!61 [sync] PR-57: fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835

From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

CVE-2023-37328.patch

@@ -0,0 +1,70 @@
+From 97c6d7495e6edb009789cf43ea79e26c54f88538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 0f7425d86334..6a82fb584649 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -776,7 +776,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+     }
+ 
+     if (*next_tag == '<' && *(next_tag + 1) == '/') {
+-      end_tag = strchr (cur, '>');
++      end_tag = strchr (next_tag, '>');
+       if (end_tag) {
+         const gchar *last = NULL;
+         if (num_open_tags > 0)
+-- 
+GitLab
+
+
+From 069065adc4cdc4499766928dde4982b794462006 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 12:58:26 +0300
+Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
+ instead of only skipping `<`
+
+This is a small optimization and avoids restarting the next parsing
+iteration on already accepted data.
+
+On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
+previous commit independently is also a valid fix for it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 6a82fb584649..2b69595e5cb2 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -791,6 +791,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+         } else {
+           --num_open_tags;
+           g_ptr_array_remove_index (open_tags, num_open_tags);
++          cur = end_tag + 1;
++          continue;
+         }
+       }
+     }
+-- 
+GitLab
+

backport-CVE-2024-47538.patch

@@ -0,0 +1,31 @@
+From 5093691ef2ef5c7a6e03a20bce39db143b9cdc43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:35:07 +0300
+Subject: [PATCH] vorbisdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-115
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3869
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035>
+---
+ subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+index 6a410ed858ca..1fc4fa883e68 100644
+--- a/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
++++ b/subprojects/gst-plugins-base/ext/vorbis/gstvorbisdec.c
+@@ -204,7 +204,7 @@ vorbis_handle_identification_packet (GstVorbisDec * vd)
+     }
+     default:{
+       GstAudioChannelPosition position[64];
+-      gint i, max_pos = MAX (vd->vi.channels, 64);
++      gint i, max_pos = MIN (vd->vi.channels, 64);
+ 
+       GST_ELEMENT_WARNING (vd, STREAM, DECODE,
+           (NULL), ("Using NONE channel layout for more than 8 channels"));
+-- 
+GitLab
+

backport-CVE-2024-47541.patch

@@ -0,0 +1,130 @@
+From 15bb318416e1bf6b6b557006a37d1da86c3a76a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 21:40:44 +0300
+Subject: [PATCH 1/2] ssaparse: Search for closing brace after opening brace
+
+Otherwise removing anything between the braces leads to out of bound writes if
+there is a closing brace before the first opening brace.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-228
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstssaparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index 42fbb42b99fe..37b892e92843 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+   gboolean removed_any = FALSE;
+ 
+   while ((t = strchr (txt, '{'))) {
+-    end = strchr (txt, '}');
++    end = strchr (t, '}');
+     if (end == NULL) {
+       GST_WARNING_OBJECT (parse, "Missing { for style override code");
+       return removed_any;
+-- 
+GitLab
+
+
+From 403b10eba06679319aa2e35d310236234782102f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:36:19 +0300
+Subject: [PATCH 2/2] ssaparse: Don't use strstr() on strings that are
+ potentially not NULL-terminated
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036>
+---
+ .../gst/subparse/gstssaparse.c                | 36 ++++++++++++++++++-
+ subprojects/gst-plugins-base/meson.build      |  1 +
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+index 37b892e92843..c162a542f581 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+@@ -146,6 +146,35 @@ gst_ssa_parse_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+   return res;
+ }
+ 
++#ifndef HAVE_MEMMEM
++// memmem() is a GNU extension so if it's not available we'll need
++// our own implementation here. Thanks C.
++static void *
++my_memmem (const void *haystack, size_t haystacklen, const void *needle,
++    size_t needlelen)
++{
++  const guint8 *cur, *end;
++
++  if (needlelen > haystacklen)
++    return NULL;
++  if (needlelen == 0)
++    return (void *) haystack;
++
++
++  cur = haystack;
++  end = cur + haystacklen - needlelen;
++
++  for (; cur <= end; cur++) {
++    if (memcmp (cur, needle, needlelen) == 0)
++      return (void *) cur;
++  }
++
++  return NULL;
++}
++#else
++#define my_memmem memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+ {
+@@ -154,6 +183,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+   const GValue *val;
+   GstStructure *s;
+   const guchar bom_utf8[] = { 0xEF, 0xBB, 0xBF };
++  const guint8 header[] = "[Script Info]";
+   const gchar *end;
+   GstBuffer *priv;
+   GstMapInfo map;
+@@ -193,7 +223,7 @@ gst_ssa_parse_setcaps (GstPad * sinkpad, GstCaps * caps)
+     left -= 3;
+   }
+ 
+-  if (!strstr (ptr, "[Script Info]"))
++  if (!my_memmem (ptr, left, header, sizeof (header) - 1))
+     goto invalid_init;
+ 
+   if (!g_utf8_validate (ptr, left, &end)) {
+@@ -231,6 +261,10 @@ invalid_init:
+   }
+ }
+ 
++#ifdef my_memmem
++#undef my_memmem
++#endif
++
+ static gboolean
+ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
+ {
+diff --git a/subprojects/gst-plugins-base/meson.build b/subprojects/gst-plugins-base/meson.build
+index d1033bef4a96..65d094411424 100644
+--- a/subprojects/gst-plugins-base/meson.build
++++ b/subprojects/gst-plugins-base/meson.build
+@@ -197,6 +197,7 @@ check_functions = [
+   ['HAVE_LRINTF', 'lrintf', '#include<math.h>'],
+   ['HAVE_MMAP', 'mmap', '#include<sys/mman.h>'],
+   ['HAVE_LOG2', 'log2', '#include<math.h>'],
++  ['HAVE_MEMMEM', 'memmem', '#include<string.h>'],
+ ]
+ 
+ libm = cc.find_library('m', required : false)
+-- 
+GitLab
+

