Import from CS git

This commit is contained in:
eabdullin 2024-12-18 06:30:14 +00:00
parent fb11ab9fb3
commit ce588a5bf1
11 changed files with 308 additions and 21 deletions

View File

@ -0,0 +1 @@
2b88a2d36bc53bed1b06c359ed676ec8b8675d5c SOURCES/gst-plugins-good-1.16.1.tar.xz

View File

@ -1,7 +1,7 @@
From 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee Mon Sep 17 00:00:00 2001 From fff62c8b65cd18e2673944a2a9c95520e7b5ddf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 4 Mar 2021 13:05:19 +0200 Date: Thu, 4 Mar 2021 13:05:19 +0200
Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack Subject: [PATCH 1/9] matroskademux: Fix extraction of multichannel WavPack
The old code had a couple of issues that all lead to potential memory The old code had a couple of issues that all lead to potential memory
safety bugs. safety bugs.
@ -32,10 +32,10 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
2 files changed, 55 insertions(+), 46 deletions(-) 2 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 4eb3d2a9f..f890ae611 100644 index b2cd9b5d4..5e724c8e0 100644
--- a/gst/matroska/matroska-demux.c --- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c +++ b/gst/matroska/matroska-demux.c
@@ -3706,6 +3706,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, @@ -3704,6 +3704,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint32 block_samples, tmp; guint32 block_samples, tmp;
gsize size = gst_buffer_get_size (*buf); gsize size = gst_buffer_get_size (*buf);
@ -48,7 +48,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
block_samples = GUINT32_FROM_LE (tmp); block_samples = GUINT32_FROM_LE (tmp);
/* we need to reconstruct the header of the wavpack block */ /* we need to reconstruct the header of the wavpack block */
@@ -3713,10 +3719,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, @@ -3711,10 +3717,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
/* -20 because ck_size is the size of the wavpack block -8 /* -20 because ck_size is the size of the wavpack block -8
* and lace_size is the size of the wavpack block + 12 * and lace_size is the size of the wavpack block + 12
* (the three guint32 of the header that already are in the buffer) */ * (the three guint32 of the header that already are in the buffer) */
@ -61,7 +61,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
data = outmap.data; data = outmap.data;
@@ -3741,9 +3747,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, @@ -3739,9 +3745,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
audiocontext->wvpk_block_index += block_samples; audiocontext->wvpk_block_index += block_samples;
} else { } else {
guint8 *outdata = NULL; guint8 *outdata = NULL;
@ -75,7 +75,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_map (*buf, &map, GST_MAP_READ); gst_buffer_map (*buf, &map, GST_MAP_READ);
buf_data = map.data; buf_data = map.data;
@@ -3752,6 +3760,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, @@ -3750,6 +3758,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (buf_size < 4) { if (buf_size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer"); GST_ERROR_OBJECT (element, "Too small wavpack buffer");
gst_buffer_unmap (*buf, &map); gst_buffer_unmap (*buf, &map);
@ -83,7 +83,7 @@ index 4eb3d2a9f..f890ae611 100644
return GST_FLOW_ERROR; return GST_FLOW_ERROR;
} }
@@ -3773,59 +3782,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, @@ -3771,59 +3780,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4; data += 4;
size -= 4; size -= 4;
@ -197,5 +197,5 @@ index 9b263d8a1..a0d68343f 100644
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
-- --
GitLab 2.47.0

View File

@ -1,8 +1,8 @@
From d62cecf193d6bf3b16fe91d725f4514161f602c3 Mon Sep 17 00:00:00 2001 From a88489c4bc2a807912a12398c04c0fc8579037df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:31:52 +0200 Date: Wed, 3 Mar 2021 11:31:52 +0200
Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL Subject: [PATCH 2/9] matroskademux: Initialize track context out parameter to
before parsing NULL before parsing
Various error return paths don't set it to NULL and callers are only Various error return paths don't set it to NULL and callers are only
checking if the pointer is NULL. As it's allocated on the stack this checking if the pointer is NULL. As it's allocated on the stack this
@ -21,7 +21,7 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
1 file changed, 2 insertions(+) 1 file changed, 2 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index b2cd9b5d4..4eb3d2a9f 100644 index 5e724c8e0..f890ae611 100644
--- a/gst/matroska/matroska-demux.c --- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c +++ b/gst/matroska/matroska-demux.c
@@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, @@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
@ -34,5 +34,5 @@ index b2cd9b5d4..4eb3d2a9f 100644
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) { if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret); DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
-- --
GitLab 2.47.0

View File

@ -1,8 +1,8 @@
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001 From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300 Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check
image tags for image tags
If the image length as stored in the file is some bogus integer then If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly adding it to the current byte readers position can overflow and wrongly
@ -51,5 +51,5 @@ index 2758d4cfc..cd5a48bee 100644
gst_buffer_unmap (buffer, &map); gst_buffer_unmap (buffer, &map);
-- --
2.43.0 2.47.0

View File

@ -0,0 +1,41 @@
From f0007ee8579f97999d69bbc6d7f9ac166a06fddb Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:45:27 +0100
Subject: [PATCH 4/9] qtdemux: Avoid integer overflow when parsing Theora
extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
---
gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index ad07c1e36..229edb3e5 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7816,7 +7816,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -7824,7 +7824,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
2.47.0

