diff --git a/SOURCES/gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch b/SOURCES/gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch new file mode 100644 index 0000000..38f500b --- /dev/null +++ b/SOURCES/gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch @@ -0,0 +1,162 @@ +From 558209ddcf3aad3603f5cb19d7267d1f9fa61f4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 5 Jun 2026 11:24:21 +0300 +Subject: [PATCH 1/4] wavpackdec: Avoid integer overflow when calculating + output buffer size + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5069 + +Part-of: +--- + ext/wavpack/gstwavpackdec.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c +index 7cce543..96daeb0 100644 +--- a/ext/wavpack/gstwavpackdec.c ++++ b/ext/wavpack/gstwavpackdec.c +@@ -279,6 +279,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + gboolean format_changed; + gint width, depth, i, j, max; + gint32 *dec_data = NULL; ++ gsize dec_data_size; + guint8 *out_data; + GstMapInfo map, omap; + +@@ -351,7 +352,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + } + + /* alloc output buffer */ +- dec_data = g_malloc (4 * wph.block_samples * dec->channels); ++ dec_data_size = 4; ++ if (!g_size_checked_mul (&dec_data_size, dec_data_size, wph.block_samples) || ++ !g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels)) ++ goto invalid_header; ++ dec_data = g_malloc (dec_data_size); + + /* decode */ + decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples); +-- +2.52.0 + + +From 6d5f8cbf6cd7924131bfe3556167921782ab70c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 5 Jun 2026 11:24:25 +0300 +Subject: [PATCH 2/4] wavpackdec: Use correctly-sized variable types + +Part-of: +--- + ext/wavpack/gstwavpackdec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c +index 96daeb0..f7798df 100644 +--- a/ext/wavpack/gstwavpackdec.c ++++ b/ext/wavpack/gstwavpackdec.c +@@ -275,11 +275,11 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + GstBuffer *outbuf = NULL; + GstFlowReturn ret = GST_FLOW_OK; + WavpackHeader wph; +- int32_t decoded, unpacked_size; + gboolean format_changed; +- gint width, depth, i, j, max; ++ gint width, depth, max; + gint32 *dec_data = NULL; +- gsize dec_data_size; ++ gsize i, j, dec_data_size, unpacked_size; ++ uint32_t decoded; + guint8 *out_data; + GstMapInfo map, omap; + +-- +2.52.0 + + +From 5981e286114d83f963abdef5304ef3bbfe46f9d1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 5 Jun 2026 11:24:29 +0300 +Subject: [PATCH 3/4] wavpackdec: Avoid integer overflow when checking input + buffer size + +Part-of: +--- + ext/wavpack/gstwavpackdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c +index f7798df..bf28f38 100644 +--- a/ext/wavpack/gstwavpackdec.c ++++ b/ext/wavpack/gstwavpackdec.c +@@ -296,7 +296,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + if (!gst_wavpack_read_header (&wph, map.data)) + goto invalid_header; + +- if (map.size < wph.ckSize + 4 * 1 + 4) ++ if (map.size - 4 * 1 - 4 < wph.ckSize) + goto input_not_framed; + + if (!(wph.flags & INITIAL_BLOCK)) +-- +2.52.0 + + +From 4cbfaa356e027111909d612a8ad828364241cafe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 5 Jun 2026 11:24:33 +0300 +Subject: [PATCH 4/4] wavpackdec: Unmap input buffer directly after decoding + +In case of decoder errors we would otherwise unmap the buffer after +finish_frame(), which potentially invalidates the input buffer already. + +Part-of: +--- + ext/wavpack/gstwavpackdec.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ext/wavpack/gstwavpackdec.c b/ext/wavpack/gstwavpackdec.c +index bf28f38..3c9fa0f 100644 +--- a/ext/wavpack/gstwavpackdec.c ++++ b/ext/wavpack/gstwavpackdec.c +@@ -280,6 +280,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + gint32 *dec_data = NULL; + gsize i, j, dec_data_size, unpacked_size; + uint32_t decoded; ++ guint64 offset; + guint8 *out_data; + GstMapInfo map, omap; + +@@ -357,9 +358,12 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + !g_size_checked_mul (&dec_data_size, dec_data_size, dec->channels)) + goto invalid_header; + dec_data = g_malloc (dec_data_size); ++ offset = GST_BUFFER_OFFSET (buf); + + /* decode */ + decoded = WavpackUnpackSamples (dec->context, dec_data, wph.block_samples); ++ gst_buffer_unmap (buf, &map); ++ buf = NULL; + if (decoded != wph.block_samples) + goto decode_error; + +@@ -367,7 +371,7 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + outbuf = gst_buffer_new_and_alloc (unpacked_size); + + /* legacy; pass along offset, whatever that might entail */ +- GST_BUFFER_OFFSET (outbuf) = GST_BUFFER_OFFSET (buf); ++ GST_BUFFER_OFFSET (outbuf) = offset; + + gst_buffer_map (outbuf, &omap, GST_MAP_WRITE); + out_data = omap.data; +@@ -412,8 +416,6 @@ gst_wavpack_dec_handle_frame (GstAudioDecoder * bdec, GstBuffer * buf) + } + + gst_buffer_unmap (outbuf, &omap); +- gst_buffer_unmap (buf, &map); +- buf = NULL; + + g_free (dec_data); + +-- +2.52.0 + diff --git a/SPECS/gstreamer1-plugins-good.spec b/SPECS/gstreamer1-plugins-good.spec index e29b107..bc94f67 100644 --- a/SPECS/gstreamer1-plugins-good.spec +++ b/SPECS/gstreamer1-plugins-good.spec @@ -15,7 +15,7 @@ Name: gstreamer1-plugins-good Version: 1.16.1 -Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist} +Release: 7%{?gitcommit:.git%{shortcommit}}%{?dist} Summary: GStreamer plugins with good code and licensing License: LGPLv2+ @@ -39,6 +39,9 @@ Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch Patch9: 0001-rtpqdm2depay-error-out-if-anyone-tries-to-use-this-e.patch +# https://issues.redhat.com/browse/RHEL-184473 +# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11811 +Patch10: gstreamer1-plugins-good-1.16.1-CVE-2026-53705.patch BuildRequires: gcc BuildRequires: gcc-c++ @@ -182,6 +185,7 @@ to be installed. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build %configure --disable-silent-rules --disable-fatal-warnings \ @@ -366,6 +370,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %changelog +* Fri Jun 19 2026 RHEL Packaging Agent - 1.16.1-7 +- Fix integer overflow vulnerabilities in wavpackdec (CVE-2026-53705) + Resolves: RHEL-184473 + * Tue Mar 31 2026 Wim Taymans - 1.16.1-6 - Add patch for CVE-2026-3083 and CVE-2026-3085 Resolves: RHEL-156183, RHEL-156153