From patchwork Thu Jan 2 13:33:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54904 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A988E77188 for ; Thu, 2 Jan 2025 13:33:39 +0000 (UTC) Received: from mail-io1-f44.google.com (mail-io1-f44.google.com [209.85.166.44]) by mx.groups.io with SMTP id smtpd.web10.8083.1735824817770193128 for ; Thu, 02 Jan 2025 05:33:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=DGiCJ8/R; spf=pass (domain: mvista.com, ip: 209.85.166.44, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f44.google.com with SMTP id ca18e2360f4ac-844e7bc6d84so442593239f.0 for ; Thu, 02 Jan 2025 05:33:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824816; x=1736429616; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=wCmwVGNadkGI+6oIZUuLeiZBGWmH0w9ugx2Q99EQcsM=; b=DGiCJ8/RXHt6nhroVPY380BBCqsIcnXheeSvYV0FolFoGEtV9Ci/P53EnkX4p3kD16 yRGKOv7KrkYzhyIt92Jesu+Zkibflrsh+zNVBYFvxIuU87sMrwPHpoJ22Q3WMzCG8kbN dw/WLpR5pr7do2XQQrxvOZVFKGpatcD+oAuNM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824816; x=1736429616; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wCmwVGNadkGI+6oIZUuLeiZBGWmH0w9ugx2Q99EQcsM=; b=UJe3fqTcu8T2ym8/nbKeFBp594bDFbLxE8akWqJ9zzIuBWXwl3sUclg1MCo+Kr0aLR U8bRfv3sofV+W7XJ64yAhQ9FaVY1E9WJDPcx2WHmZff3dsIGcxPANWzEHphZcjf+waVf +fKNTpqOHH0WPtg3Dd3zJobhgH8FOnkfHQdhS1Xopk0/u1yUY/P99FltegLH7MLVi3wi FSq4TthgGFj67vTDM73l7BWJj94lHg/EuocGNQZoyvzyenaANsvcwHSjpFnwxUmacJkm TEaYtxCi8HC97hgxZwmjFn/3PuvB8+E+YKezEo5P+hYbGNL2Ce7zSNdXGR9N187OUZsW +diQ== X-Gm-Message-State: AOJu0YzT/zJ2XGCiyV530K4lkkSSSefT8k/uMgPeBGOaP6n46rIFBbp1 4BlXOc+zA1etkL2u/0AUyBv39IcrJqBvCOMN6KJoe3EnHXEqBhxOG0eVRdhjKavtJgaYh7n6dwu qpWw= X-Gm-Gg: ASbGnctepB4lwXuQiAAIft1KxYCiWb6ObdR4VTzD03b1iZ+BK5DoVdZ2qL+2tsbY53e 4N28LKeyMGXfV5DXECcLdeC38ylp6aMrihW8mnUUiCfyX5py56aKQPsxeumrNkHeSJUBSOwnB03 QkCyN2pPfqQeEOTfI2oU0QvmS9vQ4Ng8Z8ettLFnG+BYmUTyRnwVkVKq629y/RjUoiQ5H1ytyIY oacmgsDWLfnlNlGbzymXXJmr/BWZEXF94t7JzV2mwD3Q+kymCbI3qKQSybvEAObW5TaLs8= X-Google-Smtp-Source: AGHT+IFIoqZsqL0Cbp11T0CU4W/tOeogI1zDQgEbCnsODnut+s7cArBoyceUBW4CIaSHM1Av50q1AA== X-Received: by 2002:a5e:dc48:0:b0:83a:943d:a280 with SMTP id ca18e2360f4ac-849885adfbemr3282791839f.1.1735824815596; Thu, 02 Jan 2025 05:33:35 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.33.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:33:33 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 1/7] gstreamer1.0-plugins-good: fix several CVEs Date: Thu, 2 Jan 2025 19:03:12 +0530 Message-Id: <20250102133318.642859-1-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:33:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209303 From: Vijay Anusuri Fixes for below CVEs: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 Signed-off-by: Vijay Anusuri --- ...o-sized-boxes-instead-of-stopping-to.patch | 124 +++++ ...ger-overflow-when-allocating-the-sam.patch | 64 +++ ...Fix-debug-output-during-trun-parsing.patch | 73 +++ ...erate-over-all-trun-entries-if-none-.patch | 36 ++ ...zes-of-stsc-stco-stts-before-trying-.patch | 63 +++ ...e-only-an-even-number-of-bytes-is-pr.patch | 44 ++ ...e-enough-data-is-available-before-re.patch | 120 +++++ ...th-checks-and-offsets-in-stsd-entry-.patch | 449 ++++++++++++++++++ ...r-handling-when-parsing-cenc-sample-.patch | 56 +++ ...e-there-are-enough-offsets-to-read-w.patch | 49 ++ ...-handle-errors-returns-from-various-.patch | 97 ++++ ...r-invalid-atom-length-when-extractin.patch | 36 ++ ...size-check-for-parsing-SMI-SEQH-atom.patch | 37 ++ .../gstreamer1.0-plugins-good_1.20.7.bb | 13 + 14 files changed, 1261 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch new file mode 100644 index 0000000000..8af25e73fd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch @@ -0,0 +1,124 @@ +From d4bab55077c6a77bd80cb12a8b0d28020ef412a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 24 Sep 2024 09:50:34 +0300 +Subject: [PATCH] qtdemux: Skip zero-sized boxes instead of stopping to look at + further boxes + +A zero-sized box is not really a problem and can be skipped to look at any +possibly following ones. + +BMD ATEM devices specifically write a zero-sized bmdc box in the sample +description, followed by the avcC box in case of h264. Previously the avcC box +would simply not be read at all and the file would be unplayable. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d4bab55077c6a77bd80cb12a8b0d28020ef412a9] +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 54 ++++++++++++------- + 1 file changed, 36 insertions(+), 18 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 32df6eeb85c1..5e5c21758058 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -12226,9 +12226,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ avc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (avc_data + 0x4)) { + case FOURCC_avcC: +@@ -12343,9 +12346,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ hevc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (hevc_data + 0x4)) { + case FOURCC_hvcC: +@@ -12767,9 +12773,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vc1_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (vc1_data + 0x4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): +@@ -12809,9 +12818,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ av1_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (av1_data + 0x4)) { + case FOURCC_av1C: +@@ -12919,9 +12931,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 0x8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ vpcc_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (vpcc_data + 0x4)) { + case FOURCC_vpcC: +@@ -13421,9 +13436,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + else + size = len - 8; + +- if (size < 1) +- /* No real data, so break out */ +- break; ++ /* No real data, so skip */ ++ if (size < 1) { ++ len -= 8; ++ wfex_data += 8; ++ continue; ++ } + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch new file mode 100644 index 0000000000..ded7e1b1c5 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch @@ -0,0 +1,64 @@ +From c3a2af94c652513ac1b1858295688ac88c5cc737 Mon Sep 17 00:00:00 2001 +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: [PATCH] qtdemux: Fix integer overflow when allocating the samples + table for fragmented MP4 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 +CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index de8fae8b02ee..2fb5b2b014db 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3364,6 +3364,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3475,14 +3476,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3491,7 +3491,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* or try to reallocate it with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch new file mode 100644 index 0000000000..8c17c548df --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch @@ -0,0 +1,73 @@ +From 812f175c580a2e702581859fd481c8f51d633508 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:40:56 +0300 +Subject: [PATCH] qtdemux: Fix debug output during trun parsing + +Various integers are unsigned so print them as such. Also print the actual +allocation size if allocation fails, not only parts of it. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/812f175c580a2e702581859fd481c8f51d633508] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + gst/isomp4/qtdemux.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index e012ce1..0111912 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3228,8 +3228,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint64 initial_offset; + gint32 min_ct = 0; + +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", " ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", " + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, + d_sample_size, d_sample_flags, *base_offset, decode_ts); + +@@ -3257,7 +3257,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* note this is really signed */ + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) + goto fail; +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); + /* default base offset = first byte of moof */ + if (*base_offset == -1) { + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); +@@ -3279,7 +3279,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, + *running_offset); +- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d", ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", + data_offset, flags, samples_count); + + if (flags & TR_FIRST_SAMPLE_FLAGS) { +@@ -3499,14 +3499,15 @@ fail: + } + out_of_memory: + { +- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", +- stream->n_samples); ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", ++ stream->n_samples, samples_count); + return FALSE; + } + index_too_big: + { +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would " +- "be larger than %uMB (broken file?)", stream->n_samples, ++ GST_WARNING_OBJECT (qtdemux, ++ "not allocating index of %u + %u samples, would " ++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count, + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); + return FALSE; + } +-- +2.25.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch new file mode 100644 index 0000000000..217387a4cd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch @@ -0,0 +1,36 @@ +From eb7f9331c2294bc28a549b79c9f931c3e6c6bc44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:41:39 +0300 +Subject: [PATCH] qtdemux: Don't iterate over all trun entries if none of the + flags are set + +Nothing would be printed anyway. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eb7f9331c2294bc28a549b79c9f931c3e6c6bc44] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c +index 22da35e9e7ad..297b580ef038 100644 +--- a/gst/isomp4/qtdemux_dump.c ++++ b/gst/isomp4/qtdemux_dump.c +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth) + GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags); + } + ++ /* Nothing to print below */ ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) ++ return TRUE; ++ + for (i = 0; i < samples_count; i++) { + if (flags & TR_SAMPLE_DURATION) { + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch new file mode 100644 index 0000000000..8b5bddbf5b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch @@ -0,0 +1,63 @@ +From 1def2965d8da8cc74ab0036d7f8d59e81e676cad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 15:50:54 +0300 +Subject: [PATCH] qtdemux: Check sizes of stsc/stco/stts before trying to merge + entries + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-246 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1def2965d8da8cc74ab0036d7f8d59e81e676cad] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 0996292d0789..c14d939ee3c9 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10033,6 +10033,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + return; + } + ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); ++ return; ++ } ++ ++ if (stream->stco.size < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); ++ return; ++ } ++ ++ if (stream->n_samples_per_chunk == 0) { ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); ++ return; ++ } ++ + /* Parse the stts to get the sample duration and number of samples */ + gst_byte_reader_skip_unchecked (&stream->stts, 4); + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); +@@ -10044,6 +10059,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration, + num_chunks); + ++ if (gst_byte_reader_get_remaining (&stream->stsc) < ++ stream->n_samples_per_chunk * 3 * 4 + ++ (stream->n_samples_per_chunk - 1) * 4) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); ++ return; ++ } ++ + /* Now parse stsc, convert chunks into single samples and generate a + * new stsc, stts and stsz from this information */ + gst_byte_writer_init (&stsc); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch new file mode 100644 index 0000000000..02d9cb278c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch @@ -0,0 +1,44 @@ +From 314945426c7105ad90f44a188037bc43bb3b0300 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: [PATCH] qtdemux: Make sure only an even number of bytes is processed + when handling CEA608 data + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index c14d939ee3c9..b9f466991adf 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -6145,6 +6145,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field, + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch new file mode 100644 index 0000000000..5ff18baa7e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch @@ -0,0 +1,120 @@ +From 8ef08a7a41da987aa630082df355ea651aa09132 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 14:17:02 +0300 +Subject: [PATCH] qtdemux: Make sure enough data is available before reading + wave header node + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-236 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8ef08a7a41da987aa630082df355ea651aa09132] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++--------- + 1 file changed, 45 insertions(+), 39 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index b9f466991adf..55ba59152c7a 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -13697,47 +13697,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } else { + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); + const guint8 *data = stsd_entry_data + offset + 16; +- GNode *wavenode; +- GNode *waveheadernode; +- +- wavenode = g_node_new ((guint8 *) data); +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { +- const guint8 *waveheader; +- guint32 headerlen; +- +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc); +- if (waveheadernode) { +- waveheader = (const guint8 *) waveheadernode->data; +- headerlen = QT_UINT32 (waveheader); +- +- if (headerlen > 8) { +- gst_riff_strf_auds *header = NULL; +- GstBuffer *headerbuf; +- GstBuffer *extra; +- +- waveheader += 8; +- headerlen -= 8; +- +- headerbuf = gst_buffer_new_and_alloc (headerlen); +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); +- +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), +- headerbuf, &header, &extra)) { +- gst_caps_unref (entry->caps); +- /* FIXME: Need to do something with the channel reorder map */ +- entry->caps = +- gst_riff_create_audio_caps (header->format, NULL, header, +- extra, NULL, NULL, NULL); +- +- if (extra) +- gst_buffer_unref (extra); +- g_free (header); ++ ++ if (len < datalen || len - datalen < offset + 16) { ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode"); ++ } else { ++ GNode *wavenode; ++ GNode *waveheadernode; ++ ++ wavenode = g_node_new ((guint8 *) data); ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { ++ const guint8 *waveheader; ++ guint32 headerlen; ++ ++ waveheadernode = ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); ++ if (waveheadernode) { ++ waveheader = (const guint8 *) waveheadernode->data; ++ headerlen = QT_UINT32 (waveheader); ++ ++ if (headerlen > 8) { ++ gst_riff_strf_auds *header = NULL; ++ GstBuffer *headerbuf; ++ GstBuffer *extra; ++ ++ waveheader += 8; ++ headerlen -= 8; ++ ++ headerbuf = gst_buffer_new_and_alloc (headerlen); ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); ++ ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), ++ headerbuf, &header, &extra)) { ++ gst_caps_unref (entry->caps); ++ /* FIXME: Need to do something with the channel reorder map */ ++ entry->caps = ++ gst_riff_create_audio_caps (header->format, NULL, ++ header, extra, NULL, NULL, NULL); ++ ++ if (extra) ++ gst_buffer_unref (extra); ++ g_free (header); ++ } + } +- } +- } else +- GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } else ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } ++ g_node_destroy (wavenode); + } +- g_node_destroy (wavenode); + } + } else if (esds) { + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch new file mode 100644 index 0000000000..41cf4c7d00 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch @@ -0,0 +1,449 @@ +From fe9d5d37234aca04fef7248184177168905a7a69 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:12:57 +0300 +Subject: [PATCH] qtdemux: Fix length checks and offsets in stsd entry parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-242 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe9d5d37234aca04fef7248184177168905a7a69] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 218 +++++++----------- + 1 file changed, 79 insertions(+), 139 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 55ba59152c7a..fb157552eb75 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -12237,43 +12237,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_avc1: + case FOURCC_avc3: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *avc_data = stsd_entry_data + 0x56; + + /* find avcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (avc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (avc_data) <= len) +- size = QT_UINT32 (avc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (avc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- avc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (avc_data + 0x4)) { ++ switch (QT_FOURCC (avc_data + 4)) { + case FOURCC_avcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are profile_tier_level structure like data. */ + gst_codec_utils_h264_caps_set_level_and_profile (entry->caps, +- avc_data + 8 + 1, size - 1); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 0x8, size); ++ avc_data + 8 + 1, size - 8 - 1); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12284,6 +12276,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + { + GstBuffer *buf; + ++ if (size < 8 + 40 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes +@@ -12291,17 +12286,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + +- size -= 40; /* we'll be skipping BITMAPINFOHEADER */ +- if (size > 1) { +- gst_codec_utils_h264_caps_set_level_and_profile +- (entry->caps, avc_data + 8 + 40 + 1, size - 1); ++ gst_codec_utils_h264_caps_set_level_and_profile ++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size); +- gst_caps_set_simple (entry->caps, +- "codec_data", GST_TYPE_BUFFER, buf, NULL); +- gst_buffer_unref (buf); +- } ++ buf = gst_buffer_new_and_alloc (size - 8 - 40); ++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40); ++ gst_caps_set_simple (entry->caps, ++ "codec_data", GST_TYPE_BUFFER, buf, NULL); ++ gst_buffer_unref (buf); + break; + } + case FOURCC_btrt: +@@ -12309,11 +12301,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + guint avg_bitrate, max_bitrate; + + /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */ +- if (size < 12) ++ if (size < 8 + 12) + break; + +- max_bitrate = QT_UINT32 (avc_data + 0xc); +- avg_bitrate = QT_UINT32 (avc_data + 0x10); ++ max_bitrate = QT_UINT32 (avc_data + 8 + 4); ++ avg_bitrate = QT_UINT32 (avc_data + 8 + 8); + + if (!max_bitrate && !avg_bitrate) + break; +@@ -12345,8 +12337,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- avc_data += size + 8; ++ len -= size; ++ avc_data += size; + } + + break; +@@ -12357,44 +12349,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + case FOURCC_dvh1: + case FOURCC_dvhe: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *hevc_data = stsd_entry_data + 0x56; + + /* find hevc */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (hevc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (hevc_data) <= len) +- size = QT_UINT32 (hevc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (hevc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- hevc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (hevc_data + 0x4)) { ++ switch (QT_FOURCC (hevc_data + 4)) { + case FOURCC_hvcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + gst_codec_utils_h265_caps_set_level_tier_and_profile +- (entry->caps, hevc_data + 8 + 1, size - 1); ++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, hevc_data + 0x8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12403,8 +12387,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- hevc_data += size + 8; ++ len -= size; ++ hevc_data += size; + } + break; + } +@@ -12784,36 +12768,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_vc_1: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *vc1_data = stsd_entry_data + 0x56; + + /* find dvc1 */ + while (len >= 8) { +- guint size; +- +- if (QT_UINT32 (vc1_data) <= 8) +- size = 0; +- else if (QT_UINT32 (vc1_data) <= len) +- size = QT_UINT32 (vc1_data) - 8; +- else +- size = len - 8; ++ guint32 size = QT_UINT32 (vc1_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vc1_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (vc1_data + 0x4)) { ++ switch (QT_FOURCC (vc1_data + 4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): + { + GstBuffer *buf; + + GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd"); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, vc1_data + 8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12822,36 +12795,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- vc1_data += size + 8; ++ len -= size; ++ vc1_data += size; + } + break; + } + case FOURCC_av01: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *av1_data = stsd_entry_data + 0x56; + + /* find av1C */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (av1_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (av1_data) <= len) +- size = QT_UINT32 (av1_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (av1_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- av1_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (av1_data + 0x4)) { ++ switch (QT_FOURCC (av1_data + 4)) { + case FOURCC_av1C: + { + /* parse, if found */ +@@ -12861,7 +12823,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "found av1C codec_data in stsd of size %d", size); + + /* not enough data, just ignore and hope for the best */ +- if (size < 4) ++ if (size < 8 + 4) + break; + + /* Content is: +@@ -12910,9 +12872,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + (gint) (pres_delay_field & 0x0F) + 1, NULL); + } + +- buf = gst_buffer_new_and_alloc (size); ++ buf = gst_buffer_new_and_alloc (size - 8); + GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER); +- gst_buffer_fill (buf, 0, av1_data + 8, size); ++ gst_buffer_fill (buf, 0, av1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12930,8 +12892,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- av1_data += size + 8; ++ len -= size; ++ av1_data += size; + } + + break; +@@ -12942,29 +12904,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * vp08, vp09, and vp10 fourcc. */ + case FOURCC_vp09: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *vpcc_data = stsd_entry_data + 0x56; + + /* find vpcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (vpcc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (vpcc_data) <= len) +- size = QT_UINT32 (vpcc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (vpcc_data); + +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- vpcc_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + +- switch (QT_FOURCC (vpcc_data + 0x4)) { ++ switch (QT_FOURCC (vpcc_data + 4)) { + case FOURCC_vpcC: + { + const gchar *profile_str = NULL; +@@ -12980,7 +12931,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* the meaning of "size" is length of the atom body, excluding + * atom length and fourcc fields */ +- if (size < 12) ++ if (size < 8 + 12) + break; + + /* Content is: +@@ -13086,8 +13037,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + break; + } + +- len -= size + 8; +- vpcc_data += size + 8; ++ len -= size; ++ vpcc_data += size; + } + + break; +@@ -13428,7 +13379,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } + case FOURCC_wma_: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= offset ? 0 : len - offset; + const guint8 *wfex_data = stsd_entry_data + offset; + const gchar *codec_name = NULL; +@@ -13453,21 +13404,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + + /* find wfex */ + while (len >= 8) { +- guint size; ++ guint32 size = QT_UINT32 (wfex_data); + +- if (QT_UINT32 (wfex_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (wfex_data) <= len) +- size = QT_UINT32 (wfex_data) - 8; +- else +- size = len - 8; +- +- /* No real data, so skip */ +- if (size < 1) { +- len -= 8; +- wfex_data += 8; +- continue; +- } ++ if (size < 8 || size > len) ++ break; + + switch (QT_FOURCC (wfex_data + 4)) { + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): +@@ -13512,12 +13452,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + "width", G_TYPE_INT, wfex.wBitsPerSample, + "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL); + +- if (size > wfex.cbSize) { ++ if (size > 8 + wfex.cbSize) { + GstBuffer *buf; + +- buf = gst_buffer_new_and_alloc (size - wfex.cbSize); ++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize); + gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, +- size - wfex.cbSize); ++ size - 8 - wfex.cbSize); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -13534,8 +13474,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + default: + break; + } +- len -= size + 8; +- wfex_data += size + 8; ++ len -= size; ++ wfex_data += size; + } + break; + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch new file mode 100644 index 0000000000..a84575199e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch @@ -0,0 +1,56 @@ +From da3b4e903ae990193988a873368bdd1865350521 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 09:47:50 +0300 +Subject: [PATCH] qtdemux: Fix error handling when parsing cenc sample groups + fails + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da3b4e903ae990193988a873368bdd1865350521] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 94ce75b2d42d..e7a79be45b29 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11404,12 +11404,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + if (stream->subtype != FOURCC_soun) { + GST_ERROR_OBJECT (qtdemux, + "Unexpeced stsd type 'aavd' outside 'soun' track"); ++ goto corrupt_file; + } else { + /* encrypted audio with sound sample description v0 */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + } + +@@ -11418,8 +11421,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + * with the same type */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + + if (stream->subtype == FOURCC_vide) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch new file mode 100644 index 0000000000..af0d1ed633 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch @@ -0,0 +1,49 @@ +From 20503e5dd90e21ef170488b2a8b8529ae8a4cab9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:38:50 +0300 +Subject: [PATCH] qtdemux: Make sure there are enough offsets to read when + parsing samples + +While this specific case is also caught when initializing co_chunk, the error +is ignored in various places and calling into the function would lead to out of +bounds reads if the error message doesn't cause the pipeline to be shut down +fast enough. + +To avoid this, no matter what, make sure enough offsets are available when +parsing them. While this is potentially slower, the same is already done in the +non-chunks_are_samples case. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20503e5dd90e21ef170488b2a8b8529ae8a4cab9] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index e7a79be45b29..5277952c5ea5 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10070,9 +10070,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n) + goto done; + } + +- cur->offset = +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, +- stream->co_size); ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, ++ stream->co_size, &cur->offset)) ++ goto corrupt_file; + + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " + "%" G_GUINT64_FORMAT, j, cur->offset); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch new file mode 100644 index 0000000000..c864deb635 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch @@ -0,0 +1,97 @@ +From ed254790331a3fba2f68255a8f072552d622aac1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:39:30 +0300 +Subject: [PATCH] qtdemux: Actually handle errors returns from various + functions instead of ignoring them + +Ignoring them might cause the element to continue as if all is fine despite the +internal state being inconsistent. This can lead to all kinds of follow-up +issues, including memory safety issues. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed254790331a3fba2f68255a8f072552d622aac1] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 29 +++++++++++++++---- + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 5277952c5ea5..1de70f184f50 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -4853,10 +4853,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux) + beach: + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { + /* digested all data, show what we have */ +- qtdemux_prepare_streams (qtdemux); ++ ret = qtdemux_prepare_streams (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; ++ + QTDEMUX_EXPOSE_LOCK (qtdemux); + ret = qtdemux_expose_streams (qtdemux); + QTDEMUX_EXPOSE_UNLOCK (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; + + qtdemux->state = QTDEMUX_STATE_MOVIE; + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", +@@ -7552,13 +7557,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + gst_qtdemux_stream_concat (demux, + demux->old_streams, demux->active_streams); + +- qtdemux_parse_moov (demux, data, demux->neededbytes); ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { ++ ret = GST_FLOW_ERROR; ++ break; ++ } + qtdemux_node_dump (demux, demux->moov_node); + qtdemux_parse_tree (demux); +- qtdemux_prepare_streams (demux); ++ ret = qtdemux_prepare_streams (demux); ++ if (ret != GST_FLOW_OK) ++ break; ++ + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ break; + + demux->got_moov = TRUE; + +@@ -7649,8 +7662,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + /* in MSS we need to expose the pads after the first moof as we won't get a moov */ + if (demux->variant == VARIANT_MSS_FRAGMENTED && !demux->exposed) { + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ goto done; + } + + gst_qtdemux_check_send_pending_segment (demux); +@@ -13764,8 +13779,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux) + + /* parse the initial sample for use in setting the frame rate cap */ + while (sample_num == 0 && sample_num < stream->n_samples) { +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { ++ ret = GST_FLOW_ERROR; + break; ++ } + ++sample_num; + } + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch new file mode 100644 index 0000000000..7096a75a71 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch @@ -0,0 +1,36 @@ +From 3153fda823cb91b1031dae69738c6c5d526fb6e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 19:16:19 +0300 +Subject: [PATCH] qtdemux: Check for invalid atom length when extracting Closed + Caption data + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-243 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3153fda823cb91b1031dae69738c6c5d526fb6e1] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 1de70f184f50..8850d09321e8 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5827,7 +5827,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size, + goto invalid_cdat; + atom_length = QT_UINT32 (data); + fourcc = QT_FOURCC (data + 4); +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) + goto invalid_cdat; + + GST_DEBUG_OBJECT (stream->pad, "here"); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch new file mode 100644 index 0000000000..b379c2f88c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch @@ -0,0 +1,37 @@ +From 3ce1b812a9531611288af286b5dc6631a11e3f4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:31:36 +0300 +Subject: [PATCH] qtdemux: Add size check for parsing SMI / SEQH atom + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-244 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3ce1b812a9531611288af286b5dc6631a11e3f4a] +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 8850d09321e8..dc70287a8a9b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10633,8 +10633,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom " + " found, ignoring"); + } else { ++ /* Note: The size does *not* include the fourcc and the size field itself */ + seqh_size = QT_UINT32 (data + 4); +- if (seqh_size > 0) { ++ if (seqh_size > 0 && seqh_size <= size - 8) { + _seqh = gst_buffer_new_and_alloc (seqh_size); + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index dfb0c0f342..5427cdb75d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -6,6 +6,19 @@ BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ + file://0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch \ + file://0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch \ + file://0003-qtdemux-Fix-debug-output-during-trun-parsing.patch \ + file://0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch \ + file://0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch \ + file://0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch \ + file://0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch \ + file://0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch \ + file://0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch \ + file://0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch \ + file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \ + file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ + file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54905 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 379DEE77188 for ; Thu, 2 Jan 2025 13:33:49 +0000 (UTC) Received: from mail-io1-f47.google.com (mail-io1-f47.google.com [209.85.166.47]) by mx.groups.io with SMTP id smtpd.web10.8086.1735824823141098641 for ; Thu, 02 Jan 2025 05:33:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=bTfqDtAQ; spf=pass (domain: mvista.com, ip: 209.85.166.47, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f47.google.com with SMTP id ca18e2360f4ac-844df397754so432592339f.2 for ; Thu, 02 Jan 2025 05:33:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824821; x=1736429621; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eMx80B85MiCu8RgEP6ZTKkMctY4va+QAq8vNe5BW1J8=; b=bTfqDtAQ32FQyZj82sGQwZ+7qPtXQmn9Khx51eQQQazSYYCXD8wWL4dswIm0goS0ok hNtRyNyEvZTXAbv1S9i0Qm3iKJGc32/7I0CGIwLbFEpdMUwe8MO2VcyhDfkvzrn0nAXH WJyBgnhw+O2RkfAT35kXBC0TIOlIHyPn6oTYg= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824821; x=1736429621; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eMx80B85MiCu8RgEP6ZTKkMctY4va+QAq8vNe5BW1J8=; b=Eccyj/T9WKVHU0dV1h8i9i6ulfRoohNKZRcfK6V/rsbNDHCq83KuTgf9TihutYYmKY aUqtOleCv2LspkkmnCJv1+U3qY6ztsOIAPsYpLcIEuKZljXvLk80KYR/If6u6zWaa+tX SbELtQAbuFyuy+XvqE16p6yTuJag2JT6Q6I6DxYXgc7zhjUI6qpE1nN4b2nCYbGDCp3t HCp3uh0kwLXff0pNc1S59Tv0oAYWd0woMPc34TyGEF5ofar6eHV2AYDeFH7biJwRhomk dDF71G/CcUtpS9597t7t8pH37z964MfCCTItEIoJXXVIMeN2KfHfvulk9PYLmG+MUfy+ 9iKg== X-Gm-Message-State: AOJu0Ywk01+cMHWuiFvphQzWI9vyMSnQ2Uz1icH3d8MoQ/RsMzWU6Hsd 11jizOAsiySbym6CfPG7XdKuMORATXpHTzaA5+otj2FHDZJdTZS4T7yU9OEzthYKdgcX7qFZFuE mI8Y= X-Gm-Gg: ASbGncuPPlpHrawsL1TwpImNg76fo8HmagGGtCC+F7y9LMOM243JouBwrl+NHlGQQHS zZjI4s2XXdv++Tlfzxr0n+c/zyAzDely9oXW4ET1cZzJ7ZvMwV2y+6qT59M09FLolAzeckaVrJq /V2qHscqVzG3HBu/E4y8zwFVY/H08Q5fu/PdEuWhmKzWGqnfzaBxTLgWfw/GnGscSOJz1AgqYR1 YGLyYUn3nB8aK0iBAJJaO/t/MoVvUsf5avc/pfISJej+s+xvuFsSzOR3EsKRvbQrQ08oZc= X-Google-Smtp-Source: AGHT+IHr19kN7YPAmxl5SGbR30sjTyXqtqy8/dNci/CUzSvpvZ785Ms01grBMGY9dnEb+k8PjTjQjw== X-Received: by 2002:a05:6602:29c7:b0:844:6297:7c1d with SMTP id ca18e2360f4ac-8499e7ecb50mr4076703539f.15.1735824821626; Thu, 02 Jan 2025 05:33:41 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.33.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:33:40 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 2/7] gstreamer1.0-plugins-good: Fix for CVE-2024-47599 Date: Thu, 2 Jan 2025 19:03:13 +0530 Message-Id: <20250102133318.642859-2-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:33:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209304 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040 Signed-off-by: Vijay Anusuri --- ...ly-error-out-on-negotiation-failures.patch | 99 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-jpegdec-Directly-error-out-on-negotiation-failures.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-jpegdec-Directly-error-out-on-negotiation-failures.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-jpegdec-Directly-error-out-on-negotiation-failures.patch new file mode 100644 index 0000000000..8dde992bcb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0014-jpegdec-Directly-error-out-on-negotiation-failures.patch @@ -0,0 +1,99 @@ +From 3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:22:19 +0300 +Subject: [PATCH] jpegdec: Directly error out on negotiation failures + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-247 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e] +CVE: CVE-2024-47599 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/ext/jpeg/gstjpegdec.