gst-plugins-good: fix several CVE

backport fix for: CVE-2022-1920 CVE-2022-1921 CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925 CVE-2022-2122 also set ignore at gstreamer1.0_1.16.3.bb (From OE-Core rev: c852d3e6742fe82b9f4ec84b077d6e1b0bfd021e) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chee Yang Lee <chee.yang.lee@intel.com> 2022-09-14 14:04:10 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-09-16 18:41:13 +0100
commit: e49990f01e52a33f041341a4d492aee3db2ebd0a (patch)
tree: b5aa94e0e9bc505a4f7478c53a66d7fee7208f9f /meta/recipes-multimedia
parent: aa19c8c35e5130b765fff4316c73c5710c98d9cd (diff)
download: poky-e49990f01e52a33f041341a4d492aee3db2ebd0a.tar.gz
6 files changed, 413 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+ corruption in WavPack header handling code
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1920
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-demux.c     | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   } else {
+     guint8 *outdata = NULL;
+     gsize buf_size, size;
+-    guint32 block_samples, flags, crc, blocksize;
+    guint32 block_samples, flags, crc;
+    gsize blocksize;
+     GstAdapter *adapter;
+ 
+     adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+         return GST_FLOW_ERROR;
+       }
+ 
+      if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+        GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+        gst_buffer_unmap (*buf, &map);
+        g_object_unref (adapter);
+        return GST_FLOW_ERROR;
+      }
+
+       g_assert (newbuf == NULL);
+ 
+       newbuf =
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
new file mode 100644
index 0000000000..99dbb2b1b0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+ in DIB buffer inversion code
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1921
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/avi/gstavidemux.c      | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+ static GstBuffer *
+ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ {
+-  gint y, w, h;
+-  gint bpp, stride;
+  guint y, w, h;
+  guint bpp, stride;
+   guint8 *tmp = NULL;
+   GstMapInfo map;
+   guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+   h = stream->strf.vids->height;
+   w = stream->strf.vids->width;
+   bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
+
+  if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
+    GST_WARNING ("Width x stride overflows");
+    return buf;
+  }
+
+  if (w == 0 || h == 0) {
+    GST_WARNING ("Zero width or height");
+    return buf;
+  }
+
+   stride = GST_ROUND_UP_4 (w * (bpp / 8));
+ 
+   buf = gst_buffer_make_writable (buf);
+ 
+   gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+-  if (map.size < (stride * h)) {
+  if (map.size < ((guint64) stride * (guint64) h)) {
+     GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+     gst_buffer_unmap (buf, &map);
+     return buf;
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+ decompression code
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-read-common.c       | 76 +++++++++++++++----
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
+++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+   gboolean audio_only;
+ } TargetTypeContext;
+ 
+/* 120MB as maximum decompressed data size. Anything bigger is likely
+ * pathological, and like this we avoid out of memory situations in many cases
+ */
+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+ 
+ static gboolean
+ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+     GstMatroskaTrackCompressionAlgorithm algo)
+ {
+   guint8 *new_data = NULL;
+-  guint new_size = 0;
+  gsize new_size = 0;
+   guint8 *data = *data_out;
+-  guint size = *size_out;
+  const gsize size = *size_out;
+   gboolean ret = TRUE;
+ 
+  if (size > G_MAXUINT32) {
+    GST_WARNING ("too large compressed data buffer.");
+    ret = FALSE;
+    goto out;
+  }
+
+   if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+ #ifdef HAVE_ZLIB
+     /* zlib encoded data */
+     z_stream zstream;
+-    guint orig_size;
+     int result;
+ 
+-    orig_size = size;
+     zstream.zalloc = (alloc_func) 0;
+     zstream.zfree = (free_func) 0;
