Compare commits
No commits in common. "imports/c8-beta/gstreamer1-plugins-bad-free-1.14.0-5.el8" and "c8" have entirely different histories.
imports/c8
...
c8
|
|
@ -1 +1 @@
|
|||
SOURCES/gst-plugins-bad-free-1.14.0.tar.xz
|
||||
SOURCES/gst-plugins-bad-free-1.16.1.tar.xz
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
6882db901c299b654342558e3d7c0384097eeb91 SOURCES/gst-plugins-bad-free-1.14.0.tar.xz
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From cb1b143b5b847e2320a58a6eb7af132eba685c9c Mon Sep 17 00:00:00 2001
|
||||
From: Jun Xie <jun.xie@samsung.com>
|
||||
Date: Tue, 27 Feb 2018 10:51:07 +0800
|
||||
Subject: [PATCH] curlhttpsrc: deadlock in multi-instance scenario
|
||||
|
||||
Fixed queue iterator issue and set context state to
|
||||
GSTCURL_MULTI_LOOP_STATE_RUNNING in case other
|
||||
instance are in running state.
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=793863
|
||||
---
|
||||
ext/curl/gstcurlhttpsrc.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ext/curl/gstcurlhttpsrc.c b/ext/curl/gstcurlhttpsrc.c
|
||||
index a47508e62..e60ccf531 100644
|
||||
--- a/ext/curl/gstcurlhttpsrc.c
|
||||
+++ b/ext/curl/gstcurlhttpsrc.c
|
||||
@@ -1668,8 +1668,10 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
|
||||
g_mutex_unlock (&qelement->p->buffer_mutex);
|
||||
gst_curl_http_src_remove_queue_item (&context->queue, qelement->p);
|
||||
}
|
||||
+ qelement = qelement->next;
|
||||
}
|
||||
context->request_removal_element = NULL;
|
||||
+ context->state = GSTCURL_MULTI_LOOP_STATE_RUNNING;
|
||||
g_mutex_unlock (&context->mutex);
|
||||
} else {
|
||||
GSTCURL_WARNING_PRINT ("Curl Loop State was invalid or unsupported");
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,321 @@
|
|||
From 24e891568537f4447d1c212dcb355a766296bdbb Mon Sep 17 00:00:00 2001
|
||||
From: Wim Taymans <wtaymans@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 18:00:58 +0100
|
||||
Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
|
||||
allocation
|
||||
|
||||
Previously they were stored inline inside a GArray, but as references to
|
||||
the tracks were stored in various other places although the array could
|
||||
still be updated (and reallocated!), this could lead to dangling
|
||||
references in various places.
|
||||
|
||||
Instead now store them in a GPtrArray in their own allocation so each
|
||||
track's memory position stays fixed.
|
||||
|
||||
Fixes ZDI-CAN-22299
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5638>
|
||||
---
|
||||
gst/mxf/mxfdemux.c | 114 +++++++++++++++++++++------------------------
|
||||
gst/mxf/mxfdemux.h | 2 +-
|
||||
2 files changed, 53 insertions(+), 63 deletions(-)
|
||||
|
||||
diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
|
||||
index f6e5ac048..b97dce1ad 100644
|
||||
--- a/gst/mxf/mxfdemux.c
|
||||
+++ b/gst/mxf/mxfdemux.c
|
||||
@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
|
||||
}
|
||||
|
||||
static void
|
||||
-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
+gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
|
||||
{
|
||||
- guint i;
|
||||
+ if (t->offsets)
|
||||
+ g_array_free (t->offsets, TRUE);
|
||||
+
|
||||
+ g_free (t->mapping_data);
|
||||
+
|
||||
+ if (t->tags)
|
||||
+ gst_tag_list_unref (t->tags);
|
||||
+
|
||||
+ if (t->caps)
|
||||
+ gst_caps_unref (t->caps);
|
||||
+
|
||||
+ g_free (t);
|
||||
+}
|
||||
|
||||
+static void
|
||||
+gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
+{
|
||||
GST_DEBUG_OBJECT (demux, "Resetting MXF state");
|
||||
|
||||
g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
|
||||
@@ -167,22 +182,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
|
||||
|
||||
demux->current_partition = NULL;
|
||||
|
||||
- for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
-
|
||||
- if (t->offsets)
|
||||
- g_array_free (t->offsets, TRUE);
|
||||
-
|
||||
- g_free (t->mapping_data);
|
||||
-
|
||||
- if (t->tags)
|
||||
- gst_tag_list_unref (t->tags);
|
||||
-
|
||||
- if (t->caps)
|
||||
- gst_caps_unref (t->caps);
|
||||
- }
|
||||
- g_array_set_size (demux->essence_tracks, 0);
|
||||
