packages/gstreamer1-plugins-base
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835

Browse Source 
(cherry picked from commit 62301987591fbdb1baa50d83a7108c7aae67b434)
This commit is contained in:
Funda Wang 2024-12-04 11:22:23 +08:00 committed by openeuler-sync-bot
parent 8412c65286
commit 10ff79b554
9 changed files with 634 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
CVE-2023-37328.patch
View File

@ -1,17 +1,28 @@
From 803fec1d19a401af00153e0b5791bf9a14e11ca4 Mon Sep 17 00:00:00 2001
From: technology208 <technology@208suo.com>
Date: Thu, 11 Apr 2024 15:33:46 +0800
Subject: [PATCH] CreatePatch
From 97c6d7495e6edb009789cf43ea79e26c54f88538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:53:13 +0300
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
opening `<`
Previously when fixing up subrip markip, we were looking from the start
of the remaining buffer instead. Due to how skipping over closing tags
works, the remaining buffer will still contain the closing `>` of the
previous tag so if a unexpected closing tag is found after another
closing tag, we would potentially do an out of bounds memmove().
Fixes ZDI-CAN-20968
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
gst/subparse/gstsubparse.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
index 382e430..423112a 100644
--- a/gst/subparse/gstsubparse.c
+++ b/gst/subparse/gstsubparse.c
@@ -815,19 +815,22 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 0f7425d86334..6a82fb584649 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -776,7 +776,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
}
if (*next_tag == '<' && *(next_tag + 1) == '/') {
@ -20,16 +31,32 @@ index 382e430..423112a 100644
if (end_tag) {
const gchar *last = NULL;
if (num_open_tags > 0)
last = g_ptr_array_index (open_tags, num_open_tags - 1);
if (num_open_tags == 0
|| g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
- GST_LOG ("broken input, closing tag '%s' is not open", end_tag - 1);
- memmove (next_tag, end_tag + 1, strlen (end_tag) + 1);
- next_tag -= strlen (end_tag);
+ GST_LOG ("broken input, closing tag '%s' is not open", next_tag);
+ memmove (next_tag, end_tag + 1, strlen (end_tag));
+ cur = next_tag;
+ continue;
--
GitLab
From 069065adc4cdc4499766928dde4982b794462006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:58:26 +0300
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
instead of only skipping `<`
This is a small optimization and avoids restarting the next parsing
iteration on already accepted data.
On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
previous commit independently is also a valid fix for it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 6a82fb584649..2b69595e5cb2 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -791,6 +791,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
@ -39,5 +66,5 @@ index 382e430..423112a 100644
}
}
--
2.43.0
GitLab

31
backport-CVE-2024-47538.patch Normal file
View File

@ -0,0 +1,31 @@
From 5093691ef2ef5c7a6e03a20bce39db143b9cdc43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 21:35:07 +0300
Subject: [PATCH] vorbisdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-115
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035>
---
subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
index 6a410ed858ca..1fc4fa883e68 100644
--- a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+++ b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
}
default:{
GstAudioChannelPosition position[64];
- gint i, max_pos = MAX (vd->vi.channels, 64);
+ gint i, max_pos = MIN (vd->vi.channels, 64);
GST_ELEMENT_WARNING (vd, STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
--
GitLab