backport-CVE-2024-47542.patch

@@ -0,0 +1,60 @@
+From 537161868f36048571f400648ac7909f26c73d53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data
+ is available
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033>
+---
+ subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+index 7db2cb7e12b6..70f975d13374 100644
+--- a/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
++++ b/subprojects/gst-plugins-base/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+ 
+ #define HANDLE_INVALID_SYNCSAFE
+ 
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
++static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+ 
+ #ifndef GST_DISABLE_GST_DEBUG
+ 
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+     GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+   }
+ 
+-  id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
++  id3v2_frames_to_tag_list (&work);
+ 
+   g_free (uu_data);
+ 
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
+ }
+ 
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
++id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+   guint frame_hdr_size;
+ 
+   /* Extended header if present */
+   if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
++    if (work->hdr.frame_data_size < 4) {
++      GST_DEBUG ("Tag has no extended header data. Broken tag");
++      return FALSE;
++    }
++
+     work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+ 
+     /* In id3v2.4.x the header size is the size of the *whole*
+-- 
+GitLab
+

backport-CVE-2024-47600.patch

@@ -0,0 +1,34 @@
+From aa07d94c10d71fac389dbbb264a59c1f6117eead Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:19:30 +0300
+Subject: [PATCH] discoverer: Don't print channel layout for more than 64
+ channels
+
+64+ channels are always unpositioned / unknown layout.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-248
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3864
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8034>
+---
+ subprojects/gst-plugins-base/tools/gst-discoverer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/tools/gst-discoverer.c b/subprojects/gst-plugins-base/tools/gst-discoverer.c
+index e3f048bed50d..4a2a1b4bc4d6 100644
+--- a/subprojects/gst-plugins-base/tools/gst-discoverer.c
++++ b/subprojects/gst-plugins-base/tools/gst-discoverer.c
+@@ -222,7 +222,7 @@ format_channel_mask (GstDiscovererAudioInfo * ainfo)
+ 
+   channel_mask = gst_discoverer_audio_info_get_channel_mask (ainfo);
+ 
+-  if (channel_mask != 0) {
++  if (channel_mask != 0 && channels <= 64) {
+     gst_audio_channel_positions_from_mask (channels, channel_mask, position);
+ 
+     for (i = 0; i < channels; i++) {
+-- 
+GitLab
+