+ g_ptr_array_set_size (demux->essence_tracks, 0);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -200,7 +200,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *track =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
track->source_package = NULL;
|
||||
track->source_track = NULL;
|
||||
@@ -713,8 +713,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- k);
|
||||
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->track_number == track->parent.track_number &&
|
||||
tmp->body_sid == edata->body_sid) {
|
||||
@@ -732,24 +731,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
}
|
||||
|
||||
if (!etrack) {
|
||||
- GstMXFDemuxEssenceTrack tmp;
|
||||
+ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
|
||||
|
||||
- memset (&tmp, 0, sizeof (tmp));
|
||||
- tmp.body_sid = edata->body_sid;
|
||||
- tmp.index_sid = edata->index_sid;
|
||||
- tmp.track_number = track->parent.track_number;
|
||||
- tmp.track_id = track->parent.track_id;
|
||||
- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
|
||||
+ tmp->body_sid = edata->body_sid;
|
||||
+ tmp->index_sid = edata->index_sid;
|
||||
+ tmp->track_number = track->parent.track_number;
|
||||
+ tmp->track_id = track->parent.track_id;
|
||||
+ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
|
||||
|
||||
if (demux->current_partition->partition.body_sid == edata->body_sid &&
|
||||
demux->current_partition->partition.body_offset == 0)
|
||||
- tmp.position = 0;
|
||||
+ tmp->position = 0;
|
||||
else
|
||||
- tmp.position = -1;
|
||||
+ tmp->position = -1;
|
||||
|
||||
- g_array_append_val (demux->essence_tracks, tmp);
|
||||
+ g_ptr_array_add (demux->essence_tracks, tmp);
|
||||
etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
+ g_ptr_array_index (demux->essence_tracks,
|
||||
demux->essence_tracks->len - 1);
|
||||
new = TRUE;
|
||||
}
|
||||
@@ -876,13 +874,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
next:
|
||||
if (new) {
|
||||
- g_free (etrack->mapping_data);
|
||||
- if (etrack->tags)
|
||||
- gst_tag_list_unref (etrack->tags);
|
||||
- if (etrack->caps)
|
||||
- gst_caps_unref (etrack->caps);
|
||||
-
|
||||
- g_array_remove_index (demux->essence_tracks,
|
||||
+ g_ptr_array_remove_index (demux->essence_tracks,
|
||||
demux->essence_tracks->len - 1);
|
||||
}
|
||||
}
|
||||
@@ -895,7 +887,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
|
||||
GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
|
||||
@@ -1117,7 +1109,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||
+ g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->source_package == source_package &&
|
||||
tmp->source_track == source_track) {
|
||||
@@ -1598,8 +1590,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
|
||||
pad->current_essence_track = NULL;
|
||||
|
||||
for (k = 0; k < demux->essence_tracks->len; k++) {
|
||||
- GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
|
||||
+ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
|
||||
|
||||
if (tmp->source_package == source_package &&
|
||||
tmp->source_track == source_track) {
|
||||
@@ -1731,7 +1722,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *tmp =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (tmp->body_sid == demux->current_partition->partition.body_sid &&
|
||||
(tmp->track_number == track_number || tmp->track_number == 0)) {
|
||||
@@ -2656,7 +2647,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (etrack->body_sid != demux->current_partition->partition.body_sid)
|
||||
continue;
|
||||
@@ -2719,7 +2710,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
|
||||
guint i;
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (etrack->body_sid != demux->current_partition->partition.body_sid)
|
||||
continue;
|
||||
@@ -2914,7 +2905,7 @@ from_index:
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (index_start_position != -1 && t == etrack)
|
||||
t->position = index_start_position;
|
||||
@@ -2937,8 +2928,7 @@ from_index:
|
||||
if (ret == GST_FLOW_EOS) {
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (t->position > 0)
|
||||
t->duration = t->position;
|
||||
@@ -3020,7 +3010,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (t->position > 0)
|
||||
t->duration = t->position;
|
||||
