Import from AlmaLinux stable repository
parent
0b2c840a33
commit
ef3c3d8887
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/gst-plugins-good-1.18.4.tar.xz
|
SOURCES/gst-plugins-good-1.22.1.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
aaf8f2aa0bb58cad638b32d0d44a183ed7e7f8b0 SOURCES/gst-plugins-good-1.18.4.tar.xz
|
4c8346aa97ca82f88b988471781f6b18b4e5642c SOURCES/gst-plugins-good-1.22.1.tar.xz
|
||||||
|
@ -1,65 +0,0 @@
|
|||||||
From bcfe7befea53869e7836be912ee7efe875877169 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
||||||
Date: Wed, 18 May 2022 12:00:48 +0300
|
|
||||||
Subject: [PATCH 1/4] avidemux: Fix integer overflow resulting in heap
|
|
||||||
corruption in DIB buffer inversion code
|
|
||||||
|
|
||||||
Check that width*bpp/8 doesn't overflow a guint and also that
|
|
||||||
height*stride fits into the provided buffer without overflowing.
|
|
||||||
|
|
||||||
Thanks to Adam Doupe for analyzing and reporting the issue.
|
|
||||||
|
|
||||||
CVE: CVE-2022-1921
|
|
||||||
|
|
||||||
See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
|
|
||||||
|
|
||||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
|
|
||||||
|
|
||||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
|
|
||||||
---
|
|
||||||
gst/avi/gstavidemux.c | 17 ++++++++++++++---
|
|
||||||
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
|
|
||||||
index 25c97da03e..1c87c668d0 100644
|
|
||||||
--- a/gst/avi/gstavidemux.c
|
|
||||||
+++ b/gst/avi/gstavidemux.c
|
|
||||||
@@ -4971,8 +4971,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
|
|
||||||
static GstBuffer *
|
|
||||||
gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
|
|
||||||
{
|
|
||||||
- gint y, w, h;
|
|
||||||
- gint bpp, stride;
|
|
||||||
+ guint y, w, h;
|
|
||||||
+ guint bpp, stride;
|
|
||||||
guint8 *tmp = NULL;
|
|
||||||
GstMapInfo map;
|
|
||||||
guint32 fourcc;
|
|
||||||
@@ -4999,12 +4999,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
|
|
||||||
h = stream->strf.vids->height;
|
|
||||||
w = stream->strf.vids->width;
|
|
||||||
bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
|
|
||||||
+
|
|
||||||
+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
|
|
||||||
+ GST_WARNING ("Width x stride overflows");
|
|
||||||
+ return buf;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (w == 0 || h == 0) {
|
|
||||||
+ GST_WARNING ("Zero width or height");
|
|
||||||
+ return buf;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
stride = GST_ROUND_UP_4 (w * (bpp / 8));
|
|
||||||
|
|
||||||
buf = gst_buffer_make_writable (buf);
|
|
||||||
|
|
||||||
gst_buffer_map (buf, &map, GST_MAP_READWRITE);
|
|
||||||
- if (map.size < (stride * h)) {
|
|
||||||
+ if (map.size < ((guint64) stride * (guint64) h)) {
|
|
||||||
GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
|
|
||||||
gst_buffer_unmap (buf, &map);
|
|
||||||
return buf;
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -0,0 +1,55 @@
|
|||||||
|
From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||||
|
Date: Tue, 13 Jun 2023 13:20:16 +0300
|
||||||
|
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
|
||||||
|
image tags
|
||||||
|
|
||||||
|
If the image length as stored in the file is some bogus integer then
|
||||||
|
adding it to the current byte readers position can overflow and wrongly
|
||||||
|
have the check for enough available data succeed.
|
||||||
|
|
||||||
|
This then later can cause NULL pointer dereferences or out of bounds
|
||||||
|
reads/writes when actually reading the image data.
|
||||||
|
|
||||||
|
Fixes ZDI-CAN-20775
|
||||||
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
|
||||||
|
|
||||||
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
|
||||||
|
---
|
||||||
|
.../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
|
||||||
|
index a53b7ebc77..8ee450c65a 100644
|
||||||
|
--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
|
||||||
|
+++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
|
||||||
|
@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
GstMapInfo map;
|
||||||
|
guint32 img_len = 0, img_type = 0;
|
||||||
|
guint32 img_mimetype_len = 0, img_description_len = 0;
|
||||||
|
+ const guint8 *img_data;
|
||||||
|
|
||||||
|
gst_buffer_map (buffer, &map, GST_MAP_READ);
|
||||||
|
gst_byte_reader_init (&reader, map.data, map.size);
|
||||||
|
@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
- if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
|
||||||
|
+ if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
|
||||||
|
@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
|
||||||
|
if (flacparse->tags == NULL)
|
||||||
|
flacparse->tags = gst_tag_list_new_empty ();
|
||||||
|
|
||||||
|
- gst_tag_list_add_id3_image (flacparse->tags,
|
||||||
|
- map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
|
||||||
|
+ gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
|
||||||
|
}
|
||||||
|
|
||||||
|
gst_buffer_unmap (buffer, &map);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
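Review bot: The replacement bounds check in gst_flac_parse_handle_picture, `if (!gst_byte_reader_get_data (&reader, img_len, &img_data))`, has no comment explaining why the earlier `gst_byte_reader_get_pos (&reader) + img_len > map.size` arithmetic was dropped, so a later cleanup could reintroduce the wrapping addition. I would add above it `/* Let the byte reader validate img_len against the remaining bytes; adding it to the position can wrap for a bogus length. */`. The neighbouring `GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);` prints a guint32 with `%d`; `%u` matches the type. The function starts and ends outside these hunks, so it cannot be confirmed from here whether later code depends on the reader position, which now advances past the image data.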
@ -1,209 +0,0 @@
|
|||||||
From 22eb3dc56d8cb71af2c2d413ae587cc401704780 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
||||||
Date: Wed, 18 May 2022 11:24:37 +0300
|
|
||||||
Subject: [PATCH 2/4] matroskademux: Fix integer overflows in zlib/bz2/etc
|
|
||||||
decompression code
|
|
||||||
|
|
||||||
Various variables were of smaller types than needed and there were no
|
|
||||||
checks for any overflows when doing additions on the sizes. This is all
|
|
||||||
checked now.
|
|
||||||
|
|
||||||
In addition the size of the decompressed data is limited to 120MB now as
|
|
||||||
any larger sizes are likely pathological and we can avoid out of memory
|
|
||||||
situations in many cases like this.
|
|
||||||
|
|
||||||
Also fix a bug where the available output size on the next iteration in
|
|
||||||
the zlib/bz2 decompression code was provided too large and could
|
|
||||||
potentially lead to out of bound writes.
|
|
||||||
|
|
||||||
Thanks to Adam Doupe for analyzing and reporting the issue.
|
|
||||||
|
|
||||||
CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
|
|
||||||
|
|
||||||
https://gstreamer.freedesktop.org/security/sa-2022-0002.html
|
|
||||||
|
|
||||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
|
|
||||||
|
|
||||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
|
|
||||||
---
|
|
||||||
gst/matroska/matroska-read-common.c | 76 +++++++++++++++++++++++------
|
|
||||||
1 file changed, 61 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
|
|
||||||
index 90d6e38e17..0ee9a787a4 100644
|
|
||||||
--- a/gst/matroska/matroska-read-common.c
|
|
||||||
+++ b/gst/matroska/matroska-read-common.c
|
|
||||||
@@ -70,6 +70,10 @@ typedef struct
|
|
||||||
gboolean audio_only;
|
|
||||||
} TargetTypeContext;
|
|
||||||
|
|
||||||
+/* 120MB as maximum decompressed data size. Anything bigger is likely
|
|
||||||
+ * pathological, and like this we avoid out of memory situations in many cases
|
|
||||||
+ */
|
|
||||||
+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
|
|
||||||
|
|
||||||
static gboolean
|
|
||||||
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
GstMatroskaTrackCompressionAlgorithm algo)
|
|
||||||
{
|
|
||||||
guint8 *new_data = NULL;
|
|
||||||
- guint new_size = 0;
|
|
||||||
+ gsize new_size = 0;
|
|
||||||
guint8 *data = *data_out;
|
|
||||||
- guint size = *size_out;
|
|
||||||
+ const gsize size = *size_out;
|
|
||||||
gboolean ret = TRUE;
|
|
||||||
|
|
||||||
+ if (size > G_MAXUINT32) {
|
|
||||||
+ GST_WARNING ("too large compressed data buffer.");
|
|
||||||
+ ret = FALSE;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
|
|
||||||
#ifdef HAVE_ZLIB
|
|
||||||
/* zlib encoded data */
|
|
||||||
z_stream zstream;
|
|
||||||
- guint orig_size;
|
|
||||||
int result;
|
|
||||||
|
|
||||||
- orig_size = size;
|
|
||||||
zstream.zalloc = (alloc_func) 0;
|
|
||||||
zstream.zfree = (free_func) 0;
|
|
||||||
zstream.opaque = (voidpf) 0;
|
|
||||||
@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
zstream.next_in = (Bytef *) data;
|
|
||||||
- zstream.avail_in = orig_size;
|
|
||||||
- new_size = orig_size;
|
|
||||||
+ zstream.avail_in = size;
|
|
||||||
+ new_size = size;
|
|
||||||
new_data = g_malloc (new_size);
|
|
||||||
zstream.avail_out = new_size;
|
|
||||||
zstream.next_out = (Bytef *) new_data;
|
|
||||||
@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
|
|
||||||
+ GST_WARNING ("too big decompressed data");
|
|
||||||
+ result = Z_MEM_ERROR;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
new_size += 4096;
|
|
||||||
new_data = g_realloc (new_data, new_size);
|
|
||||||
zstream.next_out = (Bytef *) (new_data + zstream.total_out);
|
|
||||||
- zstream.avail_out += 4096;
|
|
||||||
+ /* avail_out is an unsigned int */
|
|
||||||
+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
|
|
||||||
+ zstream.avail_out = new_size - zstream.total_out;
|
|
||||||
} while (zstream.avail_in > 0);
|
|
||||||
|
|
||||||
if (result != Z_STREAM_END) {
|
|
||||||
@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
#ifdef HAVE_BZ2
|
|
||||||
/* bzip2 encoded data */
|
|
||||||
bz_stream bzstream;
|
|
||||||
- guint orig_size;
|
|
||||||
int result;
|
|
||||||
|
|
||||||
bzstream.bzalloc = NULL;
|
|
||||||
bzstream.bzfree = NULL;
|
|
||||||
bzstream.opaque = NULL;
|
|
||||||
- orig_size = size;
|
|
||||||
|
|
||||||
if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
|
|
||||||
GST_WARNING ("bzip2 initialization failed.");
|
|
||||||
@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
}
|
|
||||||
|
|
||||||
bzstream.next_in = (char *) data;
|
|
||||||
- bzstream.avail_in = orig_size;
|
|
||||||
- new_size = orig_size;
|
|
||||||
+ bzstream.avail_in = size;
|
|
||||||
+ new_size = size;
|
|
||||||
new_data = g_malloc (new_size);
|
|
||||||
bzstream.avail_out = new_size;
|
|
||||||
bzstream.next_out = (char *) new_data;
|
|
||||||
@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
|
|
||||||
+ GST_WARNING ("too big decompressed data");
|
|
||||||
+ result = BZ_MEM_ERROR;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
new_size += 4096;
|
|
||||||
new_data = g_realloc (new_data, new_size);
|
|
||||||
- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
|
|
||||||
- bzstream.avail_out += 4096;
|
|
||||||
+ bzstream.next_out =
|
|
||||||
+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
|
|
||||||
+ bzstream.total_out_lo32);
|
|
||||||
+ /* avail_out is an unsigned int */
|
|
||||||
+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
|
|
||||||
+ bzstream.total_out_lo32 <= G_MAXUINT);
|
|
||||||
+ bzstream.avail_out =
|
|
||||||
+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
|
|
||||||
+ bzstream.total_out_lo32;
|
|
||||||
} while (bzstream.avail_in > 0);
|
|
||||||
|
|
||||||
if (result != BZ_STREAM_END) {
|
|
||||||
ret = FALSE;
|
|
||||||
g_free (new_data);
|
|
||||||
} else {
|
|
||||||
- new_size = bzstream.total_out_lo32;
|
|
||||||
+ new_size =
|
|
||||||
+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
|
|
||||||
}
|
|
||||||
BZ2_bzDecompressEnd (&bzstream);
|
|
||||||
|
|
||||||
@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
|
|
||||||
/* lzo encoded data */
|
|
||||||
int result;
|
|
||||||
- int orig_size, out_size;
|
|
||||||
+ gint orig_size, out_size;
|
|
||||||
+
|
|
||||||
+ if (size > G_MAXINT) {
|
|
||||||
+ GST_WARNING ("too large compressed data buffer.");
|
|
||||||
+ ret = FALSE;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
orig_size = size;
|
|
||||||
out_size = size;
|
|
||||||
@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
result = lzo1x_decode (new_data, &out_size, data, &orig_size);
|
|
||||||
|
|
||||||
if (orig_size > 0) {
|
|
||||||
+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
|
|
||||||
+ GST_WARNING ("too big decompressed data");
|
|
||||||
+ result = LZO_ERROR;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
new_size += 4096;
|
|
||||||
new_data = g_realloc (new_data, new_size);
|
|
||||||
}
|
|
||||||
@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
|
|
||||||
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
|
|
||||||
/* header stripped encoded data */
|
|
||||||
if (enc->comp_settings_length > 0) {
|
|
||||||
+ if (size > G_MAXSIZE - enc->comp_settings_length
|
|
||||||
+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
|
|
||||||
+ GST_WARNING ("too big decompressed data");
|
|
||||||
+ ret = FALSE;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
new_data = g_malloc (size + enc->comp_settings_length);
|
|
||||||
new_size = size + enc->comp_settings_length;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From 24267889a717e1e799037a0f1841d5416eb56e75 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
||||||
Date: Mon, 30 May 2022 10:15:37 +0300
|
|
||||||
Subject: [PATCH 3/4] qtdemux: Fix integer overflows in zlib decompression code
|
|
||||||
|
|
||||||
Various variables were of smaller types than needed and there were no
|
|
||||||
checks for any overflows when doing additions on the sizes. This is all
|
|
||||||
checked now.
|
|
||||||
|
|
||||||
In addition the size of the decompressed data is limited to 200MB now as
|
|
||||||
any larger sizes are likely pathological and we can avoid out of memory
|
|
||||||
situations in many cases like this.
|
|
||||||
|
|
||||||
Also fix a bug where the available output size on the next iteration in
|
|
||||||
the zlib decompression code was provided too large and could
|
|
||||||
potentially lead to out of bound writes.
|
|
||||||
|
|
||||||
Thanks to Adam Doupe for analyzing and reporting the issue.
|
|
||||||
|
|
||||||
CVE: tbd
|
|
||||||
|
|
||||||
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
|
|
||||||
|
|
||||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
|
|
||||||
|
|
||||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
|
|
||||||
---
|
|
||||||
gst/isomp4/qtdemux.c | 8 +++++++-
|
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
|
|
||||||
index 182d0bc06f..a9cbbd4cd3 100644
|
|
||||||
--- a/gst/isomp4/qtdemux.c
|
|
||||||
+++ b/gst/isomp4/qtdemux.c
|
|
||||||
@@ -7611,10 +7611,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
|
|
||||||
+ GST_WARNING ("too big decompressed data");
|
|
||||||
+ ret = Z_MEM_ERROR;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
*length += 4096;
|
|
||||||
buffer = (guint8 *) g_realloc (buffer, *length);
|
|
||||||
z.next_out = (Bytef *) (buffer + z.total_out);
|
|
||||||
- z.avail_out += 4096;
|
|
||||||
+ z.avail_out += *length - z.total_out;
|
|
||||||
} while (z.avail_in > 0);
|
|
||||||
|
|
||||||
if (ret != Z_STREAM_END) {
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From c0ac3357342599cc09397c6af0e696770ae94548 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
|
||||||
Date: Wed, 18 May 2022 10:23:15 +0300
|
|
||||||
Subject: [PATCH 4/4] matroskademux: Avoid integer-overflow resulting in heap
|
|
||||||
corruption in WavPack header handling code
|
|
||||||
|
|
||||||
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
|
|
||||||
results in allocating a very small buffer. Into that buffer blocksize
|
|
||||||
data is memcpy'd later which then causes out of bound writes and can
|
|
||||||
potentially lead to anything from crashes to remote code execution.
|
|
||||||
|
|
||||||
Thanks to Adam Doupe for analyzing and reporting the issue.
|
|
||||||
|
|
||||||
CVE: CVE-2022-1920
|
|
||||||
|
|
||||||
https://gstreamer.freedesktop.org/security/sa-2022-0004.html
|
|
||||||
|
|
||||||
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
|
|
||||||
|
|
||||||
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
|
|
||||||
---
|
|
||||||
gst/matroska/matroska-demux.c | 10 +++++++++-
|
|
||||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
|
|
||||||
index 0e47ee7b5e..b7d009de90 100644
|
|
||||||
--- a/gst/matroska/matroska-demux.c
|
|
||||||
+++ b/gst/matroska/matroska-demux.c
|
|
||||||
@@ -3893,7 +3893,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|
||||||
} else {
|
|
||||||
guint8 *outdata = NULL;
|
|
||||||
gsize buf_size, size;
|
|
||||||
- guint32 block_samples, flags, crc, blocksize;
|
|
||||||
+ guint32 block_samples, flags, crc;
|
|
||||||
+ gsize blocksize;
|
|
||||||
GstAdapter *adapter;
|
|
||||||
|
|
||||||
adapter = gst_adapter_new ();
|
|
||||||
@@ -3934,6 +3935,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
|
|
||||||
return GST_FLOW_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
|
|
||||||
+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
|
|
||||||
+ gst_buffer_unmap (*buf, &map);
|
|
||||||
+ g_object_unref (adapter);
|
|
||||||
+ return GST_FLOW_ERROR;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
g_assert (newbuf == NULL);
|
|
||||||
|
|
||||||
newbuf =
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -1,74 +0,0 @@
|
|||||||
diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
|
|
||||||
index a05d26e..bfa79cd 100644
|
|
||||||
--- a/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
|
|
||||||
+++ b/gst-plugins-good-1.18.0/ext/qt/gstqsgtexture.cc
|
|
||||||
@@ -35,7 +35,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT);
|
|
||||||
|
|
||||||
GstQSGTexture::GstQSGTexture ()
|
|
||||||
{
|
|
||||||
- static volatile gsize _debug;
|
|
||||||
+ static gsize _debug;
|
|
||||||
|
|
||||||
initializeOpenGLFunctions();
|
|
||||||
|
|
||||||
diff --git a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
|
|
||||||
index acb89b6..657bfda 100644
|
|
||||||
--- a/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
|
|
||||||
+++ b/gst-plugins-good-1.18.0/ext/qt/gstqtglutility.cc
|
|
||||||
@@ -66,7 +66,7 @@ gst_qt_get_gl_display ()
|
|
||||||
{
|
|
||||||
GstGLDisplay *display = NULL;
|
|
||||||
QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ());
|
|
||||||
- static volatile gsize _debug;
|
|
||||||
+ static gsize _debug;
|
|
||||||
|
|
||||||
g_assert (app != NULL);
|
|
||||||
|
|
||||||
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
|
|
||||||
index 2ad5601..576171c 100644
|
|
||||||
--- a/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
|
|
||||||
+++ b/gst-plugins-good-1.18.0/ext/qt/qtglrenderer.cc
|
|
||||||
@@ -22,7 +22,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT);
|
|
||||||
static void
|
|
||||||
init_debug (void)
|
|
||||||
{
|
|
||||||
- static volatile gsize _debug;
|
|
||||||
+ static gsize _debug;
|
|
||||||
|
|
||||||
if (g_once_init_enter (&_debug)) {
|
|
||||||
GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglrenderer", 0,
|
|
||||||
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
|
|
||||||
index 49dafc8..caa1ab5 100644
|
|
||||||
--- a/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
|
|
||||||
+++ b/gst-plugins-good-1.18.0/ext/qt/qtitem.cc
|
|
||||||
@@ -102,7 +102,7 @@ void InitializeSceneGraph::run()
|
|
||||||
|
|
||||||
QtGLVideoItem::QtGLVideoItem()
|
|
||||||
{
|
|
||||||
- static volatile gsize _debug;
|
|
||||||
+ static gsize _debug;
|
|
||||||
|
|
||||||
if (g_once_init_enter (&_debug)) {
|
|
||||||
GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglwidget", 0, "Qt GL Widget");
|
|
||||||
diff --git a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
|
|
||||||
index 9360c33..55a13ab 100644
|
|
||||||
--- a/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
|
|
||||||
+++ b/gst-plugins-good-1.18.0/ext/qt/qtwindow.cc
|
|
||||||
@@ -103,7 +103,7 @@ QtGLWindow::QtGLWindow ( QWindow * parent, QQuickWindow *src ) :
|
|
||||||
QQuickWindow( parent ), source (src)
|
|
||||||
{
|
|
||||||
QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ());
|
|
||||||
- static volatile gsize _debug;
|
|
||||||
+ static gsize _debug;
|
|
||||||
|
|
||||||
g_assert (app != NULL);
|
|
||||||
|
|
||||||
@@ -152,7 +152,7 @@ QtGLWindow::beforeRendering()
|
|
||||||
|
|
||||||
g_mutex_lock (&this->priv->lock);
|
|
||||||
|
|
||||||
- static volatile gsize once = 0;
|
|
||||||
+ static gsize once = 0;
|
|
||||||
if (g_once_init_enter(&once)) {
|
|
||||||
this->priv->start = QDateTime::currentDateTime().toMSecsSinceEpoch();
|
|
||||||
g_once_init_leave(&once,1);
|
|
@ -16,8 +16,8 @@
|
|||||||
#global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
|
#global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
|
||||||
|
|
||||||
Name: gstreamer1-plugins-good
|
Name: gstreamer1-plugins-good
|
||||||
Version: 1.18.4
|
Version: 1.22.1
|
||||||
Release: 6%{?gitcommit:.git%{shortcommit}}%{?dist}
|
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||||
Summary: GStreamer plugins with good code and licensing
|
Summary: GStreamer plugins with good code and licensing
|
||||||
|
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
@ -30,12 +30,6 @@ Source0: gst-plugins-good-%{version}.tar.xz
|
|||||||
%else
|
%else
|
||||||
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
|
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
|
||||||
%endif
|
%endif
|
||||||
Patch0: %{name}-gcc11.patch
|
|
||||||
|
|
||||||
Patch1: 0001-avidemux-Fix-integer-overflow-resulting-in-heap-corr.patch
|
|
||||||
Patch2: 0002-matroskademux-Fix-integer-overflows-in-zlib-bz2-etc-.patch
|
|
||||||
Patch3: 0003-qtdemux-Fix-integer-overflows-in-zlib-decompression-.patch
|
|
||||||
Patch4: 0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch
|
|
||||||
|
|
||||||
# Register as an AppStream component to be visible in the software center
|
# Register as an AppStream component to be visible in the software center
|
||||||
# NOTE: It would be *awesome* if this file was maintained by the upstream
|
# NOTE: It would be *awesome* if this file was maintained by the upstream
|
||||||
@ -43,6 +37,8 @@ Patch4: 0004-matroskademux-Avoid-integer-overflow-resulting-in-he.patch
|
|||||||
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
|
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
|
||||||
Source1: gstreamer-good.appdata.xml
|
Source1: gstreamer-good.appdata.xml
|
||||||
|
|
||||||
|
Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
|
||||||
|
|
||||||
BuildRequires: meson >= 0.48.0
|
BuildRequires: meson >= 0.48.0
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -169,11 +165,7 @@ to be installed.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n gst-plugins-good-%{version}
|
%setup -q -n gst-plugins-good-%{version}
|
||||||
%patch0 -p2
|
%patch0 -p3
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%meson \
|
%meson \
|
||||||
@ -181,7 +173,7 @@ to be installed.
|
|||||||
-D package-origin='http://download.fedoraproject.org' \
|
-D package-origin='http://download.fedoraproject.org' \
|
||||||
-D doc=disabled \
|
-D doc=disabled \
|
||||||
-D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \
|
-D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \
|
||||||
-D gtk_doc=disabled \
|
-D doc=disabled \
|
||||||
-D orc=enabled \
|
-D orc=enabled \
|
||||||
-D monoscope=disabled \
|
-D monoscope=disabled \
|
||||||
-D aalib=disabled \
|
-D aalib=disabled \
|
||||||
@ -194,6 +186,10 @@ to be installed.
|
|||||||
-D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \
|
-D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \
|
||||||
-D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \
|
-D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \
|
||||||
%endif
|
%endif
|
||||||
|
%if 0%{?_module_build} && "%{_module_name}" == "flatpak-runtime"
|
||||||
|
-D v4l2-gudev=disabled \
|
||||||
|
%endif
|
||||||
|
-D qt6=disabled
|
||||||
|
|
||||||
%meson_build
|
%meson_build
|
||||||
|
|
||||||
@ -208,7 +204,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||||||
|
|
||||||
%files -f gst-plugins-good-%{majorminor}.lang
|
%files -f gst-plugins-good-%{majorminor}.lang
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%doc AUTHORS README REQUIREMENTS
|
%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS
|
||||||
%{_metainfodir}/gstreamer-good.appdata.xml
|
%{_metainfodir}/gstreamer-good.appdata.xml
|
||||||
%if 0
|
%if 0
|
||||||
%doc %{_datadir}/gtk-doc/html/gst-plugins-good-plugins-%{majorminor}
|
%doc %{_datadir}/gtk-doc/html/gst-plugins-good-plugins-%{majorminor}
|
||||||
@ -222,6 +218,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||||||
%{_datadir}/gstreamer-%{majorminor}/presets/GstQTMux.prs
|
%{_datadir}/gstreamer-%{majorminor}/presets/GstQTMux.prs
|
||||||
|
|
||||||
# non-core plugins without external dependencies
|
# non-core plugins without external dependencies
|
||||||
|
%{_libdir}/gstreamer-%{majorminor}/libgstadaptivedemux2.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgstalaw.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstalaw.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgstalphacolor.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstalphacolor.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgstalpha.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstalpha.so
|
||||||
@ -267,6 +264,7 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||||||
%{_libdir}/gstreamer-%{majorminor}/libgstwavenc.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstwavenc.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgstwavparse.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstwavparse.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgstximagesrc.so
|
%{_libdir}/gstreamer-%{majorminor}/libgstximagesrc.so
|
||||||
|
%{_libdir}/gstreamer-%{majorminor}/libgstxingmux.so
|
||||||
%{_libdir}/gstreamer-%{majorminor}/libgsty4menc.so
|
%{_libdir}/gstreamer-%{majorminor}/libgsty4menc.so
|
||||||
|
|
||||||
# gstreamer-plugins with external dependencies but in the main package
|
# gstreamer-plugins with external dependencies but in the main package
|
||||||
@ -309,6 +307,14 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
|
||||||
|
- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
|
||||||
|
image tag handling
|
||||||
|
- Resolves: RHEL-19471
|
||||||
|
|
||||||
|
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
|
||||||
|
- Update to 1.22.1
|
||||||
|
|
||||||
* Fri Nov 11 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-6
|
* Fri Nov 11 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-6
|
||||||
- Fixes for CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923,
|
- Fixes for CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923,
|
||||||
CVE-2022-1924, CVE-2022-1925, CVE-2022-2122
|
CVE-2022-1924, CVE-2022-1925, CVE-2022-2122
|
||||||
|
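Review bot: The rebase to 1.22.1 drops Patch1 through Patch4 and their `%patch1` to `%patch4` lines, which the 1.18.4-6 changelog entry ties to CVE-2022-1920 through CVE-2022-1925 and CVE-2022-2122, yet the new entry says only `- Update to 1.22.1`. Presumably the 1.22.1 tarball already contains those fixes, but nothing in the spec records that, so anyone auditing the package has to re-verify it against upstream. I would add a changelog line such as `- Drop CVE-2022-1920..1925 and CVE-2022-2122 patches, fixed upstream in the rebased version` once that is confirmed. Separately, the `%meson` call now passes `-D doc=disabled` twice, because the former `-D gtk_doc=disabled` line was rewritten to an option already given two lines above; one of the two can go.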