packages/gstreamer1-plugins-good
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!38 Fix cves

Browse Source 
From: @starlet-dx 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2024-12-18 07:44:50 +00:00 committed by Gitee
commit ef8cfc50bd
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
23 changed files with 1503 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
CVE-2024-47537.patch Normal file
View File

@ -0,0 +1,58 @@
From ae61a604c03ca07226a88e15fdb5487ad2096add Mon Sep 17 00:00:00 2001
From: Antonio Morales <antonio-morales@github.com>
Date: Thu, 26 Sep 2024 18:39:37 +0300
Subject: [PATCH 01/12] qtdemux: Fix integer overflow when allocating the
samples table for fragmented MP4
This can lead to out of bounds writes and NULL pointer dereferences.
Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index c2d8b5e0f134..a88dcaf2d3ef 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3364,6 +3364,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint i;
guint8 *data;
guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
+ guint new_n_samples;
QtDemuxSample *sample;
gboolean ismv = FALSE;
gint64 initial_offset;
@@ -3475,14 +3476,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
goto fail;
data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
- if (stream->n_samples + samples_count >=
- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
+ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
goto index_too_big;
GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
- (stream->n_samples + samples_count) *
- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+ new_n_samples, (guint) sizeof (QtDemuxSample),
+ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
/* create a new array of samples if it's the first sample parsed */
if (stream->n_samples == 0) {
@@ -3491,7 +3491,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* or try to reallocate it with space enough to insert the new samples */
} else
stream->samples = g_try_renew (QtDemuxSample, stream->samples,
- stream->n_samples + samples_count);
+ new_n_samples);
if (stream->samples == NULL)
goto out_of_memory;
--
GitLab

39
CVE-2024-47539.patch Normal file
View File

@ -0,0 +1,39 @@
From 1d534ac209e4042d08513f8cd448b9b12187aacd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 09:20:28 +0300
Subject: [PATCH 05/12] qtdemux: Make sure only an even number of bytes is
processed when handling CEA608 data
An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.
Strip off any leftover bytes and assume everything before that is valid.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index dbd42817c00b..4339943e347b 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -6145,6 +6145,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
guint8 *storage;
gsize i;
+ /* Strip off any leftover odd bytes and assume everything before is valid */
+ if (ccpair_size % 2 != 0) {
+ ccpair_size -= 1;
+ }
+
/* We are converting from pairs to triplets */
*res = ccpair_size / 2 * 3;
storage = g_malloc (*res);
--
GitLab

51
CVE-2024-47540.patch Normal file
View File

@ -0,0 +1,51 @@
From c0dceda8e969f74f2326539c1f0368c2fd7afcd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 16:32:48 +0300
Subject: [PATCH 1/7] matroskademux: Only unmap GstMapInfo in WavPack header
extraction error paths if previously mapped
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-197
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 41725e83a607..9e0de058e64a 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3891,7 +3891,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
GstMatroskaTrackAudioContext *audiocontext =
(GstMatroskaTrackAudioContext *) stream;
GstBuffer *newbuf = NULL;
- GstMapInfo map, outmap;
guint8 *buf_data, *data;
Wavpack4Header wvh;
@@ -3908,11 +3907,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (audiocontext->channels <= 2) {
guint32 block_samples, tmp;
+ GstMapInfo outmap;
gsize size = gst_buffer_get_size (*buf);
if (size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
- gst_buffer_unmap (*buf, &map);
return GST_FLOW_ERROR;
}
@@ -3950,6 +3949,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
*buf = newbuf;
audiocontext->wvpk_block_index += block_samples;
} else {
+ GstMapInfo map, outmap;
guint8 *outdata = NULL;
gsize buf_size, size;
guint32 block_samples, flags, crc;
--
GitLab

