Compare commits

..

No commits in common. "c8-beta" and "c8" have entirely different histories.
c8-beta ... c8

10 changed files with 307 additions and 21 deletions

View File

@ -1,7 +1,7 @@
From 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee Mon Sep 17 00:00:00 2001
From fff62c8b65cd18e2673944a2a9c95520e7b5ddf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 4 Mar 2021 13:05:19 +0200
Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
Subject: [PATCH 1/9] matroskademux: Fix extraction of multichannel WavPack
The old code had a couple of issues that all lead to potential memory
safety bugs.
@ -32,10 +32,10 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
2 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 4eb3d2a9f..f890ae611 100644
index b2cd9b5d4..5e724c8e0 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3706,6 +3706,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
@@ -3704,6 +3704,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint32 block_samples, tmp;
gsize size = gst_buffer_get_size (*buf);
@ -48,7 +48,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
block_samples = GUINT32_FROM_LE (tmp);
/* we need to reconstruct the header of the wavpack block */
@@ -3713,10 +3719,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
@@ -3711,10 +3717,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
/* -20 because ck_size is the size of the wavpack block -8
* and lace_size is the size of the wavpack block + 12
* (the three guint32 of the header that already are in the buffer) */
@ -61,7 +61,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
data = outmap.data;
@@ -3741,9 +3747,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
@@ -3739,9 +3745,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
audiocontext->wvpk_block_index += block_samples;
} else {
guint8 *outdata = NULL;
@ -75,7 +75,7 @@ index 4eb3d2a9f..f890ae611 100644
gst_buffer_map (*buf, &map, GST_MAP_READ);
buf_data = map.data;
@@ -3752,6 +3760,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
@@ -3750,6 +3758,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (buf_size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
gst_buffer_unmap (*buf, &map);
@ -83,7 +83,7 @@ index 4eb3d2a9f..f890ae611 100644
return GST_FLOW_ERROR;
}
@@ -3773,59 +3782,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
@@ -3771,59 +3780,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
@ -197,5 +197,5 @@ index 9b263d8a1..a0d68343f 100644
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
--
GitLab
2.47.0

View File

@ -1,8 +1,8 @@
From d62cecf193d6bf3b16fe91d725f4514161f602c3 Mon Sep 17 00:00:00 2001
From a88489c4bc2a807912a12398c04c0fc8579037df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:31:52 +0200
Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
before parsing
Subject: [PATCH 2/9] matroskademux: Initialize track context out parameter to
NULL before parsing
Various error return paths don't set it to NULL and callers are only
checking if the pointer is NULL. As it's allocated on the stack this
@ -21,7 +21,7 @@ Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requ
1 file changed, 2 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index b2cd9b5d4..4eb3d2a9f 100644
index 5e724c8e0..f890ae611 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
@ -34,5 +34,5 @@ index b2cd9b5d4..4eb3d2a9f 100644
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
--
GitLab
2.47.0

View File

@ -1,8 +1,8 @@
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
image tags
Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check
for image tags
If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly
@ -51,5 +51,5 @@ index 2758d4cfc..cd5a48bee 100644
gst_buffer_unmap (buffer, &map);
--
2.43.0
2.47.0

View File

@ -0,0 +1,41 @@
From f0007ee8579f97999d69bbc6d7f9ac166a06fddb Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:45:27 +0100
Subject: [PATCH 4/9] qtdemux: Avoid integer overflow when parsing Theora
extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
---
gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index ad07c1e36..229edb3e5 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7816,7 +7816,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -7824,7 +7824,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
2.47.0

View File

@ -0,0 +1,49 @@
From 8d4c79e61a62245dc6a499b0a439317bb37d0508 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:47:09 +0100
Subject: [PATCH 5/9] gdkpixbufdec: Check if initializing the video info
actually succeeded
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
mapped.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-118
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8103>
---
ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
index c119236a8..c0ecb3a08 100644
--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
+++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
@@ -318,7 +318,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
gst_video_info_init (&info);
- gst_video_info_set_format (&info, fmt, width, height);
+ if (!gst_video_info_set_format (&info, fmt, width, height))
+ goto format_not_supported;
info.fps_n = filter->in_fps_n;
info.fps_d = filter->in_fps_d;
caps = gst_video_info_to_caps (&info);
@@ -379,6 +380,12 @@ channels_not_supported:
("%d channels not supported", n_channels));
return GST_FLOW_ERROR;
}
+format_not_supported:
+ {
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
+ ("%d channels with %dx%d not supported", n_channels, width, height));
+ return GST_FLOW_ERROR;
+ }
no_buffer:
{
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
--
2.47.0