@@ -3627,8 +3617,8 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
|
||||
}
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||
+
|
||||
t->position = -1;
|
||||
}
|
||||
|
||||
@@ -4001,8 +3991,8 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
|
||||
}
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
- GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
|
||||
+
|
||||
t->position = -1;
|
||||
}
|
||||
|
||||
@@ -4284,7 +4274,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
|
||||
if (t->position > 0)
|
||||
t->duration = t->position;
|
||||
@@ -4325,8 +4315,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *etrack =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
+
|
||||
etrack->position = -1;
|
||||
}
|
||||
ret = TRUE;
|
||||
@@ -4350,8 +4340,8 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
|
||||
|
||||
for (i = 0; i < demux->essence_tracks->len; i++) {
|
||||
GstMXFDemuxEssenceTrack *t =
|
||||
- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
|
||||
- i);
|
||||
+ g_ptr_array_index (demux->essence_tracks, i);
|
||||
+
|
||||
t->position = -1;
|
||||
}
|
||||
demux->current_partition = NULL;
|
||||
@@ -4624,7 +4614,7 @@ gst_mxf_demux_finalize (GObject * object)
|
||||
|
||||
g_ptr_array_free (demux->src, TRUE);
|
||||
demux->src = NULL;
|
||||
- g_array_free (demux->essence_tracks, TRUE);
|
||||
+ g_ptr_array_free (demux->essence_tracks, TRUE);
|
||||
demux->essence_tracks = NULL;
|
||||
|
||||
g_hash_table_destroy (demux->metadata);
|
||||
@@ -4701,8 +4691,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
|
||||
g_rw_lock_init (&demux->metadata_lock);
|
||||
|
||||
demux->src = g_ptr_array_new ();
|
||||
- demux->essence_tracks =
|
||||
- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
|
||||
+ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
|
||||
+ gst_mxf_demux_essence_track_free);
|
||||
|
||||
gst_segment_init (&demux->segment, GST_FORMAT_TIME);
|
||||
|
||||
diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
|
||||
index aac3e67d0..a452980ee 100644
|
||||
--- a/gst/mxf/mxfdemux.h
|
||||
+++ b/gst/mxf/mxfdemux.h
|
||||
@@ -182,7 +182,7 @@ struct _GstMXFDemux
|
||||
GList *partitions;
|
||||
GstMXFDemuxPartition *current_partition;
|
||||
|
||||
- GArray *essence_tracks;
|
||||
+ GPtrArray *essence_tracks;
|
||||
|
||||
GList *pending_index_table_segments;
|
||||
GList *index_tables; /* one per BodySID / IndexSID */
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From e098ad49187296273742dcd0c9c98eca1b351108 Mon Sep 17 00:00:00 2001
|
||||
From: Wim Taymans <wtaymans@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 11:20:54 +0200
|
||||
Subject: [PATCH 1/2] rfbdecoder: don't free decoder data
|
||||
|
||||
The decoder data is freed when we read more data.
|
||||
---
|
||||
gst/librfb/rfbdecoder.c | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/gst/librfb/rfbdecoder.c b/gst/librfb/rfbdecoder.c
|
||||
index b3b01f5a7..fa763313a 100644
|
||||
--- a/gst/librfb/rfbdecoder.c
|
||||
+++ b/gst/librfb/rfbdecoder.c
|
||||
@@ -983,7 +983,6 @@ rfb_decoder_corre_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
|
||||
number_of_rectangles = RFB_GET_UINT32 (decoder->data);
|
||||
color = GUINT32_SWAP_LE_BE ((RFB_GET_UINT32 (decoder->data + 4)));
|
||||
- g_free (decoder->data);
|
||||
|
||||
GST_DEBUG ("number of rectangles :%d", number_of_rectangles);
|
||||
|
||||
@@ -1003,8 +1002,6 @@ rfb_decoder_corre_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
|
||||
|
||||
/* draw the rectangle in the foreground */
|
||||
rfb_decoder_fill_rectangle (decoder, start_x + x, start_y + y, w, h, color);
|
||||
-
|
||||
- g_free (decoder->data);
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From cb16d0b239ef3173bf356a6fe86f30403f285941 Mon Sep 17 00:00:00 2001
|
||||
From: Wim Taymans <wtaymans@redhat.com>
|
||||
Date: Thu, 16 Aug 2018 11:42:25 +0200
|
||||
Subject: [PATCH 2/2] curlhhtpsrc: avoid invalid memory references
|
||||
|
||||
gst_curl_http_src_remove_queue_item() can free qelement and then
|
||||
we get an invalid memory reference when we do qelement->next a
|
||||
couple of lines below. Take the next pointer earlier so that we can
|
||||
safely free.
