new file mode 100644
@@ -0,0 +1,35 @@
+From 7eb26b198beffecdba4dbb64299f9cb09a9181d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:35:07 +0300
+Subject: [PATCH] vorbisdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-115
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8047>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7eb26b198beffecdba4dbb64299f9cb09a9181d6]
+CVE: CVE-2024-47538
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+index 6a410ed858ca..1fc4fa883e68 100644
+--- a/ext/vorbis/gstvorbisdec.c
++++ b/ext/vorbis/gstvorbisdec.c
+@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
+ }
+ default:{
+ GstAudioChannelPosition position[64];
+- gint i, max_pos = MAX (vd->vi.channels, 64);
++ gint i, max_pos = MIN (vd->vi.channels, 64);
+
+ GST_ELEMENT_WARNING (vd, STREAM, DECODE,
+ (NULL), ("Using NONE channel layout for more than 8 channels"));
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,38 @@
+From 7108073b5be73eb2482eb8494745962b8c0571f1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:40:44 +0300
+Subject: [PATCH] ssaparse: Search for closing brace after opening brace
+
+Otherwise removing anything between the braces leads to out of bound writes if
+there is a closing brace before the first opening brace.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-228
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8048>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7108073b5be73eb2482eb8494745962b8c0571f1]
+CVE: CVE-2024-47541
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index 42fbb42b99fe..37b892e92843 100644
+--- a/gst/subparse/gstssaparse.c
++++ b/gst/subparse/gstssaparse.c
+@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+ gboolean removed_any = FALSE;
+
+ while ((t = strchr (txt, '{'))) {
+- end = strchr (txt, '}');
++ end = strchr (t, '}');
+ if (end == NULL) {
+ GST_WARNING_OBJECT (parse, "Missing { for style override code");
+ return removed_any;
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,99 @@
+From b66cf81e99ab9f400b6aea79a4b597c5ddac324d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:36:19 +0300
+Subject: [PATCH] ssaparse: Don't use strstr() on strings that are potentially
+ not NULL-terminated
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8048>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b66cf81e99ab9f400b6aea79a4b597c5ddac324d]
+CVE: CVE-2024-47541
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst/subparse/gstssaparse.c | 36 ++++++++++++++++++-
+ subprojects/gst-plugins-base/meson.build | 1 +
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index 37b892e92843..c162a542f581 100644
+--- a/gst/subparse/gstssaparse.c
++++ b/gst/subparse/gstssaparse.c
+@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ return res;
+ }
+
++#ifndef HAVE_MEMMEM
++// memmem() is a GNU extension so if it's not available we'll need
++// our own implementation here. Thanks C.
++static void *
++my_memmem (const void *haystack, size_t haystacklen, const void *needle,
++ size_t needlelen)
++{
++ const guint8 *cur, *end;
++
++ if (needlelen > haystacklen)
++ return NULL;
++ if (needlelen == 0)
++ return (void *) haystack;
++
++
++ cur = haystack;
++ end = cur + haystacklen - needlelen;
++
++ for (; cur <= end; cur++) {
++ if (memcmp (cur, needle, needlelen) == 0)
++ return (void *) cur;
++ }
++
++ return NULL;
++}
++#else
++#define my_memmem memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+ {
+@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+ const GValue *val;
+ GstStructure *s;
+ const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF };
++ const guint8 header[] = "[Script Info]";
+ const gchar *end;
+ GstBuffer *priv;
+ GstMapInfo map;
+@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+ left -= 3;
+ }
+
+- if (!strstr (ptr, "[Script Info]"))
++ if (!my_memmem (ptr, left, header, sizeof (header) - 1))
+ goto invalid_init;
+
+ if (!g_utf8_validate (ptr, left, &end)) {
+@@ -231,6 +261,10 @@ invalid_init:
+ }
+ }
+
++#ifdef my_memmem
++#undef my_memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+ {
+diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build
+index 65c5d944d30f..91f2b77aec23 100644
+--- a/meson.build
++++ b/meson.build
+@@ -197,6 +197,7 @@ check_functions = [
+ ['HAVE_LRINTF', 'lrintf', '#include<math.h>'],
+ ['HAVE_MMAP', 'mmap', '#include<sys/mman.h>'],
+ ['HAVE_LOG2', 'log2', '#include<math.h>'],
++ ['HAVE_MEMMEM', 'memmem', '#include<string.h>'],
+ ]
+
+ libm = cc.find_library('m', required : false)
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,64 @@
+From 921d8daa00c329932616dd5d197b601a7e271e79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data
+ is available
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8045>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/921d8daa00c329932616dd5d197b601a7e271e79]
+CVE: CVE-2024-47542
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+index 7db2cb7e12b6..70f975d13374 100644
+--- a/gst-libs/gst/tag/id3v2.c
++++ b/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+
+ #define HANDLE_INVALID_SYNCSAFE
+
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+
+ #ifndef GST_DISABLE_GST_DEBUG
+
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+ GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+ }
