import UBI gstreamer1-plugins-base-1.22.12-4.el9

.gitignore

@@ -1 +1 @@
-SOURCES/gst-plugins-base-1.22.1.tar.xz
+SOURCES/gst-plugins-base-1.22.12.tar.xz

.gstreamer1-plugins-base.metadata

@@ -1 +1 @@
-489d54fcc3c8ee63cd03614e2f0e1ebfd5815539 SOURCES/gst-plugins-base-1.22.1.tar.xz
+e5c16230351e77f59073c2dcca7bfa2d39cbef60 SOURCES/gst-plugins-base-1.22.12.tar.xz

SOURCES/0001-missing-plugins-Remove-the-mpegaudioversion-field.patch

@@ -1,7 +1,8 @@
-From cd9358bdbae7e0cbaac4c235dead2e819b033d2f Mon Sep 17 00:00:00 2001
+From 55b9602e9728e5c0cdfa7e907b5a24a75fe23283 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
+From: Wim Taymans <wtaymans@redhat.com>
-Date: Wed, 17 Jan 2024 16:19:30 +0100
+Date: Fri, 13 Dec 2024 15:22:07 +0100
-Subject: [PATCH 1/8] missing-plugins: Remove the mpegaudioversion field
+Subject: [PATCH 01/10] Subject: [PATCH 1/2] missing-plugins: Remove the
+ mpegaudioversion field
 
 From missing plugins requests as it's a duplicate of mpegversion
 and its presence would break codec discovery when using RPM.

SOURCES/0002-gl-fix-compilation.patch

@@ -1,25 +0,0 @@
-From 2ede3bc75535b7445db836fdcb6a6c85c5f47dbe Mon Sep 17 00:00:00 2001
-From: Wim Taymans <wtaymans@redhat.com>
-Date: Wed, 17 Jan 2024 16:20:46 +0100
-Subject: [PATCH 2/8] gl: fix compilation
-
----
- .../gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h           | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
-index 0212744b74..58299473d9 100644
---- a/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
-+++ b/subprojects/gst-plugins-base/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
-@@ -22,7 +22,7 @@
- #define __GST_GL_WINDOW_WAYLAND_EGL_H__
- 
- #include <wayland-client.h>
--#include "xdg-shell-client-protocol.h"
-+#include "../xdg-shell-client-protocol.h"
- #include <wayland-egl.h>
- #include <wayland-cursor.h>
- 
--- 
-2.47.0
-

SOURCES/0002-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch

@@ -0,0 +1,60 @@
+From cdeab27c352d2d90db8c9eb3004eba8969208fa9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: [PATCH 02/10] id3v2: Don't try parsing extended header if not enough
+ data is available
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8095>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+index c295ac89ef..f2b38ca595 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
++++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+ 
+ #define HANDLE_INVALID_SYNCSAFE
+ 
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+ 
+ #ifndef GST_DISABLE_GST_DEBUG
+ 
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+     GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+   }
+ 
+-  id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
++  id3v2_frames_to_tag_list (&work);
+ 
+   g_free (uu_data);
+ 
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
+ }
+ 
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
++id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+   guint frame_hdr_size;
+ 
+   /* Extended header if present */
+   if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
++    if (work->hdr.frame_data_size < 4) {
++      GST_DEBUG ("Tag has no extended header data. Broken tag");
++      return FALSE;
++    }
++
+     work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+ 
+     /* In id3v2.4.x the header size is the size of the *whole*
+-- 
+2.47.0
+

SOURCES/0003-opusdec-Set-at-most-64-channels-to-NONE-position.patch

@@ -1,7 +1,7 @@
-From 854ad98510462c560ede6539157ce53bebdebf15 Mon Sep 17 00:00:00 2001
+From 5e45367c3abc0b5b6e391bc7ec959bb486d636b8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
 Date: Tue, 1 Oct 2024 13:22:50 +0300
-Subject: [PATCH 6/8] opusdec: Set at most 64 channels to NONE position
+Subject: [PATCH 03/10] opusdec: Set at most 64 channels to NONE position
 
 Thanks to Antonio Morales for finding and reporting the issue.
 

