
[kirkstone,v2,5/9] gstreamer1.0-plugins-good: Fix multiple CVEs

Message ID 20250105054318.222154-5-vanusuri@mvista.com
State Under Review
Delegated to: Steve Sakoman
Series [kirkstone,v2,1/9] gstreamer1.0-plugins-base: Fix for multiple CVE's | expand

Commit Message

Vijay Anusuri Jan. 5, 2025, 5:43 a.m. UTC
From: Vijay Anusuri <vanusuri@mvista.com>

Fixes for below CVEs:
CVE-2024-47540
CVE-2024-47601
CVE-2024-47602
CVE-2024-47603
CVE-2024-47834

Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 ...2024-47540_47601_47602_47603_47834-1.patch | 56 +++++++++++++++++++
 ...2024-47540_47601_47602_47603_47834-2.patch | 31 ++++++++++
 ...2024-47540_47601_47602_47603_47834-3.patch | 39 +++++++++++++
 ...2024-47540_47601_47602_47603_47834-4.patch | 47 ++++++++++++++++
 ...2024-47540_47601_47602_47603_47834-5.patch | 48 ++++++++++++++++
 ...2024-47540_47601_47602_47603_47834-6.patch | 39 +++++++++++++
 ...2024-47540_47601_47602_47603_47834-7.patch | 40 +++++++++++++
 .../gstreamer1.0-plugins-good_1.20.7.bb       |  7 +++
 8 files changed, 307 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch

Patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
new file mode 100644
index 0000000000..865759916f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-1.patch
@@ -0,0 +1,56 @@ 
+From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:32:48 +0300
+Subject: [PATCH] matroskademux: Only unmap GstMapInfo in WavPack header
+ extraction error paths if previously mapped
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-197
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 9b3cf83adb87..35e60b71470d 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   GstMatroskaTrackAudioContext *audiocontext =
+       (GstMatroskaTrackAudioContext *) stream;
+   GstBuffer *newbuf = NULL;
+-  GstMapInfo map, outmap;
+   guint8 *buf_data, *data;
+   Wavpack4Header wvh;
+ 
+@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ 
+   if (audiocontext->channels <= 2) {
+     guint32 block_samples, tmp;
++    GstMapInfo outmap;
+     gsize size = gst_buffer_get_size (*buf);
+ 
+     if (size < 4) {
+       GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+-      gst_buffer_unmap (*buf, &map);
+       return GST_FLOW_ERROR;
+     }
+ 
+@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     *buf = newbuf;
+     audiocontext->wvpk_block_index += block_samples;
+   } else {
++    GstMapInfo map, outmap;
+     guint8 *outdata = NULL;
+     gsize buf_size, size;
+     guint32 block_samples, flags, crc;
+-- 
+GitLab
+
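Review bot: The `CVE:` trailer in this patch header lists all five CVE ids, and the same line is repeated in patches 2 to 7, while the upstream commit message here names a single advisory (GHSL-2024-197). Anyone auditing which backported change closes which CVE cannot tell from the headers, and dropping or reworking one patch later would silently leave a CVE marked as patched. If the per-commit mapping is known, narrowing each trailer to the id that commit addresses, or adding one header line that states the GHSL-to-CVE mapping, would make the series auditable. The nested `diff --git` line still carries the `subprojects/gst-plugins-good/` prefix while `---`/`+++` use `gst/matroska/`; that is harmless as long as the patch is applied from the `---`/`+++` paths, but worth a quick apply check.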
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
new file mode 100644
index 0000000000..04e3a9168a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-2.patch
@@ -0,0 +1,31 @@ 
+From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:33:39 +0300
+Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel
+ WavPack
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 35e60b71470d..583fbbe6e695 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     data += 4;
+     size -= 4;
+ 
+-    while (size > 12) {
++    while (size >= 12) {
+       flags = GST_READ_UINT32_LE (data);
+       data += 4;
+       size -= 4;
+-- 
+GitLab
+
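Review bot: The bound in `while (size >= 12)` is a bare number, and this commit message cites no issue or advisory, so the invariant the loop depends on is not stated anywhere a reader can check. Only the `flags` read is visible in the hunk; if the body goes on to read two more 32-bit fields before the payload (inferred, since the rest of the loop is outside the hunk), a comment such as `/* each block starts with three 32-bit fields: 12 bytes */` above the loop would document why 12 is the minimum. The payload-length check against the remaining `size` also lies outside the hunk and should be confirmed when reviewing the backport against 1.20.7.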
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
new file mode 100644
index 0000000000..de2bdc13cb
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-3.patch
@@ -0,0 +1,39 @@ 
+From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:25:53 +0300
+Subject: [PATCH] matroskademux: Check for big enough WavPack codec private
+ data before accessing it
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-250
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 583fbbe6e695..91e66fefc36a 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   guint8 *buf_data, *data;
+   Wavpack4Header wvh;
+ 
++  if (!stream->codec_priv || stream->codec_priv_size < 2) {
++    GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
++    return GST_FLOW_ERROR;
++  }
++
+   wvh.ck_id[0] = 'w';
+   wvh.ck_id[1] = 'v';
+   wvh.ck_id[2] = 'p';
+-- 
+GitLab
+
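Review bot: The threshold in `stream->codec_priv_size < 2` is unexplained, and the read it guards is not in the hunk, so a later change that reads more of `codec_priv` could outgrow the check unnoticed. A short comment on the new guard, for example `/* the header fields below read 2 bytes from codec_priv */` (adjusted to whatever the function really reads), would tie the bound to its consumer. The function body continues past the hunk, so it is worth confirming that no other access to `stream->codec_priv` in `gst_matroska_demux_add_wvpk_header` needs more than two bytes.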
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
new file mode 100644
index 0000000000..9bfbd07e1b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-4.patch
@@ -0,0 +1,47 @@ 
+From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:04:51 +0300
+Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when
+ processing WavPack frames
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c    | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 91e66fefc36a..98ed51e86a58 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+     }
+     gst_buffer_unmap (*buf, &map);
+ 
+-    newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++    size = gst_adapter_available (adapter);
++    if (size > 0) {
++      newbuf = gst_adapter_take_buffer (adapter, size);
++      gst_buffer_copy_into (newbuf, *buf,
++          GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++    } else {
++      newbuf = NULL;
++    }
+     g_object_unref (adapter);
+ 
+-    gst_buffer_copy_into (newbuf, *buf,
+-        GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+     gst_buffer_unref (*buf);
+     *buf = newbuf;
+ 
+-- 
+GitLab
+
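Review bot: When the adapter is empty the new `else` branch stores `NULL` in `newbuf` and then `*buf = newbuf;`, so the function can now hand a NULL buffer back to its caller; the return statement is outside the hunk, but nothing visible turns this case into an error code. That makes this patch safe only together with patch 5 of the series, which adds the `sub == NULL` check after `stream->postprocess_frame (...)`. A comment at the branch, e.g. `/* no WavPack blocks collected: *buf becomes NULL and the caller must skip this frame */`, would record the contract. Any other caller of `postprocess_frame` in the 1.20.7 tree should be checked for the same NULL handling.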
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
new file mode 100644
index 0000000000..0e13b8a1ca
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-5.patch
@@ -0,0 +1,48 @@ 
+From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:06:03 +0300
+Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing
+ the frame fails
+
+Otherwise NULL buffers might be handled afterwards.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index 98ed51e86a58..e0a4405dcefa 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
+       if (stream->postprocess_frame) {
+         GST_LOG_OBJECT (demux, "running post process");
+         ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
++        if (ret != GST_FLOW_OK) {
++          gst_clear_buffer (&sub);
++          goto next_lace;
++        }
++
++        if (sub == NULL) {
++          GST_WARNING_OBJECT (demux,
++              "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
++              " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
++              stream_num);
++          goto next_lace;
++        }
+       }
+ 
+       /* At this point, we have a sub-buffer pointing at data within a larger
+-- 
+GitLab
+
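Review bot: The two new branches treat a failed postprocess differently: `sub == NULL` logs a warning with timestamp and stream number, while `ret != GST_FLOW_OK` drops the buffer and jumps to `next_lace` with no message at this level. A `GST_WARNING_OBJECT` in the first branch as well, or a comment saying that the postprocess callback has already logged the failure, would make dropped laces traceable when debugging a malformed file. The `next_lace` label and the handling of `ret` after the jump are outside the hunk, so whether the non-OK value is propagated or overwritten by the next lace should be confirmed there. A comment on the second check such as `/* postprocess may return OK but leave no buffer, e.g. WavPack with no blocks */` would also explain why it is needed.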
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
new file mode 100644
index 0000000000..3c661e92f7
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-6.patch
@@ -0,0 +1,39 @@ 
+From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:19:42 +0300
+Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-251
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c b/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c
+index f11b7c2ce31f..ba645f7306d9 100644
+--- a/gst/matroska/matroska-ids.c
++++ b/gst/matroska/matroska-ids.c
+@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data,
+     if (offset + length[i] > codec_data_size)
+       goto error;
+ 
+-    hdr = gst_buffer_new_memdup (p + offset, length[i]);
+-    gst_buffer_list_add (list, hdr);
++    if (length[i] > 0) {
++      hdr = gst_buffer_new_memdup (p + offset, length[i]);
++      gst_buffer_list_add (list, hdr);
++    }
+ 
+     offset += length[i];
+   }
+-- 
+GitLab
+
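Review bot: With the new `if (length[i] > 0)` guard the returned buffer list can hold fewer entries than the number of headers declared in the codec data, and nothing in the hunk signals that to the caller. Callers that iterate the list are unaffected, but any caller that assumes a fixed header count or indexes by position (not visible here) would now read past the end of a shorter list. A comment stating the new contract, e.g. `/* zero-sized headers are skipped, so the list may be shorter than the declared header count */`, and a check of the callers in the 1.20.7 tree would close that gap. The function's start and its `error` label are outside the hunk.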
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch
new file mode 100644
index 0000000000..1341491873
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47540_47601_47602_47603_47834-7.patch
@@ -0,0 +1,40 @@ 
+From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:52:52 -0400
+Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM
+ caps
+
+The original codec data buffer is owned by matroskademux and does not
+necessarily live as long as the caps.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-280
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee]
+CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c
+index e0a4405dcefa..80da30673120 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext *
+ 
+       /* 18 is the waveformatex size */
+       if (size > 18) {
+-        codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
+-            data + 18, size - 18, 0, size - 18, NULL, NULL);
++        codec_data = gst_buffer_new_memdup (data + 18, size - 18);
+       }
+ 
+       if (riff_audio_fmt)
+-- 
+GitLab
+
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
index 0daae0b519..f57797d236 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -20,6 +20,13 @@  SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
            file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-11.patch \
            file://CVE-2024-47537_47539_47543_47544_47545_47546_47596_47597_47598-12.patch \
            file://CVE-2024-47599.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-1.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-2.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-3.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-4.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-5.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-6.patch \
+           file://CVE-2024-47540_47601_47602_47603_47834-7.patch \
            "
 
 SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"