130
backport-CVE-2024-47541.patch Normal file
View File

@ -0,0 +1,130 @@
From 15bb318416e1bf6b6b557006a37d1da86c3a76a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 21:40:44 +0300
Subject: [PATCH 1/2] ssaparse: Search for closing brace after opening brace
Otherwise removing anything between the braces leads to out of bound writes if
there is a closing brace before the first opening brace.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-228
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036>
---
subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
index 42fbb42b99fe..37b892e92843 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
gboolean removed_any = FALSE;
while ((t = strchr (txt, '{'))) {
- end = strchr (txt, '}');
+ end = strchr (t, '}');
if (end == NULL) {
GST_WARNING_OBJECT (parse, "Missing { for style override code");
return removed_any;
--
GitLab
From 403b10eba06679319aa2e35d310236234782102f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 18:36:19 +0300
Subject: [PATCH 2/2] ssaparse: Don't use strstr() on strings that are
potentially not NULL-terminated
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036>
---
.../gst/subparse/gstssaparse.c | 36 ++++++++++++++++++-
subprojects/gst-plugins-base/meson.build | 1 +
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
index 37b892e92843..c162a542f581 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
return res;
}
+#ifndef HAVE_MEMMEM
+// memmem() is a GNU extension so if it's not available we'll need
+// our own implementation here. Thanks C.
+static void *
+my_memmem (const void *haystack, size_t haystacklen, const void *needle,
+ size_t needlelen)
+{
+ const guint8 *cur, *end;
+
+ if (needlelen > haystacklen)
+ return NULL;
+ if (needlelen == 0)
+ return (void *) haystack;
+
+
+ cur = haystack;
+ end = cur + haystacklen - needlelen;
+
+ for (; cur <= end; cur++) {
+ if (memcmp (cur, needle, needlelen) == 0)
+ return (void *) cur;
+ }
+
+ return NULL;
+}
+#else
+#define my_memmem memmem
+#endif
+
static gboolean
gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
{
@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
const GValue *val;
GstStructure *s;
const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF };
+ const guint8 header[] = "[Script Info]";
const gchar *end;
GstBuffer *priv;
GstMapInfo map;
@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
left -= 3;
}
- if (!strstr (ptr, "[Script Info]"))
+ if (!my_memmem (ptr, left, header, sizeof (header) - 1))
goto invalid_init;
if (!g_utf8_validate (ptr, left, &end)) {
@@ -231,6 +261,10 @@ invalid_init:
}
}
+#ifdef my_memmem
+#undef my_memmem
+#endif
+
static gboolean
gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
{
diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build
index d1033bef4a96..65d094411424 100644
--- a/subprojects/gst-plugins-base/meson.build
+++ b/subprojects/gst-plugins-base/meson.build
@@ -197,6 +197,7 @@ check_functions = [
['HAVE_LRINTF', 'lrintf', '#include<math.h>'],
['HAVE_MMAP', 'mmap', '#include<sys/mman.h>'],
['HAVE_LOG2', 'log2', '#include<math.h>'],
+ ['HAVE_MEMMEM', 'memmem', '#include<string.h>'],
]
libm = cc.find_library('m', required : false)
--
GitLab

60
backport-CVE-2024-47542.patch Normal file
View File

@ -0,0 +1,60 @@
From 537161868f36048571f400648ac7909f26c73d53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 13:43:06 +0300
Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data
is available
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-235
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033>
---
subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
index 7db2cb7e12b6..70f975d13374 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
@@ -29,7 +29,7 @@
#define HANDLE_INVALID_SYNCSAFE
-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
+static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
#ifndef GST_DISABLE_GST_DEBUG
@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
}
- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
+ id3v2_frames_to_tag_list (&work);
g_free (uu_data);
@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
}
static gboolean
-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
+id3v2_frames_to_tag_list (ID3TagsWorking * work)
{
guint frame_hdr_size;
/* Extended header if present */
if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
+ if (work->hdr.frame_data_size < 4) {
+ GST_DEBUG ("Tag has no extended header data. Broken tag");
+ return FALSE;
+ }
+
work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
/* In id3v2.4.x the header size is the size of the *whole*
--
GitLab

34
backport-CVE-2024-47600.patch Normal file
View File

@ -0,0 +1,34 @@
From aa07d94c10d71fac389dbbb264a59c1f6117eead Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 18:19:30 +0300
Subject: [PATCH] discoverer: Don't print channel layout for more than 64
channels
64+ channels are always unpositioned / unknown layout.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-248
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8034>
---
subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c
index e3f048bed50d..4a2a1b4bc4d6 100644
--- a/subprojects/gst-plugins-base/tools/gst-discoverer.c
+++ b/subprojects/gst-plugins-base/tools/gst-discoverer.c
@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo)
channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo);
- if (channel_mask != 0) {
+ if (channel_mask != 0 && channels <= 64) {
gst_audio_channel_positions_from_mask (channels, channel_mask, position);
for (i = 0; i < channels; i++) {
--
GitLab

