1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
new file mode 100644
index 0000000000..f4d38c270e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
+From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 May 2022 10:15:37 +0300
+Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
+Various variables were of smaller types than needed and there were no
+checks for any overflows when doing additions on the sizes. This is all
+checked now.
+In addition the size of the decompressed data is limited to 200MB now as
+any larger sizes are likely pathological and we can avoid out of memory
+situations in many cases like this.
+Also fix a bug where the available output size on the next iteration in
+the zlib decompression code was provided too large and could
+potentially lead to out of bound writes.
+Thanks to Adam Doupe for analyzing and reporting the issue.
+CVE: tbd
+https://gstreamer.freedesktop.org/security/sa-2022-0003.html
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
+https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
+CVE: CVE-2022-2122
+Upstream-Status: Backport
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ gst/isomp4/qtdemux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 7cc346b1e63..97ba0799a8d 100644
+--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
+@@ -7905,10 +7905,16 @@ qtdemux_inflate (void *z_buffer, guint z_length, guint * length)
+       break;
+     }
+ 
+    if (*length > G_MAXUINT - 4096 || *length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
+      GST_WARNING ("too big decompressed data");
+      ret = Z_MEM_ERROR;
+      break;
+    }
+
+     *length += 4096;
+     buffer = (guint8 *) g_realloc (buffer, *length);
+     z.next_out = (Bytef *) (buffer + z.total_out);
+-    z.avail_out += 4096;
+    z.avail_out += *length - z.total_out;
+   } while (z.avail_in > 0);
+ 
+   if (ret != Z_STREAM_END) {
+-- 
+GitLab

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch new file mode 100644 index 0000000000..f4d38c270e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2022-2122.patch
@@ -0,0 +1,60 @@
	1	From 14d306da6da51a762c4dc701d161bb52ab66d774 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
	3	Date: Mon, 30 May 2022 10:15:37 +0300
	4	Subject: [PATCH] qtdemux: Fix integer overflows in zlib decompression code
	5
	6	Various variables were of smaller types than needed and there were no
	7	checks for any overflows when doing additions on the sizes. This is all
	8	checked now.
	9
	10	In addition the size of the decompressed data is limited to 200MB now as
	11	any larger sizes are likely pathological and we can avoid out of memory
	12	situations in many cases like this.
	13
	14	Also fix a bug where the available output size on the next iteration in
	15	the zlib decompression code was provided too large and could
	16	potentially lead to out of bound writes.
	17
	18	Thanks to Adam Doupe for analyzing and reporting the issue.
	19
	20	CVE: tbd
	21
	22	https://gstreamer.freedesktop.org/security/sa-2022-0003.html
	23
	24	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
	25
	26	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2610>
	27
	28	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/14d306da6da51a762c4dc701d161bb52ab66d774
	29	CVE: CVE-2022-2122
	30	Upstream-Status: Backport
	31	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
	32	---
	33	gst/isomp4/qtdemux.c \| 8 +++++++-
	34	1 file changed, 7 insertions(+), 1 deletion(-)
	35
	36	diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
	37	index 7cc346b1e63..97ba0799a8d 100644
	38	--- a/gst/isomp4/qtdemux.c
	39	+++ b/gst/isomp4/qtdemux.c
	40	@@ -7905,10 +7905,16 @@ qtdemux_inflate (void z_buffer, guint z_length, guint length)
	41	break;
	42	}
	43
	44	+ if (length > G_MAXUINT - 4096 \|\| length > QTDEMUX_MAX_SAMPLE_INDEX_SIZE) {
	45	+ GST_WARNING ("too big decompressed data");
	46	+ ret = Z_MEM_ERROR;
	47	+ break;
	48	+ }
	49	+
	50	*length += 4096;
	51	buffer = (guint8 ) g_realloc (buffer, length);
	52	z.next_out = (Bytef *) (buffer + z.total_out);
	53	- z.avail_out += 4096;
	54	+ z.avail_out += *length - z.total_out;
	55	} while (z.avail_in > 0);
	56
	57	if (ret != Z_STREAM_END) {
	58	--
	59	GitLab
	60