View File

@ -0,0 +1,49 @@
From 8d4c79e61a62245dc6a499b0a439317bb37d0508 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:47:09 +0100
Subject: [PATCH 5/9] gdkpixbufdec: Check if initializing the video info
actually succeeded
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
mapped.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-118
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8103>
---
ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
index c119236a8..c0ecb3a08 100644
--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
+++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
@@ -318,7 +318,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
gst_video_info_init (&info);
- gst_video_info_set_format (&info, fmt, width, height);
+ if (!gst_video_info_set_format (&info, fmt, width, height))
+ goto format_not_supported;
info.fps_n = filter->in_fps_n;
info.fps_d = filter->in_fps_d;
caps = gst_video_info_to_caps (&info);
@@ -379,6 +380,12 @@ channels_not_supported:
("%d channels not supported", n_channels));
return GST_FLOW_ERROR;
}
+format_not_supported:
+ {
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
+ ("%d channels with %dx%d not supported", n_channels, width, height));
+ return GST_FLOW_ERROR;
+ }
no_buffer:
{
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
--
2.47.0

View File

@ -0,0 +1,52 @@
From c7f995f1030efb3281faa72a1a8827969f3591bc Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:48:03 +0100
Subject: [PATCH 6/9] matroskademux: Only unmap GstMapInfo in WavPack header
extraction error paths if previously mapped
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-197
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index f890ae611..2db68bc1f 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3687,7 +3687,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
GstMatroskaTrackAudioContext *audiocontext =
(GstMatroskaTrackAudioContext *) stream;
GstBuffer *newbuf = NULL;
- GstMapInfo map, outmap;
guint8 *buf_data, *data;
Wavpack4Header wvh;
@@ -3704,11 +3703,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (audiocontext->channels <= 2) {
guint32 block_samples, tmp;
+ GstMapInfo outmap;
gsize size = gst_buffer_get_size (*buf);
if (size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
- gst_buffer_unmap (*buf, &map);
return GST_FLOW_ERROR;
}
@@ -3746,6 +3745,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
*buf = newbuf;
audiocontext->wvpk_block_index += block_samples;
} else {
+ GstMapInfo map, outmap;
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
--
2.47.0

View File

@ -0,0 +1,27 @@
From 5d1ac58fa39a4e8e1cb0545c44aae69f71099f27 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:04 +0100
Subject: [PATCH 7/9] matroskademux: Fix off-by-one when parsing multi-channel
WavPack
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 2db68bc1f..0466c9a6b 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3771,7 +3771,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- while (size > 12) {
+ while (size >= 12) {
flags = GST_READ_UINT32_LE (data);
data += 4;
size -= 4;
--
2.47.0

View File

@ -0,0 +1,59 @@
From f3358d7e6fb9540e45f1cde0378e94482846f216 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:37 +0100
Subject: [PATCH 8/9] qtdemux: Fix integer overflow when allocating the samples
table for fragmented MP4
This can lead to out of bounds writes and NULL pointer dereferences.
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 229edb3e5..a37c92933 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3327,6 +3327,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint i;
guint8 *data;
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+ guint new_n_samples;
QtDemuxSample *sample;
gboolean ismv = FALSE;
gint64 initial_offset;
@@ -3426,14 +3427,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
goto fail;
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
- if (stream->n_samples + samples_count >=
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
goto index_too_big;
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
- (stream->n_samples + samples_count) *
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+ new_n_samples, (guint) sizeof (QtDemuxSample),
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
/* create a new array of samples if it's the first sample parsed */
if (stream->n_samples == 0) {
@@ -3442,7 +3442,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* or try to reallocate it with space enough to insert the new samples */
} else
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
- stream->n_samples + samples_count);
+ new_n_samples);
if (stream->samples == NULL)
goto out_of_memory;
--
2.47.0

View File

@ -0,0 +1,40 @@
From 6b751c71eb130f2c69eeacf5f47e0d6de639dc78 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:52:04 +0100
Subject: [PATCH 9/9] qtdemux: Make sure only an even number of bytes is
processed when handling CEA608 data
An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.
Strip off any leftover bytes and assume everything before that is valid.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index a37c92933..8336ff302 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -5612,6 +5612,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
guint8 *storage;
gsize i;
+ /* Strip off any leftover odd bytes and assume everything before is valid */
+ if (ccpair_size % 2 != 0) {
+ ccpair_size -= 1;
+ }
+
/* We are converting from pairs to triplets */
*res = ccpair_size / 2 * 3;
storage = g_malloc (*res);
--
2.47.0

View File

@ -15,7 +15,7 @@
Name: gstreamer1-plugins-good Name: gstreamer1-plugins-good
Version: 1.16.1 Version: 1.16.1
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist} Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing Summary: GStreamer plugins with good code and licensing
License: LGPLv2+ License: LGPLv2+
@ -29,9 +29,15 @@ Source0: gst-plugins-good-%{version}.tar.xz
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
%endif %endif
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch Patch0: 0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch Patch1: 0002-matroskademux-Initialize-track-context-out-parameter.patch
Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch Patch2: 0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Patch3: 0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
Patch4: 0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
Patch5: 0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
@ -168,6 +174,12 @@ to be installed.
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build %build
%configure --disable-silent-rules --disable-fatal-warnings \ %configure --disable-silent-rules --disable-fatal-warnings \
@ -352,6 +364,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%changelog %changelog
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
CVE-2024-47613
Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022
Resolves: RHEL-70998
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4 * Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- CVE-2023-37327: integer overflow leading to heap overwrite in - CVE-2023-37327: integer overflow leading to heap overwrite in
FLAC image tag handling FLAC image tag handling