SOURCES/0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch

@@ -1,97 +0,0 @@
-From fba19d6c4975c1628ce47473a72b95e4e17992b4 Mon Sep 17 00:00:00 2001
-From: Wim Taymans <wtaymans@redhat.com>
-Date: Mon, 26 May 2025 15:42:55 +0200
-Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check
-
-Allowed max value is MaxDpbSize - 1
----
- gst-libs/gst/codecparsers/gsth265parser.c | 32 ++++++++++++++++++++---
- 1 file changed, 28 insertions(+), 4 deletions(-)
-
-diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
-index 2e8ef182b..200a06796 100644
---- a/gst-libs/gst/codecparsers/gsth265parser.c
-+++ b/gst-libs/gst/codecparsers/gsth265parser.c
-@@ -75,6 +75,8 @@
- GST_DEBUG_CATEGORY_STATIC (h265_parser_debug);
- #define GST_CAT_DEFAULT h265_parser_debug
- 
-+#define MAX_DPB_SIZE 16
-+
- static gboolean initialized = FALSE;
- #define INITIALIZE_DEBUG_CATEGORY \
-   if (!initialized) { \
-@@ -1506,7 +1508,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
-   for (i =
-       (vps->sub_layer_ordering_info_present_flag ? 0 :
-           vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
--    READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
-+    READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
-     READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
-         vps->max_dec_pic_buffering_minus1[i]);
-     READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
-@@ -1702,7 +1704,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
-   for (i =
-       (sps->sub_layer_ordering_info_present_flag ? 0 :
-           sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
--    READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
-+    READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
-     READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
-         sps->max_dec_pic_buffering_minus1[i]);
-     READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
-@@ -2107,6 +2109,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
- 
-     if ((nalu->type != GST_H265_NAL_SLICE_IDR_W_RADL)
-         && (nalu->type != GST_H265_NAL_SLICE_IDR_N_LP)) {
-+      const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
-+
-       READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
-           (sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
- 
-@@ -2116,21 +2120,41 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
-             (&slice->short_term_ref_pic_sets, &nr,
-                 sps->num_short_term_ref_pic_sets, sps))
-           goto error;
-+        ref_pic_sets = &slice->short_term_ref_pic_sets;
-       } else if (sps->num_short_term_ref_pic_sets > 1) {
-         const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets);
-         READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
-         CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
-             sps->num_short_term_ref_pic_sets - 1);
-+        ref_pic_sets =
-+            &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
-+      } else {
-+        ref_pic_sets = &sps->short_term_ref_pic_set[0];
-       }
- 
-       if (sps->long_term_ref_pics_present_flag) {
-         guint32 limit;
-+        gint max_num_long_term_pics = 0;
- 
--        if (sps->num_long_term_ref_pics_sps > 0)
-+        if (sps->num_long_term_ref_pics_sps > 0) {
-           READ_UE_MAX (&nr, slice->num_long_term_sps,
-               sps->num_long_term_ref_pics_sps);
-+        }
-+
-+        /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
-+        max_num_long_term_pics =
-+            /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
-+             * MaxDpbSize - 1 */
-+            MAX_DPB_SIZE - 1
-+            - (gint) slice->num_long_term_sps
-+            - (gint) ref_pic_sets->NumNegativePics
-+            - (gint) ref_pic_sets->NumPositivePics;
-+        if (max_num_long_term_pics < 0) {
-+          GST_WARNING ("Invalid stream, too many reference pictures");
-+          goto error;
-+        }
- 
--        READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
-+        READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
-         limit = slice->num_long_term_sps + slice->num_long_term_pics;
-         for (i = 0; i < limit; i++) {
-           if (i < slice->num_long_term_sps) {
--- 
-2.49.0
-

SOURCES/0001-libs-jpegparser-boundary-checks-before-copying-it.patch

@@ -1,42 +0,0 @@
-From 8131f29e035f8b66d597a891a678b118d3158f29 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
- <vjaquez@igalia.com>
-Date: Wed, 11 Feb 2026 22:07:49 +0100
-Subject: [PATCH] libs: jpegparser: boundary checks before copying it
-
-READ_BYTES macro reads data from a byte reader and then copy it to a storage
-variable. This patch adds a validation that the length to read cannot be bigger
-than the storage size.
-
-This macro right now is used only for storage variables of guint8 arrays.
-
-We have validated in the specification (sections F.1.2.1.2 and F.1.2.2.1 in ITU
-T.81) that Huffman tables (both AC and DC) aren't bigger than 256.
-
-Fixes SA-2026-0003, CVE-2026-3082, ZDI-CAN-28840.
-
-Fixes: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4899>
-
-Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885>
----
- gst-libs/gst/codecparsers/gstjpegparser.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/gst-libs/gst/codecparsers/gstjpegparser.c b/gst-libs/gst/codecparsers/gstjpegparser.c
-index 64110763f..86125b374 100644
---- a/gst-libs/gst/codecparsers/gstjpegparser.c
-+++ b/gst-libs/gst/codecparsers/gstjpegparser.c
-@@ -79,6 +79,10 @@ ensure_debug_category (void)
- 
- #define READ_BYTES(reader, buf, length) G_STMT_START {          \
-     const guint8 *vals;                                         \
-+    if (length > sizeof (buf)) {                                \
-+      GST_WARNING ("data size is bigger than its storage");     \
-+      goto failed;                                              \
-+    }                                                           \
-     if (!gst_byte_reader_get_data (reader, length, &vals)) {    \
-       GST_WARNING ("failed to read bytes, size:%d", length);    \
-       goto failed;                                              \
--- 
-2.53.0
-

SPECS/gstreamer1-plugins-bad-free.spec

@@ -14,7 +14,7 @@
 
 Name:           gstreamer1-plugins-bad-free
 Version:        1.16.1
-Release:        6%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        4%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework "bad" plugins
 
 License:        LGPLv2+ and LGPLv2
@@ -36,8 +36,6 @@ Patch0:		0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
 Patch1:		0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
 Patch2:		0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
 Patch3:		0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
-Patch4:         0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch
-Patch5:         0001-libs-jpegparser-boundary-checks-before-copying-it.patch
 
 BuildRequires:  gstreamer1-devel >= %{version}
 BuildRequires:  gstreamer1-plugins-base-devel >= %{version}
@@ -194,8 +192,6 @@ aren't tested well enough, or the code is not of good enough quality.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
 
 %build
 %configure --disable-silent-rules --disable-fatal-warnings \
@@ -484,14 +480,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
 
 
 %changelog
-* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
-- Add patch for CVE-2026-3082
-  Resolves: RHEL-156202
-
-* Mon May 26 2025 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
-- fix for CVE-2025-3887
-  Resolves: RHEL-93051
-
 * Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
 - Patch CVE-2023-40474: Integer overflow
 - Patch CVE-2023-40475: Integer overflow