|
||||
---
|
||||
ext/curl/gstcurlhttpsrc.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ext/curl/gstcurlhttpsrc.c b/ext/curl/gstcurlhttpsrc.c
|
||||
index e60ccf531..c1a0bcf5c 100644
|
||||
--- a/ext/curl/gstcurlhttpsrc.c
|
||||
+++ b/ext/curl/gstcurlhttpsrc.c
|
||||
@@ -1509,7 +1509,7 @@ static void
|
||||
gst_curl_http_src_curl_multi_loop (gpointer thread_data)
|
||||
{
|
||||
GstCurlHttpSrcMultiTaskContext *context;
|
||||
- GstCurlHttpSrcQueueElement *qelement;
|
||||
+ GstCurlHttpSrcQueueElement *qelement, *qnext;
|
||||
int i, still_running;
|
||||
gboolean cond = FALSE;
|
||||
CURLMsg *curl_message;
|
||||
@@ -1655,6 +1655,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
|
||||
} else if (context->state == GSTCURL_MULTI_LOOP_STATE_REQUEST_REMOVAL) {
|
||||
qelement = context->queue;
|
||||
while (qelement != NULL) {
|
||||
+ qnext = qelement->next;
|
||||
if (qelement->p == context->request_removal_element) {
|
||||
g_mutex_lock (&qelement->p->buffer_mutex);
|
||||
curl_multi_remove_handle (context->multi_handle,
|
||||
@@ -1668,7 +1669,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
|
||||
g_mutex_unlock (&qelement->p->buffer_mutex);
|
||||
gst_curl_http_src_remove_queue_item (&context->queue, qelement->p);
|
||||
}
|
||||
- qelement = qelement->next;
|
||||
+ qelement = qnext;
|
||||
}
|
||||
context->request_removal_element = NULL;
|
||||
context->state = GSTCURL_MULTI_LOOP_STATE_RUNNING;
|
||||
--
|
||||
2.17.1
|
||||
|
||||
|
|
@ -0,0 +1,114 @@
|
|||
From b6353c44ca9f005d3b57ee07fda0570d80eecc0f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Thu, 10 Aug 2023 15:45:01 +0300
|
||||
Subject: [PATCH 3/5] mxfdemux: Fix integer overflow causing out of bounds
|
||||
writes when handling invalid uncompressed video
|
||||
|
||||
Check ahead of time when parsing the track information whether
|
||||
width, height and bpp are valid and usable without overflows.