115
CVE-2024-47543.patch Normal file
View File

@ -0,0 +1,115 @@
From c1cd838706d29cab9479e7b5e6ec63ff8ad59b61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 14:17:02 +0300
Subject: [PATCH 06/12] qtdemux: Make sure enough data is available before
reading wave header node
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-236
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 84 ++++++++++---------
1 file changed, 45 insertions(+), 39 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 4339943e347b..062140d3dd5f 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -13704,47 +13704,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
} else {
guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16);
const guint8 *data = stsd_entry_data + offset + 16;
- GNode *wavenode;
- GNode *waveheadernode;
-
- wavenode = g_node_new ((guint8 *) data);
- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
- const guint8 *waveheader;
- guint32 headerlen;
-
- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc);
- if (waveheadernode) {
- waveheader = (const guint8 *) waveheadernode->data;
- headerlen = QT_UINT32 (waveheader);
-
- if (headerlen > 8) {
- gst_riff_strf_auds *header = NULL;
- GstBuffer *headerbuf;
- GstBuffer *extra;
-
- waveheader += 8;
- headerlen -= 8;
-
- headerbuf = gst_buffer_new_and_alloc (headerlen);
- gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
-
- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
- headerbuf, &header, &extra)) {
- gst_caps_unref (entry->caps);
- /* FIXME: Need to do something with the channel reorder map */
- entry->caps =
- gst_riff_create_audio_caps (header->format, NULL, header,
- extra, NULL, NULL, NULL);
-
- if (extra)
- gst_buffer_unref (extra);
- g_free (header);
+
+ if (len < datalen || len - datalen < offset + 16) {
+ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode");
+ } else {
+ GNode *wavenode;
+ GNode *waveheadernode;
+
+ wavenode = g_node_new ((guint8 *) data);
+ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
+ const guint8 *waveheader;
+ guint32 headerlen;
+
+ waveheadernode =
+ qtdemux_tree_get_child_by_type (wavenode, fourcc);
+ if (waveheadernode) {
+ waveheader = (const guint8 *) waveheadernode->data;
+ headerlen = QT_UINT32 (waveheader);
+
+ if (headerlen > 8) {
+ gst_riff_strf_auds *header = NULL;
+ GstBuffer *headerbuf;
+ GstBuffer *extra;
+
+ waveheader += 8;
+ headerlen -= 8;
+
+ headerbuf = gst_buffer_new_and_alloc (headerlen);
+ gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
+
+ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
+ headerbuf, &header, &extra)) {
+ gst_caps_unref (entry->caps);
+ /* FIXME: Need to do something with the channel reorder map */
+ entry->caps =
+ gst_riff_create_audio_caps (header->format, NULL,
+ header, extra, NULL, NULL, NULL);
+
+ if (extra)
+ gst_buffer_unref (extra);
+ g_free (header);
+ }
}
- }
- } else
- GST_DEBUG ("Didn't find waveheadernode for this codec");
+ } else
+ GST_DEBUG ("Didn't find waveheadernode for this codec");
+ }
+ g_node_destroy (wavenode);
}
- g_node_destroy (wavenode);
}
} else if (esds) {
gst_qtdemux_handle_esds (qtdemux, stream, entry, esds,
--
GitLab

32
CVE-2024-47546.patch Normal file
View File

@ -0,0 +1,32 @@
From bfebca8307ae79223616fd27e8b402118787d394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 19:16:19 +0300
Subject: [PATCH 11/12] qtdemux: Check for invalid atom length when extracting
Closed Caption data
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-243
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 4b9ce20ad37b..7731b2c2c93b 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -6193,7 +6193,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size,
goto invalid_cdat;
atom_length = QT_UINT32 (data);
fourcc = QT_FOURCC (data + 4);
- if (G_UNLIKELY (atom_length > size || atom_length == 8))
+ if (G_UNLIKELY (atom_length > size || atom_length <= 8))
goto invalid_cdat;
GST_DEBUG_OBJECT (stream->pad, "here");
--
GitLab

33
CVE-2024-47596.patch Normal file
View File

@ -0,0 +1,33 @@
From 519d86d9f36d80eb64148cd2d330b28a28be2755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 00:31:36 +0300
Subject: [PATCH 12/12] qtdemux: Add size check for parsing SMI / SEQH atom
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-244
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 7731b2c2c93b..5422e9f1d6f8 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11198,8 +11198,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux,
GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom "
" found, ignoring");
} else {
+ /* Note: The size does *not* include the fourcc and the size field itself */
seqh_size = QT_UINT32 (data + 4);
- if (seqh_size > 0) {
+ if (seqh_size > 0 && seqh_size <= size - 8) {
_seqh = gst_buffer_new_and_alloc (seqh_size);
gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
}
--
GitLab