+     zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+       goto out;
+     }
+     zstream.next_in = (Bytef *) data;
+-    zstream.avail_in = orig_size;
+-    new_size = orig_size;
+    zstream.avail_in = size;
+    new_size = size;
+     new_data = g_malloc (new_size);
+     zstream.avail_out = new_size;
+     zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+         break;
+       }
+ 
+      if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        result = Z_MEM_ERROR;
+        break;
+      }
+
+       new_size += 4096;
+       new_data = g_realloc (new_data, new_size);
+       zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+-      zstream.avail_out += 4096;
+      /* avail_out is an unsigned int */
+      g_assert (new_size - zstream.total_out <= G_MAXUINT);
+      zstream.avail_out = new_size - zstream.total_out;
+     } while (zstream.avail_in > 0);
+ 
+     if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ #ifdef HAVE_BZ2
+     /* bzip2 encoded data */
+     bz_stream bzstream;
+-    guint orig_size;
+     int result;
+ 
+     bzstream.bzalloc = NULL;
+     bzstream.bzfree = NULL;
+     bzstream.opaque = NULL;
+-    orig_size = size;
+ 
+     if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+       GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+     }
+ 
+     bzstream.next_in = (char *) data;
+-    bzstream.avail_in = orig_size;
+-    new_size = orig_size;
+    bzstream.avail_in = size;
+    new_size = size;
+     new_data = g_malloc (new_size);
+     bzstream.avail_out = new_size;
+     bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+         break;
+       }
+ 
+      if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        result = BZ_MEM_ERROR;
+        break;
+      }
+
+       new_size += 4096;
+       new_data = g_realloc (new_data, new_size);
+-      bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+-      bzstream.avail_out += 4096;
+      bzstream.next_out =
+          (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32);
+      /* avail_out is an unsigned int */
+      g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32 <= G_MAXUINT);
+      bzstream.avail_out =
+          new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32;
+     } while (bzstream.avail_in > 0);
+ 
+     if (result != BZ_STREAM_END) {
+       ret = FALSE;
+       g_free (new_data);
+     } else {
+-      new_size = bzstream.total_out_lo32;
+      new_size =
+          ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+     }
+     BZ2_bzDecompressEnd (&bzstream);
+ 
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+   } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+     /* lzo encoded data */
+     int result;
+-    int orig_size, out_size;
+    gint orig_size, out_size;
+
+    if (size > G_MAXINT) {
+      GST_WARNING ("too large compressed data buffer.");
+      ret = FALSE;
+      goto out;
+    }
+ 
+     orig_size = size;
+     out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+       result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+ 
+       if (orig_size > 0) {
+        if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+          GST_WARNING ("too big decompressed data");
+          result = LZO_ERROR;
+          break;
+        }
+         new_size += 4096;
+         new_data = g_realloc (new_data, new_size);
+       }
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+   } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+     /* header stripped encoded data */
+     if (enc->comp_settings_length > 0) {
+      if (size > G_MAXSIZE - enc->comp_settings_length
+          || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        ret = FALSE;
+        goto out;
+      }
+
+       new_data = g_malloc (size + enc->comp_settings_length);
+       new_size = size + enc->comp_settings_length;
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
new file mode 100644
index 0000000000..f4d38c270e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: tbd
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+       break;
+     }
+ 
+    if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
