import OL gstreamer1-plugins-good-1.22.1-3.el9_5

This commit is contained in:
eabdullin 2024-12-19 09:44:27 +00:00
parent ef3c3d8887
commit 748dca30bb
8 changed files with 290 additions and 4 deletions

View File

@ -1,8 +1,8 @@
From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001 From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300 Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for Subject: [PATCH 1/7] flacparse: Avoid integer overflow in available data check
image tags for image tags
If the image length as stored in the file is some bogus integer then If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly adding it to the current byte readers position can overflow and wrongly
@ -51,5 +51,5 @@ index a53b7ebc77..8ee450c65a 100644
gst_buffer_unmap (buffer, &map); gst_buffer_unmap (buffer, &map);
-- --
2.43.0 2.47.0

View File

@ -0,0 +1,41 @@
From b990afeaf306972756e154d4542b2ab1170e506c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 22:16:06 +0300
Subject: [PATCH 2/7] qtdemux: Avoid integer overflow when parsing Theora
extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
---
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index 5723fce466..75a5a53713 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -8206,7 +8206,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -8214,7 +8214,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
2.47.0

View File

@ -0,0 +1,49 @@
From 85a46b70bbc5b353136052e3aba00adf761335b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 2 Oct 2024 14:44:21 +0300
Subject: [PATCH 3/7] gdkpixbufdec: Check if initializing the video info
actually succeeded
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
mapped.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-118
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8103>
---
.../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c
index 5482998c0d..de5f054964 100644
--- a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c
+++ b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c
@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
gst_video_info_init (&info);
- gst_video_info_set_format (&info, fmt, width, height);
+ if (!gst_video_info_set_format (&info, fmt, width, height))
+ goto format_not_supported;
info.fps_n = filter->in_fps_n;
info.fps_d = filter->in_fps_d;
caps = gst_video_info_to_caps (&info);
@@ -384,6 +385,12 @@ channels_not_supported:
("%d channels not supported", n_channels));
return GST_FLOW_ERROR;
}
+format_not_supported:
+ {
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
+ ("%d channels with %dx%d not supported", n_channels, width, height));
+ return GST_FLOW_ERROR;
+ }
no_buffer:
{
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
--
2.47.0

View File

@ -0,0 +1,52 @@
From 6a61ee1073c22ec70e88748a5adfe63dad04687f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 16:32:48 +0300
Subject: [PATCH 4/7] matroskademux: Only unmap GstMapInfo in WavPack header
extraction error paths if previously mapped
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-197
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
index 1e771b04d0..fbc773a80a 100644
--- a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+++ b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
GstMatroskaTrackAudioContext *audiocontext =
(GstMatroskaTrackAudioContext *) stream;
GstBuffer *newbuf = NULL;
- GstMapInfo map, outmap;
guint8 *buf_data, *data;
Wavpack4Header wvh;
@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (audiocontext->channels <= 2) {
guint32 block_samples, tmp;
+ GstMapInfo outmap;
gsize size = gst_buffer_get_size (*buf);
if (size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
- gst_buffer_unmap (*buf, &map);
return GST_FLOW_ERROR;
}
@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
*buf = newbuf;
audiocontext->wvpk_block_index += block_samples;
} else {
+ GstMapInfo map, outmap;
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc;
--
2.47.0

View File

@ -0,0 +1,27 @@
From 88c503100c2861c59a84c6b60fec90245db506a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 16:33:39 +0300
Subject: [PATCH 5/7] matroskademux: Fix off-by-one when parsing multi-channel
WavPack
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
index fbc773a80a..4fd0a3ae58 100644
--- a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+++ b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- while (size > 12) {
+ while (size >= 12) {
flags = GST_READ_UINT32_LE (data);
data += 4;
size -= 4;
--
2.47.0

View File

@ -0,0 +1,59 @@
From 64862bdf7e9811413e23a05206bdcc0856deead6 Mon Sep 17 00:00:00 2001
From: Antonio Morales <antonio-morales@github.com>
Date: Thu, 26 Sep 2024 18:39:37 +0300
Subject: [PATCH 6/7] qtdemux: Fix integer overflow when allocating the samples
table for fragmented MP4
This can lead to out of bounds writes and NULL pointer dereferences.
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index 75a5a53713..adace0b534 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -3334,6 +3334,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint i;
guint8 *data;
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+ guint new_n_samples;
QtDemuxSample *sample;
gboolean ismv = FALSE;
gint64 initial_offset;
@@ -3434,14 +3435,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
goto fail;
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
- if (stream->n_samples + samples_count >=
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
goto index_too_big;
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
- (stream->n_samples + samples_count) *
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+ new_n_samples, (guint) sizeof (QtDemuxSample),
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
/* create a new array of samples if it's the first sample parsed */
if (stream->n_samples == 0) {
@@ -3450,7 +3450,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* or try to reallocate it with space enough to insert the new samples */
} else
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
- stream->n_samples + samples_count);
+ new_n_samples);
if (stream->samples == NULL)
goto out_of_memory;
--
2.47.0

View File

@ -0,0 +1,40 @@
From dd171f132d5ffde7fdff6f0e3a8ba83a47422b10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 09:20:28 +0300
Subject: [PATCH 7/7] qtdemux: Make sure only an even number of bytes is
processed when handling CEA608 data
An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.
Strip off any leftover bytes and assume everything before that is valid.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
index adace0b534..a72dfa9294 100644
--- a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
+++ b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c
@@ -5770,6 +5770,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
guint8 *storage;
gsize i;
+ /* Strip off any leftover odd bytes and assume everything before is valid */
+ if (ccpair_size % 2 != 0) {
+ ccpair_size -= 1;
+ }
+
/* We are converting from pairs to triplets */
*res = ccpair_size / 2 * 3;
storage = g_malloc (*res);
--
2.47.0

View File

@ -17,7 +17,7 @@
Name: gstreamer1-plugins-good Name: gstreamer1-plugins-good
Version: 1.22.1 Version: 1.22.1
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing Summary: GStreamer plugins with good code and licensing
License: LGPLv2+ License: LGPLv2+
@ -38,6 +38,12 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
Source1: gstreamer-good.appdata.xml Source1: gstreamer-good.appdata.xml
Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Patch1: 0002-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
Patch2: 0003-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
Patch3: 0004-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
Patch4: 0005-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
Patch5: 0006-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
Patch6: 0007-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
BuildRequires: meson >= 0.48.0 BuildRequires: meson >= 0.48.0
BuildRequires: gcc BuildRequires: gcc
@ -166,6 +172,12 @@ to be installed.
%prep %prep
%setup -q -n gst-plugins-good-%{version} %setup -q -n gst-plugins-good-%{version}
%patch0 -p3 %patch0 -p3
%patch1 -p3
%patch2 -p3
%patch3 -p3
%patch4 -p3
%patch5 -p3
%patch6 -p3
%build %build
%meson \ %meson \
@ -307,6 +319,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog %changelog
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-3
- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
CVE-2024-47613
Resolves: RHEL-70954, RHEL-70967, RHEL-70941, RHEL-71027,
Resolves: RHEL-71003
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2 * Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC - CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
image tag handling image tag handling