44
CVE-2024-47597-1.patch Normal file
View File

@ -0,0 +1,44 @@
From 19359e2b2548927cbfd46a526d704cce5a65c2b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 10:38:50 +0300
Subject: [PATCH 09/12] qtdemux: Make sure there are enough offsets to read
when parsing samples
While this specific case is also caught when initializing co_chunk, the error
is ignored in various places and calling into the function would lead to out of
bounds reads if the error message doesn't cause the pipeline to be shut down
fast enough.
To avoid this, no matter what, make sure enough offsets are available when
parsing them. While this is potentially slower, the same is already done in the
non-chunks_are_samples case.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-245
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 127ed77f6dba..07272f38c421 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -10635,9 +10635,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n)
goto done;
}
- cur->offset =
- qt_atom_parser_get_offset_unchecked (&stream->co_chunk,
- stream->co_size);
+ if (!qt_atom_parser_get_offset (&stream->co_chunk,
+ stream->co_size, &cur->offset))
+ goto corrupt_file;
GST_LOG_OBJECT (qtdemux, "Created entry %d with offset "
"%" G_GUINT64_FORMAT, j, cur->offset);
--
GitLab

93
CVE-2024-47597-2.patch Normal file
View File

@ -0,0 +1,93 @@
From 7d3f221d8795cd6910f375774a50ffe7c19d0538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 10:39:30 +0300
Subject: [PATCH 10/12] qtdemux: Actually handle errors returns from various
functions instead of ignoring them
Ignoring them might cause the element to continue as if all is fine despite the
internal state being inconsistent. This can lead to all kinds of follow-up
issues, including memory safety issues.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-245
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index ba80392..f5ea797 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -4657,10 +4657,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux)
beach:
if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) {
/* digested all data, show what we have */
- qtdemux_prepare_streams (qtdemux);
+ ret = qtdemux_prepare_streams (qtdemux);
+ if (ret != GST_FLOW_OK)
+ return ret;
+
QTDEMUX_EXPOSE_LOCK (qtdemux);
ret = qtdemux_expose_streams (qtdemux);
QTDEMUX_EXPOSE_UNLOCK (qtdemux);
+ if (ret != GST_FLOW_OK)
+ return ret;
qtdemux->state = QTDEMUX_STATE_MOVIE;
GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)",
@@ -7275,13 +7280,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force)
gst_qtdemux_stream_concat (demux,
demux->old_streams, demux->active_streams);
- qtdemux_parse_moov (demux, data, demux->neededbytes);
+ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) {
+ ret = GST_FLOW_ERROR;
+ break;
+ }
qtdemux_node_dump (demux, demux->moov_node);
qtdemux_parse_tree (demux);
- qtdemux_prepare_streams (demux);
+ ret = qtdemux_prepare_streams (demux);
+ if (ret != GST_FLOW_OK)
+ break;
+
QTDEMUX_EXPOSE_LOCK (demux);
- qtdemux_expose_streams (demux);
+ ret = qtdemux_expose_streams (demux);
QTDEMUX_EXPOSE_UNLOCK (demux);
+ if (ret != GST_FLOW_OK)
+ break;
demux->got_moov = TRUE;
@@ -7372,8 +7385,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force)
/* in MSS we need to expose the pads after the first moof as we won't get a moov */
if (demux->mss_mode && !demux->exposed) {
QTDEMUX_EXPOSE_LOCK (demux);
- qtdemux_expose_streams (demux);
+ ret = qtdemux_expose_streams (demux);
QTDEMUX_EXPOSE_UNLOCK (demux);
+ if (ret != GST_FLOW_OK)
+ goto done;
}
gst_qtdemux_check_send_pending_segment (demux);
@@ -13350,8 +13365,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux)
/* parse the initial sample for use in setting the frame rate cap */
while (sample_num == 0 && sample_num < stream->n_samples) {
- if (!qtdemux_parse_samples (qtdemux, stream, sample_num))
+ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) {
+ ret = GST_FLOW_ERROR;
break;
+ }
++sample_num;
}
}
--
2.33.0

58
CVE-2024-47598.patch Normal file
View File

@ -0,0 +1,58 @@
From 5a9e80c01b4b49c6c7630a6d08b600114f38c0db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 15:50:54 +0300
Subject: [PATCH 04/12] qtdemux: Check sizes of stsc/stco/stts before trying to
merge entries
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-246
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 52d5a35c0ba0..dbd42817c00b 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -10040,6 +10040,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream)
return;
}
+ if (gst_byte_reader_get_remaining (&stream->stts) < 8) {
+ GST_DEBUG_OBJECT (qtdemux, "Too small stts");
+ return;
+ }
+
+ if (stream->stco.size < 8) {
+ GST_DEBUG_OBJECT (qtdemux, "Too small stco");
+ return;
+ }
+
+ if (stream->n_samples_per_chunk == 0) {
+ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk");
+ return;
+ }
+
/* Parse the stts to get the sample duration and number of samples */
gst_byte_reader_skip_unchecked (&stream->stts, 4);
stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts);
@@ -10051,6 +10066,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream)
GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration,
num_chunks);
+ if (gst_byte_reader_get_remaining (&stream->stsc) <
+ stream->n_samples_per_chunk * 3 * 4 +
+ (stream->n_samples_per_chunk - 1) * 4) {
+ GST_DEBUG_OBJECT (qtdemux, "Too small stsc");
+ return;
+ }
+
/* Now parse stsc, convert chunks into single samples and generate a
* new stsc, stts and stsz from this information */
gst_byte_writer_init (&stsc);
--
GitLab

