1 files changed, 214 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
new file mode 100644
index 0000000000..ebffbc473d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
+From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 18 May 2022 11:24:37 +0300
+Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
+ decompression code
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+In addition the size of the decompressed data is limited to 120MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+Also fix a bug where the available output size on the next iteration in
+the zlib/bz2 decompression code was provided too large and could
+potentially lead to out of bound writes.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
+https://gstreamer.freedesktop.org/security/sa-2022-0002.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ .../gst/matroska/matroska-read-common.c       | 76 +++++++++++++++----
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
+index eb317644cc5..6fadbba9567 100644
+--- a/gst/matroska/matroska-read-common.c
+++ b/gst/matroska/matroska-read-common.c
+@@ -70,6 +70,10 @@ typedef struct
+   gboolean audio_only;
+ } TargetTypeContext;
+ 
+/* 120MB as maximum decompressed data size. Anything bigger is likely
+ * pathological, and like this we avoid out of memory situations in many cases
+ */
+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
+ 
+ static gboolean
+ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+     GstMatroskaTrackCompressionAlgorithm algo)
+ {
+   guint8 *new_data = NULL;
+-  guint new_size = 0;
+  gsize new_size = 0;
+   guint8 *data = *data_out;
+-  guint size = *size_out;
+  const gsize size = *size_out;
+   gboolean ret = TRUE;
+ 
+  if (size > G_MAXUINT32) {
+    GST_WARNING ("too large compressed data buffer.");
+    ret = FALSE;
+    goto out;
+  }
+
+   if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
+ #ifdef HAVE_ZLIB
+     /* zlib encoded data */
+     z_stream zstream;
+-    guint orig_size;
+     int result;
+ 
+-    orig_size = size;
+     zstream.zalloc = (alloc_func) 0;
+     zstream.zfree = (free_func) 0;
+     zstream.opaque = (voidpf) 0;
+@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+       goto out;
+     }
+     zstream.next_in = (Bytef *) data;
+-    zstream.avail_in = orig_size;
+-    new_size = orig_size;
+    zstream.avail_in = size;
+    new_size = size;
+     new_data = g_malloc (new_size);
+     zstream.avail_out = new_size;
+     zstream.next_out = (Bytef *) new_data;
+@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+         break;
+       }
+ 
+      if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        result = Z_MEM_ERROR;
+        break;
+      }
+
+       new_size += 4096;
+       new_data = g_realloc (new_data, new_size);
+       zstream.next_out = (Bytef *) (new_data + zstream.total_out);
+-      zstream.avail_out += 4096;
+      /* avail_out is an unsigned int */
+      g_assert (new_size - zstream.total_out <= G_MAXUINT);
+      zstream.avail_out = new_size - zstream.total_out;
+     } while (zstream.avail_in > 0);
+ 
+     if (result != Z_STREAM_END) {
+@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+ #ifdef HAVE_BZ2
+     /* bzip2 encoded data */
+     bz_stream bzstream;
+-    guint orig_size;
+     int result;
+ 
+     bzstream.bzalloc = NULL;
+     bzstream.bzfree = NULL;
+     bzstream.opaque = NULL;
+-    orig_size = size;
+ 
+     if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
+       GST_WARNING ("bzip2 initialization failed.");
+@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+     }
+ 
+     bzstream.next_in = (char *) data;
+-    bzstream.avail_in = orig_size;
+-    new_size = orig_size;
+    bzstream.avail_in = size;
+    new_size = size;
+     new_data = g_malloc (new_size);
+     bzstream.avail_out = new_size;
+     bzstream.next_out = (char *) new_data;
+@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+         break;
+       }
+ 
+      if (new_size > G_MAXSIZE - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        result = BZ_MEM_ERROR;
+        break;
+      }
+
+       new_size += 4096;
+       new_data = g_realloc (new_data, new_size);
+-      bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
+-      bzstream.avail_out += 4096;
+      bzstream.next_out =
+          (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32);
+      /* avail_out is an unsigned int */
+      g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32 <= G_MAXUINT);
+      bzstream.avail_out =
+          new_size - ((guint64) bzstream.total_out_hi32 << 32) +
+          bzstream.total_out_lo32;
+     } while (bzstream.avail_in > 0);
+ 
+     if (result != BZ_STREAM_END) {
+       ret = FALSE;
+       g_free (new_data);
+     } else {
+-      new_size = bzstream.total_out_lo32;
+      new_size =
+          ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
+     }
+     BZ2_bzDecompressEnd (&bzstream);
+ 
+@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+   } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
+     /* lzo encoded data */
+     int result;
+-    int orig_size, out_size;
+    gint orig_size, out_size;
+
+    if (size > G_MAXINT) {
+      GST_WARNING ("too large compressed data buffer.");
+      ret = FALSE;
+      goto out;
+    }
+ 
+     orig_size = size;
+     out_size = size;
+@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+       result = lzo1x_decode (new_data, &out_size, data, &orig_size);
+ 
+       if (orig_size > 0) {
+        if (new_size > G_MAXINT - 4096 || new_size + 4096 > MAX_DECOMPRESS_SIZE) {
+          GST_WARNING ("too big decompressed data");
+          result = LZO_ERROR;
+          break;
+        }
+         new_size += 4096;
+         new_data = g_realloc (new_data, new_size);
+       }
+@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
+   } else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
+     /* header stripped encoded data */
+     if (enc->comp_settings_length > 0) {
+      if (size > G_MAXSIZE - enc->comp_settings_length
+          || size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
+        GST_WARNING ("too big decompressed data");
+        ret = FALSE;
+        goto out;
+      }
+
+       new_data = g_malloc (size + enc->comp_settings_length);
+       new_size = size + enc->comp_settings_length;
+ 
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch new file mode 100644 index 0000000000..ebffbc473d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-1922-1923-1924-1925.patch
@@ -0,0 +1,214 @@
	1	From ad6012159acf18c6b5c0f4edf037e8c9a2dbc966 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
	3	Date: Wed, 18 May 2022 11:24:37 +0300
	4	Subject: [PATCH] matroskademux: Fix integer overflows in zlib/bz2/etc
	5	decompression code
	6
	7	Various variables were of smaller types than needed and there were no
	8	checks for any overflows when doing additions on the sizes. This is all
	9	checked now.