|
||||
|
||||
Fixes ZDI-CAN-21660, CVE-2023-40474
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
|
||||
---
|
||||
gst/mxf/mxfup.c | 51 +++++++++++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 43 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
|
||||
index d8b6664da..ba86255f2 100644
|
||||
--- a/gst/mxf/mxfup.c
|
||||
+++ b/gst/mxf/mxfup.c
|
||||
@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
||||
gpointer mapping_data, GstBuffer ** outbuf)
|
||||
{
|
||||
MXFUPMappingData *data = mapping_data;
|
||||
+ gsize expected_in_stride = 0, out_stride = 0;
|
||||
+ gsize expected_in_size = 0, out_size = 0;
|
||||
|
||||
/* SMPTE 384M 7.1 */
|
||||
if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
|
||||
@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
||||
}
|
||||
}
|
||||
|
||||
- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
|
||||
+ // Checked for overflows when parsing the descriptor
|
||||
+ expected_in_stride = data->bpp * data->width;
|
||||
+ out_stride = GST_ROUND_UP_4 (expected_in_stride);
|
||||
+ expected_in_size = expected_in_stride * data->height;
|
||||
+ out_size = out_stride * data->height;
|
||||
+
|
||||
+ if (gst_buffer_get_size (buffer) != expected_in_size) {
|
||||
GST_ERROR ("Invalid buffer size");
|
||||
gst_buffer_unref (buffer);
|
||||
return GST_FLOW_ERROR;
|
||||
}
|
||||
|
||||
- if (data->bpp != 4
|
||||
- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
|
||||
+ if (data->bpp != 4 || out_stride != expected_in_stride) {
|
||||
guint y;
|
||||
GstBuffer *ret;
|
||||
GstMapInfo inmap, outmap;
|
||||
guint8 *indata, *outdata;
|
||||
|
||||
- ret =
|
||||
- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
|
||||
- data->height);
|
||||
+ ret = gst_buffer_new_and_alloc (out_size);
|
||||
gst_buffer_map (buffer, &inmap, GST_MAP_READ);
|
||||
gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
|
||||
indata = inmap.data;
|
||||
@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
||||
|
||||
for (y = 0; y < data->height; y++) {
|
||||
memcpy (outdata, indata, data->width * data->bpp);
|
||||
- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
|
||||
- indata += data->width * data->bpp;
|
||||
+ outdata += out_stride;
|
||||
+ indata += expected_in_stride;
|
||||
}
|
||||
|
||||
gst_buffer_unmap (buffer, &inmap);
|
||||
@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+ if (caps) {
|
||||
+ MXFUPMappingData *data = *mapping_data;
|
||||
+ gsize expected_in_stride = 0, out_stride = 0;
|
||||
+ gsize expected_in_size = 0, out_size = 0;
|
||||
+
|
||||
+ // Do some checking of the parameters to see if they're valid and
|
||||
+ // we can actually work with them.
|
||||
+ if (data->image_start_offset > data->image_end_offset) {
|
||||
+ GST_WARNING ("Invalid image start/end offset");
|
||||
+ g_free (data);
|
||||
+ *mapping_data = NULL;
|
||||
+ gst_clear_caps (&caps);
|
||||
+
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
|
||||
+ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
|
||||
+ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
|
||||
+ data->height)
|
||||
+ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
|
||||
+ GST_ERROR ("Invalid resolution or bit depth");
|
||||
+ g_free (data);
|
||||
+ *mapping_data = NULL;
|
||||
+ gst_clear_caps (&caps);
|
||||
+
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
return caps;
|
||||
}
|
||||
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
From 706abb367ab366be142fbea4e454fdaa7e7e2bcb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Thu, 10 Aug 2023 15:47:03 +0300
|
||||
Subject: [PATCH 4/5] mxfdemux: Check number of channels for AES3 audio
|
||||
|
||||
Only up to 8 channels are allowed and using a higher number would cause
|
||||
integer overflows when copying the data, and lead to out of bound
|
||||
writes.
|
||||
|
||||
Also check that each buffer is at least 4 bytes long to avoid another
|
||||
overflow.
|
||||
|
||||
Fixes ZDI-CAN-21661, CVE-2023-40475
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
|
||||
---
|
||||
gst/mxf/mxfd10.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
|
||||
index 21401cf52..99c197ab9 100644
|
||||
--- a/gst/mxf/mxfd10.c
|
||||
+++ b/gst/mxf/mxfd10.c
|
||||
@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
|
||||
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
||||
|
||||
/* Now transform raw AES3 into raw audio, see SMPTE 331M */
|
||||
- if ((map.size - 4) % 32 != 0) {
|
||||
+ if (map.size < 4 || (map.size - 4) % 32 != 0) {
|
||||
gst_buffer_unmap (buffer, &map);
|
||||
GST_ERROR ("Invalid D10 sound essence buffer size");
|
||||
return GST_FLOW_ERROR;
|
||||
@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
|
||||
GstAudioFormat audio_format;
|
||||
|
||||
if (s->channel_count == 0 ||
|
||||
+ s->channel_count > 8 ||
|
||||
s->quantization_bits == 0 ||
|
||||
s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
|
||||
GST_ERROR ("Invalid descriptor");
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From 33868442087aac6f26f18aeafd527c1a75946f34 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
|
||||
Date: Wed, 17 Jan 2024 12:50:34 +0100
|
||||
Subject: [PATCH 5/5] h265parser: Fix possible overflow using
|
||||
max_sub_layers_minus1
|
||||
|
||||
This fixes a possible overflow that can be triggered by an invalid value of
|
||||
max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
|
||||
but the allowed range is 0 to 6 only.