backport-CVE-2024-47607.patch

@@ -0,0 +1,37 @@
+From 2838374d6ee4a0c9c4c4221ac46d5c1688f26e59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 1 Oct 2024 13:22:50 +0300
+Subject: [PATCH] opusdec: Set at most 64 channels to NONE position
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-116
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3871
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037>
+---
+ subprojects/gst-plugins-base/ext/opus/gstopusdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+index 99289fa7d223..d3f461d9a821 100644
+--- a/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
++++ b/subprojects/gst-plugins-base/ext/opus/gstopusdec.c
+@@ -440,12 +440,12 @@ gst_opus_dec_parse_header (GstOpusDec * dec, GstBuffer * buf)
+         posn = gst_opus_channel_positions[dec->n_channels - 1];
+         break;
+       default:{
+-        gint i;
++        guint i, max_pos = MIN (dec->n_channels, 64);
+ 
+         GST_ELEMENT_WARNING (GST_ELEMENT (dec), STREAM, DECODE,
+             (NULL), ("Using NONE channel layout for more than 8 channels"));
+ 
+-        for (i = 0; i < dec->n_channels; i++)
++        for (i = 0; i < max_pos; i++)
+           pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+ 
+         posn = pos;
+-- 
+GitLab
+

backport-CVE-2024-47615.patch

@@ -0,0 +1,241 @@
+From 006047a23a4e4c146e40e5dab765bc6318a94744 Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 15:16:30 +0200
+Subject: [PATCH 1/2] vorbis_parse: check writes to
+ GstOggStream.vorbis_mode_sizes
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-117 Fixes gstreamer#3875
+
+Also perform out-of-bounds check for accesses to op->packet
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
+---
+ .../gst-plugins-base/ext/ogg/vorbis_parse.c   | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+index 65ef463808e1..757c7cd82b8d 100644
+--- a/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
++++ b/subprojects/gst-plugins-base/ext/ogg/vorbis_parse.c
+@@ -165,6 +165,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 0) {
+       offset = 8;
+       current_pos -= 1;
++
++      /* have we underrun? */
++      if (current_pos < op->packet)
++        return -1;
+     }
+   }
+ 
+@@ -178,6 +182,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+     if (offset == 7)
+       current_pos -= 1;
+ 
++    /* have we underrun? */
++    if (current_pos < op->packet + 5)
++      return -1;
++
+     if (((current_pos[-5] & ~((1 << (offset + 1)) - 1)) != 0)
+         ||
+         current_pos[-4] != 0
+@@ -199,9 +207,18 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+   /* Give ourselves a chance to recover if we went back too far by using
+    * the size check. */
+   for (ii = 0; ii < 2; ii++) {
++
+     if (offset > 4) {
++      /* have we underrun? */
++      if (current_pos < op->packet)
++        return -1;
++
+       size_check = (current_pos[0] >> (offset - 5)) & 0x3F;
+     } else {
++      /* have we underrun? */
++      if (current_pos < op->packet + 1)
++        return -1;
++
+       /* mask part of byte from current_pos */
+       size_check = (current_pos[0] & ((1 << (offset + 1)) - 1));
+       /* shift to appropriate position */
+@@ -233,6 +250,10 @@ gst_parse_vorbis_setup_packet (GstOggStream * pad, ogg_packet * op)
+ 
+   mode_size_ptr = pad->vorbis_mode_sizes;
+ 
++  if (size > G_N_ELEMENTS (pad->vorbis_mode_sizes)) {
++    return -1;
++  }
++
+   for (i = 0; i < size; i++) {
+     offset = (offset + 1) % 8;
+     if (offset == 0)
+-- 
+GitLab
+
+
+From e633ec642825466b91fc12da6629c307906fa206 Mon Sep 17 00:00:00 2001
+From: Mathieu Duponchelle <mathieu@centricular.com>
+Date: Wed, 2 Oct 2024 16:52:51 +0200
+Subject: [PATCH 2/2] oggstream: review and fix per-format min_packet_size
+
+This addresses all manually detected invalid reads in setup functions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038>
+---
+ .../gst-plugins-base/ext/ogg/gstoggstream.c   | 40 ++++++-------------
+ 1 file changed, 12 insertions(+), 28 deletions(-)
+
+diff --git a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+index a8883304a5c0..ab6be238dc48 100644