+      GST_WARNING ("too big decompressed data");
+      ret = Z_MEM_ERROR;
+      break;
+    }
+
+     *length += 4096;
+     buffer = (guint8 *) g_realloc (buffer, *length);
+     z.next_out = (Bytef *) (buffer + z.total_out);
+-    z.avail_out += 4096;
+    z.avail_out += *length - z.total_out;
+   } while (z.avail_in > 0);
+ 
+   if (ret != Z_STREAM_END) {
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
index 1038cbf224..831a317a82 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -10,6 +10,10 @@ SRC_URI = " \
            file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
            file://CVE-2021-3497.patch \
            file://CVE-2021-3498.patch \
+            file://CVE-2022-1920.patch \
+            file://CVE-2022-1921.patch \
+            file://CVE-2022-1922-1923-1924-1925.patch \
+            file://CVE-2022-2122.patch \
            "
 SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
index 966a904eef..14793b7fdf 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522"
 # so we need to ignore the false hits
 CVE_CHECK_WHITELIST += "CVE-2021-3497"
 CVE_CHECK_WHITELIST += "CVE-2021-3498"
+CVE_CHECK_WHITELIST += "CVE-2022-1920"
+CVE_CHECK_WHITELIST += "CVE-2022-1921"
+CVE_CHECK_WHITELIST += "CVE-2022-1922"
+CVE_CHECK_WHITELIST += "CVE-2022-1923"
+CVE_CHECK_WHITELIST += "CVE-2022-1924"
+CVE_CHECK_WHITELIST += "CVE-2022-1925"
+CVE_CHECK_WHITELIST += "CVE-2022-2122"
 require gstreamer1.0-ptest.inc
author	Chee Yang Lee <chee.yang.lee@intel.com>	2022-09-14 14:04:10 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-09-16 18:41:13 +0100
commit	e49990f01e52a33f041341a4d492aee3db2ebd0a (patch)
tree	b5aa94e0e9bc505a4f7478c53a66d7fee7208f9f /meta/recipes-multimedia
parent	aa19c8c35e5130b765fff4316c73c5710c98d9cd (diff)
download	poky-e49990f01e52a33f041341a4d492aee3db2ebd0a.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
		1	From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Wed, 18 May 2022 10:23:15 +0300
		4	Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
		5	corruption in WavPack header handling code
		6
		7	blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
		8	results in allocating a very small buffer. Into that buffer blocksize
		9	data is memcpy'd later which then causes out of bound writes and can
		10	potentially lead to anything from crashes to remote code execution.
		11
		12	Thanks to Adam Doupe for analyzing and reporting the issue.
		13
		14	CVE: CVE-2022-1920
		15
		16	https://gstreamer.freedesktop.org/security/sa-2022-0004.html
		17
		18	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
		19
		20	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
		21
		22	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
		23	Upstream-Status: Backport
		24	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		25	---
		26	.../gst/matroska/matroska-demux.c \| 10 +++++++++-
		27	1 file changed, 9 insertions(+), 1 deletion(-)
		28
		29	diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
		30	index 64cc6be60be..01d754c3eb9 100644
		31	--- a/gst/matroska/matroska-demux.c
		32	+++ b/gst/matroska/matroska-demux.c
		33	@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		34	} else {
		35	guint8 *outdata = NULL;
		36	gsize buf_size, size;
		37	- guint32 block_samples, flags, crc, blocksize;
		38	+ guint32 block_samples, flags, crc;
		39	+ gsize blocksize;
		40	GstAdapter *adapter;
		41
		42	adapter = gst_adapter_new ();
		43	@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
		44	return GST_FLOW_ERROR;
		45	}
		46
		47	+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
		48	+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
		49	+ gst_buffer_unmap (*buf, &map);
		50	+ g_object_unref (adapter);
		51	+ return GST_FLOW_ERROR;
		52	+ }
		53	+
		54	g_assert (newbuf == NULL);
		55
		56	newbuf =
		57	--
		58	GitLab
		59


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
		1	From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Wed, 18 May 2022 12:00:48 +0300
		4	Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
		5	in DIB buffer inversion code
		6
		7	Check that width*bpp/8 doesn't overflow a guint and also that
		8	height*stride fits into the provided buffer without overflowing.