95
CVE-2024-47599.patch Normal file
View File

@ -0,0 +1,95 @@
From 3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 16:22:19 +0300
Subject: [PATCH] jpegdec: Directly error out on negotiation failures
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-247
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040>
---
ext/jpeg/gstjpegdec.c | 22 ++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c
index 51bc2d14bf0e..7523419835ee 100644
--- a/ext/jpeg/gstjpegdec.c
+++ b/ext/jpeg/gstjpegdec.c
@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (GstJpegDec * dec, gint * clrspc)
}
#endif
-static void
+static gboolean
gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc,
gboolean interlaced)
{
GstVideoCodecState *outstate;
GstVideoInfo *info;
GstVideoFormat format;
+ gboolean res;
#ifdef JCS_EXTENSIONS
if (dec->format_convert) {
@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc,
height == GST_VIDEO_INFO_HEIGHT (info) &&
format == GST_VIDEO_INFO_FORMAT (info)) {
gst_video_codec_state_unref (outstate);
- return;
+ return TRUE;
}
gst_video_codec_state_unref (outstate);
}
@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc,
outstate =
gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format,
width, height, dec->input_state);
+ if (!outstate)
+ return FALSE;
switch (clrspc) {
case JCS_RGB:
@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc,
gst_video_codec_state_unref (outstate);
- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec));
+ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec));
GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor);
GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor);
+
+ return res;
}
static GstFlowReturn
@@ -1425,8 +1430,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame)
num_fields = 1;
}
- gst_jpeg_dec_negotiate (dec, width, output_height,
- dec->cinfo.jpeg_color_space, num_fields == 2);
+ if (!gst_jpeg_dec_negotiate (dec, width, output_height,
+ dec->cinfo.jpeg_color_space, num_fields == 2))
+ goto negotiation_failed;
state = gst_video_decoder_get_output_state (bdec);
ret = gst_video_decoder_allocate_output_frame (bdec, frame);
@@ -1558,6 +1564,12 @@ map_failed:
ret = GST_FLOW_ERROR;
goto exit;
}
+negotiation_failed:
+ {
+ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate"));
+ ret = GST_FLOW_NOT_NEGOTIATED;
+ goto exit;
+ }
decode_error:
{
gchar err_msg[JMSG_LENGTH_MAX];
--
GitLab

43
CVE-2024-47601-1.patch Normal file
View File

@ -0,0 +1,43 @@
From 395f2b3ffdc5e600b49e950f62df46e4ad2265ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 19:04:51 +0300
Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when
processing WavPack frames
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-249
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 2a3df8b6c512..4e546b439ccc 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -4042,11 +4042,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
}
gst_buffer_unmap (*buf, &map);
- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
+ size = gst_adapter_available (adapter);
+ if (size > 0) {
+ newbuf = gst_adapter_take_buffer (adapter, size);
+ gst_buffer_copy_into (newbuf, *buf,
+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ } else {
+ newbuf = NULL;
+ }
g_object_unref (adapter);
- gst_buffer_copy_into (newbuf, *buf,
- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
gst_buffer_unref (*buf);
*buf = newbuf;
--
GitLab

44
CVE-2024-47601-2.patch Normal file
View File

@ -0,0 +1,44 @@
From c20eff779d932fd1c1dbac1e62397578d8861241 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 19:06:03 +0300
Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing
the frame fails
Otherwise NULL buffers might be handled afterwards.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-249
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 4e546b439ccc..a35f79f02381 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -4988,6 +4988,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
if (stream->postprocess_frame) {
GST_LOG_OBJECT (demux, "running post process");
ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
+ if (ret != GST_FLOW_OK) {
+ gst_clear_buffer (&sub);
+ goto next_lace;
+ }
+
+ if (sub == NULL) {
+ GST_WARNING_OBJECT (demux,
+ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
+ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
+ stream_num);
+ goto next_lace;
+ }
}
/* At this point, we have a sub-buffer pointing at data within a larger
--
GitLab