SOURCES/0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch

@@ -1,36 +0,0 @@
-From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
-Date: Tue, 13 Jun 2023 12:53:13 +0300
-Subject: [PATCH 3/8] subparse: Look for the closing `>` of a tag after the
- opening `<`
-
-Previously when fixing up subrip markip, we were looking from the start
-of the remaining buffer instead. Due to how skipping over closing tags
-works, the remaining buffer will still contain the closing `>` of the
-previous tag so if a unexpected closing tag is found after another
-closing tag, we would potentially do an out of bounds memmove().
-
-Fixes ZDI-CAN-20968
-Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
-
-Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
----
- subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-index 7aa922cdd8..d0960a971a 100644
---- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
-     }
- 
-     if (*next_tag == '<' && *(next_tag + 1) == '/') {
--      end_tag = strchr (cur, '>');
-+      end_tag = strchr (next_tag, '>');
-       if (end_tag) {
-         const gchar *last = NULL;
-         if (num_open_tags > 0)
--- 
-2.47.0
-

SOURCES/0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch

@@ -1,33 +0,0 @@
-From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
-Date: Tue, 13 Jun 2023 12:58:26 +0300
-Subject: [PATCH 4/8] subparse: Skip after the end of a valid closing tag
- instead of only skipping `<`
-
-This is a small optimization and avoids restarting the next parsing
-iteration on already accepted data.
-
-On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
-previous commit independently is also a valid fix for it.
-
-Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
----
- subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-index d0960a971a..b33ddbb2a7 100644
---- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
-@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
-         } else {
-           --num_open_tags;
-           g_ptr_array_remove_index (open_tags, num_open_tags);
-+          cur = end_tag + 1;
-+          continue;
-         }
-       }
-     }
--- 
-2.47.0
-

SOURCES/0004-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch

@@ -1,7 +1,7 @@
-From 99cc78f36aa11642e88cad83a9f0a068c91532eb Mon Sep 17 00:00:00 2001
+From 6b757bd74b49cbcdabea2a87449038314ce926f9 Mon Sep 17 00:00:00 2001
 From: Mathieu Duponchelle <mathieu@centricular.com>
 Date: Wed, 2 Oct 2024 15:16:30 +0200
-Subject: [PATCH 7/8] vorbis_parse: check writes to
+Subject: [PATCH 04/10] vorbis_parse: check writes to
  GstOggStream.vorbis_mode_sizes
 
 Thanks to Antonio Morales for finding and reporting the issue.