		9
		10	Thanks to Adam Doupe for analyzing and reporting the issue.
		11
		12	CVE: CVE-2022-1921
		13
		14	See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
		15
		16	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
		17
		18	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
		19
		20	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
		21	Upstream-Status: Backport
		22	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		23	---
		24	.../gst/avi/gstavidemux.c \| 17 ++++++++++++++---
		25	1 file changed, 14 insertions(+), 3 deletions(-)
		26
		27	diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
		28	index eafe865494c..0d18a6495c7 100644
		29	--- a/gst/avi/gstavidemux.c
		30	+++ b/gst/avi/gstavidemux.c
		31	@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
		32	static GstBuffer *
		33	gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
		34	{
		35	- gint y, w, h;
		36	- gint bpp, stride;
		37	+ guint y, w, h;
		38	+ guint bpp, stride;
		39	guint8 *tmp = NULL;
		40	GstMapInfo map;
		41	guint32 fourcc;
		42	@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
		43	h = stream->strf.vids->height;
		44	w = stream->strf.vids->width;
		45	bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
		46	+
		47	+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
		48	+ GST_WARNING ("Width x stride overflows");
		49	+ return buf;
		50	+ }
		51	+
		52	+ if (w == 0 \|\| h == 0) {
		53	+ GST_WARNING ("Zero width or height");
		54	+ return buf;
		55	+ }
		56	+
		57	stride = GST_ROUND_UP_4 (w * (bpp / 8));
		58
		59	buf = gst_buffer_make_writable (buf);
		60
		61	gst_buffer_map (buf, &map, GST_MAP_READWRITE);
		62	- if (map.size < (stride * h)) {
		63	+ if (map.size < ((guint64) stride * (guint64) h)) {
		64	GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
		65	gst_buffer_unmap (buf, &map);
		66	return buf;
		67	--
		68	GitLab
		69


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
		1	From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Wed, 18 May 2022 11:24:37 +0300
		4	Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
		5	decompression code
		6
		7	Various variables were of smaller types than needed and there were no
		8	checks for any overflows when doing additions on the sizes. This is all
		9	checked now.
		10
		11	In addition the size of the decompressed data is limited to 120MB now as
		12	any larger sizes are likely pathological and we can avoid out of memory
		13	situations in many cases like this.
		14
		15	Also fix a bug where the available output size on the next iteration in
		16	the zlib/bz2 decompression code was provided too large and could
		17	potentially lead to out of bound writes.
		18
		19	Thanks to Adam Doupe for analyzing and reporting the issue.
		20
		21	CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
		22
		23	https://gstreamer.freedesktop.org/security/sa-2022-0002.html
		24
		25	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
		26
		27	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
		28
		29	CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
		30	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
		31	Upstream-Status: Backport
		32	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		33	---
		34	.../gst/matroska/matroska-read-common.c \| 76 +++++++++++++++----
		35	1 file changed, 61 insertions(+), 15 deletions(-)
		36
		37	diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
		38	index eb317644cc5..6fadbba9567 100644
		39	--- a/gst/matroska/matroska-read-common.c
		40	+++ b/gst/matroska/matroska-read-common.c
		41	@@ -70,6 +70,10 @@ typedef struct
		42	gboolean audio_only;
		43	} TargetTypeContext;
		44
		45	+/* 120MB as maximum decompressed data size. Anything bigger is likely
		46	+ * pathological, and like this we avoid out of memory situations in many cases
		47	+ */
		48	+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
		49
		50	static gboolean
		51	gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		52	@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		53	GstMatroskaTrackCompressionAlgorithm algo)
		54	{
		55	guint8 *new_data = NULL;
		56	- guint new_size = 0;
		57	+ gsize new_size = 0;
		58	guint8 data = data_out;
		59	- guint size = *size_out;
		60	+ const gsize size = *size_out;
		61	gboolean ret = TRUE;
		62
		63	+ if (size > G_MAXUINT32) {
		64	+ GST_WARNING ("too large compressed data buffer.");
		65	+ ret = FALSE;
		66	+ goto out;
		67	+ }
		68	+
		69	if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
		70	#ifdef HAVE_ZLIB
		71	/* zlib encoded data */
		72	z_stream zstream;
		73	- guint orig_size;
		74	int result;
		75
		76	- orig_size = size;
		77	zstream.zalloc = (alloc_func) 0;
		78	zstream.zfree = (free_func) 0;
		79	zstream.opaque = (voidpf) 0;
		80	@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		81	goto out;
