
No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

13 changed files with 660 additions and 234 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/gst-plugins-good-1.22.1.tar.xz
SOURCES/gst-plugins-good-1.16.1.tar.xz


@ -1 +1 @@
4c8346aa97ca82f88b988471781f6b18b4e5642c SOURCES/gst-plugins-good-1.22.1.tar.xz
2b88a2d36bc53bed1b06c359ed676ec8b8675d5c SOURCES/gst-plugins-good-1.16.1.tar.xz


@ -0,0 +1,201 @@
From fff62c8b65cd18e2673944a2a9c95520e7b5ddf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 4 Mar 2021 13:05:19 +0200
Subject: [PATCH 1/9] matroskademux: Fix extraction of multichannel WavPack
The old code had a couple of issues that all lead to potential memory
safety bugs.
- Use a constant for the Wavpack4Header size instead of using sizeof.
It's written out into the data and not from the struct and who knows
what special alignment/padding requirements some C compilers have.
- gst_buffer_set_size() does not realloc the buffer when setting a
bigger size than allocated, it only allows growing up to the maximum
allocated size. Instead use a GstAdapter to collect all the blocks
and take out everything at once in the end.
- Check that enough data is actually available in the input and
otherwise handle it an error in all cases instead of silently
ignoring it.
Among other things this fixes out of bounds writes because the code
assumed gst_buffer_set_size() can grow the buffer and simply wrote after
the end of the buffer.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/904>
---
gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
gst/matroska/matroska-ids.h | 2 +
2 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index b2cd9b5d4..5e724c8e0 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3704,6 +3704,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint32 block_samples, tmp;
gsize size = gst_buffer_get_size (*buf);
+ if (size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ return GST_FLOW_ERROR;
+ }
+
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
block_samples = GUINT32_FROM_LE (tmp);
/* we need to reconstruct the header of the wavpack block */
@@ -3711,10 +3717,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
/* -20 because ck_size is the size of the wavpack block -8
* and lace_size is the size of the wavpack block + 12
* (the three guint32 of the header that already are in the buffer) */
- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
+ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
/* block_samples, flags and crc are already in the buffer */
- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
+ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
data = outmap.data;
@@ -3739,9 +3745,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
audiocontext->wvpk_block_index += block_samples;
} else {
guint8 *outdata = NULL;
- guint outpos = 0;
- gsize buf_size, size, out_size = 0;
+ gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
gst_buffer_map (*buf, &map, GST_MAP_READ);
buf_data = map.data;
@@ -3750,6 +3758,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (buf_size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
return GST_FLOW_ERROR;
}
@@ -3771,59 +3780,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- if (blocksize == 0 || size < blocksize)
- break;
-
- g_assert ((newbuf == NULL) == (outdata == NULL));
+ if (blocksize == 0 || size < blocksize) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
- if (newbuf == NULL) {
- out_size = sizeof (Wavpack4Header) + blocksize;
- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
+ g_assert (newbuf == NULL);
- gst_buffer_copy_into (newbuf, *buf,
- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ newbuf =
+ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
+ NULL);
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ outdata = outmap.data;
+
+ outdata[0] = 'w';
+ outdata[1] = 'v';
+ outdata[2] = 'p';
+ outdata[3] = 'k';
+ outdata += 4;
+
+ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
+ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
+ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
+ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
+ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
+ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
+ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
+ GST_WRITE_UINT32_LE (outdata + 20, flags);
+ GST_WRITE_UINT32_LE (outdata + 24, crc);
+ outdata += 28;
+
+ memcpy (outdata, data, blocksize);
- outpos = 0;
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- } else {
- gst_buffer_unmap (newbuf, &outmap);
- out_size += sizeof (Wavpack4Header) + blocksize;
- gst_buffer_set_size (newbuf, out_size);
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- }
+ gst_buffer_unmap (newbuf, &outmap);
+ gst_adapter_push (adapter, newbuf);
+ newbuf = NULL;
- outdata[outpos] = 'w';
- outdata[outpos + 1] = 'v';
- outdata[outpos + 2] = 'p';
- outdata[outpos + 3] = 'k';
- outpos += 4;
-
- GST_WRITE_UINT32_LE (outdata + outpos,
- blocksize + sizeof (Wavpack4Header) - 8);
- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
- outpos += 28;
-
- memmove (outdata + outpos, data, blocksize);
- outpos += blocksize;
data += blocksize;
size -= blocksize;
}
gst_buffer_unmap (*buf, &map);
- gst_buffer_unref (*buf);
- if (newbuf)
- gst_buffer_unmap (newbuf, &outmap);
+ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
+ g_object_unref (adapter);
+ gst_buffer_copy_into (newbuf, *buf,
+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ gst_buffer_unref (*buf);
*buf = newbuf;
+
audiocontext->wvpk_block_index += block_samples;
}
diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
index 9b263d8a1..a0d68343f 100644
--- a/gst/matroska/matroska-ids.h
+++ b/gst/matroska/matroska-ids.h
@@ -667,6 +667,8 @@ typedef struct _Wavpack4Header {
guint32 crc; /* crc for actual decoded data */
} Wavpack4Header;
+#define WAVPACK4_HEADER_SIZE (32)
+
typedef enum {
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
--
2.47.0
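Review bot: In the multichannel branch of gst_matroska_demux_add_wvpk_header, the result of `gst_adapter_take_buffer (adapter, gst_adapter_available (adapter))` goes straight into `gst_buffer_copy_into ()` with no NULL check. If the block loop (its condition is outside these hunks) pushes nothing, the adapter is empty and the request is for zero bytes, for which I would expect gst_adapter_take_buffer() to return NULL; that should be confirmed against the GstAdapter documentation. Rejecting an empty adapter before the take would match the other "Too small wavpack buffer" error paths this patch adds.

```c
    gst_buffer_unmap (*buf, &map);

    if (gst_adapter_available (adapter) == 0) {
      GST_ERROR_OBJECT (element, "Too small wavpack buffer");
      g_object_unref (adapter);
      return GST_FLOW_ERROR;
    }
    /* … unchanged: gst_adapter_take_buffer, gst_buffer_copy_into, gst_buffer_unref … */
```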


@ -0,0 +1,38 @@
From a88489c4bc2a807912a12398c04c0fc8579037df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:31:52 +0200
Subject: [PATCH 2/9] matroskademux: Initialize track context out parameter to
NULL before parsing
Various error return paths don't set it to NULL and callers are only
checking if the pointer is NULL. As it's allocated on the stack this
usually contains random stack memory, and more often than not the memory
of a previously parsed track.
This then causes all kinds of memory corruptions further down the line.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/904>
---
gst/matroska/matroska-demux.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 5e724c8e0..f890ae611 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -660,6 +660,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ *dest_context = NULL;
+
/* start with the master */
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
--
2.47.0


@ -1,8 +1,8 @@
From cf36c771ea7f4e42603c2b5880432bc8c7d3dff1 Mon Sep 17 00:00:00 2001
From 2150d2ade8bd5949fa18fcc75b78016e3becc92b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 13:20:16 +0300
Subject: [PATCH] flacparse: Avoid integer overflow in available data check for
image tags
Subject: [PATCH 3/9] flacparse: Avoid integer overflow in available data check
for image tags
If the image length as stored in the file is some bogus integer then
adding it to the current byte readers position can overflow and wrongly
@ -16,14 +16,14 @@ Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
---
.../gst-plugins-good/gst/audioparsers/gstflacparse.c | 6 +++---
gst/audioparsers/gstflacparse.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
index a53b7ebc77..8ee450c65a 100644
--- a/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
+++ b/subprojects/gst-plugins-good/gst/audioparsers/gstflacparse.c
@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
index 2758d4cfc..cd5a48bee 100644
--- a/gst/audioparsers/gstflacparse.c
+++ b/gst/audioparsers/gstflacparse.c
@@ -1109,6 +1109,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
GstMapInfo map;
guint32 img_len = 0, img_type = 0;
guint32 img_mimetype_len = 0, img_description_len = 0;
@ -31,7 +31,7 @@ index a53b7ebc77..8ee450c65a 100644
gst_buffer_map (buffer, &map, GST_MAP_READ);
gst_byte_reader_init (&reader, map.data, map.size);
@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
@@ -1135,7 +1136,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
goto error;
@ -40,7 +40,7 @@ index a53b7ebc77..8ee450c65a 100644
goto error;
GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
@@ -1144,8 +1145,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
if (flacparse->tags == NULL)
flacparse->tags = gst_tag_list_new_empty ();
@ -51,5 +51,5 @@ index a53b7ebc77..8ee450c65a 100644
gst_buffer_unmap (buffer, &map);
--
2.43.0
2.47.0


@ -0,0 +1,41 @@
From f0007ee8579f97999d69bbc6d7f9ac166a06fddb Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:45:27 +0100
Subject: [PATCH 4/9] qtdemux: Avoid integer overflow when parsing Theora
extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8094>
---
gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index ad07c1e36..229edb3e5 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7816,7 +7816,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -7824,7 +7824,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
2.47.0
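Review bot: The new bounds test `end - buf < size` in qtdemux_parse_theora_extension compares a signed pointer difference with a `guint32`, and it is sound only because the enclosing `while (buf < end)` keeps that difference positive. Nothing in the hunk records this, nor why 8 is the lower bound. I would add above the check `/* buf < end holds here, so end - buf is positive; size presumably counts the 8 header bytes skipped below */`. The rest of the loop body is outside the hunk, so the meaning of `size` should be confirmed against the code that advances `buf`.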


@ -0,0 +1,49 @@
From 8d4c79e61a62245dc6a499b0a439317bb37d0508 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:47:09 +0100
Subject: [PATCH 5/9] gdkpixbufdec: Check if initializing the video info
actually succeeded
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
mapped.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-118
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8103>
---
ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
index c119236a8..c0ecb3a08 100644
--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
+++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
@@ -318,7 +318,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
gst_video_info_init (&info);
- gst_video_info_set_format (&info, fmt, width, height);
+ if (!gst_video_info_set_format (&info, fmt, width, height))
+ goto format_not_supported;
info.fps_n = filter->in_fps_n;
info.fps_d = filter->in_fps_d;
caps = gst_video_info_to_caps (&info);
@@ -379,6 +380,12 @@ channels_not_supported:
("%d channels not supported", n_channels));
return GST_FLOW_ERROR;
}
+format_not_supported:
+ {
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
+ ("%d channels with %dx%d not supported", n_channels, width, height));
+ return GST_FLOW_ERROR;
+ }
no_buffer:
{
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
--
2.47.0


@ -0,0 +1,52 @@
From c7f995f1030efb3281faa72a1a8827969f3591bc Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:48:03 +0100
Subject: [PATCH 6/9] matroskademux: Only unmap GstMapInfo in WavPack header
extraction error paths if previously mapped
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-197
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index f890ae611..2db68bc1f 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3687,7 +3687,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
GstMatroskaTrackAudioContext *audiocontext =
(GstMatroskaTrackAudioContext *) stream;
GstBuffer *newbuf = NULL;
- GstMapInfo map, outmap;
guint8 *buf_data, *data;
Wavpack4Header wvh;
@@ -3704,11 +3703,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (audiocontext->channels <= 2) {
guint32 block_samples, tmp;
+ GstMapInfo outmap;
gsize size = gst_buffer_get_size (*buf);
if (size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
- gst_buffer_unmap (*buf, &map);
return GST_FLOW_ERROR;
}
@@ -3746,6 +3745,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
*buf = newbuf;
audiocontext->wvpk_block_index += block_samples;
} else {
+ GstMapInfo map, outmap;
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
--
2.47.0


@ -0,0 +1,27 @@
From 5d1ac58fa39a4e8e1cb0545c44aae69f71099f27 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:04 +0100
Subject: [PATCH 7/9] matroskademux: Fix off-by-one when parsing multi-channel
WavPack
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 2db68bc1f..0466c9a6b 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3771,7 +3771,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- while (size > 12) {
+ while (size >= 12) {
flags = GST_READ_UINT32_LE (data);
data += 4;
size -= 4;
--
2.47.0
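Review bot: The loop bound `size >= 12` is a bare literal, and the commit message does not say where 12 comes from. Only the 4-byte `flags` read is visible in this hunk and the loop body continues outside it, so the following is inferred: a comment such as `/* flags, crc and blocksize: three guint32 per block */`, or a named constant next to `WAVPACK4_HEADER_SIZE`, would tie the bound to the fields it guards. A tail of 1 to 11 bytes still appears to leave the loop silently rather than being reported as an error, which is worth a sentence in the comment if that is intended.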


@ -0,0 +1,59 @@
From f3358d7e6fb9540e45f1cde0378e94482846f216 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:49:37 +0100
Subject: [PATCH 8/9] qtdemux: Fix integer overflow when allocating the samples
table for fragmented MP4
This can lead to out of bounds writes and NULL pointer dereferences.
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 229edb3e5..a37c92933 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3327,6 +3327,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint i;
guint8 *data;
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+ guint new_n_samples;
QtDemuxSample *sample;
gboolean ismv = FALSE;
gint64 initial_offset;
@@ -3426,14 +3427,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
goto fail;
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
- if (stream->n_samples + samples_count >=
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
goto index_too_big;
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
- (stream->n_samples + samples_count) *
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+ new_n_samples, (guint) sizeof (QtDemuxSample),
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
/* create a new array of samples if it's the first sample parsed */
if (stream->n_samples == 0) {
@@ -3442,7 +3442,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* or try to reallocate it with space enough to insert the new samples */
} else
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
- stream->n_samples + samples_count);
+ new_n_samples);
if (stream->samples == NULL)
goto out_of_memory;
--
2.47.0
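Review bot: In qtdemux_parse_trun the `g_try_renew ()` result is still assigned directly to `stream->samples`, so a failed reallocation overwrites the only pointer to the existing table with NULL before `goto out_of_memory`. That label is outside the hunk, but unless it resets `stream->n_samples`, the stream is left with a non-zero sample count and a NULL table, and the old allocation is leaked. Holding the result in a local and committing it only on success avoids both: `new_samples = g_try_renew (QtDemuxSample, stream->samples, new_n_samples);` then `if (new_samples == NULL) goto out_of_memory;` and `stream->samples = new_samples;`.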


@ -0,0 +1,40 @@
From 6b751c71eb130f2c69eeacf5f47e0d6de639dc78 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 16 Dec 2024 11:52:04 +0100
Subject: [PATCH 9/9] qtdemux: Make sure only an even number of bytes is
processed when handling CEA608 data
An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.
Strip off any leftover bytes and assume everything before that is valid.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index a37c92933..8336ff302 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -5612,6 +5612,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
guint8 *storage;
gsize i;
+ /* Strip off any leftover odd bytes and assume everything before is valid */
+ if (ccpair_size % 2 != 0) {
+ ccpair_size -= 1;
+ }
+
/* We are converting from pairs to triplets */
*res = ccpair_size / 2 * 3;
storage = g_malloc (*res);
--
2.47.0
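Review bot: When `ccpair_size` is 1, the added stripping in convert_to_s334_1a reduces it to 0, so `*res` becomes 0 and `g_malloc (0)` returns NULL. The callers are outside the hunk; if they do not treat a NULL result with zero length as "no data", this input still ends in a NULL buffer being used. An explicit early return would make the contract visible, for example `if (ccpair_size < 2) { *res = 0; return NULL; }`, together with a line in the function comment saying that NULL can be returned.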


@ -1,40 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2013 Richard Hughes <richard@hughsie.com> -->
<component type="codec">
<id>gstreamer-good</id>
<metadata_license>CC0-1.0</metadata_license>
<name>GStreamer Multimedia Codecs</name>
<summary>Multimedia playback for APE, AVI, DV, FLAC, FLX, Flash, MKV, MP4, Speex, VP8, VP9 and WAV</summary>
<description>
<p>
This addon includes several good quality codecs that are well tested.
These codecs can be used to encode and decode media files where the
format is not patent encumbered.
</p>
<p>
A codec decodes audio and video for for playback or editing and is also
used for transmission or storage.
Different codecs are used in video-conferencing, streaming media and
video editing applications.
</p>
</description>
<keywords>
<keyword>APE</keyword>
<keyword>AVI</keyword>
<keyword>DV</keyword>
<keyword>FLAC</keyword>
<keyword>FLX</keyword>
<keyword>Flash</keyword>
<keyword>MKV</keyword>
<keyword>MP4</keyword>
<keyword>Speex</keyword>
<keyword>VP8</keyword>
<keyword>VP9</keyword>
<keyword>WAV</keyword>
</keywords>
<url type="homepage">http://gstreamer.freedesktop.org/</url>
<url type="bugtracker">https://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer</url>
<url type="donation">http://www.gnome.org/friends/</url>
<url type="help">http://gstreamer.freedesktop.org/documentation/</url>
<update_contact><!-- upstream-contact_at_email.com --></update_contact>
</component>


@ -1,23 +1,21 @@
%global majorminor 1.0
# Only build extras on fedora
# Only build extras on Fedora
%if 0%{?fedora}
%bcond_without extras
%bcond_without nasm
%bcond_without qt
%else
%bcond_with extras
%bcond_with nasm
%bcond_with qt
%endif
%bcond_without qt
#global gitrel 140
#global gitcommit 9865730cfa5b3a8b2560d082e7e56b350042d3d2
#global shortcommit %(c=%{gitcommit}; echo ${c:0:5})
Name: gstreamer1-plugins-good
Version: 1.22.1
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
Version: 1.16.1
Release: 5%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
@ -31,15 +29,16 @@ Source0: gst-plugins-good-%{version}.tar.xz
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
%endif
# Register as an AppStream component to be visible in the software center
# NOTE: It would be *awesome* if this file was maintained by the upstream
# project, translated and installed into the right place during `make install`.
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
Source1: gstreamer-good.appdata.xml
Patch0: 0001-matroskademux-Fix-extraction-of-multichannel-WavPack.patch
Patch1: 0002-matroskademux-Initialize-track-context-out-parameter.patch
Patch2: 0003-flacparse-Avoid-integer-overflow-in-available-data-c.patch
Patch3: 0004-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
Patch4: 0005-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
Patch5: 0006-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
Patch6: 0007-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
Patch7: 0008-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
Patch8: 0009-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
Patch0: 0001-flacparse-Avoid-integer-overflow-in-available-data-c.patch
BuildRequires: meson >= 0.48.0
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version}
@ -72,26 +71,32 @@ BuildRequires: mesa-libEGL-devel
BuildRequires: lame-devel
BuildRequires: mpg123-devel
BuildRequires: twolame-devel
%if %{with nasm}
BuildRequires: nasm
%endif
BuildRequires: libgudev-devel
# extras
%if %{with extras}
BuildRequires: jack-audio-connection-kit-devel
%ifnarch s390 s390x
BuildRequires: libavc1394-devel
BuildRequires: libdv-devel
BuildRequires: libiec61883-devel
BuildRequires: libraw1394-devel
%endif
# extras
%if %{with extras}
BuildRequires: jack-audio-connection-kit-devel
%endif
# documentation
%if ! 0%{?flatpak}
BuildRequires: gtk-doc
%endif
BuildRequires: python3-devel
# Obsoletes/Provides moved from plugins-bad-free
Obsoletes: gstreamer1-plugin-mpg123 < 1.13.1
Provides: gstreamer1-plugin-mpg123 = %{version}-%{release}
# mpg123, lame, twolame were moved -> conflict old package version
Conflicts: gstreamer1-plugins-ugly-free < 1.13.1
%description
GStreamer is a streaming media framework, based on graphs of filters which
operate on media data. Applications using this library can do anything
@ -144,6 +149,7 @@ good quality and under the LGPL license.
This package (%{name}-qt) contains the qtsink output plugin.
%endif
%if %{with extras}
%package extras
Summary: Extra GStreamer plugins with good code and licensing
@ -165,50 +171,101 @@ to be installed.
%prep
%setup -q -n gst-plugins-good-%{version}
%patch0 -p3
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
%meson \
-D package-name='Fedora GStreamer-plugins-good package' \
-D package-origin='http://download.fedoraproject.org' \
-D doc=disabled \
-D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \
-D doc=disabled \
-D orc=enabled \
-D monoscope=disabled \
-D aalib=disabled \
-D libcaca=disabled \
-D rpicamsrc=disabled \
-D jack=%{?with_extras:enabled}%{!?with_extras:disabled} \
%ifarch s390 s390x
-D dv=disabled -D dv1394=disabled \
%configure --disable-silent-rules --disable-fatal-warnings \
--with-package-name='Fedora GStreamer-plugins-good package' \
--with-package-origin='http://download.fedoraproject.org' \
--enable-experimental \
%if ! 0%{?flatpak}
--enable-gtk-doc \
%endif
--enable-orc \
--disable-monoscope \
--disable-aalib \
--disable-libcaca \
%if %{with extras}
--enable-jack \
%else
-D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \
-D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \
--disable-jack \
%endif
%if 0%{?_module_build} && "%{_module_name}" == "flatpak-runtime"
-D v4l2-gudev=disabled \
%endif
-D qt6=disabled
--with-default-visualizer=autoaudiosink
make %{?_smp_mflags} V=1
%meson_build
%install
%meson_install
make install DESTDIR=$RPM_BUILD_ROOT
install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml
find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
# Register as an AppStream component to be visible in the software center
#
# NOTE: It would be *awesome* if this file was maintained by the upstream
# project, translated and installed into the right place during `make install`.
#
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
#
mkdir -p $RPM_BUILD_ROOT%{_datadir}/appdata
cat > $RPM_BUILD_ROOT%{_datadir}/appdata/gstreamer-good.appdata.xml <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2013 Richard Hughes <richard@hughsie.com> -->
<component type="codec">
<id>gstreamer-good</id>
<metadata_license>CC0-1.0</metadata_license>
<name>GStreamer Multimedia Codecs</name>
<summary>Multimedia playback for APE, AVI, DV, FLAC, FLX, Flash, MKV, MP4, Speex, VP8, VP9 and WAV</summary>
<description>
<p>
This addon includes several good quality codecs that are well tested.
These codecs can be used to encode and decode media files where the
format is not patent encumbered.
</p>
<p>
A codec decodes audio and video for for playback or editing and is also
used for transmission or storage.
Different codecs are used in video-conferencing, streaming media and
video editing applications.
</p>
</description>
<keywords>
<keyword>APE</keyword>
<keyword>AVI</keyword>
<keyword>DV</keyword>
<keyword>FLAC</keyword>
<keyword>FLX</keyword>
<keyword>Flash</keyword>
<keyword>MKV</keyword>
<keyword>MP4</keyword>
<keyword>Speex</keyword>
<keyword>VP8</keyword>
<keyword>VP9</keyword>
<keyword>WAV</keyword>
</keywords>
<url type="homepage">http://gstreamer.freedesktop.org/</url>
<url type="bugtracker">https://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer</url>
<url type="donation">http://www.gnome.org/friends/</url>
<url type="help">http://gstreamer.freedesktop.org/documentation/</url>
<update_contact><!-- upstream-contact_at_email.com --></update_contact>
</component>
EOF
%find_lang gst-plugins-good-%{majorminor}
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%files -f gst-plugins-good-%{majorminor}.lang
%license COPYING
%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS
%{_metainfodir}/gstreamer-good.appdata.xml
%if 0
%doc AUTHORS README REQUIREMENTS
%{_datadir}/appdata/*.appdata.xml
%doc %{_datadir}/gtk-doc/html/gst-plugins-good-plugins-%{majorminor}
%endif
# presets
%dir %{_datadir}/gstreamer-%{majorminor}/presets/
@ -218,7 +275,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_datadir}/gstreamer-%{majorminor}/presets/GstQTMux.prs
# non-core plugins without external dependencies
%{_libdir}/gstreamer-%{majorminor}/libgstadaptivedemux2.so
%{_libdir}/gstreamer-%{majorminor}/libgstalaw.so
%{_libdir}/gstreamer-%{majorminor}/libgstalphacolor.so
%{_libdir}/gstreamer-%{majorminor}/libgstalpha.so
@ -264,7 +320,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_libdir}/gstreamer-%{majorminor}/libgstwavenc.so
%{_libdir}/gstreamer-%{majorminor}/libgstwavparse.so
%{_libdir}/gstreamer-%{majorminor}/libgstximagesrc.so
%{_libdir}/gstreamer-%{majorminor}/libgstxingmux.so
%{_libdir}/gstreamer-%{majorminor}/libgsty4menc.so
# gstreamer-plugins with external dependencies but in the main package
@ -287,156 +342,60 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_libdir}/gstreamer-%{majorminor}/libgstmpg123.so
%{_libdir}/gstreamer-%{majorminor}/libgsttwolame.so
%ifnarch s390 s390x
%{_libdir}/gstreamer-%{majorminor}/libgstdv.so
%{_libdir}/gstreamer-%{majorminor}/libgst1394.so
%endif
%files gtk
# Plugins with external dependencies
%{_libdir}/gstreamer-%{majorminor}/libgstgtk.so
%if %{with qt}
%files qt
%{_libdir}/gstreamer-%{majorminor}/libgstqmlgl.so
%endif
%if %{with extras}
%files extras
# Plugins with external dependencies
%{_libdir}/gstreamer-%{majorminor}/libgstjack.so
%ifnarch s390 s390x
%{_libdir}/gstreamer-%{majorminor}/libgstdv.so
%{_libdir}/gstreamer-%{majorminor}/libgst1394.so
%endif
%endif
%changelog
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.22.1-2
- CVE-2023-37327: integer overflow leading to heap overwrite in FLAC
image tag handling
- Resolves: RHEL-19471
* Mon Dec 16 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
- CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606,
CVE-2024-47613
Resolves: RHEL-70949, RHEL-70962, RHEL-70936, RHEL-71022
Resolves: RHEL-70998
* Thu Apr 13 2023 Wim Taymans <wtaymans@redhat.com> - 1.22.1-1
- Update to 1.22.1
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- CVE-2023-37327: integer overflow leading to heap overwrite in
FLAC image tag handling
- Resolves: RHEL-19469
* Fri Nov 11 2022 Wim Taymans <wtaymans@redhat.com> - 1.18.4-6
- Fixes for CVE-2022-1920, CVE-2022-1921, CVE-2022-1922, CVE-2022-1923,
CVE-2022-1924, CVE-2022-1925, CVE-2022-2122
Resolves: rhbz#2131034, rhbz#2131039, rhbz#2131045, rhbz#2131049,
rhbz#2131054, rhbz#2131060, rhbz#2131064
* Thu Jul 14 2022 Wim Taymans <wtaymans@redhat.com> - 1.16.1-3
- Add patches for matroskademux. CVE-2021-3497
- Resolves: rhbz#1948942
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.18.4-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Dec 9 2020 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
- Suppress documentation in Flatpak builds
- Resolves: rhbz#1895938
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 1.18.4-4
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri May 14 2021 Wim Taymans <wtaymans@redhat.com> - 1.18.4-3
- Move libdv and friends to extras
- Resolves: rhbz#1960634
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.18.4-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 16 2021 Wim Taymans <wtaymans@redhat.com> - 1.18.4-1
- Update to 1.18.4
* Tue Feb 23 2021 Wim Taymans <wtaymans@redhat.com> - 1.18.2-3
- use only nasm on fedora
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.18.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Dec 10 2020 Wim Taymans <wtaymans@redhat.com> - 1.18.2-1
- Update to 1.18.2
* Fri Oct 30 2020 Wim Taymans <wtaymans@redhat.com> - 1.18.1-1
- Update to 1.18.1
* Wed Oct 28 2020 Jeff Law <law@redhat.com> - 1.18.0-2
- Fix bogus use of volatile diagnosed by gcc-11
* Tue Sep 8 2020 Wim Taymans <wtaymans@redhat.com> - 1.18.0-1
- Update to 1.18.0
* Fri Aug 21 2020 Wim Taymans <wtaymans@redhat.com> - 1.17.90-1
- Update to 1.17.90
- disable rpicamsrc
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 6 2020 Wim Taymans <wtaymans@redhat.com> - 1.17.2-1
- Update to 1.17.2
* Mon Jun 22 2020 Wim Taymans <wtaymans@redhat.com> - 1.17.1-1
- Update to 1.17.1
- disable dv and 1394 on s390
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 2 2020 Wim Taymans <wtaymans@redhat.com> - 1.16.2-1
- Update to 1.16.2
* Fri Sep 27 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-2
- Enable cairo plugins. (rhbz#1737254)
* Tue Sep 24 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
* Thu Nov 14 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.1-1
- Update to 1.16.1
- enable cairo plugins
- Resolves: rhbz#1756299
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jul 17 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.0-4
- Only build extras on Fedora
* Tue Apr 23 2019 Wim Taymans <wtaymans@redhat.com> - 1.16.0-1
- Update to 1.16.0
* Tue Jul 17 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.0-3
- Conflict old package after move of mp3 plugins (#1578420)
* Thu Mar 07 2019 Rex Dieter <rdieter@fedoraproject.org> - 1.15.2-3
- -qt: fix Supplements
* Thu Mar 07 2019 Rex Dieter <rdieter@fedoraproject.org> - 1.15.2-2
- -qt subpkg
* Fri Mar 01 2019 Wim Taymans <wtaymans@redhat.com> - 1.15.2-1
- Update to 1.15.2
* Tue Feb 05 2019 Björn Esser <besser82@fedoraproject.org> - 1.15.1-3
- rebuilt (libvpx)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.15.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Wim Taymans <wtaymans@redhat.com> - 1.15.1-1
- Update to 1.15.1
* Wed Oct 03 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.4-1
- Update to 1.14.4
* Tue Sep 18 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.3-1
- Update to 1.14.3
* Mon Jul 23 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.2-1
- Update to 1.14.2
* Fri Jul 20 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.1-5
- Add c++ buildrequires
- Only build extras on fedora
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri May 25 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.1-3
- Rebuild to correct Provides (#1581325)
- Remove check line that was added for testing
* Tue May 22 2018 Rex Dieter <rdieter@fedoraproject.org> - 1.14.1-2
- use %%make_build %%make_install %%_metainfodir
- %%build: --disable-qt (for now)
* Mon May 21 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.1-1
- Update to 1.14.1
* Fri Mar 23 2018 Iryna Shcherbina <ishcherb@redhat.com> - 1.14.0-2
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Jun 29 2018 Charalampos Stratakis <cstratak@redhat.com> - 1.14.0-2
- Use Python 3 for docs generation
* Tue Mar 20 2018 Wim Taymans <wtaymans@redhat.com> - 1.14.0-1
- Update to 1.14.0