SOURCES/0005-oggstream-review-and-fix-per-format-min_packet_size.patch

@@ -0,0 +1,164 @@
+From ad43518d16302a97e74e4746730fac960718bd28 Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 16:52:51 +0200
+Subject: [PATCH 05/10] oggstream: review and fix per-format min_packet_size
+
+This addresses all manually detected invalid reads in setup functions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8097>
+---
+ .../gst-plugins-base/ext/ogg/gstoggstream.c   | 40 ++++++-------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+index a8883304a5..ab6be238dc 100644
+--- a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
++++ b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+   gint width, height, par_n, par_d, fps_n, fps_d;
+ 
+-  if (packet->bytes < 26) {
+-    GST_DEBUG ("Failed to parse VP8 BOS page");
+-    return FALSE;
+-  }
+-
+   width = GST_READ_UINT16_BE (packet->packet + 8);
+   height = GST_READ_UINT16_BE (packet->packet + 10);
+   par_n = GST_READ_UINT24_BE (packet->packet + 12);
+@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+   gint64 prestime_n, prestime_d;
+   gint64 basetime_n, basetime_d;
+ 
+-  if (packet->bytes < 44) {
+-    GST_DEBUG ("Not enough data for fishead header");
+-    return FALSE;
+-  }
+-
+   data = packet->packet;
+ 
+   data += 8;                    /* header */
+@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+     pad->prestime = -1;
+ 
+   /* Ogg Skeleton 3.3+ streams provide additional information in the header */
+-  if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
+-      && pad->skeleton_minor > 0) {
++  if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
++      && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
+     gint64 firstsampletime_n, firstsampletime_d;
+     gint64 lastsampletime_n, lastsampletime_d;
+     gint64 firstsampletime, lastsampletime;
+@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+ 
+     GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
+         GST_TIME_ARGS (pad->total_time));
+-  } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
++  } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
+       && pad->skeleton_major == 4) {
+     guint64 segment_length, content_offset;
+ 
+@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
+   guint8 *data = packet->packet;
+   const char *category;
+ 
+-  if (packet->bytes < 64)
+-    return FALSE;
+-
+   pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
+   pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
+   pad->granuleshift = GST_READ_UINT8 (data + 15);
+@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+   GstBuffer *buffer;
+ 
+-  if (packet->bytes < 19)
+-    return FALSE;
+-
+   pad->granulerate_n = 48000;
+   pad->granulerate_d = 1;
+   pad->granuleshift = 0;
+@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\001vorbis", 7, 22,
++    "\001vorbis", 7, 29,
+     "audio/x-vorbis",
+     setup_vorbis_mapper,
+     NULL,
+@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "PCM     ", 8, 0,
++    "PCM     ", 8, 28,
+     "audio/x-raw",
+     setup_pcm_mapper,
+     NULL,
+@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "CMML\0\0\0\0", 8, 0,
++    "CMML\0\0\0\0", 8, 29,
+     "text/x-cmml",
+     setup_cmml_mapper,
+     NULL,
+@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "Annodex", 7, 0,
++    "Annodex", 7, 44,
+     "application/x-annodex",
+     setup_fishead_mapper,
+     NULL,
+@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "CELT    ", 8, 0,
++    "CELT    ", 8, 60,
+     "audio/x-celt",
+     setup_celt_mapper,
+     NULL,
+@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\200kate\0\0\0", 8, 0,
++    "\200kate\0\0\0", 8, 64,
+     "text/x-kate",
+     setup_kate_mapper,
+     NULL,
+@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "OVP80\1\1", 7, 4,
++    "OVP80\1\1", 7, 26,
+     "video/x-vp8",
+     setup_vp8_mapper,
+     setup_vp8_mapper_from_caps,
+@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
+     update_stats_vp8
+   },
+   {
+-    "OpusHead", 8, 0,
++    "OpusHead", 8, 19,
+     "audio/x-opus",
+     setup_opus_mapper,
+     NULL,
+@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\001text\0\0\0", 9, 9,
++    "\001text\0\0\0", 9, 25,
+     "application/x-ogm-text",
+     setup_ogmtext_mapper,
+     NULL,
+-- 
+2.47.0
+

SOURCES/0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch

@@ -1,34 +0,0 @@
-From 1ac83c63d28d02d2dbed663cd6eda4009d6b717e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
-Date: Tue, 13 Jun 2023 13:22:57 +0300
-Subject: [PATCH 5/8] tags: Don't allow image tags with G_MAXUINT32 length
-
-This will cause an integer overflow a little bit further down because we
-allocate a bit more memory to allow for a NUL-terminator.
-
-The caller should've avoided passing that much data in already as it's
-not going to be a valid image and there's likely not even that much data
-available.
-
-Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
----
- subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
-index 73e6bb4a36..d38a0c97f4 100644
---- a/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
-+++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/tags.c
-@@ -530,7 +530,8 @@ gst_tag_image_data_to_image_sample (const guint8 * image_data,
-   GstStructure *image_info = NULL;
- 
-   g_return_val_if_fail (image_data != NULL, NULL);
--  g_return_val_if_fail (image_data_len > 0, NULL);
-+  g_return_val_if_fail (image_data_len > 0
-+      || image_data_len == G_MAXUINT32, NULL);
-   g_return_val_if_fail (gst_tag_image_type_is_valid (image_type), NULL);
- 
-   GST_DEBUG ("image data len: %u bytes", image_data_len);
--- 
-2.47.0
-

