diff --git a/CVE-2022-1920.patch b/CVE-2022-1920.patch
deleted file mode 100644
index 682ad34..0000000
--- a/CVE-2022-1920.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
-Date: Wed, 18 May 2022 10:23:15 +0300
-Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
- corruption in WavPack header handling code
-
-blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
-results in allocating a very small buffer. Into that buffer blocksize
-data is memcpy'd later which then causes out of bound writes and can
-potentially lead to anything from crashes to remote code execution.
-
-Thanks to Adam Doupe for analyzing and reporting the issue.
-
-CVE: CVE-2022-1920
-
-https://gstreamer.freedesktop.org/security/sa-2022-0004.html
-
-Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
-
-Part-of:
----
- gst/matroska/matroska-demux.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
-index 64cc6be60be..01d754c3eb9 100644
---- a/gst/matroska/matroska-demux.c
-+++ b/gst/matroska/matroska-demux.c
-@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
- } else {
- guint8 *outdata = NULL;
- gsize buf_size, size;
-- guint32 block_samples, flags, crc, blocksize;
-+ guint32 block_samples, flags, crc;
-+ gsize blocksize;
- GstAdapter *adapter;
-
- adapter = gst_adapter_new ();
-@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
- return GST_FLOW_ERROR;
- }
-
-+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
-+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
-+ gst_buffer_unmap (*buf, &map);
-+ g_object_unref (adapter);
-+ return GST_FLOW_ERROR;
-+ }
-+
- g_assert (newbuf == NULL);
-
- newbuf =
---
-GitLab
diff --git a/CVE-2022-1921.patch b/CVE-2022-1921.patch
deleted file mode 100644
index 8ac6035..0000000
--- a/CVE-2022-1921.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Wed, 18 May 2022 12:00:48 +0300 -Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption - in DIB buffer inversion code - -Check that width*bpp/8 doesn't overflow a guint and also that -height*stride fits into the provided buffer without overflowing. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: CVE-2022-1921 - -See https://gstreamer.freedesktop.org/security/sa-2022-0001.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 - -Part-of: ---- - gst/avi/gstavidemux.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c -index eafe865494c..0d18a6495c7 100644 ---- a/gst/avi/gstavidemux.c -+++ b/gst/avi/gstavidemux.c -@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes) - static GstBuffer * - gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) - { -- gint y, w, h; -- gint bpp, stride; -+ guint y, w, h; -+ guint bpp, stride; - guint8 *tmp = NULL; - GstMapInfo map; - guint32 fourcc; -@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf) - h = stream->strf.vids->height; - w = stream->strf.vids->width; - bpp = stream->strf.vids->bit_cnt ? 
stream->strf.vids->bit_cnt : 8; -+ -+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) { -+ GST_WARNING ("Width x stride overflows"); -+ return buf; -+ } -+ -+ if (w == 0 || h == 0) { -+ GST_WARNING ("Zero width or height"); -+ return buf; -+ } -+ - stride = GST_ROUND_UP_4 (w * (bpp / 8)); - - buf = gst_buffer_make_writable (buf); - - gst_buffer_map (buf, &map, GST_MAP_READWRITE); -- if (map.size < (stride * h)) { -+ if (map.size < ((guint64) stride * (guint64) h)) { - GST_WARNING ("Buffer is smaller than reported Width x Height x Depth"); - gst_buffer_unmap (buf, &map); - return buf; --- -GitLab diff --git a/CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch b/CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch deleted file mode 100644 index d431f4c..0000000 --- a/CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch +++ /dev/null 
@@ -1,208 +0,0 @@ -From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Wed, 18 May 2022 11:24:37 +0300 -Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc - decompression code - -Various variables were of smaller types than needed and there were no -checks for any overflows when doing additions on the sizes. This is all -checked now. - -In addition the size of the decompressed data is limited to 120MB now as -any larger sizes are likely pathological and we can avoid out of memory -situations in many cases like this. - -Also fix a bug where the available output size on the next iteration in -the zlib/bz2 decompression code was provided too large and could -potentially lead to out of bound writes. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925 - -https://gstreamer.freedesktop.org/security/sa-2022-0002.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 - -Part-of: ---- - gst/matroska/matroska-read-common.c | 76 +++++++++++++++---- - 1 file changed, 61 insertions(+), 15 deletions(-) - -diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c -index eb317644cc5..6fadbba9567 100644 ---- a/gst/matroska/matroska-read-common.c -+++ b/gst/matroska/matroska-read-common.c -@@ -70,6 +70,10 @@ typedef struct - gboolean audio_only; - } TargetTypeContext; - -+/* 120MB as maximum decompressed data size. 
Anything bigger is likely -+ * pathological, and like this we avoid out of memory situations in many cases -+ */ -+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024) - - static gboolean - gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, -@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - GstMatroskaTrackCompressionAlgorithm algo) - { - guint8 *new_data = NULL; -- guint new_size = 0; -+ gsize new_size = 0; - guint8 *data = *data_out; -- guint size = *size_out; -+ const gsize size = *size_out; - gboolean ret = TRUE; - -+ if (size > G_MAXUINT32) { -+ GST_WARNING ("too large compressed data buffer."); -+ ret = FALSE; -+ goto out; -+ } -+ - if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) { - #ifdef HAVE_ZLIB - /* zlib encoded data */ - z_stream zstream; -- guint orig_size; - int result; - -- orig_size = size; - zstream.zalloc = (alloc_func) 0; - zstream.zfree = (free_func) 0; - zstream.opaque = (voidpf) 0; -@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - goto out; - } - zstream.next_in = (Bytef *) data; -- zstream.avail_in = orig_size; -- new_size = orig_size; -+ zstream.avail_in = size; -+ new_size = size; - new_data = g_malloc (new_size); - zstream.avail_out = new_size; - zstream.next_out = (Bytef *) new_data; -@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - break; - } - -+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = Z_MEM_ERROR; -+ break; -+ } -+ - new_size += 4096; - new_data = g_realloc (new_data, new_size); - zstream.next_out = (Bytef *) (new_data + zstream.total_out); -- zstream.avail_out += 4096; -+ /* avail_out is an unsigned int */ -+ g_assert (new_size - zstream.total_out <= G_MAXUINT); -+ zstream.avail_out = new_size - zstream.total_out; - } while (zstream.avail_in > 0); - - if (result != Z_STREAM_END) { -@@ -137,13 +153,11 @@ 
gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - #ifdef HAVE_BZ2 - /* bzip2 encoded data */ - bz_stream bzstream; -- guint orig_size; - int result; - - bzstream.bzalloc = NULL; - bzstream.bzfree = NULL; - bzstream.opaque = NULL; -- orig_size = size; - - if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) { - GST_WARNING ("bzip2 initialization failed."); -@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } - - bzstream.next_in = (char *) data; -- bzstream.avail_in = orig_size; -- new_size = orig_size; -+ bzstream.avail_in = size; -+ new_size = size; - new_data = g_malloc (new_size); - bzstream.avail_out = new_size; - bzstream.next_out = (char *) new_data; -@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - break; - } - -+ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = BZ_MEM_ERROR; -+ break; -+ } -+ - new_size += 4096; - new_data = g_realloc (new_data, new_size); -- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32); -- bzstream.avail_out += 4096; -+ bzstream.next_out = -+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32); -+ /* avail_out is an unsigned int */ -+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32 <= G_MAXUINT); -+ bzstream.avail_out = -+ new_size - ((guint64) bzstream.total_out_hi32 << 32) + -+ bzstream.total_out_lo32; - } while (bzstream.avail_in > 0); - - if (result != BZ_STREAM_END) { - ret = FALSE; - g_free (new_data); - } else { -- new_size = bzstream.total_out_lo32; -+ new_size = -+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32; - } - BZ2_bzDecompressEnd (&bzstream); - -@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) { - /* lzo encoded data */ - int 
result; -- int orig_size, out_size; -+ gint orig_size, out_size; -+ -+ if (size > G_MAXINT) { -+ GST_WARNING ("too large compressed data buffer."); -+ ret = FALSE; -+ goto out; -+ } - - orig_size = size; - out_size = size; -@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - result = lzo1x_decode (new_data, &out_size, data, &orig_size); - - if (orig_size > 0) { -+ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ result = LZO_ERROR; -+ break; -+ } - new_size += 4096; - new_data = g_realloc (new_data, new_size); - } -@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc, - } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) { - /* header stripped encoded data */ - if (enc->comp_settings_length > 0) { -+ if (size > G_MAXSIZE - enc->comp_settings_length -+ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ ret = FALSE; -+ goto out; -+ } -+ - new_data = g_malloc (size + enc->comp_settings_length); - new_size = size + enc->comp_settings_length; - --- -GitLab diff --git a/CVE-2022-2122.patch b/CVE-2022-2122.patch deleted file mode 100644 index 5053906..0000000 --- a/CVE-2022-2122.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Mon, 30 May 2022 10:15:37 +0300 -Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code - -Various variables were of smaller types than needed and there were no -checks for any overflows when doing additions on the sizes. This is all -checked now. - -In addition the size of the decompressed data is limited to 200MB now as -any larger sizes are likely pathological and we can avoid out of memory -situations in many cases like this. - -Also fix a bug where the available output size on the next iteration in -the zlib decompression code was provided too large and could -potentially lead to out of bound writes. - -Thanks to Adam Doupe for analyzing and reporting the issue. - -CVE: tbd - -https://gstreamer.freedesktop.org/security/sa-2022-0003.html - -Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 - -Part-of: ---- - gst/isomp4/qtdemux.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c -index 7cc346b1e63..97ba0799a8d 100644 ---- a/gst/isomp4/qtdemux.c -+++ b/gst/isomp4/qtdemux.c -@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length) - break; - } - -+ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) { -+ GST_WARNING ("too big decompressed data"); -+ ret = Z_MEM_ERROR; -+ break; -+ } -+ - *length += 4096; - buffer = (guint8 *) g_realloc (buffer, *length); - z.next_out = (Bytef *) (buffer + z.total_out); -- z.avail_out += 4096; -+ z.avail_out += *length - z.total_out; - } while (z.avail_in > 0); - - if (ret != Z_STREAM_END) { --- -GitLab diff --git a/backport-CVE-2021-3497.patch b/backport-CVE-2021-3497.patch deleted file mode 100644 index 645c774..0000000 --- a/backport-CVE-2021-3497.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From 242f3cae6da748ac128e86b5cadcd406fa61aff6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= -Date: Thu, 4 Mar 2021 13:05:19 +0200 -Subject: [PATCH] matroskademux: Fix extraction of multichannel WavPack - -The old code had a couple of issues that all lead to potential memory -safety bugs. - - - Use a constant for the Wavpack4Header size instead of using sizeof. - It's written out into the data and not from the struct and who knows - what special alignment/padding requirements some C compilers have. - - gst_buffer_set_size() does not realloc the buffer when setting a - bigger size than allocated, it only allows growing up to the maximum - allocated size. Instead use a GstAdapter to collect all the blocks - and take out everything at once in the end. - - Check that enough data is actually available in the input and - otherwise handle it an error in all cases instead of silently - ignoring it. - -Among other things this fixes out of bounds writes because the code -assumed gst_buffer_set_size() can grow the buffer and simply wrote after -the end of the buffer. - -Thanks to Natalie Silvanovich for reporting. 
- -Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/859 - -Part-of: ---- - gst/matroska/matroska-demux.c | 99 +++++++++++++++++++---------------- - gst/matroska/matroska-ids.h | 2 + - 2 files changed, 55 insertions(+), 46 deletions(-) - -diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c -index e878e0d66..68215d2ca 100644 ---- a/gst/matroska/matroska-demux.c -+++ b/gst/matroska/matroska-demux.c -@@ -3856,6 +3856,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - guint32 block_samples, tmp; - gsize size = gst_buffer_get_size (*buf); - -+ if (size < 4) { -+ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); -+ gst_buffer_unmap (*buf, &map); -+ return GST_FLOW_ERROR; -+ } -+ - gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); - block_samples = GUINT32_FROM_LE (tmp); - /* we need to reconstruct the header of the wavpack block */ -@@ -3863,10 +3869,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - /* -20 because ck_size is the size of the wavpack block -8 - * and lace_size is the size of the wavpack block + 12 - * (the three guint32 of the header that already are in the buffer) */ -- wvh.ck_size = size + sizeof (Wavpack4Header) - 20; -+ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20; - - /* block_samples, flags and crc are already in the buffer */ -- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL); -+ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL); - - gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); - data = outmap.data; -@@ -3891,9 +3897,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - audiocontext->wvpk_block_index += block_samples; - } else { - guint8 *outdata = NULL; -- guint outpos = 0; -- gsize buf_size, size, out_size = 0; -+ gsize buf_size, size; - guint32 block_samples, flags, crc, blocksize; -+ GstAdapter *adapter; -+ -+ adapter = gst_adapter_new (); - - gst_buffer_map (*buf, &map, GST_MAP_READ); - 
buf_data = map.data; -@@ -3902,6 +3910,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - if (buf_size < 4) { - GST_ERROR_OBJECT (element, "Too small wavpack buffer"); - gst_buffer_unmap (*buf, &map); -+ g_object_unref (adapter); - return GST_FLOW_ERROR; - } - -@@ -3923,59 +3932,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, - data += 4; - size -= 4; - -- if (blocksize == 0 || size < blocksize) -- break; -- -- g_assert ((newbuf == NULL) == (outdata == NULL)); -+ if (blocksize == 0 || size < blocksize) { -+ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); -+ gst_buffer_unmap (*buf, &map); -+ g_object_unref (adapter); -+ return GST_FLOW_ERROR; -+ } - -- if (newbuf == NULL) { -- out_size = sizeof (Wavpack4Header) + blocksize; -- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL); -+ g_assert (newbuf == NULL); - -- gst_buffer_copy_into (newbuf, *buf, -- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); -+ newbuf = -+ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, -+ NULL); -+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); -+ outdata = outmap.data; -+ -+ outdata[0] = 'w'; -+ outdata[1] = 'v'; -+ outdata[2] = 'p'; -+ outdata[3] = 'k'; -+ outdata += 4; -+ -+ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8); -+ GST_WRITE_UINT16_LE (outdata + 4, wvh.version); -+ GST_WRITE_UINT8 (outdata + 6, wvh.track_no); -+ GST_WRITE_UINT8 (outdata + 7, wvh.index_no); -+ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples); -+ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index); -+ GST_WRITE_UINT32_LE (outdata + 16, block_samples); -+ GST_WRITE_UINT32_LE (outdata + 20, flags); -+ GST_WRITE_UINT32_LE (outdata + 24, crc); -+ outdata += 28; -+ -+ memcpy (outdata, data, blocksize); - -- outpos = 0; -- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); -- outdata = outmap.data; -- } else { -- gst_buffer_unmap (newbuf, &outmap); -- out_size += sizeof (Wavpack4Header) + blocksize; -- gst_buffer_set_size 
(newbuf, out_size); -- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); -- outdata = outmap.data; -- } -+ gst_buffer_unmap (newbuf, &outmap); -+ gst_adapter_push (adapter, newbuf); -+ newbuf = NULL; - -- outdata[outpos] = 'w'; -- outdata[outpos + 1] = 'v'; -- outdata[outpos + 2] = 'p'; -- outdata[outpos + 3] = 'k'; -- outpos += 4; -- -- GST_WRITE_UINT32_LE (outdata + outpos, -- blocksize + sizeof (Wavpack4Header) - 8); -- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version); -- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no); -- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no); -- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples); -- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index); -- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples); -- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags); -- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc); -- outpos += 28; -- -- memmove (outdata + outpos, data, blocksize); -- outpos += blocksize; - data += blocksize; - size -= blocksize; - } - gst_buffer_unmap (*buf, &map); -- gst_buffer_unref (*buf); - -- if (newbuf) -- gst_buffer_unmap (newbuf, &outmap); -+ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); -+ g_object_unref (adapter); - -+ gst_buffer_copy_into (newbuf, *buf, -+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); -+ gst_buffer_unref (*buf); - *buf = newbuf; -+ - audiocontext->wvpk_block_index += block_samples; - } - -diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h -index 429213f77..8d4a685a9 100644 ---- a/gst/matroska/matroska-ids.h -+++ b/gst/matroska/matroska-ids.h -@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header { - guint32 crc; /* crc for actual decoded data */ - } Wavpack4Header; - -+#define WAVPACK4_HEADER_SIZE (32) -+ - typedef enum { - GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), - GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), --- -GitLab 
diff --git a/backport-CVE-2021-3498.patch b/backport-CVE-2021-3498.patch
deleted file mode 100644
index 4b0a98a..0000000
--- a/backport-CVE-2021-3498.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 6c461e90bc1eedce4b7e414d34c8a8a9162359b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
-Date: Wed, 3 Mar 2021 11:31:52 +0200
-Subject: [PATCH] matroskademux: Initialize track context out parameter to NULL
- before parsing
-
-Various error return paths don't set it to NULL and callers are only
-checking if the pointer is NULL. As it's allocated on the stack this
-usually contains random stack memory, and more often than not the memory
-of a previously parsed track.
-
-This then causes all kinds of memory corruptions further down the line.
-
-Thanks to Natalie Silvanovich for reporting.
-
-Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/858
-
-Part-of:
----
- gst/matroska/matroska-demux.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
-index d7b6f7edc..e878e0d66 100644
---- a/gst/matroska/matroska-demux.c
-+++ b/gst/matroska/matroska-demux.c
-@@ -694,6 +694,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
-
- DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
-
-+ *dest_context = NULL;
-+
- /* start with the master */
- if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
- DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
---
-GitLab
diff --git a/gst-plugins-good-1.16.2.tar.xz b/gst-plugins-good-1.16.2.tar.xz
deleted file mode 100644
index 8fdcb57..0000000
Binary files a/gst-plugins-good-1.16.2.tar.xz and /dev/null differ
diff --git a/gst-plugins-good-1.20.3.tar.xz b/gst-plugins-good-1.20.3.tar.xz
new file mode 100644
index 0000000..f3ad47e
Binary files /dev/null and b/gst-plugins-good-1.20.3.tar.xz differ
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index af38bbd..d15b067 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -1,37 +1,61 @@ -%bcond_with extras -%bcond_with qt +%bcond_without extras +%bcond_without nasm -Name: gstreamer1-plugins-good -Version: 1.16.2 -Release: 5 -Summary: GStreamer plugins with good code and licensing -License: LGPLv2+ -URL: http://gstreamer.freedesktop.org/ -Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz -Source1: gstreamer-good.appdata.xml +Name: gstreamer1-plugins-good +Version: 1.20.3 +Release: 1 +Summary: GStreamer plugins with good code and licensing +License: LGPLv2+ +URL: http://gstreamer.freedesktop.org/ +Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz +Source1: gstreamer-good.appdata.xml -Patch6000: backport-CVE-2021-3497.patch -Patch6001: backport-CVE-2021-3498.patch -#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 -Patch6002: CVE-2022-1920.patch -#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224 -Patch6003: CVE-2022-1921.patch -#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 -Patch0004: CVE-2022-2122.patch -#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225 -Patch0005: CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch - -BuildRequires: gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel -BuildRequires: gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel -BuildRequires: libsoup-devel libX11-devel libXext-devel libXdamage-devel libXfixes-devel -BuildRequires: pulseaudio-libs-devel speex-devel taglib-devel wavpack-devel libv4l-devel -BuildRequires: libvpx-devel gtk3-devel mesa-libGL-devel libglvnd-devel lame-devel -BuildRequires: mesa-libEGL-devel mesa-libGLU-devel mpg123-devel twolame-devel libdv-devel -BuildRequires: libavc1394-devel libiec61883-devel libraw1394-devel gtk-doc -BuildRequires: chrpath +BuildRequires: meson >= 0.48.0 +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: gstreamer1-devel >= %{version} 
+BuildRequires: gstreamer1-plugins-base-devel >= %{version} +BuildRequires: cairo-devel >= 1.10.0 +BuildRequires: cairo-gobject-devel >= 1.10.0 +BuildRequires: flac-devel >= 1.1.4 +BuildRequires: gdk-pixbuf2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel >= 1.2.0 +BuildRequires: libshout-devel +BuildRequires: libsoup-devel +BuildRequires: libX11-devel +BuildRequires: libXext-devel +BuildRequires: libXdamage-devel +BuildRequires: libXfixes-devel +BuildRequires: orc-devel +BuildRequires: pulseaudio-libs-devel +BuildRequires: speex-devel +BuildRequires: taglib-devel +BuildRequires: wavpack-devel +BuildRequires: libv4l-devel +BuildRequires: libvpx-devel >= 1.1.0 +BuildRequires: gtk3-devel >= 3.4 +BuildRequires: mesa-libGL-devel +BuildRequires: mesa-libGLES-devel +BuildRequires: mesa-libGLU-devel +BuildRequires: mesa-libEGL-devel +BuildRequires: lame-devel +BuildRequires: mpg123-devel +BuildRequires: twolame-devel +%if %{with nasm} +BuildRequires: nasm +%endif +%if %{with extras} +BuildRequires: jack-audio-connection-kit-devel +BuildRequires: libdv-devel +BuildRequires: libraw1394-devel libavc1394-devel +BuildRequires: libiec61883-devel +%endif +BuildRequires: libgudev-devel Provides: gstreamer1-plugins-mpg123 = %{version}-%{release} -Obsoletes: gstreamer1-plugins-mpg123 < %{version}-%{release} +Obsoletes: gstreamer1-plugins-mpg123 < %{version}-%{release} +Obsoletes: gstreamer1-plugins-good-help < 1.20.3 %description GStreamer is a streaming media framework, based on graphs of filters which 
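Review bot: All six `Patch` entries that carried the fixes for CVE-2021-3497, CVE-2021-3498, CVE-2022-1920 to CVE-2022-1925 and CVE-2022-2122 are dropped in this hunk, and nothing in the spec records that the new tarball already contains them. The only trace is the changelog line `- Update to 1.20.3` in the last hunk. Presumably these fixes are part of the upstream 1.20.3 release, but that should be confirmed against the advisories the deleted patches cite (sa-2022-0001 to sa-2022-0004) and the two gst-plugins-good issues (858, 859). The result is best recorded in the changelog, for example `- Drop CVE-2021-3497, CVE-2021-3498, CVE-2022-1920..1925 and CVE-2022-2122 patches, fixed upstream`. Without that line, a later audit of the package history cannot tell whether the fixes were absorbed or lost.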
@@ -44,11 +68,11 @@ plugins. GStreamer Good Plugins is a collection of well-supported plugins of good quality and under the LGPL license. -%package gtk -Summary: gtk plugin for gstreamer1-plugins-good -Requires: %{name} = %{version}-%{release} -Provides: gstreamer1-plugins-bad-free-gtk = %{version}-%{release} -Obsoletes: gstreamer1-plugins-bad-free-gtk < %{version}-%{release} +%package gtk +Summary: gtk plugin for gstreamer1-plugins-good +Requires: %{name} = %{version}-%{release} +Provides: gstreamer1-plugins-bad-free-gtk = %{version}-%{release} +Obsoletes: gstreamer1-plugins-bad-free-gtk < %{version}-%{release} %description gtk GStreamer is a streaming media framework, based on graphs of elements which 
@@ -57,34 +81,71 @@ operate on media data. GStreamer Good Plugins is a collection of well-supported plugins of good quality and under the LGPL license. -%package_help +%package qt +Summary: GStreamer "good" plugins qt qml plugin +Requires: %{name}%{?_isa} = %{version}-%{release} + +BuildRequires: pkgconfig(Qt5Gui) +BuildRequires: pkgconfig(Qt5Qml) +BuildRequires: pkgconfig(Qt5Quick) +BuildRequires: pkgconfig(Qt5X11Extras) +BuildRequires: pkgconfig(Qt5WaylandClient) + +Supplements: (gstreamer1-plugins-good and qt5-qtdeclarative) + +%description qt +GStreamer is a streaming media framework, based on graphs of elements which +operate on media data. + +GStreamer Good Plugins is a collection of well-supported plugins of +good quality and under the LGPL license. + +This package (%{name}-qt) contains the qtsink output plugin. + +%if %{with extras} +%package extras +Summary: Extra GStreamer plugins with good code and licensing +Requires: %{name}%{?_isa} = %{version}-%{release} + + +%description extras +GStreamer is a streaming media framework, based on graphs of filters +which operate on media data. + +GStreamer Good Plugins is a collection of well-supported plugins of +good quality and under the LGPL license. + +%{name}-extras contains extra "good" plugins +which are not used very much and require additional libraries +to be installed. 
+%endif %prep %autosetup -n gst-plugins-good-%{version} -p1 %build -%configure --disable-silent-rules --disable-fatal-warnings --enable-experimental \ - --enable-gtk-doc --enable-orc --disable-monoscope --disable-aalib \ - --disable-cairo --disable-libcaca --disable-jack \ - --with-default-visualizer=autoaudiosink +%meson \ + -D doc=disabled \ + -D asm=%{?with_nasm:enabled}%{!?with_nasm:disabled} \ + -D orc=enabled \ + -D monoscope=disabled \ + -D aalib=disabled \ + -D libcaca=disabled \ + -D rpicamsrc=disabled \ + -D jack=%{?with_extras:enabled}%{!?with_extras:disabled} \ + -D dv=%{?with_extras:enabled}%{!?with_extras:disabled} \ + -D dv1394=%{?with_extras:enabled}%{!?with_extras:disabled} \ -%make_build +%meson_build %install -%make_install +%meson_install %delete_la_and_a install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml -chrpath -d %{buildroot}%{_libdir}/gstreamer-1.0/libgstshout2.so - -mkdir -p %{buildroot}/etc/ld.so.conf.d -echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf - -%ldconfig_scriptlets - -%files +%files %defattr(-,root,root) -%doc AUTHORS +%doc AUTHORS NEWS README.md README.static-linking RELEASE REQUIREMENTS %license COPYING %{_libdir}/gstreamer-1.0/*.so %{_datadir}/locale/* 
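Review bot: The `chrpath -d %{buildroot}%{_libdir}/gstreamer-1.0/libgstshout2.so` step is removed in `%install` with nothing that checks the result, so whether the installed plugins still carry an RPATH or RUNPATH now depends entirely on the meson install step. Meson normally strips build-time rpaths on install, but this should be confirmed on the built package, for instance by inspecting the `.so` files with `readelf -d`, since a stray rpath on a media plugin is a library search-path risk. Separately, the `%meson` call ends with a trailing backslash on its last option (`-D dv1394=... \`), so only the blank line after it keeps `%meson_build` from being swallowed as an argument; drop the backslash on that final line.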
@@ -92,18 +153,30 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{_datadir}/gstreamer-1.0/presets/*.prs %{_metainfodir}/gstreamer-good.appdata.xml %exclude %{_libdir}/gstreamer-1.0/libgstgtk.so -%config(noreplace) /etc/ld.so.conf.d/* +%exclude %{_libdir}/gstreamer-1.0/libgstqmlgl.so +%exclude %{_libdir}/gstreamer-1.0/libgstjack.so +%exclude %{_libdir}/gstreamer-1.0/libgstdv.so +%exclude %{_libdir}/gstreamer-1.0/libgst1394.so -%files gtk +%files gtk %defattr(-,root,root) %{_libdir}/gstreamer-1.0/libgstgtk.so -%files help -%defattr(-,root,root) -%doc README REQUIREMENTS -%doc %{_datadir}/gtk-doc/html/* +%files qt +%{_libdir}/gstreamer-1.0/libgstqmlgl.so + +%if %{with extras} +%files extras +# Plugins with external dependencies +%{_libdir}/gstreamer-1.0/libgstjack.so +%{_libdir}/gstreamer-1.0/libgstdv.so +%{_libdir}/gstreamer-1.0/libgst1394.so +%endif %changelog +* Wed Nov 01 2023 wangkai <13474090681@163.com> - 1.20.3-1 +- Update to 1.20.3 + * Mon Jun 27 2022 yaoxin - 1.16.2-5 - Fix CVE-2022-2122 CVE-2022-1920-to-CVE-2022-1925