!25 Update to 1.20.3

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
openeuler-ci-bot 2023-11-02 07:16:07 +00:00 committed by Gitee
commit 1ecc8fad75
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
9 changed files with 130 additions and 674 deletions


@ -1,54 +0,0 @@
From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 10:23:15 +0300
Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
corruption in WavPack header handling code
blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
results in allocating a very small buffer. Into that buffer blocksize
data is memcpy'd later which then causes out of bound writes and can
potentially lead to anything from crashes to remote code execution.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1920
https://gstreamer.freedesktop.org/security/sa-2022-0004.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
---
gst/matroska/matroska-demux.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 64cc6be60be..01d754c3eb9 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
} else {
guint8 *outdata = NULL;
gsize buf_size, size;
- guint32 block_samples, flags, crc, blocksize;
+ guint32 block_samples, flags, crc;
+ gsize blocksize;
GstAdapter *adapter;
adapter = gst_adapter_new ();
@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
return GST_FLOW_ERROR;
}
+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
+
g_assert (newbuf == NULL);
newbuf =
--
GitLab


@ -1,64 +0,0 @@
From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 12:00:48 +0300
Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
in DIB buffer inversion code
Check that width*bpp/8 doesn't overflow a guint and also that
height*stride fits into the provided buffer without overflowing.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1921
See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
---
gst/avi/gstavidemux.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index eafe865494c..0d18a6495c7 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
static GstBuffer *
gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
{
- gint y, w, h;
- gint bpp, stride;
+ guint y, w, h;
+ guint bpp, stride;
guint8 *tmp = NULL;
GstMapInfo map;
guint32 fourcc;
@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
h = stream->strf.vids->height;
w = stream->strf.vids->width;
bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
+
+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
+ GST_WARNING ("Width x stride overflows");
+ return buf;
+ }
+
+ if (w == 0 || h == 0) {
+ GST_WARNING ("Zero width or height");
+ return buf;
+ }
+
stride = GST_ROUND_UP_4 (w * (bpp / 8));
buf = gst_buffer_make_writable (buf);
gst_buffer_map (buf, &map, GST_MAP_READWRITE);
- if (map.size < (stride * h)) {
+ if (map.size < ((guint64) stride * (guint64) h)) {
GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
gst_buffer_unmap (buf, &map);
return buf;
--
GitLab


@ -1,208 +0,0 @@
From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 18 May 2022 11:24:37 +0300
Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
decompression code
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 120MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib/bz2 decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
https://gstreamer.freedesktop.org/security/sa-2022-0002.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
---
gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
1 file changed, 61 insertions(+), 15 deletions(-)
diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
index eb317644cc5..6fadbba9567 100644
--- a/gst/matroska/matroska-read-common.c
+++ b/gst/matroska/matroska-read-common.c
@@ -70,6 +70,10 @@ typedef struct
gboolean audio_only;
} TargetTypeContext;
+/* 120MB as maximum decompressed data size. Anything bigger is likely
+ * pathological, and like this we avoid out of memory situations in many cases
+ */
+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
static gboolean
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
GstMatroskaTrackCompressionAlgorithm algo)
{
guint8 *new_data = NULL;
- guint new_size = 0;
+ gsize new_size = 0;
guint8 *data = *data_out;
- guint size = *size_out;
+ const gsize size = *size_out;
gboolean ret = TRUE;
+ if (size > G_MAXUINT32) {
+ GST_WARNING ("too large compressed data buffer.");
+ ret = FALSE;
+ goto out;
+ }
+
if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
#ifdef HAVE_ZLIB
/* zlib encoded data */
z_stream zstream;
- guint orig_size;
int result;
- orig_size = size;
zstream.zalloc = (alloc_func) 0;
zstream.zfree = (free_func) 0;
zstream.opaque = (voidpf) 0;
@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
goto out;
}
zstream.next_in = (Bytef *) data;
- zstream.avail_in = orig_size;
- new_size = orig_size;
+ zstream.avail_in = size;
+ new_size = size;
new_data = g_malloc (new_size);
zstream.avail_out = new_size;
zstream.next_out = (Bytef *) new_data;
@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
break;
}
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = Z_MEM_ERROR;
+ break;
+ }
+
new_size += 4096;
new_data = g_realloc (new_data, new_size);
zstream.next_out = (Bytef *) (new_data + zstream.total_out);
- zstream.avail_out += 4096;
+ /* avail_out is an unsigned int */
+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
+ zstream.avail_out = new_size - zstream.total_out;
} while (zstream.avail_in > 0);
if (result != Z_STREAM_END) {
@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
#ifdef HAVE_BZ2
/* bzip2 encoded data */
bz_stream bzstream;
- guint orig_size;
int result;
bzstream.bzalloc = NULL;
bzstream.bzfree = NULL;
bzstream.opaque = NULL;
- orig_size = size;
if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
GST_WARNING ("bzip2 initialization failed.");
@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
}
bzstream.next_in = (char *) data;
- bzstream.avail_in = orig_size;
- new_size = orig_size;
+ bzstream.avail_in = size;
+ new_size = size;
new_data = g_malloc (new_size);
bzstream.avail_out = new_size;
bzstream.next_out = (char *) new_data;
@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
break;
}
+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = BZ_MEM_ERROR;
+ break;
+ }
+
new_size += 4096;
new_data = g_realloc (new_data, new_size);
- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
- bzstream.avail_out += 4096;
+ bzstream.next_out =
+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32);
+ /* avail_out is an unsigned int */
+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32 <= G_MAXUINT);
+ bzstream.avail_out =
+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+ bzstream.total_out_lo32;
} while (bzstream.avail_in > 0);
if (result != BZ_STREAM_END) {
ret = FALSE;
g_free (new_data);
} else {
- new_size = bzstream.total_out_lo32;
+ new_size =
+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
}
BZ2_bzDecompressEnd (&bzstream);
@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
/* lzo encoded data */
int result;
- int orig_size, out_size;
+ gint orig_size, out_size;
+
+ if (size > G_MAXINT) {
+ GST_WARNING ("too large compressed data buffer.");
+ ret = FALSE;
+ goto out;
+ }
orig_size = size;
out_size = size;
@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
result = lzo1x_decode (new_data, &out_size, data, &orig_size);
if (orig_size > 0) {
+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ result = LZO_ERROR;
+ break;
+ }
new_size += 4096;
new_data = g_realloc (new_data, new_size);
}
@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
/* header stripped encoded data */
if (enc->comp_settings_length > 0) {
+ if (size > G_MAXSIZE - enc->comp_settings_length
+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ ret = FALSE;
+ goto out;
+ }
+
new_data = g_malloc (size + enc->comp_settings_length);
new_size = size + enc->comp_settings_length;
--
GitLab


@ -1,54 +0,0 @@
From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 May 2022 10:15:37 +0300
Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 200MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: tbd
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
---
gst/isomp4/qtdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 7cc346b1e63..97ba0799a8d 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
break;
}
+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
+ GST_WARNING ("too big decompressed data");
+ ret = Z_MEM_ERROR;
+ break;
+ }
+
*length += 4096;
buffer = (guint8 *) g_realloc (buffer, *length);
z.next_out = (Bytef *) (buffer + z.total_out);
- z.avail_out += 4096;
+ z.avail_out += *length - z.total_out;
} while (z.avail_in > 0);
if (ret != Z_STREAM_END) {
--
GitLab


@ -1,200 +0,0 @@
From 242f3cae6da748ac128e86b5cadcd406fa61aff6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 4 Mar 2021 13:05:19 +0200
Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack
The old code had a couple of issues that all lead to potential memory
safety bugs.
- Use a constant for the Wavpack4Header size instead of using sizeof.
It's written out into the data and not from the struct and who knows
what special alignment/padding requirements some C compilers have.
- gst_buffer_set_size() does not realloc the buffer when setting a
bigger size than allocated, it only allows growing up to the maximum
allocated size. Instead use a GstAdapter to collect all the blocks
and take out everything at once in the end.
- Check that enough data is actually available in the input and
otherwise handle it an error in all cases instead of silently
ignoring it.
Among other things this fixes out of bounds writes because the code
assumed gst_buffer_set_size() can grow the buffer and simply wrote after
the end of the buffer.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/902>
---
gst/matroska/matroska-demux.c | 99 +++++++++++++++++++----------------
gst/matroska/matroska-ids.h | 2 +
2 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index e878e0d66..68215d2ca 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3856,6 +3856,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint32 block_samples, tmp;
gsize size = gst_buffer_get_size (*buf);
+ if (size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ return GST_FLOW_ERROR;
+ }
+
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
block_samples = GUINT32_FROM_LE (tmp);
/* we need to reconstruct the header of the wavpack block */
@@ -3863,10 +3869,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
/* -20 because ck_size is the size of the wavpack block -8
* and lace_size is the size of the wavpack block + 12
* (the three guint32 of the header that already are in the buffer) */
- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
+ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
/* block_samples, flags and crc are already in the buffer */
- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
+ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
data = outmap.data;
@@ -3891,9 +3897,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
audiocontext->wvpk_block_index += block_samples;
} else {
guint8 *outdata = NULL;
- guint outpos = 0;
- gsize buf_size, size, out_size = 0;
+ gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
gst_buffer_map (*buf, &map, GST_MAP_READ);
buf_data = map.data;
@@ -3902,6 +3910,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (buf_size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
return GST_FLOW_ERROR;
}
@@ -3923,59 +3932,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- if (blocksize == 0 || size < blocksize)
- break;
-
- g_assert ((newbuf == NULL) == (outdata == NULL));
+ if (blocksize == 0 || size < blocksize) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
- if (newbuf == NULL) {
- out_size = sizeof (Wavpack4Header) + blocksize;
- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
+ g_assert (newbuf == NULL);
- gst_buffer_copy_into (newbuf, *buf,
- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ newbuf =
+ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
+ NULL);
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ outdata = outmap.data;
+
+ outdata[0] = 'w';
+ outdata[1] = 'v';
+ outdata[2] = 'p';
+ outdata[3] = 'k';
+ outdata += 4;
+
+ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
+ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
+ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
+ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
+ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
+ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
+ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
+ GST_WRITE_UINT32_LE (outdata + 20, flags);
+ GST_WRITE_UINT32_LE (outdata + 24, crc);
+ outdata += 28;
+
+ memcpy (outdata, data, blocksize);
- outpos = 0;
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- } else {
- gst_buffer_unmap (newbuf, &outmap);
- out_size += sizeof (Wavpack4Header) + blocksize;
- gst_buffer_set_size (newbuf, out_size);
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- }
+ gst_buffer_unmap (newbuf, &outmap);
+ gst_adapter_push (adapter, newbuf);
+ newbuf = NULL;
- outdata[outpos] = 'w';
- outdata[outpos + 1] = 'v';
- outdata[outpos + 2] = 'p';
- outdata[outpos + 3] = 'k';
- outpos += 4;
-
- GST_WRITE_UINT32_LE (outdata + outpos,
- blocksize + sizeof (Wavpack4Header) - 8);
- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
- outpos += 28;
-
- memmove (outdata + outpos, data, blocksize);
- outpos += blocksize;
data += blocksize;
size -= blocksize;
}
gst_buffer_unmap (*buf, &map);
- gst_buffer_unref (*buf);
- if (newbuf)
- gst_buffer_unmap (newbuf, &outmap);
+ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
+ g_object_unref (adapter);
+ gst_buffer_copy_into (newbuf, *buf,
+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ gst_buffer_unref (*buf);
*buf = newbuf;
+
audiocontext->wvpk_block_index += block_samples;
}
diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
index 429213f77..8d4a685a9 100644
--- a/gst/matroska/matroska-ids.h
+++ b/gst/matroska/matroska-ids.h
@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
guint32 crc; /* crc for actual decoded data */
} Wavpack4Header;
+#define WAVPACK4_HEADER_SIZE (32)
+
typedef enum {
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
--
GitLab


@ -1,37 +0,0 @@
From 6c461e90bc1eedce4b7e414d34c8a8a9162359b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:31:52 +0200
Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
before parsing
Various error return paths don't set it to NULL and callers are only
checking if the pointer is NULL. As it's allocated on the stack this
usually contains random stack memory, and more often than not the memory
of a previously parsed track.
This then causes all kinds of memory corruptions further down the line.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/902>
---
gst/matroska/matroska-demux.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index d7b6f7edc..e878e0d66 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -694,6 +694,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ *dest_context = NULL;
+
/* start with the master */
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
--
GitLab

Binary file not shown.

Binary file not shown.


@ -1,37 +1,61 @@
%bcond_with extras
%bcond_with qt
%bcond_without extras
%bcond_without nasm
Name: gstreamer1-plugins-good
Version: 1.16.2
Release: 5
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
URL: http://gstreamer.freedesktop.org/
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
Source1: gstreamer-good.appdata.xml
Name: gstreamer1-plugins-good
Version: 1.20.3
Release: 1
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
URL: http://gstreamer.freedesktop.org/
Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz
Source1: gstreamer-good.appdata.xml
Patch6000: backport-CVE-2021-3497.patch
Patch6001: backport-CVE-2021-3498.patch
#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
Patch6002: CVE-2022-1920.patch
#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
Patch6003: CVE-2022-1921.patch
#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Patch0004: CVE-2022-2122.patch
#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Patch0005: CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch
BuildRequires: gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel
BuildRequires: gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel
BuildRequires: libsoup-devel libX11-devel libXext-devel libXdamage-devel libXfixes-devel
BuildRequires: pulseaudio-libs-devel speex-devel taglib-devel wavpack-devel libv4l-devel
BuildRequires: libvpx-devel gtk3-devel mesa-libGL-devel libglvnd-devel lame-devel
BuildRequires: mesa-libEGL-devel mesa-libGLU-devel mpg123-devel twolame-devel libdv-devel
BuildRequires: libavc1394-devel libiec61883-devel libraw1394-devel gtk-doc
BuildRequires: chrpath
BuildRequires: meson >= 0.48.0
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: gstreamer1-devel >= %{version}
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
BuildRequires: cairo-devel >= 1.10.0
BuildRequires: cairo-gobject-devel >= 1.10.0
BuildRequires: flac-devel >= 1.1.4
BuildRequires: gdk-pixbuf2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel >= 1.2.0
BuildRequires: libshout-devel
BuildRequires: libsoup-devel
BuildRequires: libX11-devel
BuildRequires: libXext-devel
BuildRequires: libXdamage-devel
BuildRequires: libXfixes-devel
BuildRequires: orc-devel
BuildRequires: pulseaudio-libs-devel
BuildRequires: speex-devel
BuildRequires: taglib-devel
BuildRequires: wavpack-devel
BuildRequires: libv4l-devel
BuildRequires: libvpx-devel >= 1.1.0
BuildRequires: gtk3-devel >= 3.4
BuildRequires: mesa-libGL-devel
BuildRequires: mesa-libGLES-devel
BuildRequires: mesa-libGLU-devel
BuildRequires: mesa-libEGL-devel
BuildRequires: lame-devel
BuildRequires: mpg123-devel
BuildRequires: twolame-devel
%if %{with nasm}
BuildRequires: nasm
%endif
%if %{with extras}
BuildRequires: jack-audio-connection-kit-devel
BuildRequires: libdv-devel
BuildRequires: libraw1394-devel libavc1394-devel
BuildRequires: libiec61883-devel
%endif
BuildRequires: libgudev-devel
Provides: gstreamer1-plugins-mpg123 = %{version}-%{release}
Obsoletes: gstreamer1-plugins-mpg123 < %{version}-%{release}
Obsoletes: gstreamer1-plugins-mpg123 < %{version}-%{release}
Obsoletes: gstreamer1-plugins-good-help < 1.20.3
%description
GStreamer is a streaming media framework, based on graphs of filters which
@ -44,11 +68,11 @@ plugins.
GStreamer Good Plugins is a collection of well-supported plugins of
good quality and under the LGPL license.
%package gtk
Summary: gtk plugin for gstreamer1-plugins-good
Requires: %{name} = %{version}-%{release}
Provides: gstreamer1-plugins-bad-free-gtk = %{version}-%{release}
Obsoletes: gstreamer1-plugins-bad-free-gtk < %{version}-%{release}
%package gtk
Summary: gtk plugin for gstreamer1-plugins-good
Requires: %{name} = %{version}-%{release}
Provides: gstreamer1-plugins-bad-free-gtk = %{version}-%{release}
Obsoletes: gstreamer1-plugins-bad-free-gtk < %{version}-%{release}
%description gtk
GStreamer is a streaming media framework, based on graphs of elements which
@ -57,34 +81,71 @@ operate on media data.
GStreamer Good Plugins is a collection of well-supported plugins of
good quality and under the LGPL license.
%package_help
%package qt
Summary: GStreamer "good" plugins qt qml plugin
Requires: %{name}%{?_isa} = %{version}-%{release}
BuildRequires: pkgconfig(Qt5Gui)
BuildRequires: pkgconfig(Qt5Qml)
BuildRequires: pkgconfig(Qt5Quick)
BuildRequires: pkgconfig(Qt5X11Extras)
BuildRequires: pkgconfig(Qt5WaylandClient)
Supplements: (gstreamer1-plugins-good and qt5-qtdeclarative)
%description qt
GStreamer is a streaming media framework, based on graphs of elements which
operate on media data.
GStreamer Good Plugins is a collection of well-supported plugins of
good quality and under the LGPL license.
This package (%{name}-qt) contains the qtsink output plugin.
%if %{with extras}
%package extras
Summary: Extra GStreamer plugins with good code and licensing
Requires: %{name}%{?_isa} = %{version}-%{release}
%description extras
GStreamer is a streaming media framework, based on graphs of filters
which operate on media data.
GStreamer Good Plugins is a collection of well-supported plugins of
good quality and under the LGPL license.
%{name}-extras contains extra "good" plugins
which are not used very much and require additional libraries
to be installed.
%endif
%prep
%autosetup -n gst-plugins-good-%{version} -p1
%build
%configure --disable-silent-rules --disable-fatal-warnings --enable-experimental \
--enable-gtk-doc --enable-orc --disable-monoscope --disable-aalib \
--disable-cairo --disable-libcaca --disable-jack \
--with-default-visualizer=autoaudiosink
%meson \
-D doc=disabled \
-D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \
-D orc=enabled \
-D monoscope=disabled \
-D aalib=disabled \
-D libcaca=disabled \
-D rpicamsrc=disabled \
-D jack=%{?with_extras:enabled}%{!?with_extras:disabled} \
-D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \
-D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \
%make_build
%meson_build
%install
%make_install
%meson_install
%delete_la_and_a
install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml
chrpath -d %{buildroot}%{_libdir}/gstreamer-1.0/libgstshout2.so
mkdir -p %{buildroot}/etc/ld.so.conf.d
echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%ldconfig_scriptlets
%files
%files
%defattr(-,root,root)
%doc AUTHORS
%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS
%license COPYING
%{_libdir}/gstreamer-1.0/*.so
%{_datadir}/locale/*
@ -92,18 +153,30 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%{_datadir}/gstreamer-1.0/presets/*.prs
%{_metainfodir}/gstreamer-good.appdata.xml
%exclude %{_libdir}/gstreamer-1.0/libgstgtk.so
%config(noreplace) /etc/ld.so.conf.d/*
%exclude %{_libdir}/gstreamer-1.0/libgstqmlgl.so
%exclude %{_libdir}/gstreamer-1.0/libgstjack.so
%exclude %{_libdir}/gstreamer-1.0/libgstdv.so
%exclude %{_libdir}/gstreamer-1.0/libgst1394.so
%files gtk
%files gtk
%defattr(-,root,root)
%{_libdir}/gstreamer-1.0/libgstgtk.so
%files help
%defattr(-,root,root)
%doc README REQUIREMENTS
%doc %{_datadir}/gtk-doc/html/*
%files qt
%{_libdir}/gstreamer-1.0/libgstqmlgl.so
%if %{with extras}
%files extras
# Plugins with external dependencies
%{_libdir}/gstreamer-1.0/libgstjack.so
%{_libdir}/gstreamer-1.0/libgstdv.so
%{_libdir}/gstreamer-1.0/libgst1394.so
%endif
%changelog
* Wed Nov 01 2023 wangkai <13474090681@163.com> - 1.20.3-1
- Update to 1.20.3
* Mon Jun 27 2022 yaoxin <yaoxin30@h-partners.com> - 1.16.2-5
- Fix CVE-2022-2122 CVE-2022-1920-to-CVE-2022-1925
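Review bot: The new changelog entry `- Update to 1.20.3` does not say that the CVE backports are dropped, even though this commit deletes the patch files and, as far as the rendered section shows, the matching `Patch6000`–`Patch0005` lines. The deleted patches cite upstream advisories sa-2022-0001 to sa-2022-0004; confirm that each fix is in the 1.20.3 tarball and record it, for example `- Drop CVE-2021-3497, CVE-2021-3498, CVE-2022-1920 to CVE-2022-1925 and CVE-2022-2122 backports, fixed upstream`, so that CVE tracking based on the changelog stays accurate. Separately, `%bcond_with qt` is declared but `%package qt`, its Qt5 `BuildRequires` and `%files qt` are not wrapped in `%if %{with qt}` the way the extras subpackage is, so the switch seems to have no effect and the Qt plugin appears to be built regardless.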