+
+- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
++ id3v2_frames_to_tag_list (&work);
+
+ g_free (uu_data);
+
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
+ }
+
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
++id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+ guint frame_hdr_size;
+
+ /* Extended header if present */
+ if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
++ if (work->hdr.frame_data_size < 4) {
++ GST_DEBUG ("Tag has no extended header data. Broken tag");
++ return FALSE;
++ }
++
+ work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+
+ /* In id3v2.4.x the header size is the size of the *whole*
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,38 @@
+From 5b205225e2c6a19ddcace350fdc18a0edf87bcb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:19:30 +0300
+Subject: [PATCH] discoverer: Don't print channel layout for more than 64
+ channels
+
+64+ channels are always unpositioned / unknown layout.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-248
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8046>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5b205225e2c6a19ddcace350fdc18a0edf87bcb5]
+CVE: CVE-2024-47600
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c
+index b042be535d15..6028fc71c9d0 100644
+--- a/tools/gst-discoverer.c
++++ b/tools/gst-discoverer.c
+@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo)
+
+ channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo);
+
+- if (channel_mask != 0) {
++ if (channel_mask != 0 && channels <= 64) {
+ gst_audio_channel_positions_from_mask (channels, channel_mask, position);
+
+ for (i = 0; i < channels; i++) {
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,41 @@
+From 804eca458fb547942ed70b88c021b996be9228a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 1 Oct 2024 13:22:50 +0300
+Subject: [PATCH] opusdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-116
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8049>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/804eca458fb547942ed70b88c021b996be9228a2]
+CVE: CVE-2024-47607
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+index 99289fa7d223..d3f461d9a821 100644
+--- a/ext/opus/gstopusdec.c
++++ b/ext/opus/gstopusdec.c
+@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
+ posn = gst_opus_channel_positions[dec->n_channels - 1];
+ break;
+ default:{
+- gint i;
++ guint i, max_pos = MIN (dec->n_channels, 64);
+
+ GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
+ (NULL), ("Using NONE channel layout for more than 8 channels"));
+
+- for (i = 0; i < dec->n_channels; i++)
++ for (i = 0; i < max_pos; i++)
+ pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+
+ posn = pos;
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,79 @@
+From 30fa21ac45ef5dad2fef0d98f0e7130c75f0b628 Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 15:16:30 +0200
+Subject: [PATCH] vorbis_parse: check writes to GstOggStream.vorbis_mode_sizes
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-117 Fixes gstreamer#3875
+
+Also perform out-of-bounds check for accesses to op->packet
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8050>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/30fa21ac45ef5dad2fef0d98f0e7130c75f0b628]
+CVE: CVE-2024-47615
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+index 65ef463808e1..757c7cd82b8d 100644
+--- a/ext/ogg/vorbis_parse.c
++++ b/ext/ogg/vorbis_parse.c
+@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ if (offset == 0) {
+ offset = 8;
+ current_pos -= 1;
++
++ /* have we underrun? */
++ if (current_pos < op->packet)
++ return -1;
+ }
+ }
+
+@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ if (offset == 7)
+ current_pos -= 1;
+
++ /* have we underrun? */
++ if (current_pos < op->packet + 5)
++ return -1;
++
+ if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
+ ||
+ current_pos[-4] != 0
+@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ /* Give ourselves a chance to recover if we went back too far by using
+ * the size check. */
+ for (ii = 0; ii < 2; ii++) {
++
+ if (offset > 4) {
++ /* have we underrun? */
++ if (current_pos < op->packet)
++ return -1;
++
+ size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
+ } else {
++ /* have we underrun? */
++ if (current_pos < op->packet + 1)
++ return -1;
++
+ /* mask part of byte from current_pos */
+ size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
+ /* shift to appropriate position */
+@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+
+ mode_size_ptr = pad->vorbis_mode_sizes;
+
++ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
++ return -1;
++ }
++
+ for (i = 0; i < size; i++) {
+ offset = (offset + 1) % 8;
+ if (offset == 0)
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,168 @@
+From c94c44ce497d285ebcfe866b9faaae9c66c81132 Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 16:52:51 +0200
+Subject: [PATCH] oggstream: review and fix per-format min_packet_size
+
+This addresses all manually detected invalid reads in setup functions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8050>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c94c44ce497d285ebcfe866b9faaae9c66c81132]