37
backport-CVE-2024-47607.patch Normal file
View File

@ -0,0 +1,37 @@
From 2838374d6ee4a0c9c4c4221ac46d5c1688f26e59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 1 Oct 2024 13:22:50 +0300
Subject: [PATCH] opusdec: Set at most 64 channels to NONE position
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-116
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037>
---
subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
index 99289fa7d223..d3f461d9a821 100644
--- a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+++ b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
posn = gst_opus_channel_positions[dec->n_channels - 1];
break;
default:{
- gint i;
+ guint i, max_pos = MIN (dec->n_channels, 64);
GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
(NULL), ("Using NONE channel layout for more than 8 channels"));
- for (i = 0; i < dec->n_channels; i++)
+ for (i = 0; i < max_pos; i++)
pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
posn = pos;
--
GitLab

241
backport-CVE-2024-47615.patch Normal file
View File

@ -0,0 +1,241 @@
From 006047a23a4e4c146e40e5dab765bc6318a94744 Mon Sep 17 00:00:00 2001
From: Mathieu Duponchelle <mathieu@centricular.com>
Date: Wed, 2 Oct 2024 15:16:30 +0200
Subject: [PATCH 1/2] vorbis_parse: check writes to
GstOggStream.vorbis_mode_sizes
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-117 Fixes gstreamer#3875
Also perform out-of-bounds check for accesses to op->packet
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
---
.../gst-plugins-base/ext/ogg/vorbis_parse.c | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
index 65ef463808e1..757c7cd82b8d 100644
--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 0) {
offset = 8;
current_pos -= 1;
+
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
}
}
@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
if (offset == 7)
current_pos -= 1;
+ /* have we underrun? */
+ if (current_pos < op->packet + 5)
+ return -1;
+
if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
||
current_pos[-4] != 0
@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
/* Give ourselves a chance to recover if we went back too far by using
* the size check. */
for (ii = 0; ii < 2; ii++) {
+
if (offset > 4) {
+ /* have we underrun? */
+ if (current_pos < op->packet)
+ return -1;
+
size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
} else {
+ /* have we underrun? */
+ if (current_pos < op->packet + 1)
+ return -1;
+
/* mask part of byte from current_pos */
size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
/* shift to appropriate position */
@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
mode_size_ptr = pad->vorbis_mode_sizes;
+ if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
+ return -1;
+ }
+
for (i = 0; i < size; i++) {
offset = (offset + 1) % 8;
if (offset == 0)
--
GitLab
From e633ec642825466b91fc12da6629c307906fa206 Mon Sep 17 00:00:00 2001
From: Mathieu Duponchelle <mathieu@centricular.com>
Date: Wed, 2 Oct 2024 16:52:51 +0200
Subject: [PATCH 2/2] oggstream: review and fix per-format min_packet_size
This addresses all manually detected invalid reads in setup functions.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
---
.../gst-plugins-base/ext/ogg/gstoggstream.c | 40 ++++++-------------
1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
index a8883304a5c0..ab6be238dc48 100644
--- a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+++ b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
{
gint width, height, par_n, par_d, fps_n, fps_d;
- if (packet->bytes < 26) {
- GST_DEBUG ("Failed to parse VP8 BOS page");
- return FALSE;
- }
-
width = GST_READ_UINT16_BE (packet->packet + 8);
height = GST_READ_UINT16_BE (packet->packet + 10);
par_n = GST_READ_UINT24_BE (packet->packet + 12);
@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
gint64 prestime_n, prestime_d;
gint64 basetime_n, basetime_d;
- if (packet->bytes < 44) {
- GST_DEBUG ("Not enough data for fishead header");
- return FALSE;
- }
-
data = packet->packet;
data += 8; /* header */
@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
pad->prestime = -1;
/* Ogg Skeleton 3.3+ streams provide additional information in the header */
- if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
- && pad->skeleton_minor > 0) {
+ if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
+ && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
gint64 firstsampletime_n, firstsampletime_d;
gint64 lastsampletime_n, lastsampletime_d;
gint64 firstsampletime, lastsampletime;
@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
GST_TIME_ARGS (pad->total_time));
- } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
+ } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
&& pad->skeleton_major == 4) {
guint64 segment_length, content_offset;
@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
guint8 *data = packet->packet;
const char *category;
- if (packet->bytes < 64)
- return FALSE;
-
pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
pad->granuleshift = GST_READ_UINT8 (data + 15);
@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
{
GstBuffer *buffer;
- if (packet->bytes < 19)
- return FALSE;
-
pad->granulerate_n = 48000;
pad->granulerate_d = 1;
pad->granuleshift = 0;
@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\001vorbis", 7, 22,
+ "\001vorbis", 7, 29,
"audio/x-vorbis",
setup_vorbis_mapper,
NULL,
@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "PCM ", 8, 0,
+ "PCM ", 8, 28,
"audio/x-raw",
setup_pcm_mapper,
NULL,
@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "CMML\0\0\0\0", 8, 0,
+ "CMML\0\0\0\0", 8, 29,
"text/x-cmml",
setup_cmml_mapper,
NULL,
@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "Annodex", 7, 0,
+ "Annodex", 7, 44,
"application/x-annodex",
setup_fishead_mapper,
NULL,
@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "CELT ", 8, 0,
+ "CELT ", 8, 60,
"audio/x-celt",
setup_celt_mapper,
NULL,
@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\200kate\0\0\0", 8, 0,
+ "\200kate\0\0\0", 8, 64,
"text/x-kate",
setup_kate_mapper,
NULL,
@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "OVP80\1\1", 7, 4,
+ "OVP80\1\1", 7, 26,
"video/x-vp8",
setup_vp8_mapper,
setup_vp8_mapper_from_caps,
@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
update_stats_vp8
},
{
- "OpusHead", 8, 0,
+ "OpusHead", 8, 19,
"audio/x-opus",
setup_opus_mapper,
NULL,
@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
NULL
},
{
- "\001text\0\0\0", 9, 9,
+ "\001text\0\0\0", 9, 25,
"application/x-ogm-text",
setup_ogmtext_mapper,
NULL,
--
GitLab

