import CS git gstreamer1-plugins-good-1.16.1-7.el8_10

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-08 12:30:43 -04:00
parent 543c2d4711
commit c727b83381
2 changed files with 171 additions and 1 deletions

View File

@ -0,0 +1,162 @@
From 558209ddcf3aad3603f5cb19d7267d1f9fa61f4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 5 Jun 2026 11:24:21 +0300
Subject: [PATCH 1/4] wavpackdec: Avoid integer overflow when calculating
output buffer size
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5069
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
---
ext/wavpack/gstwavpackdec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
index 7cce543..96daeb0 100644
--- a/ext/wavpack/gstwavpackdec.c
+++ b/ext/wavpack/gstwavpackdec.c
@@ -279,6 +279,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
gboolean format_changed;
gint width, depth, i, j, max;
gint32 *dec_data = NULL;
+ gsize dec_data_size;
guint8 *out_data;
GstMapInfo map, omap;
@@ -351,7 +352,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
}
/* alloc output buffer */
- dec_data = g_malloc (4 * wph.block_samples * dec->channels);
+ dec_data_size = 4;
+ if (!g_size_checked_mul (&dec_data_size, dec_data_size, wph.block_samples) ||
+ !g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels))
+ goto invalid_header;
+ dec_data = g_malloc (dec_data_size);
/* decode */
decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples);
--
2.52.0
From 6d5f8cbf6cd7924131bfe3556167921782ab70c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 5 Jun 2026 11:24:25 +0300
Subject: [PATCH 2/4] wavpackdec: Use correctly-sized variable types
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
---
ext/wavpack/gstwavpackdec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
index 96daeb0..f7798df 100644
--- a/ext/wavpack/gstwavpackdec.c
+++ b/ext/wavpack/gstwavpackdec.c
@@ -275,11 +275,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
GstBuffer *outbuf = NULL;
GstFlowReturn ret = GST_FLOW_OK;
WavpackHeader wph;
- int32_t decoded, unpacked_size;
gboolean format_changed;
- gint width, depth, i, j, max;
+ gint width, depth, max;
gint32 *dec_data = NULL;
- gsize dec_data_size;
+ gsize i, j, dec_data_size, unpacked_size;
+ uint32_t decoded;
guint8 *out_data;
GstMapInfo map, omap;
--
2.52.0
From 5981e286114d83f963abdef5304ef3bbfe46f9d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 5 Jun 2026 11:24:29 +0300
Subject: [PATCH 3/4] wavpackdec: Avoid integer overflow when checking input
buffer size
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
---
ext/wavpack/gstwavpackdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
index f7798df..bf28f38 100644
--- a/ext/wavpack/gstwavpackdec.c
+++ b/ext/wavpack/gstwavpackdec.c
@@ -296,7 +296,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
if (!gst_wavpack_read_header (&wph, map.data))
goto invalid_header;
- if (map.size < wph.ckSize + 4 * 1 + 4)
+ if (map.size - 4 * 1 - 4 < wph.ckSize)
goto input_not_framed;
if (!(wph.flags & INITIAL_BLOCK))
--
2.52.0
From 4cbfaa356e027111909d612a8ad828364241cafe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 5 Jun 2026 11:24:33 +0300
Subject: [PATCH 4/4] wavpackdec: Unmap input buffer directly after decoding
In case of decoder errors we would otherwise unmap the buffer after
finish_frame(), which potentially invalidates the input buffer already.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
---
ext/wavpack/gstwavpackdec.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
index bf28f38..3c9fa0f 100644
--- a/ext/wavpack/gstwavpackdec.c
+++ b/ext/wavpack/gstwavpackdec.c
@@ -280,6 +280,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
gint32 *dec_data = NULL;
gsize i, j, dec_data_size, unpacked_size;
uint32_t decoded;
+ guint64 offset;
guint8 *out_data;
GstMapInfo map, omap;
@@ -357,9 +358,12 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
!g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels))
goto invalid_header;
dec_data = g_malloc (dec_data_size);
+ offset = GST_BUFFER_OFFSET (buf);
/* decode */
decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples);
+ gst_buffer_unmap (buf, &map);
+ buf = NULL;
if (decoded != wph.block_samples)
goto decode_error;
@@ -367,7 +371,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
outbuf = gst_buffer_new_and_alloc (unpacked_size);
/* legacy; pass along offset, whatever that might entail */
- GST_BUFFER_OFFSET (outbuf) = GST_BUFFER_OFFSET (buf);
+ GST_BUFFER_OFFSET (outbuf) = offset;
gst_buffer_map (outbuf, &omap, GST_MAP_WRITE);
out_data = omap.data;
@@ -412,8 +416,6 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
}
gst_buffer_unmap (outbuf, &omap);
- gst_buffer_unmap (buf, &map);
- buf = NULL;
g_free (dec_data);
--
2.52.0

View File

@ -15,7 +15,7 @@
Name: gstreamer1-plugins-good
Version: 1.16.1
Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist}
Release: 7%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
@ -39,6 +39,9 @@ Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
Patch9: 0001-rtpqdm2depay-error-out-if-anyone-tries-to-use-this-e.patch
# https://issues.redhat.com/browse/RHEL-184473
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811
Patch10: gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch
BuildRequires: gcc
BuildRequires: gcc-c++
@ -182,6 +185,7 @@ to be installed.
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build
%configure --disable-silent-rules --disable-fatal-warnings \
@ -366,6 +370,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%changelog
* Fri Jun 19 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-7
- Fix integer overflow vulnerabilities in wavpackdec (CVE-2026-53705)
Resolves: RHEL-184473
* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
- Add patch for CVE-2026-3083 and CVE-2026-3085
Resolves: RHEL-156183, RHEL-156153