboolean
|
||||
+rfb_decoder_clip_rectangle (RfbDecoder * decoder, gint * x, gint * y, gint * w,
|
||||
+ gint * h, gint * skip_x, gint * skip_y)
|
||||
+{
|
||||
+ gint x1, y1, x2, y2;
|
||||
+ gint orig_x, orig_y;
|
||||
+
|
||||
+ if (*w <= 0 || *h <= 0)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ orig_x = *x;
|
||||
+ orig_y = *y;
|
||||
+ x1 = MAX (orig_x, 0);
|
||||
+ y1 = MAX (orig_y, 0);
|
||||
+ x2 = MIN (orig_x + *w, (gint) decoder->rect_width);
|
||||
+ y2 = MIN (orig_y + *h, (gint) decoder->rect_height);
|
||||
+
|
||||
+ if (x2 <= x1 || y2 <= y1)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ *x = x1;
|
||||
+ *y = y1;
|
||||
+ *w = x2 - x1;
|
||||
+ *h = y2 - y1;
|
||||
+
|
||||
+ if (skip_x)
|
||||
+ *skip_x = x1 - orig_x;
|
||||
+ if (skip_y)
|
||||
+ *skip_y = y1 - orig_y;
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+static gboolean
|
||||
+rfb_decoder_clip_copyrect (RfbDecoder * decoder, gint * dst_x, gint * dst_y,
|
||||
+ gint * src_x, gint * src_y, gint * w, gint * h)
|
||||
+{
|
||||
+ gint left, top, right, bottom;
|
||||
+
|
||||
+ if (*w <= 0 || *h <= 0)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ left = MAX (0, MAX (-*dst_x, -*src_x));
|
||||
+ top = MAX (0, MAX (-*dst_y, -*src_y));
|
||||
+ right = MIN (*w, MIN ((gint) decoder->rect_width - *dst_x,
|
||||
+ (gint) decoder->rect_width - *src_x));
|
||||
+ bottom = MIN (*h, MIN ((gint) decoder->rect_height - *dst_y,
|
||||
+ (gint) decoder->rect_height - *src_y));
|
||||
+
|
||||
+ if (right <= left || bottom <= top)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ *dst_x += left;
|
||||
+ *dst_y += top;
|
||||
+ *src_x += left;
|
||||
+ *src_y += top;
|
||||
+ *w = right - left;
|
||||
+ *h = bottom - top;
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static gboolean
|
||||
rfb_decoder_state_set_colour_map_entries (RfbDecoder * decoder)
|
||||
{
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
From 8131f29e035f8b66d597a891a678b118d3158f29 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
|
||||
<vjaquez@igalia.com>
|
||||
Date: Wed, 11 Feb 2026 22:07:49 +0100
|
||||
Subject: [PATCH] libs: jpegparser: boundary checks before copying it
|
||||
|
||||
READ_BYTES macro reads data from a byte reader and then copy it to a storage
|
||||
variable. This patch adds a validation that the length to read cannot be bigger
|
||||
than the storage size.
|
||||
|
||||
This macro right now is used only for storage variables of guint8 arrays.
|
||||
|
||||
We have validated in the specification (sections F.1.2.1.2 and F.1.2.2.1 in ITU
|
||||
T.81) that Huffman tables (both AC and DC) aren't bigger than 256.
|
||||
|
||||
Fixes SA-2026-0003, CVE-2026-3082, ZDI-CAN-28840.
|
||||
|
||||
Fixes: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4899>
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885>
|
||||
---
|
||||
gst-libs/gst/codecparsers/gstjpegparser.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/gst-libs/gst/codecparsers/gstjpegparser.c b/gst-libs/gst/codecparsers/gstjpegparser.c
|
||||
index 64110763f..86125b374 100644
|
||||
--- a/gst-libs/gst/codecparsers/gstjpegparser.c
|
||||
+++ b/gst-libs/gst/codecparsers/gstjpegparser.c
|
||||
@@ -79,6 +79,10 @@ ensure_debug_category (void)
|
||||
|
||||
#define READ_BYTES(reader, buf, length) G_STMT_START { \
|
||||
const guint8 *vals; \
|
||||
+ if (length > sizeof (buf)) { \
|
||||
+ GST_WARNING ("data size is bigger than its storage"); \
|
||||
+ goto failed; \
|
||||
+ } \
|
||||
if (!gst_byte_reader_get_data (reader, length, &vals)) { \
|
||||
GST_WARNING ("failed to read bytes, size:%d", length); \
|
||||
goto failed; \
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -1,102 +0,0 @@
|
||||
From 7087e0683b53a10492d9b7cc0bbfd7876a333e06 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Tue, 16 Jun 2026 10:30:54 +0300
|
||||
Subject: [PATCH] vnmdec: Avoid integer overflows when rectangle positions and
|
||||
sizes
|
||||
|
||||
Patch based on a patch by Junyi Liu, who also reported this.
