author | Chee Yang Lee <chee.yang.lee@intel.com> | 2022-09-14 14:04:10 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-16 18:41:13 +0100 |
commit | e49990f01e52a33f041341a4d492aee3db2ebd0a (patch) | |
tree | b5aa94e0e9bc505a4f7478c53a66d7fee7208f9f /meta/recipes-multimedia | |
parent | aa19c8c35e5130b765fff4316c73c5710c98d9cd (diff) | |
download | poky-e49990f01e52a33f041341a4d492aee3db2ebd0a.tar.gz |
gst-plugins-good: fix several CVE
backport fix for:
CVE-2022-1920
CVE-2022-1921
CVE-2022-1922
CVE-2022-1923
CVE-2022-1924
CVE-2022-1925
CVE-2022-2122
also set ignore at gstreamer1.0_1.16.3.bb
(From OE-Core rev: c852d3e6742fe82b9f4ec84b077d6e1b0bfd021e)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia')
6 files changed, 413 insertions, 0 deletions
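--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+corruption in WavPack header handling code
+
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1920
+
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+.../gst/matroska/matroska-demux.c | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+} else {
+guint8 *outdata = NULL;
+gsize buf_size, size;
+- guint32 block_samples, flags, crc, blocksize;
++ guint32 block_samples, flags, crc;
++ gsize blocksize;
+GstAdapter *adapter;
+
+adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+return GST_FLOW_ERROR;
+}
+
++ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
++ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
++
+g_assert (newbuf == NULL);
+
+newbuf =
+--
+GitLab
+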
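Review bot: The new `blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE` guard in the second matroska-demux.c hunk has no comment saying which later expression it protects, and the `newbuf =` statement it precedes is cut off at the end of the hunk. A one-line comment above the check, such as `/* blocksize + WAVPACK4_HEADER_SIZE is used as an allocation size below and must not wrap gsize */`, would keep the reason next to the code instead of only in the patch description. If `blocksize` is still filled from a 32-bit field (the assignment is outside the hunk), the check presumably only fires where `gsize` is 32 bits wide, which is worth a word in the same comment. The body of gst_matroska_demux_add_wvpk_header starts and ends outside both hunks.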
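--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+in DIB buffer inversion code
+
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1921
+
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+.../gst/avi/gstavidemux.c | 17 ++++++++++++++---
+1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
++++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+static GstBuffer *
+gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+{
+- gint y, w, h;
+- gint bpp, stride;
++ guint y, w, h;
++ guint bpp, stride;
+guint8 *tmp = NULL;
+GstMapInfo map;
+guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+h = stream->strf.vids->height;
+w = stream->strf.vids->width;
+bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
++
++ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
++ GST_WARNING ("Width x stride overflows");
++ return buf;
++ }
++
++ if (w == 0 || h == 0) {
++ GST_WARNING ("Zero width or height");
++ return buf;
++ }
++
+stride = GST_ROUND_UP_4 (w * (bpp / 8));
+
+buf = gst_buffer_make_writable (buf);
+
+gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+- if (map.size < (stride * h)) {
++ if (map.size < ((guint64) stride * (guint64) h)) {
+GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+gst_buffer_unmap (buf, &map);
+return buf;
+--
+GitLab
+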
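Review bot: The new overflow guard in gst_avi_demux_invert accepts a row size up to `G_MAXUINT - 4`, while the hunk header shows `swap_line (..., gint bytes)` taking a signed byte count; if `stride` is what gets passed there (the call is outside the hunk), a value above `G_MAXINT` would turn negative. Bounding the check at the signed limit, `if ((guint64) w * ((guint64) bpp / 8) > G_MAXINT - 4) {`, keeps `stride` valid for both types. Separately, a `bit_cnt` below 8 makes `bpp / 8` zero, so `stride` is 0 and the `map.size` comparison passes trivially; neither new guard rejects that case. The warning text `"Width x stride overflows"` also names the wrong product, since the value checked is width times bytes per pixel.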
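--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+.../gst/matroska/matroska-read-common.c | 76 +++++++++++++++----
+1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
++++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+gboolean audio_only;
+} TargetTypeContext;
+
++/* 120MB as maximum decompressed data size. Anything bigger is likely
++ * pathological, and like this we avoid out of memory situations in many cases
++ */
++#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+
+static gboolean
+gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+GstMatroskaTrackCompressionAlgorithm algo)
+{
+guint8 *new_data = NULL;
+- guint new_size = 0;
++ gsize new_size = 0;
+guint8 *data = *data_out;
+- guint size = *size_out;
++ const gsize size = *size_out;
+gboolean ret = TRUE;
+
++ if (size > G_MAXUINT32) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
++
+if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+#ifdef HAVE_ZLIB
+/* zlib encoded data */
+z_stream zstream;
+- guint orig_size;
+int result;
+
+- orig_size = size;
+zstream.zalloc = (alloc_func) 0;
+zstream.zfree = (free_func) 0;
+zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+goto out;
+}
+zstream.next_in = (Bytef *) data;
+- zstream.avail_in = orig_size;
+- new_size = orig_size;
++ zstream.avail_in = size;
++ new_size = size;
+new_data = g_malloc (new_size);
+zstream.avail_out = new_size;
+zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+break;
+}
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = Z_MEM_ERROR;
++ break;
++ }
++
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+- zstream.avail_out += 4096;
++ /* avail_out is an unsigned int */
++ g_assert (new_size - zstream.total_out <= G_MAXUINT);
++ zstream.avail_out = new_size - zstream.total_out;
+} while (zstream.avail_in > 0);
+
+if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+#ifdef HAVE_BZ2
+/* bzip2 encoded data */
+bz_stream bzstream;
+- guint orig_size;
+int result;
+
+bzstream.bzalloc = NULL;
+bzstream.bzfree = NULL;
+bzstream.opaque = NULL;
+- orig_size = size;
+
+if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+}
+
+bzstream.next_in = (char *) data;
+- bzstream.avail_in = orig_size;
+- new_size = orig_size;
++ bzstream.avail_in = size;
++ new_size = size;
+new_data = g_malloc (new_size);
+bzstream.avail_out = new_size;
+bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+break;
+}
+
++ if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = BZ_MEM_ERROR;
++ break;
++ }
++
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+- bzstream.avail_out += 4096;
++ bzstream.next_out =
++ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32);
++ /* avail_out is an unsigned int */
++ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32 <= G_MAXUINT);
++ bzstream.avail_out =
++ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
++ bzstream.total_out_lo32;
+} while (bzstream.avail_in > 0);
+
+if (result != BZ_STREAM_END) {
+ret = FALSE;
+g_free (new_data);
+} else {
+- new_size = bzstream.total_out_lo32;
++ new_size =
++ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+}
+BZ2_bzDecompressEnd (&bzstream);
+
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+/* lzo encoded data */
+int result;
+- int orig_size, out_size;
++ gint orig_size, out_size;
++
++ if (size > G_MAXINT) {
++ GST_WARNING ("too large compressed data buffer.");
++ ret = FALSE;
++ goto out;
++ }
+
+orig_size = size;
+out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+
+if (orig_size > 0) {
++ if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ result = LZO_ERROR;
++ break;
++ }
+new_size += 4096;
+new_data = g_realloc (new_data, new_size);
+}
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+/* header stripped encoded data */
+if (enc->comp_settings_length > 0) {
++ if (size > G_MAXSIZE - enc->comp_settings_length
++ || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = FALSE;
++ goto out;
++ }
++
+new_data = g_malloc (size + enc->comp_settings_length);
+new_size = size + enc->comp_settings_length;
+
+--
+GitLab
+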
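Review bot: In the bzip2 branch the remaining-space expression `new_size - ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32` parses as (new_size - hi) + lo, so both the `g_assert` and the `bzstream.avail_out` assignment add the low word of the output count instead of subtracting it. After a 4096-byte growth that would report more free space than the buffer has, which is the out-of-bounds condition this patch is meant to close; the zlib branch's `new_size - zstream.total_out` does not have the problem. Computing the total once, `guint64 total_out = ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;`, and then using `bzstream.avail_out = new_size - total_out;` (with the same value in the assert and in `next_out`) fixes the grouping. The `g_assert` bounds are also compiled out under G_DISABLE_ASSERT, so an explicit error path would be safer for sizes derived from the file. gst_matroska_decompress_data continues outside these hunks.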
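--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+
+Thanks to Adam Doupe for analyzing and reporting the issue.
+
+CVE: tbd
+
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+gst/isomp4/qtdemux.c | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+break;
+}
+
++ if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
++ GST_WARNING ("too big decompressed data");
++ ret = Z_MEM_ERROR;
++ break;
++ }
++
+*length += 4096;
+buffer = (guint8 *) g_realloc (buffer, *length);
+z.next_out = (Bytef *) (buffer + z.total_out);
+- z.avail_out += 4096;
++ z.avail_out += *length - z.total_out;
+} while (z.avail_in > 0);
+
+if (ret != Z_STREAM_END) {
+--
+GitLab
+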
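Review bot: The replacement line `z.avail_out += *length - z.total_out;` still accumulates, whereas `*length - z.total_out` is already the whole free space after the realloc; whenever `z.avail_out` is non-zero at that point the sum overstates the room left in `buffer`. Assigning instead, `z.avail_out = *length - z.total_out;`, matches what the matroska zlib loop in this same commit does. The size cap is tested before the `*length += 4096` step and against `QTDEMUX_MAX_SAMPLE_INDEX_SIZE`, which is defined outside the hunk, so the 200MB figure in the patch description cannot be confirmed from here. The patch header carries both `CVE: tbd` and `CVE: CVE-2022-2122`; dropping the placeholder would leave one unambiguous tag. qtdemux_inflate starts and ends outside the hunk.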
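--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.16.3.bb
@@ -10,6 +10,10 @@ SRC_URI = " \
 file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
 file://CVE-2021-3497.patch \
 file://CVE-2021-3498.patch \
+file://CVE-2022-1920.patch \
+file://CVE-2022-1921.patch \
+file://CVE-2022-1922-1923-1924-1925.patch \
+file://CVE-2022-2122.patch \
 "
 
 SRC_URI[md5sum] = "c79b6c2f8eaadb2bb66615b694db399e"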
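--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb
@@ -83,5 +83,12 @@ CVE_CHECK_WHITELIST += "CVE-2021-3522"
 # so we need to ignore the false hits
 CVE_CHECK_WHITELIST += "CVE-2021-3497"
 CVE_CHECK_WHITELIST += "CVE-2021-3498"
+CVE_CHECK_WHITELIST += "CVE-2022-1920"
+CVE_CHECK_WHITELIST += "CVE-2022-1921"
+CVE_CHECK_WHITELIST += "CVE-2022-1922"
+CVE_CHECK_WHITELIST += "CVE-2022-1923"
+CVE_CHECK_WHITELIST += "CVE-2022-1924"
+CVE_CHECK_WHITELIST += "CVE-2022-1925"
+CVE_CHECK_WHITELIST += "CVE-2022-2122"
 
 require gstreamer1.0-ptest.inc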