+CVE: CVE-2024-47615
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-base/ext/ogg/gstoggstream.c | 40 ++++++-------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+index a8883304a5c0..ab6be238dc48 100644
+--- a/ext/ogg/gstoggstream.c
++++ b/ext/ogg/gstoggstream.c
+@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+ gint width, height, par_n, par_d, fps_n, fps_d;
+
+- if (packet->bytes < 26) {
+- GST_DEBUG ("Failed to parse VP8 BOS page");
+- return FALSE;
+- }
+-
+ width = GST_READ_UINT16_BE (packet->packet + 8);
+ height = GST_READ_UINT16_BE (packet->packet + 10);
+ par_n = GST_READ_UINT24_BE (packet->packet + 12);
+@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+ gint64 prestime_n, prestime_d;
+ gint64 basetime_n, basetime_d;
+
+- if (packet->bytes < 44) {
+- GST_DEBUG ("Not enough data for fishead header");
+- return FALSE;
+- }
+-
+ data = packet->packet;
+
+ data += 8; /* header */
+@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+ pad->prestime = -1;
+
+ /* Ogg Skeleton 3.3+ streams provide additional information in the header */
+- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
+- && pad->skeleton_minor > 0) {
++ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
++ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
+ gint64 firstsampletime_n, firstsampletime_d;
+ gint64 lastsampletime_n, lastsampletime_d;
+ gint64 firstsampletime, lastsampletime;
+@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+
+ GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
+ GST_TIME_ARGS (pad->total_time));
+- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
++ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
+ && pad->skeleton_major == 4) {
+ guint64 segment_length, content_offset;
+
+@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
+ guint8 *data = packet->packet;
+ const char *category;
+
+- if (packet->bytes < 64)
+- return FALSE;
+-
+ pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
+ pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
+ pad->granuleshift = GST_READ_UINT8 (data + 15);
+@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+ GstBuffer *buffer;
+
+- if (packet->bytes < 19)
+- return FALSE;
+-
+ pad->granulerate_n = 48000;
+ pad->granulerate_d = 1;
+ pad->granuleshift = 0;
+@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "\001vorbis", 7, 22,
++ "\001vorbis", 7, 29,
+ "audio/x-vorbis",
+ setup_vorbis_mapper,
+ NULL,
+@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "PCM ", 8, 0,
++ "PCM ", 8, 28,
+ "audio/x-raw",
+ setup_pcm_mapper,
+ NULL,
+@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "CMML\0\0\0\0", 8, 0,
++ "CMML\0\0\0\0", 8, 29,
+ "text/x-cmml",
+ setup_cmml_mapper,
+ NULL,
+@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "Annodex", 7, 0,
++ "Annodex", 7, 44,
+ "application/x-annodex",
+ setup_fishead_mapper,
+ NULL,
+@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "CELT ", 8, 0,
++ "CELT ", 8, 60,
+ "audio/x-celt",
+ setup_celt_mapper,
+ NULL,
+@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "\200kate\0\0\0", 8, 0,
++ "\200kate\0\0\0", 8, 64,
+ "text/x-kate",
+ setup_kate_mapper,
+ NULL,
+@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "OVP80\1\1", 7, 4,
++ "OVP80\1\1", 7, 26,
+ "video/x-vp8",
+ setup_vp8_mapper,
+ setup_vp8_mapper_from_caps,
+@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
+ update_stats_vp8
+ },
+ {
+- "OpusHead", 8, 0,
++ "OpusHead", 8, 19,
+ "audio/x-opus",
+ setup_opus_mapper,
+ NULL,
+@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
+ NULL
+ },
+ {
+- "\001text\0\0\0", 9, 9,
++ "\001text\0\0\0", 9, 25,
+ "application/x-ogm-text",
+ setup_ogmtext_mapper,
+ NULL,
+--
+GitLab
+
new file mode 100644
@@ -0,0 +1,39 @@
+From 1a5fdba14a1ccfe473bc4429f22ee5bbaee034eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:23:47 -0400
+Subject: [PATCH] subparse: Check for NULL return of strchr() when parsing LRC
+ subtitles
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-263
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8051>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1a5fdba14a1ccfe473bc4429f22ee5bbaee034eb]
+CVE: CVE-2024-47835
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 994cf62d1acc..4fe43d91003f 100644
+--- a/gst/subparse/gstsubparse.c
++++ b/gst/subparse/gstsubparse.c
+@@ -1066,6 +1066,11 @@ parse_lrc (ParserState * state, const gchar * line)
+ return NULL;
+
+ start = strchr (line, ']');
++ // sscanf() does not check for the trailing ] but only up to the last
++ // placeholder, so there might be no ] at the end.
++ if (!start)
++ return NULL;
++
+ if (start - line == 9)
+ milli = 10;
+ else
+--
+GitLab
+
@@ -11,6 +11,15 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
file://0003-viv-fb-Make-sure-config.h-is-included.patch \
file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \
file://CVE-2024-4453.patch \
+ file://CVE-2024-47538.patch \
+ file://CVE-2024-47541-1.patch \
+ file://CVE-2024-47541-2.patch \
+ file://CVE-2024-47542.patch \
+ file://CVE-2024-47600.patch \
+ file://CVE-2024-47607.patch \
+ file://CVE-2024-47615-1.patch \
+ file://CVE-2024-47615-2.patch \
+ file://CVE-2024-47835.patch \
"
SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"