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11869>
|
||||
---
|
||||
gst/vmnc/vmncdec.c | 40 ++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 32 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
|
||||
index cbbaeb6..fe26d47 100644
|
||||
--- a/gst/vmnc/vmncdec.c
|
||||
+++ b/gst/vmnc/vmncdec.c
|
||||
@@ -153,6 +153,20 @@ struct RfbRectangle
|
||||
typedef int (*rectangle_handler) (GstVMncDec * dec, struct RfbRectangle * rect,
|
||||
const guint8 * data, int len, gboolean decode);
|
||||
|
||||
+static gboolean
|
||||
+vmnc_rect_payload_size (struct RfbRectangle *rect, guint bytes_per_pixel,
|
||||
+ gsize * size)
|
||||
+{
|
||||
+ gsize pixels;
|
||||
+
|
||||
+ if (!g_size_checked_mul (&pixels, rect->width, rect->height))
|
||||
+ return FALSE;
|
||||
+ if (!g_size_checked_mul (size, pixels, bytes_per_pixel))
|
||||
+ return FALSE;
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static int
|
||||
vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
|
||||
const guint8 * data, int len, gboolean decode)
|
||||
@@ -393,7 +407,8 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
|
||||
{
|
||||
/* Cursor data. */
|
||||
int datalen = 2;
|
||||
- int type, size;
|
||||
+ int type;
|
||||
+ gsize size;
|
||||
|
||||
if (len < datalen) {
|
||||
GST_LOG_OBJECT (dec, "Cursor data too short");
|
||||
@@ -403,9 +418,19 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
|
||||
type = RFB_GET_UINT8 (data);
|
||||
|
||||
if (type == CURSOR_COLOUR) {
|
||||
- datalen += rect->width * rect->height * dec->format.bytes_per_pixel * 2;
|
||||
+ if (!vmnc_rect_payload_size (rect, dec->format.bytes_per_pixel, &size) ||
|
||||
+ size > ((gsize) G_MAXINT - datalen) / 2) {
|
||||
+ GST_WARNING_OBJECT (dec, "Cursor data size overflow");
|
||||
+ return ERROR_INVALID;
|
||||
+ }
|
||||
+ datalen += size * 2;
|
||||
} else if (type == CURSOR_ALPHA) {
|
||||
- datalen += rect->width * rect->height * 4;
|
||||
+ if (!vmnc_rect_payload_size (rect, 4, &size) ||
|
||||
+ size > (gsize) G_MAXINT - datalen) {
|
||||
+ GST_WARNING_OBJECT (dec, "Cursor data size overflow");
|
||||
+ return ERROR_INVALID;
|
||||
+ }
|
||||
+ datalen += size;
|
||||
} else {
|
||||
GST_WARNING_OBJECT (dec, "Unknown cursor type: %d", type);
|
||||
return ERROR_INVALID;
|
||||
@@ -420,22 +445,21 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
|
||||
dec->cursor.type = type;
|
||||
dec->cursor.width = rect->width;
|
||||
dec->cursor.height = rect->height;
|
||||
- dec->cursor.type = type;
|
||||
dec->cursor.hot_x = rect->x;
|
||||
dec->cursor.hot_y = rect->y;
|
||||
|
||||
g_free (dec->cursor.cursordata);
|
||||
g_free (dec->cursor.cursormask);
|
||||
|
||||
- if (type == 0) {
|
||||
- size = rect->width * rect->height * dec->format.bytes_per_pixel;
|
||||
+ if (type == CURSOR_COLOUR) {
|
||||
dec->cursor.cursordata = g_malloc (size);
|
||||
dec->cursor.cursormask = g_malloc (size);
|
||||
memcpy (dec->cursor.cursordata, data + 2, size);
|
||||
memcpy (dec->cursor.cursormask, data + 2 + size, size);
|
||||
} else {
|
||||
- dec->cursor.cursordata = g_malloc (rect->width * rect->height * 4);
|
||||
- memcpy (dec->cursor.cursordata, data + 2, rect->width * rect->height * 4);
|
||||
+ dec->cursor.cursordata = g_malloc (size);
|
||||
+ memcpy (dec->cursor.cursordata, data + 2, size);
|
||||
+ dec->cursor.cursormask = NULL;
|
||||
}
|
||||
|
||||
return datalen;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
Name: gstreamer1-plugins-bad-free
|
||||
Version: 1.16.1
|
||||
Release: 8%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer streaming media framework "bad" plugins
|
||||
|
||||
License: LGPLv2+ and LGPLv2
|
||||
@ -36,12 +36,6 @@ Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
|
||||
Patch1: 0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
|
||||
Patch2: 0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
|
||||
Patch3: 0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
|
||||
Patch4: 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch
|
||||
Patch5: 0001-libs-jpegparser-boundary-checks-before-copying-it.patch
|
||||
# https://github.com/GStreamer/gstreamer/commit/6c146775d784bbe91ff7afc6701ba351306282ce
|
||||
Patch6: 0001-vnmdec-Avoid-integer-overflows-when-rectangle-positi.patch
|
||||
# https://github.com/GStreamer/gstreamer/commit/f3b66928a194b32b27fac3c3379d3d20e5966442
|
||||
Patch7: 0001-librfb-Validate-framebuffer-update-rectangles-agains.patch
|
||||
|
||||
BuildRequires: gstreamer1-devel >= %{version}
|
||||
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
|
||||
@ -198,10 +192,6 @@ aren't tested well enough, or the code is not of good enough quality.
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||
@ -490,23 +480,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 08 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-8
|
||||
- Fix for CVE-2026-52720: librfb framebuffer update rectangle
|
||||
validation
|
||||
Resolves: RHEL-184455
|
||||
|
||||
* Mon Jun 22 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-7
|
||||
- Fix integer overflow in vmncdec (CVE-2026-52722)
|
||||
Resolves: RHEL-184414
|
||||
|
||||
* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
|
||||
- Add patch for CVE-2026-3082
|
||||
Resolves: RHEL-156202
|
||||
|
||||
* Mon May 26 2025 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
|
||||
- fix for CVE-2025-3887
|
||||
Resolves: RHEL-93051
|
||||
|
||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
||||
- Patch CVE-2023-40474: Integer overflow
|
||||
- Patch CVE-2023-40475: Integer overflow
|
||||
|
||||
Loading…
Reference in New Issue
Block a user