35
CVE-2024-47602.patch Normal file
View File

@ -0,0 +1,35 @@
From 8aa1c185cf47042a0cc624ae3ff5b0545455fedf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 18:25:53 +0300
Subject: [PATCH] matroskademux: Check for big enough WavPack codec private
data before accessing it
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-250
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 2ed77b50d078..2a3df8b6c512 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3894,6 +3894,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint8 *buf_data, *data;
Wavpack4Header wvh;
+ if (!stream->codec_priv || stream->codec_priv_size < 2) {
+ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
+ return GST_FLOW_ERROR;
+ }
+
wvh.ck_id[0] = 'w';
wvh.ck_id[1] = 'v';
wvh.ck_id[2] = 'p';
--
GitLab

35
CVE-2024-47603.patch Normal file
View File

@ -0,0 +1,35 @@
From b84a0f326350989b81b95f55ef513fdaa16487fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 19:19:42 +0300
Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-251
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-ids.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-ids.c b/gst/matroska/matroska-ids.c
index f11b7c2ce31f..ba645f7306d9 100644
--- a/gst/matroska/matroska-ids.c
+++ b/gst/matroska/matroska-ids.c
@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data,
if (offset + length[i] > codec_data_size)
goto error;
- hdr = gst_buffer_new_memdup (p + offset, length[i]);
- gst_buffer_list_add (list, hdr);
+ if (length[i] > 0) {
+ hdr = gst_buffer_new_memdup (p + offset, length[i]);
+ gst_buffer_list_add (list, hdr);
+ }
offset += length[i];
}
--
GitLab

40
CVE-2024-47606.patch Normal file
View File

@ -0,0 +1,40 @@
From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 22:16:06 +0300
Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-166
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032>
---
gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index 5e3cb1b9e699..c2d8b5e0f134 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -8822,7 +8822,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
end -= 8;
while (buf < end) {
- gint size;
+ guint32 size;
guint32 type;
size = QT_UINT32 (buf);
@@ -8830,7 +8830,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
- if (buf + size > end || size <= 0)
+ if (end - buf < size || size < 8)
break;
buf += 8;
--
GitLab

49
CVE-2024-47613.patch Normal file
View File

@ -0,0 +1,49 @@
From 1d1c9d63be51d85f9b80f0c227d4b3469fee2534 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 2 Oct 2024 14:44:21 +0300
Subject: [PATCH] gdkpixbufdec: Check if initializing the video info actually
succeeded
Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
mapped.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-118
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041>
---
ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
index 5482998c0d60..de5f05496466 100644
--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
+++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter)
gst_video_info_init (&info);
- gst_video_info_set_format (&info, fmt, width, height);
+ if (!gst_video_info_set_format (&info, fmt, width, height))
+ goto format_not_supported;
info.fps_n = filter->in_fps_n;
info.fps_d = filter->in_fps_d;
caps = gst_video_info_to_caps (&info);
@@ -384,6 +385,12 @@ channels_not_supported:
("%d channels not supported", n_channels));
return GST_FLOW_ERROR;
}
+format_not_supported:
+ {
+ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
+ ("%d channels with %dx%d not supported", n_channels, width, height));
+ return GST_FLOW_ERROR;
+ }
no_buffer:
{
GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
--
GitLab

42
CVE-2024-47774.patch Normal file
View File

@ -0,0 +1,42 @@
From 0870e87c7c02e28e22a09a7de0c5b1e5bed68c14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 14:04:03 +0300
Subject: [PATCH] avisubtitle: Fix size checks and avoid overflows when
checking sizes
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-262
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043>
---
gst/avi/gstavisubtitle.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gst/avi/gstavisubtitle.c b/gst/avi/gstavisubtitle.c
index efc5f0405186..c816934da61c 100644
--- a/gst/avi/gstavisubtitle.c
+++ b/gst/avi/gstavisubtitle.c
@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf)
/* read 'name' of subtitle */
name_length = GST_READ_UINT32_LE (map.data + 5 + 2);
GST_LOG_OBJECT (sub, "length of name: %u", name_length);
- if (map.size <= 17 + name_length)
+ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length)
goto wrong_name_length;
name_utf8 =
@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf)
file_length = GST_READ_UINT32_LE (map.data + 13 + name_length);
GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length);
- if (map.size < (17 + name_length + file_length))
+ if (G_MAXUINT32 - 17 - name_length < file_length
+ || map.size < 17 + name_length + file_length)
goto wrong_total_length;
/* store this, so we can send it again after a seek; note that we shouldn't
--
GitLab

