CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
CVE-2024-47613 Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022 Resolves: RHEL-70998
parent
a662184fb2
commit
938fd253a8
@ -1,56 +0,0 @@
|
|||||||
From a98341397d3522fdc7470c4220775035a2d1d790 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Youness Alaoui <kakaroto@kakaroto.homelinux.net>
|
|
||||||
Date: Thu, 7 Aug 2014 21:58:14 -0400
|
|
||||||
Subject: [PATCH] jitterbuffer: Allow rtp caps without clock-rate
|
|
||||||
|
|
||||||
The jitterbuffer shouldn't force clock-rate on its sink pad, this will cause a negotiation issue since rtpssrcdemux doesn't have the clock-rate and doesn't add it to the caps. The documentation states that the clock-rate can either be specified through the caps or through the request-pt-map signal, so we must remove clock-rate from the pad templates and we must accept the GST_EVENT_CAPS if the caps don't have the clock-rate.
|
|
||||||
|
|
||||||
https://bugzilla.gnome.org/show_bug.cgi?id=734322
|
|
||||||
---
|
|
||||||
gst/rtpmanager/gstrtpjitterbuffer.c | 16 ++++------------
|
|
||||||
1 file changed, 4 insertions(+), 12 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/gst/rtpmanager/gstrtpjitterbuffer.c b/gst/rtpmanager/gstrtpjitterbuffer.c
|
|
||||||
index c8c512e..0eccd1a 100644
|
|
||||||
--- a/gst/rtpmanager/gstrtpjitterbuffer.c
|
|
||||||
+++ b/gst/rtpmanager/gstrtpjitterbuffer.c
|
|
||||||
@@ -342,9 +342,9 @@ static GstStaticPadTemplate gst_rtp_jitter_buffer_sink_template =
|
|
||||||
GST_STATIC_PAD_TEMPLATE ("sink",
|
|
||||||
GST_PAD_SINK,
|
|
||||||
GST_PAD_ALWAYS,
|
|
||||||
- GST_STATIC_CAPS ("application/x-rtp, "
|
|
||||||
- "clock-rate = (int) [ 1, 2147483647 ]"
|
|
||||||
- /* "payload = (int) , "
|
|
||||||
+ GST_STATIC_CAPS ("application/x-rtp"
|
|
||||||
+ /* "clock-rate = (int) [ 1, 2147483647 ], "
|
|
||||||
+ * "payload = (int) , "
|
|
||||||
* "encoding-name = (string) "
|
|
||||||
*/ )
|
|
||||||
);
|
|
||||||
@@ -1364,9 +1364,7 @@ queue_event (GstRtpJitterBuffer * jitterbuffer, GstEvent * event)
|
|
||||||
GstCaps *caps;
|
|
||||||
|
|
||||||
gst_event_parse_caps (event, &caps);
|
|
||||||
- if (!gst_jitter_buffer_sink_parse_caps (jitterbuffer, caps))
|
|
||||||
- goto wrong_caps;
|
|
||||||
-
|
|
||||||
+ gst_jitter_buffer_sink_parse_caps (jitterbuffer, caps);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
case GST_EVENT_SEGMENT:
|
|
||||||
@@ -1397,12 +1395,6 @@ queue_event (GstRtpJitterBuffer * jitterbuffer, GstEvent * event)
|
|
||||||
return TRUE;
|
|
||||||
|
|
||||||
/* ERRORS */
|
|
||||||
-wrong_caps:
|
|
||||||
- {
|
|
||||||
- GST_DEBUG_OBJECT (jitterbuffer, "received invalid caps");
|
|
||||||
- gst_event_unref (event);
|
|
||||||
- return FALSE;
|
|
||||||
- }
|
|
||||||
newseg_wrong_format:
|
|
||||||
{
|
|
||||||
GST_DEBUG_OBJECT (jitterbuffer, "received non TIME newsegment");
|
|
||||||
--
|
|
||||||
2.1.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee Mon Sep 17 00:00:00 2001
|
From fff62c8b65cd18e2673944a2a9c95520e7b5ddf3 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||||
Date: Thu, 4 Mar 2021 13:05:19 +0200
|
Date: Thu, 4 Mar 2021 13:05:19 +0200
|
||||||
Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
|
Subject: [PATCH 1/9] matroskademux: Fix extraction of multichannel WavPack
|
||||||
|
|
||||||
The old code had a couple of issues that all lead to potential memory
|
The old code had a couple of issues that all lead to potential memory
|
||||||
safety bugs.
|
safety bugs.
|
||||||
@ -32,10 +32,10 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
|
|||||||
2 files changed, 55 insertions(+), 46 deletions(-)
|
2 files changed, 55 insertions(+), 46 deletions(-)
|
||||||
|
|
||||||
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
||||||
index 4eb3d2a9f..f890ae611 100644
|
index b2cd9b5d4..5e724c8e0 100644
|
||||||
--- a/gst/matroska/matroska-demux.c
|
--- a/gst/matroska/matroska-demux.c
|
||||||
+++ b/gst/matroska/matroska-demux.c
|
+++ b/gst/matroska/matroska-demux.c
|
||||||
@@ -3706,6 +3706,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
@@ -3704,6 +3704,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
guint32 block_samples, tmp;
|
guint32 block_samples, tmp;
|
||||||
gsize size = gst_buffer_get_size (*buf);
|
gsize size = gst_buffer_get_size (*buf);
|
||||||
|
|
||||||
@ -48,7 +48,7 @@ index 4eb3d2a9f..f890ae611 100644
|
|||||||
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
|
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
|
||||||
block_samples = GUINT32_FROM_LE (tmp);
|
block_samples = GUINT32_FROM_LE (tmp);
|
||||||
/* we need to reconstruct the header of the wavpack block */
|
/* we need to reconstruct the header of the wavpack block */
|
||||||
@@ -3713,10 +3719,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
@@ -3711,10 +3717,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
/* -20 because ck_size is the size of the wavpack block -8
|
/* -20 because ck_size is the size of the wavpack block -8
|
||||||
* and lace_size is the size of the wavpack block + 12
|
* and lace_size is the size of the wavpack block + 12
|
||||||
* (the three guint32 of the header that already are in the buffer) */
|
* (the three guint32 of the header that already are in the buffer) */
|
||||||
@ -61,7 +61,7 @@ index 4eb3d2a9f..f890ae611 100644
|
|||||||
|
|
||||||
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
|
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
|
||||||
data = outmap.data;
|
data = outmap.data;
|
||||||
@@ -3741,9 +3747,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
@@ -3739,9 +3745,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
audiocontext->wvpk_block_index += block_samples;
|
audiocontext->wvpk_block_index += block_samples;
|
||||||
} else {
|
} else {
|
||||||
guint8 *outdata = NULL;
|
guint8 *outdata = NULL;
|
||||||
@ -75,7 +75,7 @@ index 4eb3d2a9f..f890ae611 100644
|
|||||||
|
|
||||||
gst_buffer_map (*buf, &map, GST_MAP_READ);
|
gst_buffer_map (*buf, &map, GST_MAP_READ);
|
||||||
buf_data = map.data;
|
buf_data = map.data;
|
||||||
@@ -3752,6 +3760,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
@@ -3750,6 +3758,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
if (buf_size < 4) {
|
if (buf_size < 4) {
|
||||||
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
|
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
|
||||||
gst_buffer_unmap (*buf, &map);
|
gst_buffer_unmap (*buf, &map);
|
||||||
@ -83,7 +83,7 @@ index 4eb3d2a9f..f890ae611 100644
|
|||||||
return GST_FLOW_ERROR;
|
return GST_FLOW_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -3773,59 +3782,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
@@ -3771,59 +3780,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
data += 4;
|
data += 4;
|
||||||
size -= 4;
|
size -= 4;
|
||||||
|
|
||||||
@ -197,5 +197,5 @@ index 9b263d8a1..a0d68343f 100644
|
|||||||
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
|
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
|
||||||
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
|
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
|
||||||
--
|
--
|
||||||
GitLab
|
2.47.0
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
From d62cecf193d6bf3b16fe91d725f4514161f602c3 Mon Sep 17 00:00:00 2001
|
From a88489c4bc2a807912a12398c04c0fc8579037df Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||||
Date: Wed, 3 Mar 2021 11:31:52 +0200
|
Date: Wed, 3 Mar 2021 11:31:52 +0200
|
||||||
Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
|
Subject: [PATCH 2/9] matroskademux: Initialize track context out parameter to
|
||||||
before parsing
|
NULL before parsing
|
||||||
|
|
||||||
Various error return paths don't set it to NULL and callers are only
|
Various error return paths don't set it to NULL and callers are only
|
||||||
checking if the pointer is NULL. As it's allocated on the stack this
|
checking if the pointer is NULL. As it's allocated on the stack this
|
||||||
@ -21,7 +21,7 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
|
|||||||
1 file changed, 2 insertions(+)
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
||||||
index b2cd9b5d4..4eb3d2a9f 100644
|
index 5e724c8e0..f890ae611 100644
|
||||||
--- a/gst/matroska/matroska-demux.c
|
--- a/gst/matroska/matroska-demux.c
|
||||||
+++ b/gst/matroska/matroska-demux.c
|
+++ b/gst/matroska/matroska-demux.c
|
||||||
@@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
|
@@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
|
||||||
@ -34,5 +34,5 @@ index b2cd9b5d4..4eb3d2a9f 100644
|
|||||||
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
|
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
|
||||||
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
|
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
|
||||||
--
|
--
|
||||||
GitLab
|
2.47.0
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
|
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||||
Date: Tue, 13 Jun 2023 13:20:16 +0300
|
Date: Tue, 13 Jun 2023 13:20:16 +0300
|
||||||
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
|
Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check
|
||||||
image tags
|
for image tags
|
||||||
|
|
||||||
If the image length as stored in the file is some bogus integer then
|
If the image length as stored in the file is some bogus integer then
|
||||||
adding it to the current byte readers position can overflow and wrongly
|
adding it to the current byte readers position can overflow and wrongly
|
||||||
@ -51,5 +51,5 @@ index 2758d4cfc..cd5a48bee 100644
|
|||||||
|
|
||||||
gst_buffer_unmap (buffer, &map);
|
gst_buffer_unmap (buffer, &map);
|
||||||
--
|
--
|
||||||
2.43.0
|
2.47.0
|
||||||
|
|
@ -0,0 +1,41 @@
|
|||||||
|
From f0007ee8579f97999d69bbc6d7f9ac166a06fddb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:45:27 +0100
|
||||||
|
Subject: [PATCH 4/9] qtdemux: Avoid integer overflow when parsing Theora
|
||||||
|
extension
|
||||||
|
|
||||||
|
Thanks to Antonio Morales for finding and reporting the issue.
|
||||||
|
|
||||||
|
Fixes GHSL-2024-166
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
|
||||||
|
---
|
||||||
|
gst/isomp4/qtdemux.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
|
||||||
|
index ad07c1e36..229edb3e5 100644
|
||||||
|
--- a/gst/isomp4/qtdemux.c
|
||||||
|
+++ b/gst/isomp4/qtdemux.c
|
||||||
|
@@ -7816,7 +7816,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
||||||
|
end -= 8;
|
||||||
|
|
||||||
|
while (buf < end) {
|
||||||
|
- gint size;
|
||||||
|
+ guint32 size;
|
||||||
|
guint32 type;
|
||||||
|
|
||||||
|
size = QT_UINT32 (buf);
|
||||||
|
@@ -7824,7 +7824,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
|
||||||
|
|
||||||
|
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
|
||||||
|
|
||||||
|
- if (buf + size > end || size <= 0)
|
||||||
|
+ if (end - buf < size || size < 8)
|
||||||
|
break;
|
||||||
|
|
||||||
|
buf += 8;
|
||||||
|
--
|
||||||
|
2.47.0
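Review bot: The new bound `end - buf < size` in qtdemux_parse_theora_extension compares a signed pointer difference with a `guint32`, so on a 32-bit build the left side is converted to unsigned. The test is then correct only because the enclosing `while (buf < end)` keeps the difference positive. Making that explicit keeps the check safe if the loop condition is ever changed: `if ((gsize) (end - buf) < size || size < 8)`. A short comment such as `/* 8 = header bytes skipped by buf += 8 below */` would also explain the lower bound; that is presumably the size and type fields, but the rest of the loop body is outside the hunk.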
|
||||||
|
|
@ -0,0 +1,49 @@
|
|||||||
|
From 8d4c79e61a62245dc6a499b0a439317bb37d0508 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:47:09 +0100
|
||||||
|
Subject: [PATCH 5/9] gdkpixbufdec: Check if initializing the video info
|
||||||
|
actually succeeded
|
||||||
|
|
||||||
|
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
|
||||||
|
mapped.
|
||||||
|
|
||||||
|
Thanks to Antonio Morales for finding and reporting the issue.
|
||||||
|
|
||||||
|
Fixes GHSL-2024-118
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8103>
|
||||||
|
---
|
||||||
|
ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
|
||||||
|
index c119236a8..c0ecb3a08 100644
|
||||||
|
--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
|
||||||
|
+++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
|
||||||
|
@@ -318,7 +318,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
|
||||||
|
|
||||||
|
|
||||||
|
gst_video_info_init (&info);
|
||||||
|
- gst_video_info_set_format (&info, fmt, width, height);
|
||||||
|
+ if (!gst_video_info_set_format (&info, fmt, width, height))
|
||||||
|
+ goto format_not_supported;
|
||||||
|
info.fps_n = filter->in_fps_n;
|
||||||
|
info.fps_d = filter->in_fps_d;
|
||||||
|
caps = gst_video_info_to_caps (&info);
|
||||||
|
@@ -379,6 +380,12 @@ channels_not_supported:
|
||||||
|
("%d channels not supported", n_channels));
|
||||||
|
return GST_FLOW_ERROR;
|
||||||
|
}
|
||||||
|
+format_not_supported:
|
||||||
|
+ {
|
||||||
|
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
|
||||||
|
+ ("%d channels with %dx%d not supported", n_channels, width, height));
|
||||||
|
+ return GST_FLOW_ERROR;
|
||||||
|
+ }
|
||||||
|
no_buffer:
|
||||||
|
{
|
||||||
|
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
|
||||||
|
--
|
||||||
|
2.47.0
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
From c7f995f1030efb3281faa72a1a8827969f3591bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:48:03 +0100
|
||||||
|
Subject: [PATCH 6/9] matroskademux: Only unmap GstMapInfo in WavPack header
|
||||||
|
extraction error paths if previously mapped
|
||||||
|
|
||||||
|
Thanks to Antonio Morales for finding and reporting the issue.
|
||||||
|
|
||||||
|
Fixes GHSL-2024-197
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
|
||||||
|
---
|
||||||
|
gst/matroska/matroska-demux.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
||||||
|
index f890ae611..2db68bc1f 100644
|
||||||
|
--- a/gst/matroska/matroska-demux.c
|
||||||
|
+++ b/gst/matroska/matroska-demux.c
|
||||||
|
@@ -3687,7 +3687,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
|
GstMatroskaTrackAudioContext *audiocontext =
|
||||||
|
(GstMatroskaTrackAudioContext *) stream;
|
||||||
|
GstBuffer *newbuf = NULL;
|
||||||
|
- GstMapInfo map, outmap;
|
||||||
|
guint8 *buf_data, *data;
|
||||||
|
Wavpack4Header wvh;
|
||||||
|
|
||||||
|
@@ -3704,11 +3703,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
|
|
||||||
|
if (audiocontext->channels <= 2) {
|
||||||
|
guint32 block_samples, tmp;
|
||||||
|
+ GstMapInfo outmap;
|
||||||
|
gsize size = gst_buffer_get_size (*buf);
|
||||||
|
|
||||||
|
if (size < 4) {
|
||||||
|
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
|
||||||
|
- gst_buffer_unmap (*buf, &map);
|
||||||
|
return GST_FLOW_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3746,6 +3745,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
|
*buf = newbuf;
|
||||||
|
audiocontext->wvpk_block_index += block_samples;
|
||||||
|
} else {
|
||||||
|
+ GstMapInfo map, outmap;
|
||||||
|
guint8 *outdata = NULL;
|
||||||
|
gsize buf_size, size;
|
||||||
|
guint32 block_samples, flags, crc, blocksize;
|
||||||
|
--
|
||||||
|
2.47.0
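Review bot: Both `GstMapInfo` variables are still declared uninitialised after being moved into their branches (`GstMapInfo outmap;` and `GstMapInfo map, outmap;`). Any remaining or future error path that calls `gst_buffer_unmap()` before the matching `gst_buffer_map()` would again operate on indeterminate stack data, which is the defect this patch removes for the `size < 4` path. Initialising at declaration, `GstMapInfo map = GST_MAP_INFO_INIT, outmap = GST_MAP_INFO_INIT;`, should turn such a stray unmap into a no-op, since gst_buffer_unmap() is expected to skip an info whose memory pointer is NULL (worth confirming against the GStreamer version being patched). The rest of gst_matroska_demux_add_wvpk_header lies outside these hunks, so its other unmap calls were not checked here.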
|
||||||
|
|
@ -0,0 +1,27 @@
|
|||||||
|
From 5d1ac58fa39a4e8e1cb0545c44aae69f71099f27 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:49:04 +0100
|
||||||
|
Subject: [PATCH 7/9] matroskademux: Fix off-by-one when parsing multi-channel
|
||||||
|
WavPack
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
|
||||||
|
---
|
||||||
|
gst/matroska/matroska-demux.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
||||||
|
index 2db68bc1f..0466c9a6b 100644
|
||||||
|
--- a/gst/matroska/matroska-demux.c
|
||||||
|
+++ b/gst/matroska/matroska-demux.c
|
||||||
|
@@ -3771,7 +3771,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
||||||
|
data += 4;
|
||||||
|
size -= 4;
|
||||||
|
|
||||||
|
- while (size > 12) {
|
||||||
|
+ while (size >= 12) {
|
||||||
|
flags = GST_READ_UINT32_LE (data);
|
||||||
|
data += 4;
|
||||||
|
size -= 4;
|
||||||
|
--
|
||||||
|
2.47.0
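Review bot: The literal `12` in `while (size >= 12)` carries the whole bounds argument for this loop but is not explained where it is used, and the commit message gives no reasoning for the off-by-one either. Only the `flags` read is visible in the hunk; presumably two more 32-bit fields follow before the payload, which would make 12 the minimum per-block header. A comment on the loop such as `/* each block starts with three guint32 fields: need at least 12 bytes */` (adjusted to the actual field names) would let the next reader check the bound without recounting the reads. The loop body continues outside the hunk.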
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
From f3358d7e6fb9540e45f1cde0378e94482846f216 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:49:37 +0100
|
||||||
|
Subject: [PATCH 8/9] qtdemux: Fix integer overflow when allocating the samples
|
||||||
|
table for fragmented MP4
|
||||||
|
|
||||||
|
This can lead to out of bounds writes and NULL pointer dereferences.
|
||||||
|
|
||||||
|
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
|
||||||
|
---
|
||||||
|
gst/isomp4/qtdemux.c | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
|
||||||
|
index 229edb3e5..a37c92933 100644
|
||||||
|
--- a/gst/isomp4/qtdemux.c
|
||||||
|
+++ b/gst/isomp4/qtdemux.c
|
||||||
|
@@ -3327,6 +3327,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
|
||||||
|
gint i;
|
||||||
|
guint8 *data;
|
||||||
|
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
|
||||||
|
+ guint new_n_samples;
|
||||||
|
QtDemuxSample *sample;
|
||||||
|
gboolean ismv = FALSE;
|
||||||
|
gint64 initial_offset;
|
||||||
|
@@ -3426,14 +3427,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
|
||||||
|
goto fail;
|
||||||
|
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
|
||||||
|
|
||||||
|
- if (stream->n_samples + samples_count >=
|
||||||
|
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
|
||||||
|
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
|
||||||
|
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
|
||||||
|
goto index_too_big;
|
||||||
|
|
||||||
|
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
|
||||||
|
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
|
||||||
|
- (stream->n_samples + samples_count) *
|
||||||
|
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
|
||||||
|
+ new_n_samples, (guint) sizeof (QtDemuxSample),
|
||||||
|
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
|
||||||
|
|
||||||
|
/* create a new array of samples if it's the first sample parsed */
|
||||||
|
if (stream->n_samples == 0) {
|
||||||
|
@@ -3442,7 +3442,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
|
||||||
|
/* or try to reallocate it with space enough to insert the new samples */
|
||||||
|
} else
|
||||||
|
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
|
||||||
|
- stream->n_samples + samples_count);
|
||||||
|
+ new_n_samples);
|
||||||
|
if (stream->samples == NULL)
|
||||||
|
goto out_of_memory;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.47.0
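Review bot: The reallocation branch still assigns the result of `g_try_renew` straight to `stream->samples`, so when it fails the previous array is leaked. `stream->samples` also becomes NULL while `stream->n_samples` presumably still holds the old count; whether `out_of_memory` resets that count is not visible in the hunk. Keeping the old pointer until the call succeeds avoids both, inside a braced `else`: `QtDemuxSample *tmp = g_try_renew (QtDemuxSample, stream->samples, new_n_samples);`, `if (tmp == NULL) goto out_of_memory;`, `stream->samples = tmp;`. It would also be worth using `new_n_samples` wherever qtdemux_parse_trun later adds `samples_count` to `stream->n_samples`, so the checked sum is the only one in use; that code is outside the hunk.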
|
||||||
|
|
@ -0,0 +1,40 @@
|
|||||||
|
From 6b751c71eb130f2c69eeacf5f47e0d6de639dc78 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wim Taymans <wtaymans@redhat.com>
|
||||||
|
Date: Mon, 16 Dec 2024 11:52:04 +0100
|
||||||
|
Subject: [PATCH 9/9] qtdemux: Make sure only an even number of bytes is
|
||||||
|
processed when handling CEA608 data
|
||||||
|
|
||||||
|
An odd number of bytes would lead to out of bound reads and writes, and doesn't
|
||||||
|
make any sense as CEA608 comes in byte pairs.
|
||||||
|
|
||||||
|
Strip off any leftover bytes and assume everything before that is valid.
|
||||||
|
|
||||||
|
Thanks to Antonio Morales for finding and reporting the issue.
|
||||||
|
|
||||||
|
Fixes GHSL-2024-195
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
|
||||||
|
---
|
||||||
|
gst/isomp4/qtdemux.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
|
||||||
|
index a37c92933..8336ff302 100644
|
||||||
|
--- a/gst/isomp4/qtdemux.c
|
||||||
|
+++ b/gst/isomp4/qtdemux.c
|
||||||
|
@@ -5612,6 +5612,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
|
||||||
|
guint8 *storage;
|
||||||
|
gsize i;
|
||||||
|
|
||||||
|
+ /* Strip off any leftover odd bytes and assume everything before is valid */
|
||||||
|
+ if (ccpair_size % 2 != 0) {
|
||||||
|
+ ccpair_size -= 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* We are converting from pairs to triplets */
|
||||||
|
*res = ccpair_size / 2 * 3;
|
||||||
|
storage = g_malloc (*res);
|
||||||
|
--
|
||||||
|
2.47.0
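Review bot: After the odd byte is stripped, an input with `ccpair_size == 1` (like `0`) makes `*res` zero, and `g_malloc (0)` returns NULL, so `storage` is NULL on that path. The hunk does not show whether the conversion loop and the callers of convert_to_s334_1a cope with a NULL buffer and zero length. An explicit early exit right after the new block would document the case, e.g. `if (ccpair_size == 0) { *res = 0; return NULL; }`, assuming the function returns `storage` and callers treat NULL as "no caption data" (to be confirmed). A log line when a byte is dropped would also help when triaging malformed files.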
|
||||||
|
|
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
Name: gstreamer1-plugins-good
|
Name: gstreamer1-plugins-good
|
||||||
Version: 1.16.1
|
Version: 1.16.1
|
||||||
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
|
Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||||
Summary: GStreamer plugins with good code and licensing
|
Summary: GStreamer plugins with good code and licensing
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -29,9 +29,15 @@ Source0: gst-plugins-good-%{version}.tar.xz
|
|||||||
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
|
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
|
Patch0: 0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch
|
||||||
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
|
Patch1: 0002-matroskademux-Initialize-track-context-out-parameter.patch
|
||||||
Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
|
Patch2: 0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch
|
||||||
|
Patch3: 0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
|
||||||
|
Patch4: 0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
|
||||||
|
Patch5: 0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
|
||||||
|
Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
|
||||||
|
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
|
||||||
|
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -168,6 +174,12 @@ to be installed.
|
|||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||||
@ -352,6 +364,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
|
||||||
|
- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
|
||||||
|
CVE-2024-47613
|
||||||
|
Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022
|
||||||
|
Resolves: RHEL-70998
|
||||||
|
|
||||||
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
|
||||||
- CVE-2023-37327: integer overflow leading to heap overwrite in
|
- CVE-2023-37327: integer overflow leading to heap overwrite in
|
||||||
FLAC image tag handling
|
FLAC image tag handling
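Review bot: The new changelog entry lists five CVE ids with no description, and the six added `PatchN:` lines (Patch3 to Patch8) carry no reference to the CVE or advisory each one fixes, so the package does not record which patch closes which issue. The previous entry (`CVE-2023-37327: integer overflow leading to heap overwrite in FLAC image tag handling`) gives a one-line summary; doing the same per CVE here, or adding a comment above each `PatchN:` line naming the upstream issue it backports, would let an auditor verify coverage without opening every patch. Note also that Patch0 and Patch1 now apply in the opposite order from before (the WavPack fix first, then the track-context initialisation), which is consistent with the regenerated `index` lines in those two patches.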
|
||||||
|