SOURCES/0006-discoverer-Don-t-print-channel-layout-for-more-than-.patch

@@ -0,0 +1,34 @@
+From e660aefc79c6bd8e2ced88ce04f56be67c5b4650 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:19:30 +0300
+Subject: [PATCH 06/10] discoverer: Don't print channel layout for more than 64
+ channels
+
+64+ channels are always unpositioned / unknown layout.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-248
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8098>
+---
+ subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c
+index b042be535d..6028fc71c9 100644
+--- a/subprojects/gst-plugins-base/tools/gst-discoverer.c
++++ b/subprojects/gst-plugins-base/tools/gst-discoverer.c
+@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo)
+ 
+   channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo);
+ 
+-  if (channel_mask != 0) {
++  if (channel_mask != 0 && channels <= 64) {
+     gst_audio_channel_positions_from_mask (channels, channel_mask, position);
+ 
+     for (i = 0; i < channels; i++) {
+-- 
+2.47.0
+

SOURCES/0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch

@@ -1,7 +1,7 @@
-From 60cd489c12b46b63c6e6b95e24cacd53fef739ef Mon Sep 17 00:00:00 2001
+From dafd5895149f29528342ddecd7ef210dd5597421 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
 Date: Mon, 30 Sep 2024 21:35:07 +0300
-Subject: [PATCH 8/8] vorbisdec: Set at most 64 channels to NONE position
+Subject: [PATCH 07/10] vorbisdec: Set at most 64 channels to NONE position
 
 Thanks to Antonio Morales for finding and reporting the issue.
 

SOURCES/0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch

@@ -0,0 +1,34 @@
+From 6c650a7655dbc4b3237b17440eb52fb0f5a193cc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:40:44 +0300
+Subject: [PATCH 08/10] ssaparse: Search for closing brace after opening brace
+
+Otherwise removing anything between the braces leads to out of bound writes if
+there is a closing brace before the first opening brace.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-228
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8099>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index d6fdb9c9fc..8ed0134102 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+   gboolean removed_any = FALSE;
+ 
+   while ((t = strchr (txt, '{'))) {
+-    end = strchr (txt, '}');
++    end = strchr (t, '}');
+     if (end == NULL) {
+       GST_WARNING_OBJECT (parse, "Missing { for style override code");
+       return removed_any;
+-- 
+2.47.0
+

SOURCES/0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch

@@ -0,0 +1,95 @@
+From e724bd66a099d0d866edfab6c5418c2826854d79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:36:19 +0300
+Subject: [PATCH 09/10] ssaparse: Don't use strstr() on strings that are
+ potentially not NULL-terminated
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8099>
+---
+ .../gst/subparse/gstssaparse.c                | 36 ++++++++++++++++++-
+ subprojects/gst-plugins-base/meson.build      |  1 +
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index 8ed0134102..2d8daf77e1 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+   return res;
+ }
+ 
++#ifndef HAVE_MEMMEM
++// memmem() is a GNU extension so if it's not available we'll need
++// our own implementation here. Thanks C.
++static void *
++my_memmem (const void *haystack, size_t haystacklen, const void *needle,
++    size_t needlelen)
++{
++  const guint8 *cur, *end;
++
++  if (needlelen > haystacklen)
++    return NULL;
++  if (needlelen == 0)
++    return (void *) haystack;
++
++
++  cur = haystack;
++  end = cur + haystacklen - needlelen;
++
++  for (; cur <= end; cur++) {
++    if (memcmp (cur, needle, needlelen) == 0)
++      return (void *) cur;
++  }
++
++  return NULL;
++}
++#else
++#define my_memmem memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+ {
+@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+   const GValue *val;
+   GstStructure *s;
+   const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF };
++  const guint8 header[] = "[Script Info]";
+   const gchar *end;
+   GstBuffer *priv;
+   GstMapInfo map;
+@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+     left -= 3;
+   }
+ 
+-  if (!strstr (ptr, "[Script Info]"))
++  if (!my_memmem (ptr, left, header, sizeof (header) - 1))
+     goto invalid_init;
+ 
+   if (!g_utf8_validate (ptr, left, &end)) {
+@@ -231,6 +261,10 @@ invalid_init:
+   }
+ }
+ 
++#ifdef my_memmem
++#undef my_memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+ {
+diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build
+index 194de8c231..486833bd9f 100644
+--- a/subprojects/gst-plugins-base/meson.build
++++ b/subprojects/gst-plugins-base/meson.build
+@@ -199,6 +199,7 @@ check_functions = [
+   ['HAVE_LRINTF', 'lrintf', '#include<math.h>'],
+   ['HAVE_MMAP', 'mmap', '#include<sys/mman.h>'],
+   ['HAVE_LOG2', 'log2', '#include<math.h>'],
++  ['HAVE_MEMMEM', 'memmem', '#include<string.h>'],
+ ]
+ 
+ libm = cc.find_library('m', required : false)
+-- 
+2.47.0
+