402
CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch Normal file
View File

@ -0,0 +1,402 @@
From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:00:57 +0300
Subject: [PATCH 1/7] wavparse: Check for short reads when parsing headers in
pull mode
And also return the actual flow return to the caller instead of always returning
GST_FLOW_ERROR.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-258, GHSL-2024-260
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 63 ++++++++++++++-----
1 file changed, 46 insertions(+), 17 deletions(-)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index d074f273c501..97d5591fae8f 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
return TRUE;
}
+static GstFlowReturn
+gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
+ GstBuffer ** buffer)
+{
+ GstFlowReturn res;
+
+ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
+ if (res != GST_FLOW_OK)
+ return res;
+
+ if (gst_buffer_get_size (*buffer) < size) {
+ gst_clear_buffer (buffer);
+ return GST_FLOW_EOS;
+ }
+
+ return res;
+}
+
static GstFlowReturn
gst_wavparse_stream_headers (GstWavParse * wav)
{
@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
+ gst_wavparse_pull_range_exact (wav, wav->offset, 8,
&buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
tag = GST_READ_UINT32_LE (map.data);
size = GST_READ_UINT32_LE (map.data + 4);
@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
gst_buffer_unref (buf);
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+ gst_wavparse_pull_range_exact (wav, wav->offset + 8,
data_size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_extract (buf, 0, &wav->fact, 4);
wav->fact = GUINT32_FROM_LE (wav->fact);
gst_buffer_unref (buf);
@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
gst_buffer_unref (buf);
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
- size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
+ &buf)) != GST_FLOW_OK)
+ goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
acid = (const gst_riff_acid *) map.data;
tempo = acid->tempo;
@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
gst_buffer_unref (buf);
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
+ gst_wavparse_pull_range_exact (wav, wav->offset, 12,
&buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_extract (buf, 8, &ltag, 4);
ltag = GUINT32_FROM_LE (ltag);
}
@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
buf = NULL;
if (data_size > 0) {
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset,
+ gst_wavparse_pull_range_exact (wav, wav->offset,
data_size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
}
}
if (data_size > 0) {
@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
buf = NULL;
wav->offset += 12;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset,
+ gst_wavparse_pull_range_exact (wav, wav->offset,
data_size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
data_size);
@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
gst_buffer_unref (buf);
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset,
+ gst_wavparse_pull_range_exact (wav, wav->offset,
data_size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
data_size)) {
@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
gst_buffer_unref (buf);
buf = NULL;
if ((res =
- gst_pad_pull_range (wav->sinkpad, wav->offset,
+ gst_wavparse_pull_range_exact (wav, wav->offset,
data_size, &buf)) != GST_FLOW_OK)
- goto header_read_error;
+ goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
data_size)) {
@@ -1797,6 +1815,17 @@ header_read_error:
("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
goto fail;
}
+header_pull_error:
+ {
+ if (res == GST_FLOW_EOS) {
+ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
+ gst_flow_get_name (res));
+ } else {
+ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
+ }
+ goto exit;
+ }
}
/*
--
GitLab
From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:09:43 +0300
Subject: [PATCH 2/7] wavparse: Make sure enough data for the tag list tag is
available before parsing
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-258
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 97d5591fae8f..21cb48c07eb3 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav)
