import CS git gstreamer1-plugins-good-1.16.1-7.el8_10
This commit is contained in:
parent
543c2d4711
commit
c727b83381
162
SOURCES/gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch
Normal file
162
SOURCES/gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch
Normal file
@ -0,0 +1,162 @@
|
||||
From 558209ddcf3aad3603f5cb19d7267d1f9fa61f4a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Fri, 5 Jun 2026 11:24:21 +0300
|
||||
Subject: [PATCH 1/4] wavpackdec: Avoid integer overflow when calculating
|
||||
output buffer size
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5069
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
|
||||
---
|
||||
ext/wavpack/gstwavpackdec.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
|
||||
index 7cce543..96daeb0 100644
|
||||
--- a/ext/wavpack/gstwavpackdec.c
|
||||
+++ b/ext/wavpack/gstwavpackdec.c
|
||||
@@ -279,6 +279,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
gboolean format_changed;
|
||||
gint width, depth, i, j, max;
|
||||
gint32 *dec_data = NULL;
|
||||
+ gsize dec_data_size;
|
||||
guint8 *out_data;
|
||||
GstMapInfo map, omap;
|
||||
|
||||
@@ -351,7 +352,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
}
|
||||
|
||||
/* alloc output buffer */
|
||||
- dec_data = g_malloc (4 * wph.block_samples * dec->channels);
|
||||
+ dec_data_size = 4;
|
||||
+ if (!g_size_checked_mul (&dec_data_size, dec_data_size, wph.block_samples) ||
|
||||
+ !g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels))
|
||||
+ goto invalid_header;
|
||||
+ dec_data = g_malloc (dec_data_size);
|
||||
|
||||
/* decode */
|
||||
decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples);
|
||||
--
|
||||
2.52.0
|
||||
|
||||
|
||||
From 6d5f8cbf6cd7924131bfe3556167921782ab70c6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Fri, 5 Jun 2026 11:24:25 +0300
|
||||
Subject: [PATCH 2/4] wavpackdec: Use correctly-sized variable types
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
|
||||
---
|
||||
ext/wavpack/gstwavpackdec.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
|
||||
index 96daeb0..f7798df 100644
|
||||
--- a/ext/wavpack/gstwavpackdec.c
|
||||
+++ b/ext/wavpack/gstwavpackdec.c
|
||||
@@ -275,11 +275,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
GstBuffer *outbuf = NULL;
|
||||
GstFlowReturn ret = GST_FLOW_OK;
|
||||
WavpackHeader wph;
|
||||
- int32_t decoded, unpacked_size;
|
||||
gboolean format_changed;
|
||||
- gint width, depth, i, j, max;
|
||||
+ gint width, depth, max;
|
||||
gint32 *dec_data = NULL;
|
||||
- gsize dec_data_size;
|
||||
+ gsize i, j, dec_data_size, unpacked_size;
|
||||
+ uint32_t decoded;
|
||||
guint8 *out_data;
|
||||
GstMapInfo map, omap;
|
||||
|
||||
--
|
||||
2.52.0
|
||||
|
||||
|
||||
From 5981e286114d83f963abdef5304ef3bbfe46f9d1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Fri, 5 Jun 2026 11:24:29 +0300
|
||||
Subject: [PATCH 3/4] wavpackdec: Avoid integer overflow when checking input
|
||||
buffer size
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
|
||||
---
|
||||
ext/wavpack/gstwavpackdec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
|
||||
index f7798df..bf28f38 100644
|
||||
--- a/ext/wavpack/gstwavpackdec.c
|
||||
+++ b/ext/wavpack/gstwavpackdec.c
|
||||
@@ -296,7 +296,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
if (!gst_wavpack_read_header (&wph, map.data))
|
||||
goto invalid_header;
|
||||
|
||||
- if (map.size < wph.ckSize + 4 * 1 + 4)
|
||||
+ if (map.size - 4 * 1 - 4 < wph.ckSize)
|
||||
goto input_not_framed;
|
||||
|
||||
if (!(wph.flags & INITIAL_BLOCK))
|
||||
--
|
||||
2.52.0
|
||||
|
||||
|
||||
From 4cbfaa356e027111909d612a8ad828364241cafe Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Fri, 5 Jun 2026 11:24:33 +0300
|
||||
Subject: [PATCH 4/4] wavpackdec: Unmap input buffer directly after decoding
|
||||
|
||||
In case of decoder errors we would otherwise unmap the buffer after
|
||||
finish_frame(), which potentially invalidates the input buffer already.
|
||||
|
||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811>
|
||||
---
|
||||
ext/wavpack/gstwavpackdec.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c
|
||||
index bf28f38..3c9fa0f 100644
|
||||
--- a/ext/wavpack/gstwavpackdec.c
|
||||
+++ b/ext/wavpack/gstwavpackdec.c
|
||||
@@ -280,6 +280,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
gint32 *dec_data = NULL;
|
||||
gsize i, j, dec_data_size, unpacked_size;
|
||||
uint32_t decoded;
|
||||
+ guint64 offset;
|
||||
guint8 *out_data;
|
||||
GstMapInfo map, omap;
|
||||
|
||||
@@ -357,9 +358,12 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
!g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels))
|
||||
goto invalid_header;
|
||||
dec_data = g_malloc (dec_data_size);
|
||||
+ offset = GST_BUFFER_OFFSET (buf);
|
||||
|
||||
/* decode */
|
||||
decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples);
|
||||
+ gst_buffer_unmap (buf, &map);
|
||||
+ buf = NULL;
|
||||
if (decoded != wph.block_samples)
|
||||
goto decode_error;
|
||||
|
||||
@@ -367,7 +371,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
outbuf = gst_buffer_new_and_alloc (unpacked_size);
|
||||
|
||||
/* legacy; pass along offset, whatever that might entail */
|
||||
- GST_BUFFER_OFFSET (outbuf) = GST_BUFFER_OFFSET (buf);
|
||||
+ GST_BUFFER_OFFSET (outbuf) = offset;
|
||||
|
||||
gst_buffer_map (outbuf, &omap, GST_MAP_WRITE);
|
||||
out_data = omap.data;
|
||||
@@ -412,8 +416,6 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf)
|
||||
}
|
||||
|
||||
gst_buffer_unmap (outbuf, &omap);
|
||||
- gst_buffer_unmap (buf, &map);
|
||||
- buf = NULL;
|
||||
|
||||
g_free (dec_data);
|
||||
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -15,7 +15,7 @@
|
||||
|
||||
Name: gstreamer1-plugins-good
|
||||
Version: 1.16.1
|
||||
Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Release: 7%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer plugins with good code and licensing
|
||||
|
||||
License: LGPLv2+
|
||||
@ -39,6 +39,9 @@ Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
|
||||
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
|
||||
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
|
||||
Patch9: 0001-rtpqdm2depay-error-out-if-anyone-tries-to-use-this-e.patch
|
||||
# https://issues.redhat.com/browse/RHEL-184473
|
||||
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811
|
||||
Patch10: gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
@ -182,6 +185,7 @@ to be installed.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||
@ -366,6 +370,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jun 19 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-7
|
||||
- Fix integer overflow vulnerabilities in wavpackdec (CVE-2026-53705)
|
||||
Resolves: RHEL-184473
|
||||
|
||||
* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
|
||||
- Add patch for CVE-2026-3083 and CVE-2026-3085
|
||||
Resolves: RHEL-156183, RHEL-156153
|
||||
|
||||
Loading…
Reference in New Issue
Block a user