SOURCES/0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch

@@ -0,0 +1,35 @@
+From 570cba0db38693cc5576304b0f0fafaaddbdf750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:23:47 -0400
+Subject: [PATCH 10/10] subparse: Check for NULL return of strchr() when
+ parsing LRC subtitles
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-263
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8100>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 1867dee69c..4ea4ec64a9 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -1068,6 +1068,11 @@ parse_lrc (ParserState * state, const gchar * line)
+     return NULL;
+ 
+   start = strchr (line, ']');
++  // sscanf() does not check for the trailing ] but only up to the last
++  // placeholder, so there might be no ] at the end.
++  if (!start)
++    return NULL;
++
+   if (start - line == 9)
+     milli = 10;
+   else
+-- 
+2.47.0
+

SOURCES/xdg-compile.patch

@@ -0,0 +1,12 @@
+diff -ru gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h
+--- gst-plugins-base-1.18.4/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h	2021-03-15 18:48:01.251275800 +0100
++++ gst-plugins-base-1.18.4.new/gst-libs/gst/gl/wayland/gstglwindow_wayland_egl.h	2022-01-14 16:53:07.235319602 +0100
+@@ -22,7 +22,7 @@
+ #define __GST_GL_WINDOW_WAYLAND_EGL_H__
+ 
+ #include <wayland-client.h>
+-#include "xdg-shell-client-protocol.h"
++#include "../xdg-shell-client-protocol.h"
+ #include <wayland-egl.h>
+ #include <wayland-cursor.h>
+ 

SPECS/gstreamer1-plugins-base.spec

@@ -1,3 +1,6 @@
+%bcond cdparanoia %{undefined rhel}
+%bcond libvisual %{undefined rhel}
+
 %global         majorminor      1.0
 
 #global gitrel     140
@@ -5,11 +8,11 @@
 #global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
 
 Name:           gstreamer1-plugins-base
-Version:        1.22.1
+Version:        1.22.12
-Release:        3%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        4%{?dist}
 Summary:        GStreamer streaming media framework base plugins
 
-License:        LGPLv2+
+License:        LGPL-2.1-or-later
 URL:            http://gstreamer.freedesktop.org/
 %if 0%{?gitrel}
 # git clone git://anongit.freedesktop.org/gstreamer/gst-plugins-base
@@ -18,14 +21,18 @@ Source0:        gst-plugins-base-%{version}.tar.xz
 %else
 Source0:        http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz
 %endif
-Patch0:		0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+Patch000:       0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
-Patch1:		0002-gl-fix-compilation.patch
+Patch001:       xdg-compile.patch
-Patch2:		0003-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch002:	0002-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
-Patch3:		0004-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
+Patch003:	0003-opusdec-Set-at-most-64-channels-to-NONE-position.patch
-Patch4:		0005-tags-Don-t-allow-image-tags-with-G_MAXUINT32-length.patch
+Patch004:	0004-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
-Patch5:		0006-opusdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch005:	0005-oggstream-review-and-fix-per-format-min_packet_size.patch
-Patch6:		0007-vorbis_parse-check-writes-to-GstOggStream.vorbis_mod.patch
+Patch006:	0006-discoverer-Don-t-print-channel-layout-for-more-than-.patch
-Patch7:		0008-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch007:	0007-vorbisdec-Set-at-most-64-channels-to-NONE-position.patch
+Patch008:	0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch
+Patch009:	0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch
+Patch010:	0010-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch
+
 