case GST_RIFF_TAG_LIST:{
guint32 ltag;
+ /* Need at least the ltag */
+ if (size < 4)
+ goto exit;
+
if (wav->streaming) {
const guint8 *data = NULL;
--
GitLab
From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:15:27 +0300
Subject: [PATCH 3/7] wavparse: Fix parsing of acid chunk
Simply casting the bytes to a struct can lead to crashes because of unaligned
reads, and is also missing the endianness swapping that is necessary on big
endian architectures.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 21cb48c07eb3..6a0c44638ea2 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
break;
}
case GST_RIFF_TAG_acid:{
- const gst_riff_acid *acid = NULL;
- const guint data_size = sizeof (gst_riff_acid);
+ const guint data_size = 24;
gfloat tempo;
GST_INFO_OBJECT (wav, "Have acid chunk");
@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav)
break;
}
if (wav->streaming) {
+ const guint8 *data;
if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
goto exit;
}
gst_adapter_flush (wav->adapter, 8);
- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
- data_size);
- tempo = acid->tempo;
+ data = gst_adapter_map (wav->adapter, data_size);
+ tempo = GST_READ_FLOAT_LE (data + 20);
gst_adapter_unmap (wav->adapter);
} else {
GstMapInfo map;
@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
&buf)) != GST_FLOW_OK)
goto header_pull_error;
gst_buffer_map (buf, &map, GST_MAP_READ);
- acid = (const gst_riff_acid *) map.data;
- tempo = acid->tempo;
+ tempo = GST_READ_FLOAT_LE (map.data + 20);
gst_buffer_unmap (buf, &map);
}
/* send data as tags */
--
GitLab
From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:21:44 +0300
Subject: [PATCH 4/7] wavparse: Check that at least 4 bytes are available
before parsing cue chunks
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 6a0c44638ea2..5655ee3825ca 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
return TRUE;
}
+ if (size < 4) {
+ GST_WARNING_OBJECT (wav, "broken file %d", size);
+ return FALSE;
+ }
+
ncues = GST_READ_UINT32_LE (data);
if (size < 4 + ncues * 24) {
--
GitLab
From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:22:02 +0300
Subject: [PATCH 5/7] wavparse: Check that at least 32 bytes are available
before parsing smpl chunks
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-259
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 5655ee3825ca..8a04805ed427 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
{
guint32 note_number;
+ if (size < 32)
+ return FALSE;
+
/*
manufacturer_id = GST_READ_UINT32_LE (data);
product_id = GST_READ_UINT32_LE (data + 4);
--
GitLab
From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:27:27 +0300
Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size
The size does not include the 8 bytes tag and length, so an additional 8 bytes
must be removed here. 8 bytes are always available at this point because
otherwise the parsing of the tag and length right above would've failed.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-260
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 8a04805ed427..998cbb276dbf 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
}
/* Clip to upstream size if known */
- if (upstream_size > 0 && size + wav->offset > upstream_size) {
+ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
g_assert (upstream_size >= wav->offset);
- size = upstream_size - wav->offset;
+ g_assert (upstream_size - wav->offset >= 8);
+ size = upstream_size - wav->offset - 8;
}
/* wav is a st00pid format, we don't know for sure where data starts.
--
GitLab
From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:51:00 +0300
Subject: [PATCH 7/7] wavparse: Check size before reading ds64 chunk
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-261
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
gst/wavparse/gstwavparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
index 998cbb276dbf..958868de6d9e 100644
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
guint32 sampleCountLow, sampleCountHigh;
gst_buffer_map (buf, &map, GST_MAP_READ);
+ if (map.size < 6 * 4) {
+ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
+ map.size);
+ return FALSE;
+ }
dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
--
GitLab