+--- a/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
++++ b/subprojects/gst-plugins-base/ext/ogg/gstoggstream.c
+@@ -665,11 +665,6 @@ setup_vp8_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+   gint width, height, par_n, par_d, fps_n, fps_d;
+ 
+-  if (packet->bytes < 26) {
+-    GST_DEBUG ("Failed to parse VP8 BOS page");
+-    return FALSE;
+-  }
+-
+   width = GST_READ_UINT16_BE (packet->packet + 8);
+   height = GST_READ_UINT16_BE (packet->packet + 10);
+   par_n = GST_READ_UINT24_BE (packet->packet + 12);
+@@ -1221,11 +1216,6 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+   gint64 prestime_n, prestime_d;
+   gint64 basetime_n, basetime_d;
+ 
+-  if (packet->bytes < 44) {
+-    GST_DEBUG ("Not enough data for fishead header");
+-    return FALSE;
+-  }
+-
+   data = packet->packet;
+ 
+   data += 8;                    /* header */
+@@ -1256,8 +1246,8 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+     pad->prestime = -1;
+ 
+   /* Ogg Skeleton 3.3+ streams provide additional information in the header */
+-  if (packet->bytes >= SKELETON_FISHEAD_3_3_MIN_SIZE && pad->skeleton_major == 3
+-      && pad->skeleton_minor > 0) {
++  if (packet->bytes - 44 >= SKELETON_FISHEAD_3_3_MIN_SIZE
++      && pad->skeleton_major == 3 && pad->skeleton_minor > 0) {
+     gint64 firstsampletime_n, firstsampletime_d;
+     gint64 lastsampletime_n, lastsampletime_d;
+     gint64 firstsampletime, lastsampletime;
+@@ -1296,7 +1286,7 @@ setup_fishead_mapper (GstOggStream * pad, ogg_packet * packet)
+ 
+     GST_INFO ("skeleton fishead parsed total: %" GST_TIME_FORMAT,
+         GST_TIME_ARGS (pad->total_time));
+-  } else if (packet->bytes >= SKELETON_FISHEAD_4_0_MIN_SIZE
++  } else if (packet->bytes - 44 >= SKELETON_FISHEAD_4_0_MIN_SIZE
+       && pad->skeleton_major == 4) {
+     guint64 segment_length, content_offset;
+ 
+@@ -1980,9 +1970,6 @@ setup_kate_mapper (GstOggStream * pad, ogg_packet * packet)
+   guint8 *data = packet->packet;
+   const char *category;
+ 
+-  if (packet->bytes < 64)
+-    return FALSE;
+-
+   pad->granulerate_n = GST_READ_UINT32_LE (data + 24);
+   pad->granulerate_d = GST_READ_UINT32_LE (data + 28);
+   pad->granuleshift = GST_READ_UINT8 (data + 15);
+@@ -2111,9 +2098,6 @@ setup_opus_mapper (GstOggStream * pad, ogg_packet * packet)
+ {
+   GstBuffer *buffer;
+ 
+-  if (packet->bytes < 19)
+-    return FALSE;
+-
+   pad->granulerate_n = 48000;
+   pad->granulerate_d = 1;
+   pad->granuleshift = 0;
+@@ -2394,7 +2378,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\001vorbis", 7, 22,
++    "\001vorbis", 7, 29,
+     "audio/x-vorbis",
+     setup_vorbis_mapper,
+     NULL,
+@@ -2426,7 +2410,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "PCM     ", 8, 0,
++    "PCM     ", 8, 28,
+     "audio/x-raw",
+     setup_pcm_mapper,
+     NULL,
+@@ -2442,7 +2426,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "CMML\0\0\0\0", 8, 0,
++    "CMML\0\0\0\0", 8, 29,
+     "text/x-cmml",
+     setup_cmml_mapper,
+     NULL,
+@@ -2458,7 +2442,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "Annodex", 7, 0,
++    "Annodex", 7, 44,
+     "application/x-annodex",
+     setup_fishead_mapper,
+     NULL,
+@@ -2537,7 +2521,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "CELT    ", 8, 0,
++    "CELT    ", 8, 60,
+     "audio/x-celt",
+     setup_celt_mapper,
+     NULL,
+@@ -2553,7 +2537,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\200kate\0\0\0", 8, 0,
++    "\200kate\0\0\0", 8, 64,
+     "text/x-kate",
+     setup_kate_mapper,
+     NULL,
+@@ -2585,7 +2569,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "OVP80\1\1", 7, 4,
++    "OVP80\1\1", 7, 26,
+     "video/x-vp8",
+     setup_vp8_mapper,
+     setup_vp8_mapper_from_caps,
+@@ -2601,7 +2585,7 @@ const GstOggMap mappers[] = {
+     update_stats_vp8
+   },
+   {
+-    "OpusHead", 8, 0,
++    "OpusHead", 8, 19,
+     "audio/x-opus",
+     setup_opus_mapper,
+     NULL,
+@@ -2649,7 +2633,7 @@ const GstOggMap mappers[] = {
+     NULL
+   },
+   {
+-    "\001text\0\0\0", 9, 9,
++    "\001text\0\0\0", 9, 25,
+     "application/x-ogm-text",
+     setup_ogmtext_mapper,
+     NULL,
+-- 
+GitLab
+