		82	}
		83	zstream.next_in = (Bytef *) data;
		84	- zstream.avail_in = orig_size;
		85	- new_size = orig_size;
		86	+ zstream.avail_in = size;
		87	+ new_size = size;
		88	new_data = g_malloc (new_size);
		89	zstream.avail_out = new_size;
		90	zstream.next_out = (Bytef *) new_data;
		91	@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		92	break;
		93	}
		94
		95	+ if (new_size > G_MAXSIZE - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
		96	+ GST_WARNING ("too big decompressed data");
		97	+ result = Z_MEM_ERROR;
		98	+ break;
		99	+ }
		100	+
		101	new_size += 4096;
		102	new_data = g_realloc (new_data, new_size);
		103	zstream.next_out = (Bytef *) (new_data + zstream.total_out);
		104	- zstream.avail_out += 4096;
		105	+ /* avail_out is an unsigned int */
		106	+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
		107	+ zstream.avail_out = new_size - zstream.total_out;
		108	} while (zstream.avail_in > 0);
		109
		110	if (result != Z_STREAM_END) {
		111	@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		112	#ifdef HAVE_BZ2
		113	/* bzip2 encoded data */
		114	bz_stream bzstream;
		115	- guint orig_size;
		116	int result;
		117
		118	bzstream.bzalloc = NULL;
		119	bzstream.bzfree = NULL;
		120	bzstream.opaque = NULL;
		121	- orig_size = size;
		122
		123	if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
		124	GST_WARNING ("bzip2 initialization failed.");
		125	@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		126	}
		127
		128	bzstream.next_in = (char *) data;
		129	- bzstream.avail_in = orig_size;
		130	- new_size = orig_size;
		131	+ bzstream.avail_in = size;
		132	+ new_size = size;
		133	new_data = g_malloc (new_size);
		134	bzstream.avail_out = new_size;
		135	bzstream.next_out = (char *) new_data;
		136	@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		137	break;
		138	}
		139
		140	+ if (new_size > G_MAXSIZE - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
		141	+ GST_WARNING ("too big decompressed data");
		142	+ result = BZ_MEM_ERROR;
		143	+ break;
		144	+ }
		145	+
		146	new_size += 4096;
		147	new_data = g_realloc (new_data, new_size);
		148	- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
		149	- bzstream.avail_out += 4096;
		150	+ bzstream.next_out =
		151	+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
		152	+ bzstream.total_out_lo32);
		153	+ /* avail_out is an unsigned int */
		154	+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
		155	+ bzstream.total_out_lo32 <= G_MAXUINT);
		156	+ bzstream.avail_out =
		157	+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
		158	+ bzstream.total_out_lo32;
		159	} while (bzstream.avail_in > 0);
		160
		161	if (result != BZ_STREAM_END) {
		162	ret = FALSE;
		163	g_free (new_data);
		164	} else {
		165	- new_size = bzstream.total_out_lo32;
		166	+ new_size =
		167	+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
		168	}
		169	BZ2_bzDecompressEnd (&bzstream);
		170
		171	@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		172	} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
		173	/* lzo encoded data */
		174	int result;
		175	- int orig_size, out_size;
		176	+ gint orig_size, out_size;
		177	+
		178	+ if (size > G_MAXINT) {
		179	+ GST_WARNING ("too large compressed data buffer.");
		180	+ ret = FALSE;
		181	+ goto out;
		182	+ }
		183
		184	orig_size = size;
		185	out_size = size;
		186	@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		187	result = lzo1x_decode (new_data, &out_size, data, &orig_size);
		188
		189	if (orig_size > 0) {
		190	+ if (new_size > G_MAXINT - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
		191	+ GST_WARNING ("too big decompressed data");
		192	+ result = LZO_ERROR;
		193	+ break;
		194	+ }
		195	new_size += 4096;
		196	new_data = g_realloc (new_data, new_size);
		197	}
		198	@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
		199	} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
		200	/* header stripped encoded data */
		201	if (enc->comp_settings_length > 0) {
		202	+ if (size > G_MAXSIZE - enc->comp_settings_length
		203	+ \|\| size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
		204	+ GST_WARNING ("too big decompressed data");
		205	+ ret = FALSE;
		206	+ goto out;
		207	+ }
		208	+
		209	new_data = g_malloc (size + enc->comp_settings_length);
		210	new_size = size + enc->comp_settings_length;
		211
		212	--
		213	GitLab
		214


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
		1	From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Mon, 30 May 2022 10:15:37 +0300
		4	Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
		5
		6	Various variables were of smaller types than needed and there were no
		7	checks for any overflows when doing additions on the sizes. This is all
		8	checked now.