	10
	11	In addition the size of the decompressed data is limited to 120MB now as
	12	any larger sizes are likely pathological and we can avoid out of memory
	13	situations in many cases like this.
	14
	15	Also fix a bug where the available output size on the next iteration in
	16	the zlib/bz2 decompression code was provided too large and could
	17	potentially lead to out of bound writes.
	18
	19	Thanks to Adam Doupe for analyzing and reporting the issue.
	20
	21	CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
	22
	23	https://gstreamer.freedesktop.org/security/sa-2022-0002.html
	24
	25	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
	26
	27	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
	28
	29	CVE: CVE-2022-1922 CVE-2022-1923 CVE-2022-1924 CVE-2022-1925
	30	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ad6012159acf18c6b5c0f4edf037e8c9a2dbc966
	31	Upstream-Status: Backport
	32	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	33	---
	34	.../gst/matroska/matroska-read-common.c \| 76 +++++++++++++++----
	35	1 file changed, 61 insertions(+), 15 deletions(-)
	36
	37	diff --git a/gst/matroska/matroska-read-common.c b/gst/matroska/matroska-read-common.c
	38	index eb317644cc5..6fadbba9567 100644
	39	--- a/gst/matroska/matroska-read-common.c
	40	+++ b/gst/matroska/matroska-read-common.c
	41	@@ -70,6 +70,10 @@ typedef struct
	42	gboolean audio_only;
	43	} TargetTypeContext;
	44
	45	+/* 120MB as maximum decompressed data size. Anything bigger is likely
	46	+ * pathological, and like this we avoid out of memory situations in many cases
	47	+ */
	48	+#define MAX_DECOMPRESS_SIZE (120 * 1024 * 1024)
	49
	50	static gboolean
	51	gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	52	@@ -77,19 +81,23 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	53	GstMatroskaTrackCompressionAlgorithm algo)
	54	{
	55	guint8 *new_data = NULL;
	56	- guint new_size = 0;
	57	+ gsize new_size = 0;
	58	guint8 data = data_out;
	59	- guint size = *size_out;
	60	+ const gsize size = *size_out;
	61	gboolean ret = TRUE;
	62
	63	+ if (size > G_MAXUINT32) {
	64	+ GST_WARNING ("too large compressed data buffer.");
	65	+ ret = FALSE;
	66	+ goto out;
	67	+ }
	68	+
	69	if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_ZLIB) {
	70	#ifdef HAVE_ZLIB
	71	/* zlib encoded data */
	72	z_stream zstream;
	73	- guint orig_size;
	74	int result;
	75
	76	- orig_size = size;
	77	zstream.zalloc = (alloc_func) 0;
	78	zstream.zfree = (free_func) 0;
	79	zstream.opaque = (voidpf) 0;
	80	@@ -99,8 +107,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	81	goto out;
	82	}
	83	zstream.next_in = (Bytef *) data;
	84	- zstream.avail_in = orig_size;
	85	- new_size = orig_size;
	86	+ zstream.avail_in = size;
	87	+ new_size = size;
	88	new_data = g_malloc (new_size);
	89	zstream.avail_out = new_size;
	90	zstream.next_out = (Bytef *) new_data;
	91	@@ -114,10 +122,18 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	92	break;
	93	}
	94
	95	+ if (new_size > G_MAXSIZE - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
	96	+ GST_WARNING ("too big decompressed data");
	97	+ result = Z_MEM_ERROR;
	98	+ break;
	99	+ }
	100	+
	101	new_size += 4096;
	102	new_data = g_realloc (new_data, new_size);
	103	zstream.next_out = (Bytef *) (new_data + zstream.total_out);
	104	- zstream.avail_out += 4096;
	105	+ /* avail_out is an unsigned int */
	106	+ g_assert (new_size - zstream.total_out <= G_MAXUINT);
	107	+ zstream.avail_out = new_size - zstream.total_out;
	108	} while (zstream.avail_in > 0);
	109