 BuildRequires:  meson >= 0.48.0
 BuildRequires:  gcc
@@ -35,9 +42,14 @@ BuildRequires:  gobject-introspection-devel >= 1.31.1
 BuildRequires:  iso-codes-devel
 
 BuildRequires:  alsa-lib-devel
+%if %{with cdparanoia}
+BuildRequires:  cdparanoia-devel
+%endif
 BuildRequires:  libogg-devel >= 1.0
 BuildRequires:  libtheora-devel >= 1.1
+%if %{with libvisual}
 BuildRequires:  libvisual-devel
+%endif
 BuildRequires:  libvorbis-devel >= 1.0
 BuildRequires:  libXv-devel
 BuildRequires:  orc-devel >= 0.4.18
@@ -122,26 +134,30 @@ for the GStreamer Base Plugins library.
 
 %prep
 %setup -q -n gst-plugins-base-%{version}
-%patch0 -p3
+%patch -P 0 -p3
-%patch1 -p3
+%patch -P 1 -p1
-%patch2 -p3
+%patch -P 2 -p3
-%patch3 -p3
+%patch -P 3 -p3
-%patch4 -p3
+%patch -P 4 -p3
-%patch5 -p3
+%patch -P 5 -p3
-%patch6 -p3
+%patch -P 6 -p3
-%patch7 -p3
+%patch -P 7 -p3
+%patch -P 8 -p3
+%patch -P 9 -p3
+%patch -P 10 -p3
 
 %build
 %meson \
   -D package-name='Fedora GStreamer-plugins-base package' \
   -D package-origin='http://download.fedoraproject.org' \
   -D gl_winsys=wayland,x11,gbm \
+  %{!?with_cdparanoia:-D cdparanoia=disabled} \
+  %{!?with_libvisual:-D libvisual=disabled} \
   -D doc=disabled \
   -D orc=enabled \
   -D tremor=disabled \
   -D tests=disabled \
-  -D examples=disabled \
+  -D examples=disabled
-  -D cdparanoia=disabled
 %meson_build
 
 %install
@@ -212,12 +228,17 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstapp.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstencoding.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstrawparse.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstplayback.so
+%if %{with cdparanoia}
+chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstcdparanoia.so
+%endif
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/libgstriff-1.0.so.*
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstxvimagesink.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgsttheora.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgsttypefindfunctions.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstaudioresample.so
+%if %{with libvisual}
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstlibvisual.so
+%endif
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstaudioconvert.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideoconvertscale.so
 chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstvideorate.so
@@ -288,8 +309,13 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 
 # base plugins with dependencies
 %{_libdir}/gstreamer-%{majorminor}/libgstalsa.so
+%if %{with cdparanoia}
+%{_libdir}/gstreamer-%{majorminor}/libgstcdparanoia.so
+%endif
 %{_libdir}/gstreamer-%{majorminor}/libgstopengl.so
+%if %{with libvisual}
 %{_libdir}/gstreamer-%{majorminor}/libgstlibvisual.so
+%endif
 %{_libdir}/gstreamer-%{majorminor}/libgstogg.so
 %{_libdir}/gstreamer-%{majorminor}/libgstopus.so
 %{_libdir}/gstreamer-%{majorminor}/libgstpango.so
@@ -494,33 +520,104 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %endif
 