36
CVE-2024-47834.patch Normal file
View File

@ -0,0 +1,36 @@
From 474eb62d85b65de1f4a9389d28e4a380a0bf1d7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 9 Oct 2024 11:52:52 -0400
Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM
caps
The original codec data buffer is owned by matroskademux and does not
necessarily live as long as the caps.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-280
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index a35f79f02381..afde4ee62897 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -7183,8 +7183,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext *
/* 18 is the waveformatex size */
if (size > 18) {
- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
- data + 18, size - 18, 0, size - 18, NULL, NULL);
+ codec_data = gst_buffer_new_memdup (data + 18, size - 18);
}
if (riff_audio_fmt)
--
GitLab

32
gstreamer1-plugins-good.spec
View File

@ -3,7 +3,7 @@
Name: gstreamer1-plugins-good
Version: 1.20.3
Release: 2
Release: 3
Summary: GStreamer plugins with good code and licensing
License: LGPLv2+
URL: http://gstreamer.freedesktop.org/
@ -11,6 +11,28 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin
Source1: gstreamer-good.appdata.xml
#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch
Patch0: CVE-2023-37327.patch
Patch1: CVE-2024-47606.patch
Patch2: CVE-2024-47599.patch
Patch3: CVE-2024-47613.patch
Patch4: CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch
Patch5: CVE-2024-47774.patch
Patch6: CVE-2024-47540.patch
Patch7: CVE-2024-47602.patch
Patch8: CVE-2024-47601-1.patch
Patch9: CVE-2024-47601-2.patch
Patch10: CVE-2024-47603.patch
Patch11: CVE-2024-47834.patch
Patch12: CVE-2024-47537.patch
Patch13: CVE-2024-47597-1.patch
Patch14: CVE-2024-47597-2.patch
Patch15: CVE-2024-47543.patch
Patch16: CVE-2024-47596.patch
Patch17: CVE-2024-47539.patch
Patch18: CVE-2024-47546.patch
Patch19: CVE-2024-47598.patch
Patch20: matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch
Patch21: qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch
Patch22: qtdemux-Fix-debug-output-during-trun-parsing.patch
BuildRequires: meson >= 0.48.0
BuildRequires: gcc
@ -176,6 +198,14 @@ install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml
%endif
%changelog
* Wed Dec 18 2024 yaoxin <yao_xin001@hoperun.com> - 1.20.3-3
- Fix cves:
CVE-2024-47606,CVE-2024-47599,CVE-2024-47613,CVE-2024-47775
CVE-2024-47776,CVE-2024-47777,CVE-2024-47778,CVE-2024-47774
CVE-2024-47540,CVE-2024-47602,CVE-2024-47601,CVE-2024-47603
CVE-2024-47834,CVE-2024-47537,CVE-2024-47597,CVE-2024-47543
CVE-2024-47596,CVE-2024-47539,CVE-2024-47546,CVE-2024-47598
* Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.20.3-2
- Fix CVE-2023-37327

27
matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch Normal file
View File

@ -0,0 +1,27 @@
From b7ad9a2c5d2b1d87a33dfd73b5e10b184b31a3d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 16:33:39 +0300
Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel
WavPack
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057>
---
gst/matroska/matroska-demux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 9e0de058e64a..2ed77b50d078 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3976,7 +3976,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- while (size > 12) {
+ while (size >= 12) {
flags = GST_READ_UINT32_LE (data);
data += 4;
size -= 4;
--
GitLab

32
qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch Normal file
View File

@ -0,0 +1,32 @@
From 0f4dae9b01fcc4ec3a16d2386dfac432e011465b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 18:41:39 +0300
Subject: [PATCH] qtdemux: Don't iterate over all trun entries if none of the
flags are set
Nothing would be printed anyway.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux_dump.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/gst/isomp4/qtdemux_dump.c b/gst/isomp4/qtdemux_dump.c
index 22da35e9e7ad..297b580ef038 100644
--- a/gst/isomp4/qtdemux_dump.c
+++ b/gst/isomp4/qtdemux_dump.c
@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth)
GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags);
}
+ /* Nothing to print below */
+ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS |
+ TR_COMPOSITION_TIME_OFFSETS)) == 0)
+ return TRUE;
+
for (i = 0; i < samples_count; i++) {
if (flags & TR_SAMPLE_DURATION) {
if (!gst_byte_reader_get_uint32_be (data, &sample_duration))
--
GitLab

69
qtdemux-Fix-debug-output-during-trun-parsing.patch Normal file
View File

@ -0,0 +1,69 @@
From cbd659c58f3236596a47b45a2afe6130139cf661 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 18:40:56 +0300
Subject: [PATCH] qtdemux: Fix debug output during trun parsing
Various integers are unsigned so print them as such. Also print the actual
allocation size if allocation fails, not only parts of it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
gst/isomp4/qtdemux.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index f71d04b..ba80392 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -3221,8 +3221,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
gint64 initial_offset;
gint32 min_ct = 0;
- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; "
- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
+ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; "
+ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
"decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration,
d_sample_size, d_sample_flags, *base_offset, decode_ts);
@@ -3250,7 +3250,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
/* note this is really signed */
if (!gst_byte_reader_get_int32_be (trun, &data_offset))
goto fail;
- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset);
+ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset);
/* default base offset = first byte of moof */
if (*base_offset == -1) {
GST_LOG_OBJECT (qtdemux, "base_offset at moof");
@@ -3272,7 +3272,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT,
*running_offset);
- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d",
+ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u",
data_offset, flags, samples_count);
if (flags & TR_FIRST_SAMPLE_FLAGS) {
@@ -3492,14 +3492,15 @@ fail:
}
out_of_memory:
{
- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples",
- stream->n_samples);
+ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples",
+ stream->n_samples, samples_count);
return FALSE;
}
index_too_big:
{
- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would "
- "be larger than %uMB (broken file?)", stream->n_samples,
+ GST_WARNING_OBJECT (qtdemux,
+ "not allocating index of %u + %u samples, would "
+ "be larger than %uMB (broken file?)", stream->n_samples, samples_count,
QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20);
return FALSE;
}
--
2.33.0