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/subprojects/gst-plugins-good/ext/jpeg/gstjpegdec.c b/subprojects/gst-plugins-good/ext/jpeg/gstjpegdec.c +index 51bc2d14bf0e..7523419835ee 100644 +--- a/ext/jpeg/gstjpegdec.c ++++ b/ext/jpeg/gstjpegdec.c +@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (GstJpegDec * dec, gint * clrspc) + } + #endif + +-static void ++static gboolean + gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + gboolean interlaced) + { + GstVideoCodecState *outstate; + GstVideoInfo *info; + GstVideoFormat format; ++ gboolean res; + + #ifdef JCS_EXTENSIONS + if (dec->format_convert) { +@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + height == GST_VIDEO_INFO_HEIGHT (info) && + format == GST_VIDEO_INFO_FORMAT (info)) { + gst_video_codec_state_unref (outstate); +- return; ++ return TRUE; + } + gst_video_codec_state_unref (outstate); + } +@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + outstate = + gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format, + width, height, dec->input_state); ++ if (!outstate) ++ return FALSE; + + switch (clrspc) { + case JCS_RGB: +@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + + gst_video_codec_state_unref (outstate); + +- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); ++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); + + GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor); + GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor); ++ ++ return res; + } + + static GstFlowReturn +@@ -1425,8 +1430,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame) + num_fields = 1; + } + +- gst_jpeg_dec_negotiate (dec, width, output_height, +- dec->cinfo.jpeg_color_space, num_fields == 2); ++ if (!gst_jpeg_dec_negotiate (dec, width, output_height, ++ dec->cinfo.jpeg_color_space, num_fields == 2)) ++ goto negotiation_failed; + + state = gst_video_decoder_get_output_state (bdec); + ret = gst_video_decoder_allocate_output_frame (bdec, frame); +@@ -1558,6 +1564,12 @@ map_failed: + ret = GST_FLOW_ERROR; + goto exit; + } ++negotiation_failed: ++ { ++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate")); ++ ret = GST_FLOW_NOT_NEGOTIATED; ++ goto exit; ++ } + decode_error: + { + gchar err_msg[JMSG_LENGTH_MAX]; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 5427cdb75d..d437145b62 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -19,6 +19,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \ file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ + file://0014-jpegdec-Directly-error-out-on-negotiation-failures.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54907 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 422CFE7718B for ; Thu, 2 Jan 2025 13:33:59 +0000 (UTC) Received: from mail-io1-f51.google.com (mail-io1-f51.google.com [209.85.166.51]) by mx.groups.io with SMTP id smtpd.web11.7795.1735824830777917797 for ; Thu, 02 Jan 2025 05:33:50 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=g3XQswhl; spf=pass (domain: mvista.com, ip: 209.85.166.51, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f51.google.com with SMTP id ca18e2360f4ac-844dac0a8f4so831408339f.2 for ; Thu, 02 Jan 2025 05:33:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824829; x=1736429629; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Nh6PQb9p2VJ2gmcpUODesmCfxHuJMNzvP+uzoNS81T8=; b=g3XQswhlVusq42qbAuJe6J6GiKXSND1r98gk1Nq4jmOnhtHIUtT3FRb9sCTGdwyeti 1Bv6OqNhXx91Pzj0ERXocmWbGRDMTPqO+/Sds/6+EuVq6zDAE6tycdQ+Wt2twkMa/wZ4 vNtWzkPbkOAdI7FpAh03Qu8m7CWSfrpQf5G40= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824829; x=1736429629; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Nh6PQb9p2VJ2gmcpUODesmCfxHuJMNzvP+uzoNS81T8=; b=wwNkedaF/fDJIroRn86Lw2UtN7a6BQWLtFQaLxvWvG52EPk4MZtGSdZNyJjafvUj0J UEzK/sfDqUYZJ6OjaQ7AEjafIHjwMUCEzrMLq1Wf9y75eMOLpaw4RbemiWy87Ykv2GEY cSSBQzLDO+g/CsXxxHLJsp7ZRmHt47U8kwyBp68mB57rXB9tAyD7ob3T4mMf6agcIXt8 /zgJF2h0ciVJT/bY9HvcXehifZf/9nZ0zyMrxzBjqo40iLxCZZt5Fmq2NhBHUc+COkZA 6obMyBJ7PNEiSr3xZe1GTQhS6NpjNZEv87EDE7BubmUYTlbzMPgRt5RnX8IC/NzOrkiG stbw== X-Gm-Message-State: AOJu0YxHshKky7JdG5BB2rJ/CF7PxJ61nZY4LV5l582sgm6NAZefhhsH Mx8VGYwIYgtqSayj5QyT5htA5kCchEVSlGQTzE6pfHFSx+BePj8/vPE7XyNiKYQFzvUn5U/0jI4 /wf0= X-Gm-Gg: ASbGncs/QERpvLs2nxtMW8X1Q0usAREGoW5zi/kILVsHiBqpKM8NYscpdT0Pi+/SaI/ pPA4quBYRVI9BVWVX4dRCOxIjrXRjsyhy/ot94vTbVA9zuwlo0tAZRSPKN0g/TEb5sZPiwMpo+Y h8cA8QfvlJgrw7TGSZE8WGaqqV5m8cvf5qaDATheK1F45/RQV0TySAXGK12gLGnkYZCWFq7nOnk SXIReYaIp+kFiWunz3C8ymMHz81UMpkk9txJsK91NmBak7Zn+v7rg/ljFzlvzQEXLaFKkE= X-Google-Smtp-Source: AGHT+IFWenpfdsH5JvV6KbhuaIjItXq8Acwt4fbj6SxoDKNW9htmEa8ZO3XvRW+PjL/HVBCmbhld8A== X-Received: by 2002:a05:6602:340b:b0:835:3ffe:fe31 with SMTP id ca18e2360f4ac-8499e631f0fmr3911056139f.8.1735824829121; Thu, 02 Jan 2025 05:33:49 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.33.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:33:46 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 3/7] gstreamer1.0-plugins-good: Fix multiple CVEs Date: Thu, 2 Jan 2025 19:03:14 +0530 Message-Id: <20250102133318.642859-3-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:33:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209305 From: Vijay Anusuri Fixes for below CVEs: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057 Signed-off-by: Vijay Anusuri --- ...ly-unmap-GstMapInfo-in-WavPack-heade.patch | 56 +++++++++++++++++++ ...x-off-by-one-when-parsing-multi-chan.patch | 31 ++++++++++ ...eck-for-big-enough-WavPack-codec-pri.patch | 39 +++++++++++++ ...n-t-take-data-out-of-an-empty-adapte.patch | 47 ++++++++++++++++ ...ip-over-laces-directly-when-postproc.patch | 48 ++++++++++++++++ ...ip-over-zero-sized-Xiph-stream-heade.patch | 39 +++++++++++++ ...t-a-copy-of-the-codec-data-into-the-.patch | 40 +++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 7 +++ 8 files changed, 307 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch new file mode 100644 index 0000000000..865759916f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch @@ -0,0 +1,56 @@ +From 008f0d52408f57f0704d5639b72db2f330b8f003 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: [PATCH] matroskademux: Only unmap GstMapInfo in WavPack header + extraction error paths if previously mapped + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/008f0d52408f57f0704d5639b72db2f330b8f003] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 9b3cf83adb87..35e60b71470d 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch new file mode 100644 index 0000000000..04e3a9168a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch @@ -0,0 +1,31 @@ +From b7e1b13af70b7c042f29674f5482b502af82d829 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel + WavPack + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b7e1b13af70b7c042f29674f5482b502af82d829] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 35e60b71470d..583fbbe6e695 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch new file mode 100644 index 0000000000..de2bdc13cb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch @@ -0,0 +1,39 @@ +From 455393ef0f2bb0a49c5bf32ef208af914c44e806 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:25:53 +0300 +Subject: [PATCH] matroskademux: Check for big enough WavPack codec private + data before accessing it + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-250 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/455393ef0f2bb0a49c5bf32ef208af914c44e806] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 583fbbe6e695..91e66fefc36a 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint8 *buf_data, *data; + Wavpack4Header wvh; + ++ if (!stream->codec_priv || stream->codec_priv_size < 2) { ++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data"); ++ return GST_FLOW_ERROR; ++ } ++ + wvh.ck_id[0] = 'w'; + wvh.ck_id[1] = 'v'; + wvh.ck_id[2] = 'p'; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch new file mode 100644 index 0000000000..9bfbd07e1b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch @@ -0,0 +1,47 @@ +From be0ac3f40949cb951d5f0761f4a3bd597a94947f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:04:51 +0300 +Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when + processing WavPack frames + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/be0ac3f40949cb951d5f0761f4a3bd597a94947f] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 91e66fefc36a..98ed51e86a58 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } + gst_buffer_unmap (*buf, &map); + +- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ size = gst_adapter_available (adapter); ++ if (size > 0) { ++ newbuf = gst_adapter_take_buffer (adapter, size); ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ } else { ++ newbuf = NULL; ++ } + g_object_unref (adapter); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); + gst_buffer_unref (*buf); + *buf = newbuf; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch new file mode 100644 index 0000000000..0e13b8a1ca --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0019-matroskademux-Skip-over-laces-directly-when-postproc.patch @@ -0,0 +1,48 @@ +From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:06:03 +0300 +Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing + the frame fails + +Otherwise NULL buffers might be handled afterwards. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index 98ed51e86a58..e0a4405dcefa 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux, + if (stream->postprocess_frame) { + GST_LOG_OBJECT (demux, "running post process"); + ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub); ++ if (ret != GST_FLOW_OK) { ++ gst_clear_buffer (&sub); ++ goto next_lace; ++ } ++ ++ if (sub == NULL) { ++ GST_WARNING_OBJECT (demux, ++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT ++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp), ++ stream_num); ++ goto next_lace; ++ } + } + + /* At this point, we have a sub-buffer pointing at data within a larger +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch new file mode 100644 index 0000000000..3c661e92f7 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch @@ -0,0 +1,39 @@ +From ed7b46bac3fa14f95422cc4bb4655d041df51454 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:19:42 +0300 +Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-251 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed7b46bac3fa14f95422cc4bb4655d041df51454] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c b/subprojects/gst-plugins-good/gst/matroska/matroska-ids.c +index f11b7c2ce31f..ba645f7306d9 100644 +--- a/gst/matroska/matroska-ids.c ++++ b/gst/matroska/matroska-ids.c +@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data, + if (offset + length[i] > codec_data_size) + goto error; + +- hdr = gst_buffer_new_memdup (p + offset, length[i]); +- gst_buffer_list_add (list, hdr); ++ if (length[i] > 0) { ++ hdr = gst_buffer_new_memdup (p + offset, length[i]); ++ gst_buffer_list_add (list, hdr); ++ } + + offset += length[i]; + } +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch new file mode 100644 index 0000000000..1341491873 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch @@ -0,0 +1,40 @@ +From 98e4356be7afa869373f96b4e8ca792c5f9707ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:52:52 -0400 +Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM + caps + +The original codec data buffer is owned by matroskademux and does not +necessarily live as long as the caps. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-280 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98e4356be7afa869373f96b4e8ca792c5f9707ee] +CVE: CVE-2024-47540 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47834 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c b/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c +index e0a4405dcefa..80da30673120 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -7165,8 +7165,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext * + + /* 18 is the waveformatex size */ + if (size > 18) { +- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, +- data + 18, size - 18, 0, size - 18, NULL, NULL); ++ codec_data = gst_buffer_new_memdup (data + 18, size - 18); + } + + if (riff_audio_fmt) +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index d437145b62..deea4f8bce 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -20,6 +20,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ file://0014-jpegdec-Directly-error-out-on-negotiation-failures.patch \ + file://0015-matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch \ + file://0016-matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch \ + file://0017-matroskademux-Check-for-big-enough-WavPack-codec-pri.patch \ + file://0018-matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch \ + file://0019-matroskademux-Skip-over-laces-directly-when-postproc.patch \ + file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ + file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54906 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B406E77188 for ; Thu, 2 Jan 2025 13:33:59 +0000 (UTC) Received: from mail-io1-f43.google.com (mail-io1-f43.google.com [209.85.166.43]) by mx.groups.io with SMTP id smtpd.web11.7796.1735824836364694921 for ; Thu, 02 Jan 2025 05:33:56 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=KytkRkhm; spf=pass (domain: mvista.com, ip: 209.85.166.43, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f43.google.com with SMTP id ca18e2360f4ac-844e161a8b4so346290839f.0 for ; Thu, 02 Jan 2025 05:33:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824835; x=1736429635; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6AjDXvwT1gCtlmK3L1awdH9Y3uAh0UKikyktYxK9qM4=; b=KytkRkhmcb4hED01jvzjIbKvOn869oqVh8+/8R3CfuQs9XguUG+7IyC0H0TCAajZWV VOqdsP0g1wyVXlObiI21urOB1ydIVJQvbMa07iY985lp5iwxF/4vKaq+Qh3We4yUHbEX bMTmR3hADE//LMFGH6NEWdz+FHzWlG7rymxyM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824835; x=1736429635; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6AjDXvwT1gCtlmK3L1awdH9Y3uAh0UKikyktYxK9qM4=; b=WSk4Sm53aj7KA9bVACv1HxLY2b3q3uksz9NhEiQfGQS2IRTgA7+qXUhOvWXms+jyy9 6bJ5tL4AeJBItcoBVAfZEzb1iT0/7+rXpPu2rgDRIBNYfQfD22uuevMmj2c7pTgnheX4 EZhRCIqpRVLhzTIrgV2fx7zWASJPb1y6UTmqCCJ2Gc0lRazIm1vn+s+plpeQiwe/xILn hTD3eLobaIQvkZASuV4qdQkyVYWqzhsDsWewgPalpvYC0eFeSkHnV6bH7EZZhFeZwZw+ AeAELD9aGpeYH4pOTxMlPDKW5HRwos5RW0TosAUf5io8pHtvVpqe9mgiok+S86aqzwSI PokA== X-Gm-Message-State: AOJu0YztZ5gaV6JPyRXHLzQTKfyt+fEQVY7SArOJz8SbaHtKD1fjmrjo 3ucxVAcA7VEnPT73Jk8eouEhOhoD1MqNStF//f6pNqeQ0r6YmP66qfF9rotdbydRC5rulkEwaAZ 33g8= X-Gm-Gg: ASbGnctMhxaK1Lcctv9WmUIdr+C4/pT52bekXO2UPQ0P1dTIMqVjnp0iQXi3TBWgmhD CoJzy9YFTHIL25ptSs81wPEzIzEUlKb6EYs8peRbJIgkyluYKKPr6U5lO6PqSqt6B+DQWBYB+9a ZGAJG7jqh6GVb8r3csukvf58ofd6ZdKH3HU3Le3tks7PcJNfDfOx40oILLIbVh/SEs2JHZ7CKyV UGKhyduX0IXWDkAr5PPbhGfO7Xos9sIYoZu+6faWGONPYShoeu4bywQOfbXd/tyUVB1KuI= X-Google-Smtp-Source: AGHT+IHO9p7m+nY0VNz6GyEUTjsK/yy+ZsJcEfTl/RPxtUISVZp6bor4/JIKPY246RgLZxPKzvwi0w== X-Received: by 2002:a05:6602:3fd5:b0:843:eb5b:5293 with SMTP id ca18e2360f4ac-8499e4d79c9mr4011829739f.2.1735824835181; Thu, 02 Jan 2025 05:33:55 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.33.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:33:53 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 4/7] gstreamer1.0-plugins-good: Fix CVE-2024-47606 Date: Thu, 2 Jan 2025 19:03:15 +0530 Message-Id: <20250102133318.642859-4-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:33:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209306 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032 Signed-off-by: Vijay Anusuri --- ...teger-overflow-when-parsing-Theora-e.patch | 44 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch new file mode 100644 index 0000000000..fe4bdc8802 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch @@ -0,0 +1,44 @@ +From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f8e398c46fc074f266edb3f20479c0ca31b52448] +CVE: CVE-2024-47606 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c +index 5e3cb1b9e699..c2d8b5e0f134 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -8822,7 +8822,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8830,7 +8830,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index deea4f8bce..8b9354aec2 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -27,6 +27,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0019-matroskademux-Skip-over-laces-directly-when-postproc.patch \ file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ + file://0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54908 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 39432E77194 for ; Thu, 2 Jan 2025 13:34:09 +0000 (UTC) Received: from mail-io1-f47.google.com (mail-io1-f47.google.com [209.85.166.47]) by mx.groups.io with SMTP id smtpd.web10.8091.1735824842925770536 for ; Thu, 02 Jan 2025 05:34:03 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=QnGxZmc8; spf=pass (domain: mvista.com, ip: 209.85.166.47, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f47.google.com with SMTP id ca18e2360f4ac-8442ec2adc7so420273939f.2 for ; Thu, 02 Jan 2025 05:34:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824842; x=1736429642; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=16QIwKogNRouynofyfKMQI8sIaKB5QxlrNt1MPGhdJI=; b=QnGxZmc8uP57yeS5O200rmQymPilIFWnNuD/tFA9gqrojxIPSOlQSBkvNlsoz+xhu2 q6VIQVm8z9KurCs+qc45X762V7b8tlV2XE4JWLLL9JpWAOUhamIpWLGFUAazjcdGW4LW 8aniMrj4E4wFbtdaUTvEwr+IXSsZbLAHHpN+0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824842; x=1736429642; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=16QIwKogNRouynofyfKMQI8sIaKB5QxlrNt1MPGhdJI=; b=rcGoerf6KJmZwc+plBwzuB0EKsCExQDStgPdfXmyFVgv4RQJGeoeOiQeSlCoDqq3FA xPavPgJB5LqHwCxMUJnRxoyWf7qr6UvEWTK6z9xB40sLfp5tspQdBiJtaNN2CMT1BwOZ 3CFInWSW8Z7/FeTxpfX4Ema1cjof/NwJKphxJDYUr+bwtNkX/OeSQl7JZOAvZbEYuaAB XaAnWMej6jZwvTdFKQRRZn0VgU9YlByFQ8R2HdauiT3uDDxCvmSkIkwaVtJh7BN+JVAQ yTsAIEW3q7c6IfEhh1wJyI3FBi83B9Np/kWtxJlsZIbI7FDN7gAoCVzxU4g302FBa3lC QRbA== X-Gm-Message-State: AOJu0YyO4+inMcbIseRWFnXngtyJ7JKHuit4YO5QbMARmPEtfek2oHvx XQUAchN1QqllJeC0nDXbRCD09MEw7oydD6edAXBK5vtB/mg1SKD/QCQm6QeWWk+9/9Hscsd1ziG HbPo= X-Gm-Gg: ASbGncsARKKj0H4aeosxpx719SRsg/yPtZtnAYCHfdJas/pARfOwY5VpxN+80PHeU+T 7ihSjRnfNzSv2TqzJnoR0CLPRpwU94Sc/mFSX/C3Etx/omg5B8GnpvySO92Latx0N0bFsR6PzIx wLAXTELwxUmxehlMCRE9GHDewLBQWESHTwbBnMI+BnA94kECHS6hWkJmmWdqsDR8iSveJiRBGSP WUsOMaw56zVOmm/oqEqypA3ipcHlO4ldHVVfCxWPnNOCNkBZQAXBPLBG3fmLb+4cJwVBo0= X-Google-Smtp-Source: AGHT+IHMLYJK/gL/QQXqyYbJFsy6DPwJkQwOL5O1xy+/yjbPwVSK3zrsSBCbxEisXoeyS7qSSVTr3Q== X-Received: by 2002:a05:6602:1490:b0:844:debf:24dc with SMTP id ca18e2360f4ac-8499e4c7bf9mr3857033939f.5.1735824841732; Thu, 02 Jan 2025 05:34:01 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.33.