|
||||
|
||||
Fixes ZDI-CAN-21768, CVE-2023-40476
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
|
||||
---
|
||||
gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
index 16fce006b..2e8ef182b 100644
|
||||
--- a/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
|
||||
@@ -1490,6 +1490,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
|
||||
|
||||
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
|
||||
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
|
||||
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
|
||||
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
|
||||
|
||||
/* skip reserved_0xffff_16bits */
|
||||
@@ -1669,6 +1670,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
|
||||
sps->vps = vps;
|
||||
|
||||
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
|
||||
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
|
||||
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
|
||||
|
||||
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
|
@ -13,8 +13,8 @@
|
|||
#global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
|
||||
|
||||
Name: gstreamer1-plugins-bad-free
|
||||
Version: 1.14.0
|
||||
Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Version: 1.16.1
|
||||
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer streaming media framework "bad" plugins
|
||||
|
||||
License: LGPLv2+ and LGPLv2
|
||||
|
|
@ -32,9 +32,10 @@ Source0: gst-plugins-bad-free-%{version}.tar.xz
|
|||
Source1: gst-p-bad-cleanup.sh
|
||||
|
||||
#upstream patches
|
||||
Patch0: 0001-rfbdecoder-don-t-free-decoder-data.patch
|
||||
Patch1: 0001-curlhttpsrc-deadlock-in-multi-instance-scenario.patch
|
||||
Patch2: 0002-curlhhtpsrc-avoid-invalid-memory-references.patch
|
||||
Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
|
||||
Patch1: 0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
|
||||
Patch2: 0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
|
||||
Patch3: 0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
|
||||
|
||||
BuildRequires: gstreamer1-devel >= %{version}
|
||||
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
|
||||
|
|
@ -53,7 +54,6 @@ BuildRequires: ladspa-devel
|
|||
BuildRequires: lcms2-devel
|
||||
BuildRequires: libdvdnav-devel
|
||||
BuildRequires: libexif-devel
|
||||
BuildRequires: libiptcdata-devel
|
||||
BuildRequires: libmpcdec-devel
|
||||
BuildRequires: librsvg2-devel
|
||||
BuildRequires: libsndfile-devel
|
||||
|
|
@ -69,7 +69,7 @@ BuildRequires: opus-devel
|
|||
BuildRequires: nettle-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
BuildRequires: libwayland-client-devel
|
||||
BuildRequires: wayland-devel
|
||||
%endif
|
||||
BuildRequires: gnutls-devel
|
||||
BuildRequires: libsrtp-devel
|
||||
|
|
@ -191,11 +191,12 @@ aren't tested well enough, or the code is not of good enough quality.
|
|||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||
--with-package-name="Fedora GStreamer-plugins-bad package" \
|
||||
--with-package-origin="http://download.fedoraproject.org" \
|
||||
--with-package-name="GStreamer-plugins-bad package" \
|
||||
--with-package-origin="http://www.redhat.com" \
|
||||
%{!?with_extras:--disable-fbdev --disable-decklink --disable-linsys} \
|
||||
--enable-debug --disable-static --enable-gtk-doc --enable-experimental \
|
||||
--disable-dts --disable-faac --disable-faad --disable-nas \
|
||||
|
|
@ -283,13 +284,13 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
%{_libdir}/libgstadaptivedemux-%{majorminor}.so.*
|
||||
%{_libdir}/libgstbasecamerabinsrc-%{majorminor}.so.*
|
||||
%{_libdir}/libgstbadaudio-%{majorminor}.so.*
|
||||
%{_libdir}/libgstbadvideo-%{majorminor}.so.*
|
||||
%{_libdir}/libgstcodecparsers-%{majorminor}.so.*
|
||||
%{_libdir}/libgstinsertbin-%{majorminor}.so.*
|
||||
%{_libdir}/libgstisoff-%{majorminor}.so.*
|
||||
%{_libdir}/libgstmpegts-%{majorminor}.so.*
|
||||
%{_libdir}/libgstplayer-%{majorminor}.so.*
|
||||
%{_libdir}/libgstphotography-%{majorminor}.so.*
|
||||
%{_libdir}/libgstsctp-%{majorminor}.so.*
|
||||
%{_libdir}/libgsturidownloader-%{majorminor}.so.*
|
||||
%{_libdir}/libgstwebrtc-%{majorminor}.so.*
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
|
|
@ -316,7 +317,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
%{_libdir}/gstreamer-%{majorminor}/libgstbayer.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstcamerabin.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstcoloreffects.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstcompositor.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstdashdemux.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstfaceoverlay.so
|
||||
%if %{with extras}
|
||||
