
No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

11 changed files with 895 additions and 754 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/gst-plugins-bad-free-1.16.1.tar.xz
SOURCES/gst-plugins-bad-free-1.22.12.tar.xz


@ -1 +1 @@
318b749af5a289650e380cbabc0293e422b9a3ba SOURCES/gst-plugins-bad-free-1.16.1.tar.xz
820fec0ec0790525d888c785a761afe9a10d6f99 SOURCES/gst-plugins-bad-free-1.22.12.tar.xz


@ -1,97 +0,0 @@
From fba19d6c4975c1628ce47473a72b95e4e17992b4 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 26 May 2025 15:42:55 +0200
Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check
Allowed max value is MaxDpbSize - 1
---
gst-libs/gst/codecparsers/gsth265parser.c | 32 ++++++++++++++++++++---
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index 2e8ef182b..200a06796 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -75,6 +75,8 @@
GST_DEBUG_CATEGORY_STATIC (h265_parser_debug);
#define GST_CAT_DEFAULT h265_parser_debug
+#define MAX_DPB_SIZE 16
+
static gboolean initialized = FALSE;
#define INITIALIZE_DEBUG_CATEGORY \
if (!initialized) { \
@@ -1506,7 +1508,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
for (i =
(vps->sub_layer_ordering_info_present_flag ? 0 :
vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
+ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
vps->max_dec_pic_buffering_minus1[i]);
READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
@@ -1702,7 +1704,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
for (i =
(sps->sub_layer_ordering_info_present_flag ? 0 :
sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
+ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
sps->max_dec_pic_buffering_minus1[i]);
READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
@@ -2107,6 +2109,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
if ((nalu->type != GST_H265_NAL_SLICE_IDR_W_RADL)
&& (nalu->type != GST_H265_NAL_SLICE_IDR_N_LP)) {
+ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
+
READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
(sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
@@ -2116,21 +2120,41 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
(&slice->short_term_ref_pic_sets, &nr,
sps->num_short_term_ref_pic_sets, sps))
goto error;
+ ref_pic_sets = &slice->short_term_ref_pic_sets;
} else if (sps->num_short_term_ref_pic_sets > 1) {
const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets);
READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
sps->num_short_term_ref_pic_sets - 1);
+ ref_pic_sets =
+ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
+ } else {
+ ref_pic_sets = &sps->short_term_ref_pic_set[0];
}
if (sps->long_term_ref_pics_present_flag) {
guint32 limit;
+ gint max_num_long_term_pics = 0;
- if (sps->num_long_term_ref_pics_sps > 0)
+ if (sps->num_long_term_ref_pics_sps > 0) {
READ_UE_MAX (&nr, slice->num_long_term_sps,
sps->num_long_term_ref_pics_sps);
+ }
+
+ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
+ max_num_long_term_pics =
+ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
+ * MaxDpbSize - 1 */
+ MAX_DPB_SIZE - 1
+ - (gint) slice->num_long_term_sps
+ - (gint) ref_pic_sets->NumNegativePics
+ - (gint) ref_pic_sets->NumPositivePics;
+ if (max_num_long_term_pics < 0) {
+ GST_WARNING ("Invalid stream, too many reference pictures");
+ goto error;
+ }
- READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
+ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
limit = slice->num_long_term_sps + slice->num_long_term_pics;
for (i = 0; i < limit; i++) {
if (i < slice->num_long_term_sps) {
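Review bot: The comment inside the `max_num_long_term_pics` expression names `sps_max_dec_pic_buffering_minus1[TemporalId]`, but the bound actually applied is the constant `MAX_DPB_SIZE - 1`, so a stream whose SPS declares a smaller DPB is still accepted up to 15 entries. That is sufficient for memory safety only if every array later indexed by `num_long_term_sps + num_long_term_pics` holds at least 16 elements, which is not visible in this hunk. I would reword the comment to `/* upper bound is MaxDpbSize - 1; the per-stream SPS value may be smaller */`, or use the parsed SPS value if it is reachable here. The new `else` branch also reads `sps->short_term_ref_pic_set[0]` when `num_short_term_ref_pic_sets` is 0, so the result depends on that entry being zero-initialised. gst_h265_parser_parse_slice_hdr starts and ends outside the hunk.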
--
2.49.0


@ -1,321 +0,0 @@
From 24e891568537f4447d1c212dcb355a766296bdbb Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Tue, 12 Dec 2023 18:00:58 +0100
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
allocation
Previously they were stored inline inside a GArray, but as references to
the tracks were stored in various other places although the array could
still be updated (and reallocated!), this could lead to dangling
references in various places.
Instead now store them in a GPtrArray in their own allocation so each
track's memory position stays fixed.
Fixes ZDI-CAN-22299
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
---
gst/mxf/mxfdemux.c | 114 +++++++++++++++++++++------------------------
gst/mxf/mxfdemux.h | 2 +-
2 files changed, 53 insertions(+), 63 deletions(-)
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
index f6e5ac048..b97dce1ad 100644
--- a/gst/mxf/mxfdemux.c
+++ b/gst/mxf/mxfdemux.c
@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
}
static void
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
{
- guint i;
+ if (t->offsets)
+ g_array_free (t->offsets, TRUE);
+
+ g_free (t->mapping_data);
+
+ if (t->tags)
+ gst_tag_list_unref (t->tags);
+
+ if (t->caps)
+ gst_caps_unref (t->caps);
+
+ g_free (t);
+}
+static void
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+{
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
@@ -167,22 +182,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
demux->current_partition = NULL;
- for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
-
- if (t->offsets)
- g_array_free (t->offsets, TRUE);
-
- g_free (t->mapping_data);
-
- if (t->tags)
- gst_tag_list_unref (t->tags);
-
- if (t->caps)
- gst_caps_unref (t->caps);
- }
- g_array_set_size (demux->essence_tracks, 0);
+ g_ptr_array_set_size (demux->essence_tracks, 0);
}
static void
@@ -200,7 +200,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *track =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
track->source_package = NULL;
track->source_track = NULL;
@@ -713,8 +713,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->track_number == track->parent.track_number &&
tmp->body_sid == edata->body_sid) {
@@ -732,24 +731,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
}
if (!etrack) {
- GstMXFDemuxEssenceTrack tmp;
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
- memset (&tmp, 0, sizeof (tmp));
- tmp.body_sid = edata->body_sid;
- tmp.index_sid = edata->index_sid;
- tmp.track_number = track->parent.track_number;
- tmp.track_id = track->parent.track_id;
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
+ tmp->body_sid = edata->body_sid;
+ tmp->index_sid = edata->index_sid;
+ tmp->track_number = track->parent.track_number;
+ tmp->track_id = track->parent.track_id;
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
if (demux->current_partition->partition.body_sid == edata->body_sid &&
demux->current_partition->partition.body_offset == 0)
- tmp.position = 0;
+ tmp->position = 0;
else
- tmp.position = -1;
+ tmp->position = -1;
- g_array_append_val (demux->essence_tracks, tmp);
+ g_ptr_array_add (demux->essence_tracks, tmp);
etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+ g_ptr_array_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
new = TRUE;
}
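Review bot: The `memcpy` into `tmp->source_package_uid` keeps the literal length 32; `sizeof (tmp->source_package_uid)` would tie the copy to the destination's real size and survive a type change (the field is declared outside this hunk, so confirm it is 32 bytes). After `g_ptr_array_add`, re-reading the last slot with `g_ptr_array_index (..., len - 1)` is redundant, and `etrack = tmp;` says the same thing. A short comment at the `g_new0` stating that ownership passes to `demux->essence_tracks` would help, since the array's free func now releases each track. gst_mxf_demux_update_essence_tracks continues outside the hunk.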
@@ -876,13 +874,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
next:
if (new) {
- g_free (etrack->mapping_data);
- if (etrack->tags)
- gst_tag_list_unref (etrack->tags);
- if (etrack->caps)
- gst_caps_unref (etrack->caps);
-
- g_array_remove_index (demux->essence_tracks,
+ g_ptr_array_remove_index (demux->essence_tracks,
demux->essence_tracks->len - 1);
}
}
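Review bot: With the free func installed, `g_ptr_array_remove_index` at `next:` now frees the track itself, so `etrack` is dangling from this point on. Adding `etrack = NULL;` right after the removal would make any later use in the loop fail loudly instead of touching freed memory. Whether anything else stored a pointer to this newly created track before the jump to `next:` is not visible here and is worth checking, since stale track references are the class of bug this patch addresses.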
@@ -895,7 +887,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
@@ -1117,7 +1109,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
for (k = 0; k < demux->essence_tracks->len; k++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1598,8 +1590,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
pad->current_essence_track = NULL;
for (k = 0; k < demux->essence_tracks->len; k++) {
- GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
if (tmp->source_package == source_package &&
tmp->source_track == source_track) {
@@ -1731,7 +1722,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *tmp =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
(tmp->track_number == track_number || tmp->track_number == 0)) {
@@ -2656,7 +2647,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != demux->current_partition->partition.body_sid)
continue;
@@ -2719,7 +2710,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
guint i;
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (etrack->body_sid != demux->current_partition->partition.body_sid)
continue;
@@ -2914,7 +2905,7 @@ from_index:
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (index_start_position != -1 && t == etrack)
t->position = index_start_position;
@@ -2937,8 +2928,7 @@ from_index:
if (ret == GST_FLOW_EOS) {
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -3020,7 +3010,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -3627,8 +3617,8 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
@@ -4001,8 +3991,8 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
}
for (i = 0; i < demux->essence_tracks->len; i++) {
- GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
@@ -4284,7 +4274,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+ g_ptr_array_index (demux->essence_tracks, i);
if (t->position > 0)
t->duration = t->position;
@@ -4325,8 +4315,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *etrack =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
+
etrack->position = -1;
}
ret = TRUE;
@@ -4350,8 +4340,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
for (i = 0; i < demux->essence_tracks->len; i++) {
GstMXFDemuxEssenceTrack *t =
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
- i);
+ g_ptr_array_index (demux->essence_tracks, i);
+
t->position = -1;
}
demux->current_partition = NULL;
@@ -4624,7 +4614,7 @@ gst_mxf_demux_finalize (GObject * object)
g_ptr_array_free (demux->src, TRUE);
demux->src = NULL;
- g_array_free (demux->essence_tracks, TRUE);
+ g_ptr_array_free (demux->essence_tracks, TRUE);
demux->essence_tracks = NULL;
g_hash_table_destroy (demux->metadata);
@@ -4701,8 +4691,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
g_rw_lock_init (&demux->metadata_lock);
demux->src = g_ptr_array_new ();
- demux->essence_tracks =
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
+ gst_mxf_demux_essence_track_free);
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
index aac3e67d0..a452980ee 100644
--- a/gst/mxf/mxfdemux.h
+++ b/gst/mxf/mxfdemux.h
@@ -182,7 +182,7 @@ struct _GstMXFDemux
GList *partitions;
GstMXFDemuxPartition *current_partition;
- GArray *essence_tracks;
+ GPtrArray *essence_tracks;
GList *pending_index_table_segments;
GList *index_tables; /* one per BodySID / IndexSID */
--
2.43.0


@ -1,114 +0,0 @@
From b6353c44ca9f005d3b57ee07fda0570d80eecc0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:45:01 +0300
Subject: [PATCH 3/5] mxfdemux: Fix integer overflow causing out of bounds
writes when handling invalid uncompressed video
Check ahead of time when parsing the track information whether
width, height and bpp are valid and usable without overflows.
Fixes ZDI-CAN-21660, CVE-2023-40474
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
gst/mxf/mxfup.c | 51 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 43 insertions(+), 8 deletions(-)
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
index d8b6664da..ba86255f2 100644
--- a/gst/mxf/mxfup.c
+++ b/gst/mxf/mxfup.c
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gpointer mapping_data, GstBuffer ** outbuf)
{
MXFUPMappingData *data = mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
/* SMPTE 384M 7.1 */
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
}
}
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
+ // Checked for overflows when parsing the descriptor
+ expected_in_stride = data->bpp * data->width;
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
+ expected_in_size = expected_in_stride * data->height;
+ out_size = out_stride * data->height;
+
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
GST_ERROR ("Invalid buffer size");
gst_buffer_unref (buffer);
return GST_FLOW_ERROR;
}
- if (data->bpp != 4
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
guint y;
GstBuffer *ret;
GstMapInfo inmap, outmap;
guint8 *indata, *outdata;
- ret =
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
- data->height);
+ ret = gst_buffer_new_and_alloc (out_size);
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
indata = inmap.data;
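Review bot: `expected_in_stride = data->bpp * data->width;` multiplies in the fields' own type before widening to `gsize`, whereas the validation in mxf_up_create_caps ran `g_size_checked_mul` on `gsize` operands; if `bpp` and `width` are 32-bit (their declaration is not on this page), the product here can wrap to a value the earlier check never saw. Writing `expected_in_stride = (gsize) data->bpp * data->width;` makes the handler compute exactly what was validated. The row copy in the next hunk still passes `data->width * data->bpp` as the `memcpy` length and should use `expected_in_stride` for the same reason. The results of `gst_buffer_new_and_alloc` and both `gst_buffer_map` calls are also used unchecked. mxf_up_handle_essence_element continues outside the hunk.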
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
for (y = 0; y < data->height; y++) {
memcpy (outdata, indata, data->width * data->bpp);
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
- indata += data->width * data->bpp;
+ outdata += out_stride;
+ indata += expected_in_stride;
}
gst_buffer_unmap (buffer, &inmap);
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
return NULL;
}
+ if (caps) {
+ MXFUPMappingData *data = *mapping_data;
+ gsize expected_in_stride = 0, out_stride = 0;
+ gsize expected_in_size = 0, out_size = 0;
+
+ // Do some checking of the parameters to see if they're valid and
+ // we can actually work with them.
+ if (data->image_start_offset > data->image_end_offset) {
+ GST_WARNING ("Invalid image start/end offset");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
+ data->height)
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
+ GST_ERROR ("Invalid resolution or bit depth");
+ g_free (data);
+ *mapping_data = NULL;
+ gst_clear_caps (&caps);
+
+ return NULL;
+ }
+ }
+
return caps;
}
--
2.43.0


@ -1,45 +0,0 @@
From 706abb367ab366be142fbea4e454fdaa7e7e2bcb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 10 Aug 2023 15:47:03 +0300
Subject: [PATCH 4/5] mxfdemux: Check number of channels for AES3 audio
Only up to 8 channels are allowed and using a higher number would cause
integer overflows when copying the data, and lead to out of bound
writes.
Also check that each buffer is at least 4 bytes long to avoid another
overflow.
Fixes ZDI-CAN-21661, CVE-2023-40475
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
---
gst/mxf/mxfd10.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
index 21401cf52..99c197ab9 100644
--- a/gst/mxf/mxfd10.c
+++ b/gst/mxf/mxfd10.c
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
gst_buffer_map (buffer, &map, GST_MAP_READ);
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
- if ((map.size - 4) % 32 != 0) {
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
gst_buffer_unmap (buffer, &map);
GST_ERROR ("Invalid D10 sound essence buffer size");
return GST_FLOW_ERROR;
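Review bot: The size-error path returns `GST_FLOW_ERROR` after `gst_buffer_unmap` without releasing `buffer`, while the equivalent path in mxf_up_handle_essence_element calls `gst_buffer_unref (buffer)` before returning. If the handler owns the input buffer, as that sibling suggests, every malformed D10 sound element leaks one buffer; adding `gst_buffer_unref (buffer);` after the unmap would close that. Ownership is decided by the caller, which is not on this page, so confirm before changing. The function body continues outside the hunk.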
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
GstAudioFormat audio_format;
if (s->channel_count == 0 ||
+ s->channel_count > 8 ||
s->quantization_bits == 0 ||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
GST_ERROR ("Invalid descriptor");
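Review bot: The new `s->channel_count > 8` limit is a bare literal whose justification lives only in the commit message. A named constant with a one-line comment such as `/* SMPTE 331M: at most 8 AES3 channels; larger counts overflow the copy in the essence handler */` would keep the bound next to the code it protects. The handler in the first hunk presumably depends on this limit without referencing it, so a shared constant would also document that dependency.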
--
2.43.0


@ -1,42 +0,0 @@
From 33868442087aac6f26f18aeafd527c1a75946f34 Mon Sep 17 00:00:00 2001
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date: Wed, 17 Jan 2024 12:50:34 +0100
Subject: [PATCH 5/5] h265parser: Fix possible overflow using
max_sub_layers_minus1
This fixes a possible overflow that can be triggered by an invalid value of
max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
but the allowed range is 0 to 6 only.
Fixes ZDI-CAN-21768, CVE-2023-40476
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
---
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index 16fce006b..2e8ef182b 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1490,6 +1490,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
/* skip reserved_0xffff_16bits */
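Review bot: `CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6)` passes a lower bound of 0 for a value read with `READ_UINT8`, so the lower comparison can never fail and may draw a type-limits warning if the field is unsigned; `CHECK_ALLOWED_MAX (vps->max_sub_layers_minus1, 6);` expresses the same constraint. The same applies to the `sps->max_sub_layers_minus1` check in the second hunk. The literal 6 would read better as a named constant placed beside whatever sizes the per-sub-layer arrays, which are declared outside this page.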
@@ -1669,6 +1670,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
sps->vps = vps;
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
--
2.43.0


@ -41,6 +41,7 @@ dataurisrc
dccp
debugutils
dtmf
dvbsubenc
faceoverlay
festival
fieldanalysis
@ -84,6 +85,8 @@ proxy
qtmux
rawparse
removesilence
rist
rtmp2
rtp
rtpmux
rtpvp8
@ -96,7 +99,9 @@ smooth
speed
stereo
subenc
switchbin
timecode
transcode
tta
valve
videofilters
@ -164,20 +169,6 @@ for subdir in gst ext sys; do
echo "**** Removing $MODULE ****"
echo "Removing directory $dir"
rm -r $dir || error "Cannot remove $dir"
if grep -q "AG_GST_CHECK_PLUGIN($MODULE)" configure.ac ; then
echo "Removing element check for $MODULE"
grep -v "AG_GST_CHECK_PLUGIN($MODULE)" configure.ac > configure.ac.new && mv configure.ac.new configure.ac
fi
echo "Removing Makefile generation for $MODULE"
grep -v "$dir/Makefile" configure.ac > configure.ac.new && mv configure.ac.new configure.ac
# Urgh
if test $MODULE = real ; then
grep -v "AG_GST_DISABLE_PLUGIN(real)" configure.ac > configure.ac.new && mv configure.ac.new configure.ac
fi
echo "Removing documentation for $MODULE"
if grep -q "$MODULE" docs/plugins/Makefile.am ; then
grep -v $dir docs/plugins/Makefile.am > docs/plugins/Makefile.am.new && mv docs/plugins/Makefile.am.new docs/plugins/Makefile.am
fi
echo
elif test $subdir = ext || test $subdir = sys; then
# Ignore library or system non-blacklisted plugins
@ -197,10 +188,6 @@ if test "x$unknown" != "x"; then
exit 1
fi
#autoreconf
NOCONFIGURE=1 \
./autogen.sh
popd > /dev/null
tar cJf $NEW_SOURCE $DIRECTORY
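Review bot: `rm -r $dir` and `tar cJf $NEW_SOURCE $DIRECTORY` expand unquoted variables, so a directory name containing whitespace or glob characters inside the unpacked tarball would be split or expanded before `rm` sees it. Quoting them, as in `rm -r -- "$dir" || error "Cannot remove $dir"` and `tar cJf "$NEW_SOURCE" "$DIRECTORY"`, keeps the removal confined to the intended path. The rendered page does not show which lines of this section are added or removed, so this applies to whichever of them remain in the new script.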


@ -0,0 +1,45 @@
From b13e925daa574fb07aac0271f2b51c25ecb9d483 Mon Sep 17 00:00:00 2001
From: Kalev Lember <klember@redhat.com>
Date: Wed, 8 Nov 2023 14:41:14 +0100
Subject: [PATCH 1/1] openh264: Add LICENSE file
The openh264 plugin is BSD-licensed, different from the rest of the
gst-plugins-bad. This commit splits the license text out in its own file
to make it easier for binary distributions to distribute the license
text.
---
.../gst-plugins-bad/ext/openh264/LICENSE | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 subprojects/gst-plugins-bad/ext/openh264/LICENSE
diff --git a/subprojects/gst-plugins-bad/ext/openh264/LICENSE b/subprojects/gst-plugins-bad/ext/openh264/LICENSE
new file mode 100644
index 00000000000..e57601b4fb6
--- /dev/null
+++ b/subprojects/gst-plugins-bad/ext/openh264/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2014, Ericsson AB. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this
+list of conditions and the following disclaimer in the documentation and/or other
+materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+OF SUCH DAMAGE.
--
GitLab


@ -0,0 +1,149 @@
From 1dadccd48c97a4b7c96ae0307c2263107e7f1876 Mon Sep 17 00:00:00 2001
From: Kalev Lember <klember@redhat.com>
Date: Wed, 6 Dec 2023 14:58:38 +0100
Subject: [PATCH] openh264: Drop runtime version checks
With the way the runtime checks are currently set up, every single
openh264 release, no matter how minor, is considered an ABI break and
requires gst-plugins-bad recompilation. This is unnecessarily strict
because it doesn't allow downstream distributions to ship any openh264
bug fix version updates without breaking gstreamer's openh264 support.
Years ago, at the time when gstreamer's openh264 support was merged,
openh264 releases were done without a versioned soname (the library was
just libopenh264.so, unversioned). Since then, starting with version
1.3.0, openh264 has started using versioned sonames and the intent has
been to bump the soname every time there's a new release with an ABI
change.
This patch drops the strict version check. meson.build already has a
minimum requirement on openh264 version 1.3.0 where soname versioning
was added, which should be good enough to ensure that the library is
using soname versioning.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5780>
---
.../ext/openh264/gstopenh264dec.cpp | 7 +--
.../ext/openh264/gstopenh264element.c | 48 -------------------
.../ext/openh264/gstopenh264elements.h | 2 -
.../ext/openh264/gstopenh264enc.cpp | 7 +--
.../gst-plugins-bad/ext/openh264/meson.build | 1 -
5 files changed, 4 insertions(+), 61 deletions(-)
delete mode 100644 subprojects/gst-plugins-bad/ext/openh264/gstopenh264element.c
diff --git a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264dec.cpp b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264dec.cpp
index 77f2b8fe348..f3302567c7b 100644
--- a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264dec.cpp
+++ b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264dec.cpp
@@ -459,10 +459,7 @@ openh264dec_element_init (GstPlugin * plugin)
{
GST_DEBUG_CATEGORY_INIT (gst_openh264dec_debug_category, "openh264dec", 0,
"debug category for openh264dec element");
- if (openh264_element_init (plugin))
- return gst_element_register (plugin, "openh264dec", GST_RANK_MARGINAL,
- GST_TYPE_OPENH264DEC);
- GST_ERROR ("Incorrect library version loaded, expecting %s", g_strCodecVer);
- return FALSE;
+ return gst_element_register (plugin, "openh264dec", GST_RANK_MARGINAL,
+ GST_TYPE_OPENH264DEC);
}
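Review bot: After this change `openh264dec_element_init` registers the element unconditionally, so a runtime libopenh264 that differs from the build-time headers is no longer detected or even recorded. Compatibility now rests entirely on the soname convention described in the commit message. I would keep a non-fatal diagnostic here, for example a `GST_INFO` line reporting the value returned by `WelsGetCodecVersion ()`, so a crash report shows which library was actually loaded. The same applies to `openh264enc_element_init` in gstopenh264enc.cpp.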
diff --git a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264element.c b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264element.c
deleted file mode 100644
index 3c5c378c81e..00000000000
--- a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264element.c
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 2014, Ericsson AB. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without modification,
- * are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright notice, this
- * list of conditions and the following disclaimer in the documentation and/or other
- * materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
- * OF SUCH DAMAGE.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <gst/gst.h>
-#include <wels/codec_api.h>
-#include <wels/codec_ver.h>
-#include <string.h>
-#include "gstopenh264elements.h"
-
-
-gboolean
-openh264_element_init (GstPlugin * plugin)
-{
- OpenH264Version libver;
- /* g_stCodecVersion is the version detected at build time as defined in the
- * headers and WelsGetCodecVersion() is the version detected at runtime.
- * This is a safeguard to avoid crashes since OpenH264 has been changing
- * ABI without changing the SONAME.
- */
- libver = WelsGetCodecVersion ();
- return (memcmp (&libver, &g_stCodecVersion, sizeof (libver)) == 0);
-}
diff --git a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264elements.h b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264elements.h
index 572f6a8e078..5c9582941ee 100644
--- a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264elements.h
+++ b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264elements.h
@@ -27,8 +27,6 @@
G_BEGIN_DECLS
-gboolean openh264_element_init (GstPlugin * plugin);
-
GST_ELEMENT_REGISTER_DECLARE (openh264dec);
GST_ELEMENT_REGISTER_DECLARE (openh264enc);
diff --git a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264enc.cpp b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264enc.cpp
index 6b54b1584f8..05c126cfc64 100644
--- a/subprojects/gst-plugins-bad/ext/openh264/gstopenh264enc.cpp
+++ b/subprojects/gst-plugins-bad/ext/openh264/gstopenh264enc.cpp
@@ -1066,10 +1066,7 @@ openh264enc_element_init (GstPlugin * plugin)
{
GST_DEBUG_CATEGORY_INIT (gst_openh264enc_debug_category, "openh264enc", 0,
"debug category for openh264enc element");
- if (openh264_element_init (plugin))
- return gst_element_register (plugin, "openh264enc", GST_RANK_MARGINAL,
- GST_TYPE_OPENH264ENC);
- GST_ERROR ("Incorrect library version loaded, expecting %s", g_strCodecVer);
- return FALSE;
+ return gst_element_register (plugin, "openh264enc", GST_RANK_MARGINAL,
+ GST_TYPE_OPENH264ENC);
}
diff --git a/subprojects/gst-plugins-bad/ext/openh264/meson.build b/subprojects/gst-plugins-bad/ext/openh264/meson.build
index 1f0a198b05e..c6f247e1cdd 100644
--- a/subprojects/gst-plugins-bad/ext/openh264/meson.build
+++ b/subprojects/gst-plugins-bad/ext/openh264/meson.build
@@ -1,7 +1,6 @@
openh264_sources = [
'gstopenh264dec.cpp',
'gstopenh264enc.cpp',
- 'gstopenh264element.c',
'gstopenh264plugin.c',
]
--
GitLab

File diff suppressed because it is too large Load Diff