backport-CVE-2024-47835.patch

@@ -0,0 +1,35 @@
+From 4c40f73b7002967e824ef34a5435282f4a0ea363 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:23:47 -0400
+Subject: [PATCH] subparse: Check for NULL return of strchr() when parsing LRC
+ subtitles
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-263
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3892
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8039>
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 8d925524a650..7d286ed3186e 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -1070,6 +1070,11 @@ parse_lrc (ParserState * state, const gchar * line)
+     return NULL;
+ 
+   start = strchr (line, ']');
++  // sscanf() does not check for the trailing ] but only up to the last
++  // placeholder, so there might be no ] at the end.
++  if (!start)
++    return NULL;
++
+   if (start - line == 9)
+     milli = 10;
+   else
+-- 
+GitLab
+

backport-xclaesse:fix-meson-0-58.patch

@@ -1,47 +0,0 @@
-From 90903917a8185e0f9add7af8153ae2fc9875fdcb Mon Sep 17 00:00:00 2001
-From: Xavier Claessens <xavier.claessens@collabora.com>
-Date: Mon, 26 Apr 2021 14:25:03 -0400
-Subject: [PATCH] gstgl: Fix build when Meson >= 0.58.0rc1
-
-"implicit_include_directories: false" now also means that current build
-directory is not added to include paths by default any more. We have to
-add it manually because we have some custom_target() that generate
-headers in current build directory.
-
-See https://github.com/mesonbuild/meson/issues/8700.
-
-Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1127>
----
- gst-libs/gst/gl/meson.build | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/gst-libs/gst/gl/meson.build b/gst-libs/gst/gl/meson.build
-index db11c5e89..731ee9f5e 100644
---- a/gst-libs/gst/gl/meson.build
-+++ b/gst-libs/gst/gl/meson.build
-@@ -989,11 +989,20 @@ if build_gstgl
-     command : [mkenums, glib_mkenums, '@OUTPUT@', '@INPUT@'])
-   gen_sources = [gl_enumtypes_h]
- 
-+  common_args = gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL']
-+
-+  # We have custom_target() that generate headers in the current build dir,
-+  # but with implicit_include_directories: false, meson >= 0.58.0 won't include
-+  # it by default. We cannot use include_directories('.') here because it would
-+  # also include current source dir which is what we want to avoid because
-+  # case-insensitive FS would include gst-libs/gl/egl/egl.h as EGL/egl.h.
-+  common_args += '-I@0@'.format(meson.current_build_dir())
-+
-   gstgl = library('gstgl-' + api_version,
-     gl_sources, gl_egl_sources, gl_x11_sources, gl_wayland_sources, gl_priv_sources, gl_enumtypes_c, gl_enumtypes_h,
--    c_args : gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL'],
--    cpp_args : gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL'],
--    objc_args : gst_plugins_base_args + gl_cpp_args + gl_objc_args + ['-DBUILDING_GST_GL'],
-+    c_args : common_args,
-+    cpp_args : common_args,
-+    objc_args : common_args + gl_objc_args,
-     include_directories : [configinc, libsinc, gl_includes],
-     version : libversion,
-     soversion : soversion,
--- 
-GitLab