35
backport-CVE-2024-47835.patch Normal file
View File

@ -0,0 +1,35 @@
From 4c40f73b7002967e824ef34a5435282f4a0ea363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 9 Oct 2024 11:23:47 -0400
Subject: [PATCH] subparse: Check for NULL return of strchr() when parsing LRC
subtitles
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-263
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8039>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 8d925524a650..7d286ed3186e 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -1070,6 +1070,11 @@ parse_lrc (ParserState * state, const gchar * line)
return NULL;
start = strchr (line, ']');
+ // sscanf() does not check for the trailing ] but only up to the last
+ // placeholder, so there might be no ] at the end.
+ if (!start)
+ return NULL;
+
if (start - line == 9)
milli = 10;
else
--
GitLab

23
gstreamer1-plugins-base.spec
View File

@ -3,7 +3,7 @@
Name: gstreamer1-plugins-base
Version: 1.18.4
Release: 7
Release: 8
Summary: GStreamer streaming media framework base plugins
License: LGPLv2+
URL: http://gstreamer.freedesktop.org/
@ -13,7 +13,14 @@ Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
Patch1000: gst-plugins-base-1.18.4-sw.patch
Patch6000: backport-xclaesse-fix-meson-0-58.patch
Patch6001: CVE-2023-37328.patch
Patch6001: CVE-2023-37328.patch
Patch6002: backport-CVE-2024-47538.patch
Patch6003: backport-CVE-2024-47541.patch
Patch6004: backport-CVE-2024-47542.patch
Patch6005: backport-CVE-2024-47600.patch
Patch6006: backport-CVE-2024-47607.patch
Patch6007: backport-CVE-2024-47615.patch
Patch6008: backport-CVE-2024-47835.patch
BuildRequires: gcc-c++ gstreamer1-devel >= %{version} gobject-introspection-devel >= 1.31.1 iso-codes-devel alsa-lib-devel
BuildRequires: cdparanoia-devel libogg-devel >= 1.0 libtheora-devel >= 1.1 libvisual-devel libvorbis-devel >= 1.0 libXv-devel
@ -51,10 +58,10 @@ This package provides manual for developpers.
%prep
%setup -q -n gst-plugins-base-%{version}
%patch0 -p1
%patch1000 -p1
%patch6000 -p1
%patch6001 -p1
%patch -P0 -p1
%patch -P1000 -p1
%patch -P6000 -p1
%autopatch -p3 -m6001
%build
%meson -D doc=disabled -D gtk_doc=disabled -D orc=enabled \
@ -270,6 +277,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%{_mandir}/man1/gst-device-monitor-*.gz
%changelog
* Wed Dec 04 2024 Funda Wang <fundawang@yeah.net> - 1.18.4-8
- fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600,
CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
* Mon May 20 2024 technology208 <technology@208suo.com> - 1.18.4-7
- optimize subparse end_tag process