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:33:59 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 5/7] gstreamer1.0-plugins-good: Fix CVE-2024-47613 Date: Thu, 2 Jan 2025 19:03:16 +0530 Message-Id: <20250102133318.642859-5-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:34:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209307 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041 Signed-off-by: Vijay Anusuri --- ...ck-if-initializing-the-video-info-ac.patch | 53 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch new file mode 100644 index 0000000000..d60086deb4 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch @@ -0,0 +1,53 @@ +From 1d1c9d63be51d85f9b80f0c227d4b3469fee2534 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: [PATCH] gdkpixbufdec: Check if initializing the video info actually + succeeded + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1d1c9d63be51d85f9b80f0c227d4b3469fee2534] +CVE: CVE-2024-47613 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c b/subprojects/gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c +index 5482998c0d60..de5f05496466 100644 +--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter) + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 8b9354aec2..bb85f4d2e9 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -28,6 +28,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0020-matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch \ file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ file://0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ + file://0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54909 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 380F7E77188 for ; Thu, 2 Jan 2025 13:34:09 +0000 (UTC) Received: from mail-io1-f52.google.com (mail-io1-f52.google.com [209.85.166.52]) by mx.groups.io with SMTP id smtpd.web10.8095.1735824848538973778 for ; Thu, 02 Jan 2025 05:34:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=QF1153Uf; spf=pass (domain: mvista.com, ip: 209.85.166.52, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f52.google.com with SMTP id ca18e2360f4ac-844e7bc6d84so442606839f.0 for ; Thu, 02 Jan 2025 05:34:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824847; x=1736429647; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JMRYZF9cCQsqVgiDfObYX4B+p7MR5bChBwHXG40zmQM=; b=QF1153UfhkiXsqyinZVFbV5HiLeqbGslQRZN505+JArdfekUqNSQrDf4D4Qh4m8yJr cEGpqBPXLFJ/F2LYA1H7peJaObR6zFdJasohU/CW/0BXb7iBXgrFBlleQkD40u4Vqyjd 8vMqxJ/FKba3F5WA3KB03UCP6FTkGCefPyHYQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824847; x=1736429647; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JMRYZF9cCQsqVgiDfObYX4B+p7MR5bChBwHXG40zmQM=; b=OC/26A7gFOjvrXl1G9zjZItlPej0gP8Z5yARAlbkD6SOH2isYNuMVk/MtdS7N3i0hn fQClto1FvxqGeAZc3uGkFvGQrBPdPwI/MZgTqe++7qjiSNi/g2PPlqM6svB361B08j2F iKIDio+McHQOfMCVUOWe7keB9K1wx1KYez3tOpu/tX4DKanswcwN+f+n9Op48EJOkFsP gUjgtpjx6oxYhkP73+ZLNbuuDNb89u2dT9zFl1+t7yr5Cvgm4g43SQ/c77COqh8nKhr3 npk16o1Z8nD6f+gOfFc1S1wLEnUZ4If55rerLT9QHLuKWuNMxzCP79laX2k9NvV5JzFS pF4w== X-Gm-Message-State: AOJu0YwUhHzdima1Btqqgprfar8YkKqMslSr85bnh/ihe6cgbHchFEB8 BMmDvFz1A8/cSnO1kXaz3lxPyB84wt6+4yi/0oFaCP4Eiz39B51PJ+vVZ/I90EYN/OHphBpA9Kj sJSA= X-Gm-Gg: ASbGncv8D5JSv3aYL/tdIUOWDPcirR1oIs9Yq/4zVTCUwThFUvq7k6pFkedO37wK3G6 u7BkguqssD4l86ftG8rLOLdWc7yHrnsodlPppxiFxKDvUJYTjari6sDW/3+GRgvZAiJr2CGsYEI IT/1yGJDN3iya/GNMXTuXGfhHN4lDVFyCNnlgdV5mZ0HqhIz9y3hvAqrAosSJYU5KqJsvj4JTqn zjH4cDKOINfXIExOOMDeyVdCqno03r4sc+i3mRcyzFbV+bVJpfp1rmT1+CnBJ1i6Vf6JF4= X-Google-Smtp-Source: AGHT+IGOZXhOp4b5HDR2+R9PwKWJ8Jh0MVb9nBWowCTxOXXr5A37icmAW3H5U1XPwuw82qBOO1ddjQ== X-Received: by 2002:a05:6602:3428:b0:7f6:8489:2679 with SMTP id ca18e2360f4ac-8499ec27bbcmr3674642639f.8.1735824847395; Thu, 02 Jan 2025 05:34:07 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.34.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:34:05 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 6/7] gstreamer1.0-plugins-good: Fix CVE-2024-47774 Date: Thu, 2 Jan 2025 19:03:17 +0530 Message-Id: <20250102133318.642859-6-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:34:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209308 From: Vijay Anusuri Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8043 Signed-off-by: Vijay Anusuri --- ...size-checks-and-avoid-overflows-when.patch | 46 +++++++++++++++++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch new file mode 100644 index 0000000000..b9624a148c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch @@ -0,0 +1,46 @@ +From 0870e87c7c02e28e22a09a7de0c5b1e5bed68c14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 14:04:03 +0300 +Subject: [PATCH] avisubtitle: Fix size checks and avoid overflows when + checking sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-262 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0870e87c7c02e28e22a09a7de0c5b1e5bed68c14] +CVE: CVE-2024-47774 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c b/subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c +index efc5f0405186..c816934da61c 100644 +--- a/gst/avi/gstavisubtitle.c ++++ b/gst/avi/gstavisubtitle.c +@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + /* read 'name' of subtitle */ + name_length = GST_READ_UINT32_LE (map.data + 5 + 2); + GST_LOG_OBJECT (sub, "length of name: %u", name_length); +- if (map.size <= 17 + name_length) ++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length) + goto wrong_name_length; + + name_utf8 = +@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + file_length = GST_READ_UINT32_LE (map.data + 13 + name_length); + GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length); + +- if (map.size < (17 + name_length + file_length)) ++ if (G_MAXUINT32 - 17 - name_length < file_length ++ || map.size < 17 + name_length + file_length) + goto wrong_total_length; + + /* store this, so we can send it again after a seek; note that we shouldn't +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index bb85f4d2e9..42c9b86471 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -29,6 +29,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0021-matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch \ file://0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ file://0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch \ + file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" From patchwork Thu Jan 2 13:33:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vijay Anusuri X-Patchwork-Id: 54910 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3A983E77188 for ; Thu, 2 Jan 2025 13:34:19 +0000 (UTC) Received: from mail-io1-f53.google.com (mail-io1-f53.google.com [209.85.166.53]) by mx.groups.io with SMTP id smtpd.web10.8098.1735824855957395019 for ; Thu, 02 Jan 2025 05:34:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@mvista.com header.s=google header.b=JLW+tV+y; spf=pass (domain: mvista.com, ip: 209.85.166.53, mailfrom: vanusuri@mvista.com) Received: by mail-io1-f53.google.com with SMTP id ca18e2360f4ac-84a012f7232so202491839f.0 for ; Thu, 02 Jan 2025 05:34:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista.com; s=google; t=1735824855; x=1736429655; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=odx1qahUPmZ7Q9fDVsG3I/JhOjdVnrZ+tGMHi3Vf++I=; b=JLW+tV+yYmmuopc1GLIqzSCtqPUfVy+n3aX3MGLDxJQha1V54myur6T/bBejIbIDHB OPYpG5aYf9dVI2zsJnBNa/Pmu0BFAVlEwx7BkIHdrEsrkoOBulU8p//onNaile/sOfC7 SlLjQP6oHppGYXBeGL+YtbN9ALy/gQB7vzwZ8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735824855; x=1736429655; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=odx1qahUPmZ7Q9fDVsG3I/JhOjdVnrZ+tGMHi3Vf++I=; b=W+70mfLFWqXv3jN27FQuJSQqT8cDFokv9vuotV9s/LvU0ZRlUmLkPEexe/67xPs/YO lenqL7b84UB6Eb/vXcfn6IwmjrhTQkP8imm6WINa5IDvR7rpSVoQMYaDAC4+Y+4lgGPu qLaZTp3+QVOORx00DapaenPf7gwxq1Mu2uQwy5Hw5kLnN4tGOyiPOTaI3fVwZgrUEuO1 8cyAhTLYbR+jFURvLaG36DjTJFcRuwSgS5sLrgGFe5RC95itCU72uwZh1HJzE9ROz6XI ZgVJDXwEFKKKAKK9hDZ9TgFL10hLZ+ffCrUcJLXFITzHqsUwFYDYS6JrOxyM+M+iaUrh rT+A== X-Gm-Message-State: AOJu0Yx3XyAy/+u+YFEuhrrN9le/zOd1OdqLQ1Xu00QgnTC3n5MOTFKH j8mv5kTMR8tYS3SOa2MGeStSs05rmBXbQCVammItyFK6mcwCS1kbGStGYlRUJJOrYxtcL5I/loa xJ4I= X-Gm-Gg: ASbGncsO7pni+D0cKAG/MbLIfKeqka9YAVFjbxAKruluqKcjrYtUqIp9mPb4p84Bp90 JmlfM5ZQw9jlMLneTOlg2JmY9JBhvcNu6ps5xJFiqQFJViqIMzBP/XtqVvuiYrSFrTthTl8JjGj cVHo2p2PBorMuLMuYNW45FCZ0y5IV9pF8wG/7pTTLJqUO8Vi3M4OXhV+1kO0c9ceCPKU2b/wiC7 C3ihIYTunRsMXpzwTxluPDa53rF345xtStWGtyEmjW2HF1A98qrXIaoghnzLYERClzDmKc= X-Google-Smtp-Source: AGHT+IFMHIp908f8wsgwVRq5sYvU1HkP1vymJLDc4VAKhpSf/GzQnd6oBC2UjsRa7vVgjEtZennjPA== X-Received: by 2002:a05:6602:3a86:b0:844:2ef3:a95a with SMTP id ca18e2360f4ac-84988d25967mr5117326139f.7.1735824854703; Thu, 02 Jan 2025 05:34:14 -0800 (PST) Received: from MVIN00020.mvista.com ([2401:4900:882d:79d6:d2bf:f7c6:a6fe:8968]) by smtp.gmail.com with ESMTPSA id ca18e2360f4ac-8498d8aa81bsm685493139f.36.2025.01.02.05.34.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 02 Jan 2025 05:34:11 -0800 (PST) From: vanusuri@mvista.com To: openembedded-core@lists.openembedded.org Cc: Vijay Anusuri Subject: [OE-core][kirkstone][PATCH 7/7] gstreamer1.0-plugins-good: Fix multiple CVEs Date: Thu, 2 Jan 2025 19:03:18 +0530 Message-Id: <20250102133318.642859-7-vanusuri@mvista.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20250102133318.642859-1-vanusuri@mvista.com> References: <20250102133318.642859-1-vanusuri@mvista.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Jan 2025 13:34:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/209309 From: Vijay Anusuri Fixes below CVEs: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 Upstream: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042 Signed-off-by: Vijay Anusuri --- ...or-short-reads-when-parsing-headers-.patch | 171 ++++++++++++++++++ ...re-enough-data-for-the-tag-list-tag-.patch | 38 ++++ ...7-wavparse-Fix-parsing-of-acid-chunk.patch | 62 +++++++ ...hat-at-least-4-bytes-are-available-b.patch | 34 ++++ ...hat-at-least-32-bytes-are-available-.patch | 37 ++++ ...ix-clipping-of-size-to-the-file-size.patch | 44 +++++ ...Check-size-before-reading-ds64-chunk.patch | 38 ++++ .../gstreamer1.0-plugins-good_1.20.7.bb | 7 + 8 files changed, 431 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch new file mode 100644 index 0000000000..2eaef45f41 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch @@ -0,0 +1,171 @@ +From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:00:57 +0300 +Subject: [PATCH] wavparse: Check for short reads when parsing headers in pull + mode + +And also return the actual flow return to the caller instead of always returning +GST_FLOW_ERROR. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258, GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + .../gst/wavparse/gstwavparse.c | 63 ++++++++++++++----- + 1 file changed, 46 insertions(+), 17 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index d074f273c501..97d5591fae8f 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + return TRUE; + } + ++static GstFlowReturn ++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size, ++ GstBuffer ** buffer) ++{ ++ GstFlowReturn res; ++ ++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer); ++ if (res != GST_FLOW_OK) ++ return res; ++ ++ if (gst_buffer_get_size (*buffer) < size) { ++ gst_clear_buffer (buffer); ++ return GST_FLOW_EOS; ++ } ++ ++ return res; ++} ++ + static GstFlowReturn + gst_wavparse_stream_headers (GstWavParse * wav) + { +@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 8, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + tag = GST_READ_UINT32_LE (map.data); + size = GST_READ_UINT32_LE (map.data + 4); +@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 0, &wav->fact, 4); + wav->fact = GUINT32_FROM_LE (wav->fact); + gst_buffer_unref (buf); +@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, +- size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size, ++ &buf)) != GST_FLOW_OK) ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + acid = (const gst_riff_acid *) map.data; + tempo = acid->tempo; +@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 12, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 12, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 8, <ag, 4); + ltag = GUINT32_FROM_LE (ltag); + } +@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + if (data_size > 0) { + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + } + } + if (data_size > 0) { +@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + wav->offset += 12; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data, + data_size); +@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1797,6 +1815,17 @@ header_read_error: + ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res))); + goto fail; + } ++header_pull_error: ++ { ++ if (res == GST_FLOW_EOS) { ++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res, ++ gst_flow_get_name (res)); ++ } else { ++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res))); ++ } ++ goto exit; ++ } + } + + /* +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch new file mode 100644 index 0000000000..3df27b62bc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch @@ -0,0 +1,38 @@ +From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:09:43 +0300 +Subject: [PATCH] wavparse: Make sure enough data for the tag list tag is + available before parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 97d5591fae8f..21cb48c07eb3 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav) + case GST_RIFF_TAG_LIST:{ + guint32 ltag; + ++ /* Need at least the ltag */ ++ if (size < 4) ++ goto exit; ++ + if (wav->streaming) { + const guint8 *data = NULL; + +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch new file mode 100644 index 0000000000..010041aa4e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch @@ -0,0 +1,62 @@ +From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:15:27 +0300 +Subject: [PATCH] wavparse: Fix parsing of acid chunk + +Simply casting the bytes to a struct can lead to crashes because of unaligned +reads, and is also missing the endianness swapping that is necessary on big +endian architectures. + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + .../gst-plugins-good/gst/wavparse/gstwavparse.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 21cb48c07eb3..6a0c44638ea2 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + case GST_RIFF_TAG_acid:{ +- const gst_riff_acid *acid = NULL; +- const guint data_size = sizeof (gst_riff_acid); ++ const guint data_size = 24; + gfloat tempo; + + GST_INFO_OBJECT (wav, "Have acid chunk"); +@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + if (wav->streaming) { ++ const guint8 *data; + if (!gst_wavparse_peek_chunk (wav, &tag, &size)) { + goto exit; + } + gst_adapter_flush (wav->adapter, 8); +- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter, +- data_size); +- tempo = acid->tempo; ++ data = gst_adapter_map (wav->adapter, data_size); ++ tempo = GST_READ_FLOAT_LE (data + 20); + gst_adapter_unmap (wav->adapter); + } else { + GstMapInfo map; +@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + &buf)) != GST_FLOW_OK) + goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); +- acid = (const gst_riff_acid *) map.data; +- tempo = acid->tempo; ++ tempo = GST_READ_FLOAT_LE (map.data + 20); + gst_buffer_unmap (buf, &map); + } + /* send data as tags */ +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch new file mode 100644 index 0000000000..c7c3dbed46 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch @@ -0,0 +1,34 @@ +From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:21:44 +0300 +Subject: [PATCH] wavparse: Check that at least 4 bytes are available before + parsing cue chunks + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 6a0c44638ea2..5655ee3825ca 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + return TRUE; + } + ++ if (size < 4) { ++ GST_WARNING_OBJECT (wav, "broken file %d", size); ++ return FALSE; ++ } ++ + ncues = GST_READ_UINT32_LE (data); + + if (size < 4 + ncues * 24) { +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch new file mode 100644 index 0000000000..89b240998a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch @@ -0,0 +1,37 @@ +From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:22:02 +0300 +Subject: [PATCH] wavparse: Check that at least 32 bytes are available before + parsing smpl chunks + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-259 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 5655ee3825ca..8a04805ed427 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + { + guint32 note_number; + ++ if (size < 32) ++ return FALSE; ++ + /* + manufacturer_id = GST_READ_UINT32_LE (data); + product_id = GST_READ_UINT32_LE (data + 4); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch new file mode 100644 index 0000000000..0ad2592bc9 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch @@ -0,0 +1,44 @@ +From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:27:27 +0300 +Subject: [PATCH] wavparse: Fix clipping of size to the file size + +The size does not include the 8 bytes tag and length, so an additional 8 bytes +must be removed here. 8 bytes are always available at this point because +otherwise the parsing of the tag and length right above would've failed. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 8a04805ed427..998cbb276dbf 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav) + } + + /* Clip to upstream size if known */ +- if (upstream_size > 0 && size + wav->offset > upstream_size) { ++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) { + GST_WARNING_OBJECT (wav, "Clipping chunk size to file size"); + g_assert (upstream_size >= wav->offset); +- size = upstream_size - wav->offset; ++ g_assert (upstream_size - wav->offset >= 8); ++ size = upstream_size - wav->offset - 8; + } + + /* wav is a st00pid format, we don't know for sure where data starts. +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch new file mode 100644 index 0000000000..d73359f375 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch @@ -0,0 +1,38 @@ +From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:51:00 +0300 +Subject: [PATCH] wavparse: Check size before reading ds64 chunk + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-261 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889 + +Part-of: + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b] +CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 +Signed-off-by: Vijay Anusuri +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c +index 998cbb276dbf..958868de6d9e 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + guint32 sampleCountLow, sampleCountHigh; + + gst_buffer_map (buf, &map, GST_MAP_READ); ++ if (map.size < 6 * 4) { ++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")", ++ map.size); ++ return FALSE; ++ } + dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4); + dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4); + sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4); +-- +GitLab + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 42c9b86471..2cdc62cdb2 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb @@ -30,6 +30,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0022-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \ file://0023-gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch \ file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \ + file://0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch \ + file://0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch \ + file://0027-wavparse-Fix-parsing-of-acid-chunk.patch \ + file://0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch \ + file://0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch \ + file://0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch \ + file://0031-wavparse-Check-size-before-reading-ds64-chunk.patch \ " SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"