	110	if (result != Z_STREAM_END) {
	111	@@ -137,13 +153,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	112	#ifdef HAVE_BZ2
	113	/* bzip2 encoded data */
	114	bz_stream bzstream;
	115	- guint orig_size;
	116	int result;
	117
	118	bzstream.bzalloc = NULL;
	119	bzstream.bzfree = NULL;
	120	bzstream.opaque = NULL;
	121	- orig_size = size;
	122
	123	if (BZ2_bzDecompressInit (&bzstream, 0, 0) != BZ_OK) {
	124	GST_WARNING ("bzip2 initialization failed.");
	125	@@ -152,8 +166,8 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	126	}
	127
	128	bzstream.next_in = (char *) data;
	129	- bzstream.avail_in = orig_size;
	130	- new_size = orig_size;
	131	+ bzstream.avail_in = size;
	132	+ new_size = size;
	133	new_data = g_malloc (new_size);
	134	bzstream.avail_out = new_size;
	135	bzstream.next_out = (char *) new_data;
	136	@@ -167,17 +181,31 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	137	break;
	138	}
	139
	140	+ if (new_size > G_MAXSIZE - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
	141	+ GST_WARNING ("too big decompressed data");
	142	+ result = BZ_MEM_ERROR;
	143	+ break;
	144	+ }
	145	+
	146	new_size += 4096;
	147	new_data = g_realloc (new_data, new_size);
	148	- bzstream.next_out = (char *) (new_data + bzstream.total_out_lo32);
	149	- bzstream.avail_out += 4096;
	150	+ bzstream.next_out =
	151	+ (char *) (new_data + ((guint64) bzstream.total_out_hi32 << 32) +
	152	+ bzstream.total_out_lo32);
	153	+ /* avail_out is an unsigned int */
	154	+ g_assert (new_size - ((guint64) bzstream.total_out_hi32 << 32) +
	155	+ bzstream.total_out_lo32 <= G_MAXUINT);
	156	+ bzstream.avail_out =
	157	+ new_size - ((guint64) bzstream.total_out_hi32 << 32) +
	158	+ bzstream.total_out_lo32;
	159	} while (bzstream.avail_in > 0);
	160
	161	if (result != BZ_STREAM_END) {
	162	ret = FALSE;
	163	g_free (new_data);
	164	} else {
	165	- new_size = bzstream.total_out_lo32;
	166	+ new_size =
	167	+ ((guint64) bzstream.total_out_hi32 << 32) + bzstream.total_out_lo32;
	168	}
	169	BZ2_bzDecompressEnd (&bzstream);
	170
	171	@@ -189,7 +217,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	172	} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_LZO1X) {
	173	/* lzo encoded data */
	174	int result;
	175	- int orig_size, out_size;
	176	+ gint orig_size, out_size;
	177	+
	178	+ if (size > G_MAXINT) {
	179	+ GST_WARNING ("too large compressed data buffer.");
	180	+ ret = FALSE;
	181	+ goto out;
	182	+ }
	183
	184	orig_size = size;
	185	out_size = size;
	186	@@ -203,6 +237,11 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	187	result = lzo1x_decode (new_data, &out_size, data, &orig_size);
	188
	189	if (orig_size > 0) {
	190	+ if (new_size > G_MAXINT - 4096 \|\| new_size + 4096 > MAX_DECOMPRESS_SIZE) {
	191	+ GST_WARNING ("too big decompressed data");
	192	+ result = LZO_ERROR;
	193	+ break;
	194	+ }
	195	new_size += 4096;
	196	new_data = g_realloc (new_data, new_size);
	197	}
	198	@@ -221,6 +260,13 @@ gst_matroska_decompress_data (GstMatroskaTrackEncoding * enc,
	199	} else if (algo == GST_MATROSKA_TRACK_COMPRESSION_ALGORITHM_HEADERSTRIP) {
	200	/* header stripped encoded data */
	201	if (enc->comp_settings_length > 0) {
	202	+ if (size > G_MAXSIZE - enc->comp_settings_length
	203	+ \|\| size + enc->comp_settings_length > MAX_DECOMPRESS_SIZE) {
	204	+ GST_WARNING ("too big decompressed data");
	205	+ ret = FALSE;
	206	+ goto out;
	207	+ }
	208	+
	209	new_data = g_malloc (size + enc->comp_settings_length);
	210	new_size = size + enc->comp_settings_length;
	211
	212	--
	213	GitLab
	214