		9
		10	In addition the size of the decompressed data is limited to 200MB now as
		11	any larger sizes are likely pathological and we can avoid out of memory
		12	situations in many cases like this.
		13
		14	Also fix a bug where the available output size on the next iteration in
		15	the zlib decompression code was provided too large and could
		16	potentially lead to out of bound writes.
		17
		18	Thanks to Adam Doupe for analyzing and reporting the issue.
		19
		20	CVE: tbd
		21
		22	https://gstreamer.freedesktop.org/security/sa-2022-0003.html
		23
		24	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
		25
		26	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
		27
		28	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
		29	CVE: CVE-2022-2122
		30	Upstream-Status: Backport
		31	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		32	---
		33	gst/isomp4/qtdemux.c \| 8 +++++++-
		34	1 file changed, 7 insertions(+), 1 deletion(-)
		35
		36	diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
		37	index 7cc346b1e63..97ba0799a8d 100644
		38	--- a/gst/isomp4/qtdemux.c
		39	+++ b/gst/isomp4/qtdemux.c
		40	@@ -7905,10 +7905,16 @@ qtdemux_inflate (void z_buffer, guint z_length, guint length)
		41	break;
		42	}
		43
		44	+ if (length > G_MAXUINT - 4096 \|\| length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
		45	+ GST_WARNING ("too big decompressed data");
		46	+ ret = Z_MEM_ERROR;
		47	+ break;
		48	+ }
		49	+
		50	*length += 4096;
		51	buffer = (guint8 ) g_realloc (buffer, length);
		52	z.next_out = (Bytef *) (buffer + z.total_out);
		53	- z.avail_out += 4096;
		54	+ z.avail_out += *length - z.total_out;
		55	} while (z.avail_in > 0);
		56
		57	if (ret != Z_STREAM_END) {
		58	--
		59	GitLab
		60


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb index 1038cbf224..831a317a82 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -10,6 +10,10 @@ SRC_URI = " \
10	file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \	10	file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
11	file://CVE-2021-3497.patch \	11	file://CVE-2021-3497.patch \
12	file://CVE-2021-3498.patch \	12	file://CVE-2021-3498.patch \
		13	file://CVE-2022-1920.patch \
		14	file://CVE-2022-1921.patch \
		15	file://CVE-2022-1922-1923-1924-1925.patch \
		16	file://CVE-2022-2122.patch \
13	"	17	"
14		18
15	SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"	19	SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 966a904eef..14793b7fdf 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522"
83	# so we need to ignore the false hits	83	# so we need to ignore the false hits
84	CVE_CHECK_WHITELIST += "CVE-2021-3497"	84	CVE_CHECK_WHITELIST += "CVE-2021-3497"
85	CVE_CHECK_WHITELIST += "CVE-2021-3498"	85	CVE_CHECK_WHITELIST += "CVE-2021-3498"
		86	CVE_CHECK_WHITELIST += "CVE-2022-1920"
		87	CVE_CHECK_WHITELIST += "CVE-2022-1921"
		88	CVE_CHECK_WHITELIST += "CVE-2022-1922"
		89	CVE_CHECK_WHITELIST += "CVE-2022-1923"
		90	CVE_CHECK_WHITELIST += "CVE-2022-1924"
		91	CVE_CHECK_WHITELIST += "CVE-2022-1925"
		92	CVE_CHECK_WHITELIST += "CVE-2022-2122"
86		93
87	require gstreamer1.0-ptest.inc	94	require gstreamer1.0-ptest.inc