gst-plugins-base-1.18.4-sw.patch

@@ -0,0 +1,11 @@
+diff -Naur gst-plugins-base-1.18.4.org/meson.build gst-plugins-base-1.18.4.sw/meson.build
+--- gst-plugins-base-1.18.4.org/meson.build	2022-03-11 05:47:56.152357080 +0000
++++ gst-plugins-base-1.18.4.sw/meson.build	2022-03-11 05:55:05.152357080 +0000
+@@ -123,6 +123,7 @@
+   [ 'powerpc', 'HAVE_CPU_PPC' ],
+   [ 'powerpc64', 'HAVE_CPU_PPC64' ],
+   [ 'alpha', 'HAVE_CPU_ALPHA' ],
++  [ 'sw_64', 'HAVE_CPU_SW_64' ],
+   [ 'sparc', 'HAVE_CPU_SPARC' ],
+   [ 'ia64', 'HAVE_CPU_IA64' ],
+   [ 'hppa', 'HAVE_CPU_HPPA' ],

gstreamer1-plugins-base.spec

@@ -3,15 +3,24 @@
 
 Name:            gstreamer1-plugins-base
 Version:         1.18.4
-Release:         3
+Release:         8
 Summary:         GStreamer streaming media framework base plugins
 License:         LGPLv2+
 URL:             http://gstreamer.freedesktop.org/
 Source0:         http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-%{version}.tar.xz
 
 Patch0:         0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
+Patch1000:      gst-plugins-base-1.18.4-sw.patch
 
 Patch6000:	backport-xclaesse-fix-meson-0-58.patch
+Patch6001:      CVE-2023-37328.patch
+Patch6002: backport-CVE-2024-47538.patch
+Patch6003: backport-CVE-2024-47541.patch
+Patch6004: backport-CVE-2024-47542.patch
+Patch6005: backport-CVE-2024-47600.patch
+Patch6006: backport-CVE-2024-47607.patch
+Patch6007: backport-CVE-2024-47615.patch
+Patch6008: backport-CVE-2024-47835.patch
 
 BuildRequires:  gcc-c++ gstreamer1-devel >= %{version} gobject-introspection-devel >= 1.31.1 iso-codes-devel alsa-lib-devel
 BuildRequires:  cdparanoia-devel libogg-devel >= 1.0 libtheora-devel >= 1.1 libvisual-devel libvorbis-devel >= 1.0 libXv-devel
@@ -49,8 +58,10 @@ This package provides manual for developpers.
 
 %prep
 %setup -q -n gst-plugins-base-%{version}
-%patch0 -p1
-%patch6000 -p1
+%patch -P0 -p1
+%patch -P1000 -p1
+%patch -P6000 -p1
+%autopatch -p3 -m6001
 
 %build
 %meson -D doc=disabled -D gtk_doc=disabled -D orc=enabled \
@@ -266,6 +277,22 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
 %{_mandir}/man1/gst-device-monitor-*.gz
 
 %changelog
+* Wed Dec 04 2024 Funda Wang <fundawang@yeah.net> - 1.18.4-8
+- fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600,
+  CVE-2024-47607, CVE-2024-47615, CVE-2024-47835
+
+* Mon May 20 2024 technology208 <technology@208suo.com> - 1.18.4-7
+- optimize subparse end_tag process
+
+* Fri Mar 15 2024 technology208 <technology@208suo.com> - 1.18.4-6
+- fix CVE-2023-37328
+
+* Sun Feb 04 2024 yangchenguang <yangchenguang@kylinsec.com.cn> - 1.18.4-5
+- Add build sw_64 support
+
+* Wed Jan 31 2024 liyanan <liyanan61@h-partners.com> - 1.18.4-4
+- Delete unnecessary files
+
 * Tue Jan 11 2022 wuchaochao <wuchaochao4@huawei.com> - 1.18.4-3
 - change patch name