|
|
@ -360,7 +360,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
%{_libdir}/gstreamer-%{majorminor}/libgstsmooth.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstsmoothstreaming.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstspeed.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgststereo.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstsubenc.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgsttimecode.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstuvch264.so
|
||||
|
|
@ -374,19 +373,17 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
|
||||
# System (Linux) specific plugins
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstdvb.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstvcdsrc.so
|
||||
|
||||
# Plugins with external dependencies
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstbluez.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstbz2.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstclosedcaption.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstcolormanagement.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstdtls.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgsthls.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstgsm.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstkms.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstladspa.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstmusepack.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstopenglmixers.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstopusparse.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstsndfile.so
|
||||
%{_libdir}/gstreamer-%{majorminor}/libgstsoundtouch.so
|
||||
|
|
@ -446,13 +443,13 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
%{_libdir}/libgstadaptivedemux-%{majorminor}.so
|
||||
%{_libdir}/libgstbasecamerabinsrc-%{majorminor}.so
|
||||
%{_libdir}/libgstbadaudio-%{majorminor}.so
|
||||
%{_libdir}/libgstbadvideo-%{majorminor}.so
|
||||
%{_libdir}/libgstcodecparsers-%{majorminor}.so
|
||||
%{_libdir}/libgstinsertbin-%{majorminor}.so
|
||||
%{_libdir}/libgstisoff-%{majorminor}.so
|
||||
%{_libdir}/libgstmpegts-%{majorminor}.so
|
||||
%{_libdir}/libgstplayer-%{majorminor}.so
|
||||
%{_libdir}/libgstphotography-%{majorminor}.so
|
||||
%{_libdir}/libgstsctp-%{majorminor}.so
|
||||
%{_libdir}/libgsturidownloader-%{majorminor}.so
|
||||
%{_libdir}/libgstwebrtc-%{majorminor}.so
|
||||
%if 0%{?fedora} || 0%{?rhel} > 7
|
||||
|
|
@ -467,22 +464,44 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||
%{_includedir}/gstreamer-%{majorminor}/gst/isoff/
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/mpegts
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/player
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/sctp
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/uridownloader
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/video
|
||||
%{_includedir}/gstreamer-%{majorminor}/gst/webrtc/
|
||||
|
||||
# pkg-config files
|
||||
%{_libdir}/pkgconfig/gstreamer-bad-audio-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-bad-video-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-codecparsers-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-insertbin-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-mpegts-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-player-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-plugins-bad-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-sctp-%{majorminor}.pc
|
||||
%{_libdir}/pkgconfig/gstreamer-webrtc-%{majorminor}.pc
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
||||
- Patch CVE-2023-40474: Integer overflow
|
||||
- Patch CVE-2023-40475: Integer overflow
|
||||
- Patch CVE-2023-40476: Integer overflow in H.265 video parser
|
||||
- Resolves: RHEL-19500, RHEL-19504, RHEL-19507
|
||||
|
||||
* Thu Jan 11 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
|
||||
- Bump to avoid conflict with z stream.
|
||||
- Resolves: RHEL-16794
|
||||
|
||||
* Wed Dec 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
|
||||
- Patch CVE-2023-44446: MXF demuxer use-after-free
|
||||
- Resolves: RHEL-16794
|
||||
|
||||
* Mon Nov 18 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
|
||||
- Update to 1.16.1
|
||||
- Remove upstreamed patches
|
||||
- Remove dependency on removed package
|
||||
- Add sctp and closedcaption plugins
|
||||
- The vcdsrc plugin was removed
|
||||
- Resolves: rhbz#1756299
|
||||
|
||||
* Thu Aug 16 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.0-5
|
||||
- Fixes for problems found by covscan
|
||||
- Resolves: rhbz#1602534
|
||||
|
|
|
|||
Loading…
Reference in New Issue