 %changelog
-* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-3
+* Fri Dec 13 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-4
-- Fixes for CVE-2024-47538, CVE-2024-47607, CVE-2024-47615
+- Bump version
-  Resolves: RHEL-70979, RHEL-71015, RHEL-70991
+- Apply patches for CVE-2024-47538, CVE-2024-47541, CVE-2024-47542,
+  CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
+  Resolves: RHEL-70983, RHEL-71035, RHEL-70932, RHEL-71037
+  Resolves: RHEL-71019, RHEL-70995, RHEL-71163
 
-* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
+* Sat Nov 09 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-3
-- CVE-2023-37328: heap overwrite in subtitle parsing
+- Rebuild
-- Resolves: RHEL-19475
+- Resolves: RHEL-38511, RHEL-41157
 
-* Wed Apr 12 2021 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
+* Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-2
+- Rebuild
+- Resolves: RHEL-38511, RHEL-41157
+
+* Fri Jun 14 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.12-1
+- Update to 1.22.12
+
+* Thu May 02 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.9-2
+- Disable libvisual in RHEL builds
+
+* Thu Jan 25 2024 Gwyn Ciesla <gwync@protonmail.com> - 1.22.9-1
+- 1.22.9
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Dec 18 2023 Gwyn Ciesla <gwync@protonmail.com> - 1.22.8-1
+- 1.22.8
+
+* Tue Nov 14 2023 Gwyn Ciesla <gwync@protonmail.com> - 1.22.7-1
+- 1.22.7
+
+* Fri Jul 21 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.5-1
+- Update to 1.22.5
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 08 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 1.22.3-2
+- Disable cdparanoia in RHEL builds
+
+* Thu May 25 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.3-1
+- Update to 1.22.3
+
+* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.2-1
+- Update to 1.22.2
+
+* Mon Mar 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
 - Update to 1.22.1
-- Resolves: rhbz#2144557
 
-* Fri Jan 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-5
+* Tue Jan 24 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.0-1
-- Handle both compressed and uncompressed man pages
+- Update to 1.22.0
-- Fix build with small patch
-- Resolves: rhbz#2005247
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.18.4-4
+* Fri Jan 20 2023 Wim Taymans <wtaymans@redhat.com> - 1.21.90-1
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Update to 1.21.90
-  Related: rhbz#1991688
 
-* Thu Jul 15 2021 Jiri Kucera <jkucera@redhat.com> - 1.18.4-3
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.5-2
-- Remove cdparanoia dependency on el9 and later
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-- Resolves: rhbz#1973678
 
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.18.4-2
+* Wed Jan 11 2023 Wim Taymans <wtaymans@redhat.com> - 1.20.5-1
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Update to 1.20.5
+
+* Thu Oct 13 2022 Wim Taymans <wtaymans@redhat.com> - 1.20.4-1
+- Update to 1.20.4
+
+* Tue Sep 27 2022 Erico Nunes <ernunes@redhat.com> - 1.20.3-3
+- Enable gbm winsys
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jul 18 2022 Wim Taymans <wtaymans@redhat.com> - 1.20.3-1
+- Update to 1.20.3
+
+* Fri Feb 4 2022 Wim Taymans <wtaymans@redhat.com> - 1.20.0-1
+- Update to 1.20.0
+
+* Wed Jan 26 2022 Wim Taymans <wtaymans@redhat.com> - 1.19.3-3
+- Fix build, gtk_doc does not exist anymore.
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Nov 11 2021 Wim Taymans <wtaymans@redhat.com> - 1.19.3-1
+- Update to 1.19.3
+
+* Thu Sep 23 2021 Wim Taymans <wtaymans@redhat.com> - 1.19.2-1
+- Update to 1.19.2
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 03 2021 Wim Taymans <wtaymans@redhat.com> - 1.19.1-1
+- Update to 1.19.1
 
 * Tue Mar 16 2021 Wim Taymans <wtaymans@redhat.com> - 1.18.4-1
 - Update to 1.18.4