Import from CS git
This commit is contained in:
parent
5b04e00c79
commit
593f2ab23e
1
.gstreamer1-plugins-base.metadata
Normal file
1
.gstreamer1-plugins-base.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
e906442fd99376ce2384a634637ede9fd8515fc3 SOURCES/gst-plugins-base-1.16.1.tar.xz
|
||||||
@ -0,0 +1,69 @@
|
|||||||
|
From 58deb2c68fda0cf46a03643aefa28efdc0753efa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Fri, 8 Nov 2024 10:45:07 +0100
|
||||||
|
Subject: [PATCH] exiftag: Prevent integer overflows and out of bounds reads
|
||||||
|
when handling undefined tags
|
||||||
|
|
||||||
|
Fixes ZDI-CAN-23896
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6768>
|
||||||
|
---
|
||||||
|
gst-libs/gst/tag/gstexiftag.c | 21 +++++++++++++++++++--
|
||||||
|
1 file changed, 19 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst-libs/gst/tag/gstexiftag.c b/gst-libs/gst/tag/gstexiftag.c
|
||||||
|
index b615779be..558996b42 100644
|
||||||
|
--- a/gst-libs/gst/tag/gstexiftag.c
|
||||||
|
+++ b/gst-libs/gst/tag/gstexiftag.c
|
||||||
|
@@ -1372,6 +1372,8 @@ parse_exif_long_tag (GstExifReader * reader, const GstExifTagMatch * tag,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static inline gboolean size_checked_add(gsize *dest, gsize a, gsize b) {
|
||||||
|
+ *dest = a + b; return *dest >= a; }
|
||||||
|
|
||||||
|
static void
|
||||||
|
parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
|
||||||
|
@@ -1383,6 +1385,7 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
|
||||||
|
|
||||||
|
if (count > 4) {
|
||||||
|
GstMapInfo info;
|
||||||
|
+ gsize alloc_size;
|
||||||
|
|
||||||
|
if (offset < reader->base_offset) {
|
||||||
|
GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
|
||||||
|
@@ -1404,14 +1407,28 @@ parse_exif_undefined_tag (GstExifReader * reader, const GstExifTagMatch * tag,
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (info.size - real_offset < count) {
|
||||||
|
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
|
||||||
|
+ ", not adding tag %s", count, info.size, tag->gst_tag);
|
||||||
|
+ gst_buffer_unmap (reader->buffer, &info);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!size_checked_add (&alloc_size, count, 1)) {
|
||||||
|
+ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
|
||||||
|
+ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
|
||||||
|
+ gst_buffer_unmap (reader->buffer, &info);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* +1 because it could be a string without the \0 */
|
||||||
|
- data = malloc (sizeof (guint8) * count + 1);
|
||||||
|
+ data = malloc (alloc_size);
|
||||||
|
memcpy (data, info.data + real_offset, count);
|
||||||
|
data[count] = 0;
|
||||||
|
|
||||||
|
gst_buffer_unmap (reader->buffer, &info);
|
||||||
|
} else {
|
||||||
|
- data = malloc (sizeof (guint8) * count + 1);
|
||||||
|
+ data = malloc (count + 1);
|
||||||
|
memcpy (data, (guint8 *) offset_as_data, count);
|
||||||
|
data[count] = 0;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.47.0
|
||||||
|
|
||||||
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: gstreamer1-plugins-base
|
Name: gstreamer1-plugins-base
|
||||||
Version: 1.16.1
|
Version: 1.16.1
|
||||||
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
|
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||||
Summary: GStreamer streaming media framework base plugins
|
Summary: GStreamer streaming media framework base plugins
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -22,6 +22,7 @@ Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
|
|||||||
Patch1: 0002-video-disable-ORC_RESTRICT.patch
|
Patch1: 0002-video-disable-ORC_RESTRICT.patch
|
||||||
Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
|
Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
|
||||||
Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
|
Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
|
||||||
|
Patch4: 0001-exiftag-Prevent-integer-overflows-and-out-of-bounds-.patch
|
||||||
|
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: gstreamer1-devel >= %{version}
|
BuildRequires: gstreamer1-devel >= %{version}
|
||||||
@ -120,6 +121,7 @@ for the GStreamer Base Plugins library.
|
|||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# die rpath (method of modifying libtool fails here)
|
# die rpath (method of modifying libtool fails here)
|
||||||
@ -487,6 +489,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 08 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
||||||
|
- CVE-2024-4453 gstreamer1: EXIF Metadata Parsing Integer Overflow
|
||||||
|
- Resolves: RHEL-38509
|
||||||
|
|
||||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
|
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
|
||||||
- CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing
|
- CVE-2023-37328 gstreamer1-plugins-base: heap overwrite in subtitle parsing
|
||||||
- Resolves: RHEL-19472
|
- Resolves: RHEL-19472
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user