1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
new file mode 100644
index 0000000000..ee33c5564d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
+From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 10:23:15 +0300
+Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
+ corruption in WavPack header handling code
+blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
+results in allocating a very small buffer. Into that buffer blocksize
+data is memcpy'd later which then causes out of bound writes and can
+potentially lead to anything from crashes to remote code execution.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1920
+https://gstreamer.freedesktop.org/security/sa-2022-0004.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-demux.c     | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 64cc6be60be..01d754c3eb9 100644
+--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
+@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+   } else {
+     guint8 *outdata = NULL;
+     gsize buf_size, size;
+-    guint32 block_samples, flags, crc, blocksize;
+    guint32 block_samples, flags, crc;
+    gsize blocksize;
+     GstAdapter *adapter;
+ 
+     adapter = gst_adapter_new ();
+@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+         return GST_FLOW_ERROR;
+       }
+ 
+      if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
+        GST_ERROR_OBJECT (element, "Too big wavpack buffer");
+        gst_buffer_unmap (*buf, &map);
+        g_object_unref (adapter);
+        return GST_FLOW_ERROR;
+      }
+
+       g_assert (newbuf == NULL);
+ 
+       newbuf =
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch new file mode 100644 index 0000000000..ee33c5564d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1920.patch
@@ -0,0 +1,59 @@
	1	From cf887f1b8e228bff6e19829e6d03995d70ad739d Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
	3	Date: Wed, 18 May 2022 10:23:15 +0300
	4	Subject: [PATCH] matroskademux: Avoid integer-overflow resulting in heap
	5	corruption in WavPack header handling code
	6
	7	blocksize + WAVPACK4_HEADER_SIZE might overflow gsize, which then
	8	results in allocating a very small buffer. Into that buffer blocksize
	9	data is memcpy'd later which then causes out of bound writes and can
	10	potentially lead to anything from crashes to remote code execution.
	11
	12	Thanks to Adam Doupe for analyzing and reporting the issue.
	13
	14	CVE: CVE-2022-1920
	15
	16	https://gstreamer.freedesktop.org/security/sa-2022-0004.html
	17
	18	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226
	19
	20	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2612>
	21
	22	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0df0dd7fe388174e4835eda4526b47f470a56370
	23	Upstream-Status: Backport
	24	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	25	---
	26	.../gst/matroska/matroska-demux.c \| 10 +++++++++-
	27	1 file changed, 9 insertions(+), 1 deletion(-)
	28
	29	diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
	30	index 64cc6be60be..01d754c3eb9 100644
	31	--- a/gst/matroska/matroska-demux.c
	32	+++ b/gst/matroska/matroska-demux.c
	33	@@ -3933,7 +3933,8 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
	34	} else {
	35	guint8 *outdata = NULL;
	36	gsize buf_size, size;
	37	- guint32 block_samples, flags, crc, blocksize;
	38	+ guint32 block_samples, flags, crc;
	39	+ gsize blocksize;
	40	GstAdapter *adapter;
	41
	42	adapter = gst_adapter_new ();
	43	@@ -3974,6 +3975,13 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
	44	return GST_FLOW_ERROR;
	45	}
	46
	47	+ if (blocksize > G_MAXSIZE - WAVPACK4_HEADER_SIZE) {
	48	+ GST_ERROR_OBJECT (element, "Too big wavpack buffer");
	49	+ gst_buffer_unmap (*buf, &map);
	50	+ g_object_unref (adapter);
	51	+ return GST_FLOW_ERROR;
	52	+ }
	53	+
	54	g_assert (newbuf == NULL);
	55
	56	newbuf =
	57	--
	58	GitLab
	59