1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
new file mode 100644
index 0000000000..99dbb2b1b0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
+From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 12:00:48 +0300
+Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
+ in DIB buffer inversion code
+Check that width*bpp/8 doesn't overflow a guint and also that
+height*stride fits into the provided buffer without overflowing.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1921
+See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/avi/gstavidemux.c      | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
+index eafe865494c..0d18a6495c7 100644
+--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
+@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
+ static GstBuffer *
+ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+ {
+-  gint y, w, h;
+-  gint bpp, stride;
+  guint y, w, h;
+  guint bpp, stride;
+   guint8 *tmp = NULL;
+   GstMapInfo map;
+   guint32 fourcc;
+@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
+   h = stream->strf.vids->height;
+   w = stream->strf.vids->width;
+   bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
+
+  if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
+    GST_WARNING ("Width x stride overflows");
+    return buf;
+  }
+
+  if (w == 0 || h == 0) {
+    GST_WARNING ("Zero width or height");
+    return buf;
+  }
+
+   stride = GST_ROUND_UP_4 (w * (bpp / 8));
+ 
+   buf = gst_buffer_make_writable (buf);
+ 
+   gst_buffer_map (buf, &map, GST_MAP_READWRITE);
+-  if (map.size < (stride * h)) {
+  if (map.size < ((guint64) stride * (guint64) h)) {
+     GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
+     gst_buffer_unmap (buf, &map);
+     return buf;
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch new file mode 100644 index 0000000000..99dbb2b1b0 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1921.patch
@@ -0,0 +1,69 @@
	1	From f503caad676971933dc0b52c4b313e5ef0d6dbb0 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
	3	Date: Wed, 18 May 2022 12:00:48 +0300
	4	Subject: [PATCH] avidemux: Fix integer overflow resulting in heap corruption
	5	in DIB buffer inversion code
	6
	7	Check that width*bpp/8 doesn't overflow a guint and also that
	8	height*stride fits into the provided buffer without overflowing.
	9
	10	Thanks to Adam Doupe for analyzing and reporting the issue.
	11
	12	CVE: CVE-2022-1921
	13
	14	See https://gstreamer.freedesktop.org/security/sa-2022-0001.html
	15
	16	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1224
	17
	18	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2608>
	19
	20	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f503caad676971933dc0b52c4b313e5ef0d6dbb0
	21	Upstream-Status: Backport
	22	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	23	---
	24	.../gst/avi/gstavidemux.c \| 17 ++++++++++++++---
	25	1 file changed, 14 insertions(+), 3 deletions(-)
	26
	27	diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
	28	index eafe865494c..0d18a6495c7 100644
	29	--- a/gst/avi/gstavidemux.c
	30	+++ b/gst/avi/gstavidemux.c
	31	@@ -4973,8 +4973,8 @@ swap_line (guint8 * d1, guint8 * d2, guint8 * tmp, gint bytes)
	32	static GstBuffer *
	33	gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
	34	{
	35	- gint y, w, h;
	36	- gint bpp, stride;
	37	+ guint y, w, h;
	38	+ guint bpp, stride;
	39	guint8 *tmp = NULL;
	40	GstMapInfo map;
	41	guint32 fourcc;
	42	@@ -5001,12 +5001,23 @@ gst_avi_demux_invert (GstAviStream * stream, GstBuffer * buf)
	43	h = stream->strf.vids->height;
	44	w = stream->strf.vids->width;
	45	bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
	46	+
	47	+ if ((guint64) w * ((guint64) bpp / 8) > G_MAXUINT - 4) {
	48	+ GST_WARNING ("Width x stride overflows");
	49	+ return buf;
	50	+ }
	51	+
	52	+ if (w == 0 \|\| h == 0) {
	53	+ GST_WARNING ("Zero width or height");
	54	+ return buf;
	55	+ }
	56	+
	57	stride = GST_ROUND_UP_4 (w * (bpp / 8));
	58
	59	buf = gst_buffer_make_writable (buf);
	60
	61	gst_buffer_map (buf, &map, GST_MAP_READWRITE);
	62	- if (map.size < (stride * h)) {
	63	+ if (map.size < ((guint64) stride * (guint64) h)) {
	64	GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
	65	gst_buffer_unmap (buf, &map);
	66	return buf;
	67	--
	68	GitLab
	69