View File

@ -0,0 +1,52 @@
From c7f995f1030efb3281faa72a1a8827969f3591bc Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:48:03 +0100
Subject: [PATCH 6/9] matroskademux: Only unmap GstMapInfo in WavPack header
extraction error paths if previously mapped
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-197
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index f890ae611..2db68bc1f 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3687,7 +3687,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
GstMatroskaTrackAudioContext *audiocontext =
(GstMatroskaTrackAudioContext *) stream;
GstBuffer *newbuf = NULL;
- GstMapInfo map, outmap;
guint8 *buf_data, *data;
Wavpack4Header wvh;
@@ -3704,11 +3703,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (audiocontext->channels <= 2) {
guint32 block_samples, tmp;
+ GstMapInfo outmap;
gsize size = gst_buffer_get_size (*buf);
if (size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
- gst_buffer_unmap (*buf, &map);
return GST_FLOW_ERROR;
}
@@ -3746,6 +3745,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
*buf = newbuf;
audiocontext->wvpk_block_index += block_samples;
} else {
+ GstMapInfo map, outmap;
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
--
2.47.0

View File

@ -0,0 +1,27 @@
From 5d1ac58fa39a4e8e1cb0545c44aae69f71099f27 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:04 +0100
Subject: [PATCH 7/9] matroskademux: Fix off-by-one when parsing multi-channel
WavPack
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 2db68bc1f..0466c9a6b 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3771,7 +3771,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- while (size > 12) {
+ while (size >= 12) {
flags = GST_READ_UINT32_LE (data);
data += 4;
size -= 4;
--
2.47.0

View File

@ -0,0 +1,59 @@
From f3358d7e6fb9540e45f1cde0378e94482846f216 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:37 +0100
Subject: [PATCH 8/9] qtdemux: Fix integer overflow when allocating the samples
table for fragmented MP4
This can lead to out of bounds writes and NULL pointer dereferences.
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 229edb3e5..a37c92933 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3327,6 +3327,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint i;
guint8 *data;
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+ guint new_n_samples;
QtDemuxSample *sample;
gboolean ismv = FALSE;
gint64 initial_offset;
@@ -3426,14 +3427,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
goto fail;
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
- if (stream->n_samples + samples_count >=
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
goto index_too_big;
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
- (stream->n_samples + samples_count) *
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+ new_n_samples, (guint) sizeof (QtDemuxSample),
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
/* create a new array of samples if it's the first sample parsed */
if (stream->n_samples == 0) {
@@ -3442,7 +3442,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* or try to reallocate it with space enough to insert the new samples */
} else
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
- stream->n_samples + samples_count);
+ new_n_samples);
if (stream->samples == NULL)
goto out_of_memory;
--
2.47.0

View File

@ -0,0 +1,40 @@
From 6b751c71eb130f2c69eeacf5f47e0d6de639dc78 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:52:04 +0100
Subject: [PATCH 9/9] qtdemux: Make sure only an even number of bytes is
processed when handling CEA608 data
An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.
Strip off any leftover bytes and assume everything before that is valid.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index a37c92933..8336ff302 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -5612,6 +5612,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
guint8 *storage;
gsize i;
+ /* Strip off any leftover odd bytes and assume everything before is valid */
+ if (ccpair_size % 2 != 0) {
+ ccpair_size -= 1;
+ }
+
/* We are converting from pairs to triplets */
*res = ccpair_size / 2 * 3;
storage = g_malloc (*res);
--
2.47.0

View File

@ -15,7 +15,7 @@
Name: gstreamer1-plugins-good
Version: 1.16.1
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
@ -29,9 +29,15 @@ Source0: gst-plugins-good-%{version}.tar.xz
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
%endif
Patch0: d62cecf193d6bf3b16fe91d725f4514161f602c3.patch
Patch1: 9efd93e20dd7789e4172ad6c8f4108271b3fb1ee.patch
Patch2: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Patch0: 0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch
Patch1: 0002-matroskademux-Initialize-track-context-out-parameter.patch
Patch2: 0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Patch3: 0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
Patch4: 0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
Patch5: 0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
BuildRequires: gcc
BuildRequires: gcc-c++
@ -168,6 +174,12 @@ to be installed.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
%configure --disable-silent-rules --disable-fatal-warnings \
@ -352,6 +364,12 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%changelog
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
CVE-2024-47613
Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022
Resolves: RHEL-70998
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- CVE-2023-37327: integer overflow leading to heap overwrite in
FLAC image tag handling