import CS gstreamer1-plugins-good-1.22.1-1.el9

eabdullin 2023-09-21 18:49:06 +00:00
parent e35aaf16af
commit 86da02eb4d
8 changed files with 15 additions and 475 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/gst-plugins-good-1.18.4.tar.xz
SOURCES/gst-plugins-good-1.22.1.tar.xz


@ -1 +1 @@
aaf8f2aa0bb58cad638b32d0d44a183ed7e7f8b0 SOURCES/gst-plugins-good-1.18.4.tar.xz
4c8346aa97ca82f88b988471781f6b18b4e5642c SOURCES/gst-plugins-good-1.22.1.tar.xz


@ -1,65 +0,0 @@
From bcfe7befea53869e7836be912ee7efe875877169 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 12:00:48 +0300
Subject: [PATCH 1/4] avidemux: Fix integer overflow resulting in heap
corruption in DIB buffer inversion code
Check that width*bpp/8 doesn't overflow a guint and also that
height*stride fits into the provided buffer without overflowing.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1921
See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
---
gst/avi/gstavidemux.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index 25c97da03e..1c87c668d0 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -4971,8 +4971,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
static GstBuffer *
gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
{
- gint y, w, h;
- gint bpp, stride;
+ guint y, w, h;
+ guint bpp, stride;
guint8 *tmp = NULL;
GstMapInfo map;
guint32 fourcc;
@@ -4999,12 +4999,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
h = stream->strf.vids->height;
w = stream->strf.vids->width;
bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
+
+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
+ GST_WARNING ("Width x stride overflows");
+ return buf;
+ }
+
+ if (w == 0 || h == 0) {
+ GST_WARNING ("Zero width or height");
+ return buf;
+ }
+
stride = GST_ROUND_UP_4 (w * (bpp / 8));
buf = gst_buffer_make_writable (buf);
gst_buffer_map (buf, &map, GST_MAP_READWRITE);
- if (map.size < (stride * h)) {
+ if (map.size < ((guint64) stride * (guint64) h)) {
GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
gst_buffer_unmap (buf, &map);
return buf;
--
2.38.1


@ -1,209 +0,0 @@
From 22eb3dc56d8cb71af2c2d413ae587cc401704780 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 11:24:37 +0300
Subject: [PATCH 2/4] matroskademux: Fix integer overflows in zlib/bz2/etc
decompression code
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 120MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib/bz2 decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
https://gstreamer.freedesktop.org/security/sa-2022-0002.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
---
gst/matroska/matroska-read-common.c | 76 +++++++++++++++++++++++------
1 file changed, 61 insertions(+), 15 deletions(-)
diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
index 90d6e38e17..0ee9a787a4 100644
--- a/gst/matroska/matroska-read-common.c
+++ b/gst/matroska/matroska-read-common.c
@@ -70,6 +70,10 @@ typedef struct
gboolean audio_only;
} TargetTypeContext;
+/* 120MB as maximum decompressed data size. Anything bigger is likely
+ * pathological, and like this we avoid out of memory situations in many cases
+ */
+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
static gboolean
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
GstMatroskaTrackCompressionAlgorithm algo)
{
guint8 *new_data = NULL;
- guint new_size = 0;
+ gsize new_size = 0;
guint8 *data = *data_out;
- guint size = *size_out;
+ const gsize size = *size_out;
gboolean ret = TRUE;
+ if (size > G_MAXUINT32) {
+ GST_WARNING ("too large compressed data buffer.");
+ ret = FALSE;
+ goto out;
+ }
+
if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
#ifdef HAVE_ZLIB
/* zlib encoded data */
z_stream zstream;
- guint orig_size;
int result;
- orig_size = size;
zstream.zalloc = (alloc_func) 0;
zstream.zfree = (free_func) 0;
zstream.opaque = (voidpf) 0;
@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
goto out;
}
zstream.next_in = (Bytef *) data;
- zstream.avail_in = orig_size;
- new_size = orig_size;
+ zstream.avail_in = size;
+ new_size = size;
new_data = g_malloc (new_size);
zstream.avail_out = new_size;
zstream.next_out = (Bytef *) new_data;
@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
break;
}
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = Z_MEM_ERROR;
+ break;
+ }
+
new_size += 4096;
new_data = g_realloc (new_data, new_size);
zstream.next_out = (Bytef *) (new_data + zstream.total_out);
- zstream.avail_out += 4096;
+ /* avail_out is an unsigned int */
+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
+ zstream.avail_out = new_size - zstream.total_out;
} while (zstream.avail_in > 0);
if (result != Z_STREAM_END) {
@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
#ifdef HAVE_BZ2
/* bzip2 encoded data */
bz_stream bzstream;
- guint orig_size;
int result;
bzstream.bzalloc = NULL;
bzstream.bzfree = NULL;
bzstream.opaque = NULL;
- orig_size = size;
if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
GST_WARNING ("bzip2 initialization failed.");
@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
}
bzstream.next_in = (char *) data;
- bzstream.avail_in = orig_size;
- new_size = orig_size;
+ bzstream.avail_in = size;
+ new_size = size;
new_data = g_malloc (new_size);
bzstream.avail_out = new_size;
bzstream.next_out = (char *) new_data;
@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
break;
}
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = BZ_MEM_ERROR;
+ break;
+ }
+
new_size += 4096;
new_data = g_realloc (new_data, new_size);
- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
- bzstream.avail_out += 4096;
+ bzstream.next_out =
+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32);
+ /* avail_out is an unsigned int */
+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32 <= G_MAXUINT);
+ bzstream.avail_out =
+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32;
} while (bzstream.avail_in > 0);
if (result != BZ_STREAM_END) {
ret = FALSE;
g_free (new_data);
} else {
- new_size = bzstream.total_out_lo32;
+ new_size =
+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
}
BZ2_bzDecompressEnd (&bzstream);
@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
/* lzo encoded data */
int result;
- int orig_size, out_size;
+ gint orig_size, out_size;
+
+ if (size > G_MAXINT) {
+ GST_WARNING ("too large compressed data buffer.");
+ ret = FALSE;
+ goto out;
+ }
orig_size = size;
out_size = size;
@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
result = lzo1x_decode (new_data, &out_size, data, &orig_size);
if (orig_size > 0) {
+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = LZO_ERROR;
+ break;
+ }
new_size += 4096;
new_data = g_realloc (new_data, new_size);
}
@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
/* header stripped encoded data */
if (enc->comp_settings_length > 0) {
+ if (size > G_MAXSIZE - enc->comp_settings_length
+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ ret = FALSE;
+ goto out;
+ }
+
new_data = g_malloc (size + enc->comp_settings_length);
new_size = size + enc->comp_settings_length;
--
2.38.1


@ -1,55 +0,0 @@
From 24267889a717e1e799037a0f1841d5416eb56e75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 May 2022 10:15:37 +0300
Subject: [PATCH 3/4] qtdemux: Fix integer overflows in zlib decompression code
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 200MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: tbd
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
---
gst/isomp4/qtdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 182d0bc06f..a9cbbd4cd3 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7611,10 +7611,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
break;
}
+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ ret = Z_MEM_ERROR;
+ break;
+ }
+
*length += 4096;
buffer = (guint8 *) g_realloc (buffer, *length);
z.next_out = (Bytef *) (buffer + z.total_out);
- z.avail_out += 4096;
+ z.avail_out += *length - z.total_out;
} while (z.avail_in > 0);
if (ret != Z_STREAM_END) {
--
2.38.1


@ -1,55 +0,0 @@
From c0ac3357342599cc09397c6af0e696770ae94548 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 10:23:15 +0300
Subject: [PATCH 4/4] matroskademux: Avoid integer-overflow resulting in heap
corruption in WavPack header handling code
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later which then causes out of bound writes and can
potentially lead to anything from crashes to remote code execution.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1920
https://gstreamer.freedesktop.org/security/sa-2022-0004.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
---
gst/matroska/matroska-demux.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 0e47ee7b5e..b7d009de90 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3893,7 +3893,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
} else {
guint8 *outdata = NULL;
gsize buf_size, size;
- guint32 block_samples, flags, crc, blocksize;
+ guint32 block_samples, flags, crc;
+ gsize blocksize;
GstAdapter *adapter;
adapter = gst_adapter_new ();
@@ -3934,6 +3935,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
return GST_FLOW_ERROR;
}
+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
+
g_assert (newbuf == NULL);
newbuf =
--
2.38.1


@ -1,74 +0,0 @@
diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
index a05d26e..bfa79cd 100644
--- a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
+++ b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
@@ -35,7 +35,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT);
GstQSGTexture::GstQSGTexture ()
{
- static volatile gsize _debug;
+ static gsize _debug;
initializeOpenGLFunctions();
diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
index acb89b6..657bfda 100644
--- a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
+++ b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
@@ -66,7 +66,7 @@ gst_qt_get_gl_display ()
{
GstGLDisplay *display = NULL;
QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ());
- static volatile gsize _debug;
+ static gsize _debug;
g_assert (app != NULL);
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
index 2ad5601..576171c 100644
--- a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
+++ b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
@@ -22,7 +22,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT);
static void
init_debug (void)
{
- static volatile gsize _debug;
+ static gsize _debug;
if (g_once_init_enter (&_debug)) {
GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglrenderer", 0,
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
index 49dafc8..caa1ab5 100644
--- a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
+++ b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
@@ -102,7 +102,7 @@ void InitializeSceneGraph::run()
QtGLVideoItem::QtGLVideoItem()
{
- static volatile gsize _debug;
+ static gsize _debug;
if (g_once_init_enter (&_debug)) {
GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglwidget", 0, "Qt GL Widget");
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
index 9360c33..55a13ab 100644
--- a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
+++ b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
@@ -103,7 +103,7 @@ QtGLWindow::QtGLWindow ( QWindow * parent, QQuickWindow *src ) :
QQuickWindow( parent ), source (src)
{
QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ());
- static volatile gsize _debug;
+ static gsize _debug;
g_assert (app != NULL);
@@ -152,7 +152,7 @@ QtGLWindow::beforeRendering()
g_mutex_lock (&this->priv->lock);
- static volatile gsize once = 0;
+ static gsize once = 0;
if (g_once_init_enter(&once)) {
this->priv->start = QDateTime::currentDateTime().toMSecsSinceEpoch();
g_once_init_leave(&once,1);


@ -16,8 +16,8 @@
#global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
Name: gstreamer1-plugins-good
Version: 1.18.4
Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist}
Version: 1.22.1
Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
@ -30,12 +30,6 @@ Source0: gst-plugins-good-%{version}.tar.xz
%else
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
%endif
Patch0: %{name}-gcc11.patch
Patch1: 0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch
Patch2: 0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch
Patch3: 0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch
Patch4: 0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch
# Register as an AppStream component to be visible in the software center
# NOTE: It would be *awesome* if this file was maintained by the upstream
@ -169,11 +163,6 @@ to be installed.
%prep
%setup -q -n gst-plugins-good-%{version}
%patch0 -p2
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
%meson \
@ -181,7 +170,7 @@ to be installed.
-D package-origin='http://download.fedoraproject.org' \
-D doc=disabled \
-D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \
-D gtk_doc=disabled \
-D doc=disabled \
-D orc=enabled \
-D monoscope=disabled \
-D aalib=disabled \
@ -194,6 +183,10 @@ to be installed.
-D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \
-D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \
%endif
%if 0%{?_module_build} && "%{_module_name}" == "flatpak-runtime"
-D v4l2-gudev=disabled \
%endif
-D qt6=disabled
%meson_build
@ -208,7 +201,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%files -f gst-plugins-good-%{majorminor}.lang
%license COPYING
%doc AUTHORS README REQUIREMENTS
%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS
%{_metainfodir}/gstreamer-good.appdata.xml
%if 0
%doc %{_datadir}/gtk-doc/html/gst-plugins-good-plugins-%{majorminor}
@ -222,6 +215,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_datadir}/gstreamer-%{majorminor}/presets/GstQTMux.prs
# non-core plugins without external dependencies
%{_libdir}/gstreamer-%{majorminor}/libgstadaptivedemux2.so
%{_libdir}/gstreamer-%{majorminor}/libgstalaw.so
%{_libdir}/gstreamer-%{majorminor}/libgstalphacolor.so
%{_libdir}/gstreamer-%{majorminor}/libgstalpha.so
@ -267,6 +261,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_libdir}/gstreamer-%{majorminor}/libgstwavenc.so
%{_libdir}/gstreamer-%{majorminor}/libgstwavparse.so
%{_libdir}/gstreamer-%{majorminor}/libgstximagesrc.so
%{_libdir}/gstreamer-%{majorminor}/libgstxingmux.so
%{_libdir}/gstreamer-%{majorminor}/libgsty4menc.so
# gstreamer-plugins with external dependencies but in the main package
@ -309,6 +304,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
- Update to 1.22.1
* Fri Nov 11 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-6
- Fixes for CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923,
CVE-2022-1924, CVE-2022-1925, CVE-2022-2122
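Review bot: The `Patch1`–`Patch4` lines and their `%patch1`–`%patch4` applications are dropped in the `@ -30,12 +30,6 @` and `%prep` hunks, but nothing in the new spec records that the fixes they carried (CVE-2022-1920 through CVE-2022-1925, plus CVE-2022-2122 from the 1.18.4-6 changelog entry) are still present after the rebase. The upstream merge requests cited in the deleted patch files date from May 2022, so the 1.22.1 tarball presumably contains them, but that is not visible on this page and is worth confirming against the unpacked source, for example that `MAX_DECOMPRESS_SIZE` exists in `gst/matroska/matroska-read-common.c`. Once confirmed, I would add a second line to the new changelog entry, such as `- Drop downstream patches for CVE-2022-1920..1925 and CVE-2022-2122, fixed upstream`, so that anyone auditing the package by changelog keeps a trail for those CVEs. Separately, the meson hunk appears to leave `-D doc=disabled` on two lines of the new side; if that reading is right, one of them can go.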