gstreamer1.0-plugins-bad: fix CVE-2023-50186

Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5] (From OE-Core rev: ce2d6ba5d69867471919fe698467e243d5f0e73c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-05-10 17:23:44 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-05-16 05:22:09 -0700
commit: bb3988414648dbb380b888c7fdaec2c9b2c1d4ec (patch)
tree: a2b98705de9d07dab663a7b794e9855782ae5951
parent: 688f3725d2bc14f1343d2d3fb9b13c58c1140089 (diff)
download: poky-bb3988414648dbb380b888c7fdaec2c9b2c1d4ec.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
new file mode 100644
index 0000000000..86bae8fcaa
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
@@ -0,0 +1,70 @@
+From a46737a73155fe1c19fa5115df40da35426f9fb5 Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Thu, 23 Nov 2023 20:24:42 +0900
+Subject: [PATCH] av1parser: Fix array sizes in scalability structure
+Since the AV1 specification is not explicitly mentioning about
+the array size bounds, array sizes in scalability structure
+should be defined as possible maximum sizes that can have.
+Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
+public header which is API break but the define is misleading
+and this patch is introducing ABI break already
+ZDI-CAN-22300
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
+CVE: CVE-2023-50186
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
+ gst/videoparsers/gstav1parse.c           |  2 +-
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.h b/gst-libs/gst/codecparsers/gstav1parser.h
+index 31f5945..ef6ce9e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.h
+++ b/gst-libs/gst/codecparsers/gstav1parser.h
+@@ -71,9 +71,8 @@ G_BEGIN_DECLS
+ #define GST_AV1_MAX_TILE_COUNT                 512
+ #define GST_AV1_MAX_OPERATING_POINTS    \
+   (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
+-#define GST_AV1_MAX_SPATIAL_LAYERS             2  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE        8  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  8  /* correct? */
+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE        255
+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  7
+ #define GST_AV1_MAX_NUM_Y_POINTS               16
+ #define GST_AV1_MAX_NUM_CB_POINTS              16
+ #define GST_AV1_MAX_NUM_CR_POINTS              16
+@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
+   gboolean spatial_layer_dimensions_present_flag;
+   gboolean spatial_layer_description_present_flag;
+   gboolean temporal_group_description_present_flag;
+-  guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
+  guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+  guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+  guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+   guint8 temporal_group_size;
+ 
+   guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
+diff --git a/gst/videoparsers/gstav1parse.c b/gst/videoparsers/gstav1parse.c
+index f127856..ef1bc74 100644
+--- a/gst/videoparsers/gstav1parse.c
+++ b/gst/videoparsers/gstav1parse.c
+@@ -1229,7 +1229,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
+   }
+ 
+   val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
+-  for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
+  for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
+     if (val & (1 << i))
+       self->highest_spatial_id = i;
+   }
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 4151e54284..dbe2b64c32 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
           file://CVE-2023-44429.patch \
           file://CVE-2024-0444.patch \
           file://CVE-2023-44446.patch \
+           file://CVE-2023-50186.patch \
           "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-05-10 17:23:44 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-05-16 05:22:09 -0700
commit	bb3988414648dbb380b888c7fdaec2c9b2c1d4ec (patch)
tree	a2b98705de9d07dab663a7b794e9855782ae5951
parent	688f3725d2bc14f1343d2d3fb9b13c58c1140089 (diff)
download	poky-bb3988414648dbb380b888c7fdaec2c9b2c1d4ec.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch new file mode 100644 index 0000000000..86bae8fcaa --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
@@ -0,0 +1,70 @@
		1	From a46737a73155fe1c19fa5115df40da35426f9fb5 Mon Sep 17 00:00:00 2001
		2	From: Seungha Yang <seungha@centricular.com>
		3	Date: Thu, 23 Nov 2023 20:24:42 +0900
		4	Subject: [PATCH] av1parser: Fix array sizes in scalability structure
		5
		6	Since the AV1 specification is not explicitly mentioning about
		7	the array size bounds, array sizes in scalability structure
		8	should be defined as possible maximum sizes that can have.
		9
		10	Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
		11	public header which is API break but the define is misleading
		12	and this patch is introducing ABI break already
		13
		14	ZDI-CAN-22300
		15
		16	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
		17
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
		19	CVE: CVE-2023-50186
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	gst-libs/gst/codecparsers/gstav1parser.h \| 11 +++++------
		23	gst/videoparsers/gstav1parse.c \| 2 +-
		24	2 files changed, 6 insertions(+), 7 deletions(-)
		25
		26	diff --git a/gst-libs/gst/codecparsers/gstav1parser.h b/gst-libs/gst/codecparsers/gstav1parser.h
		27	index 31f5945..ef6ce9e 100644
		28	--- a/gst-libs/gst/codecparsers/gstav1parser.h
		29	+++ b/gst-libs/gst/codecparsers/gstav1parser.h
		30	@@ -71,9 +71,8 @@ G_BEGIN_DECLS
		31	#define GST_AV1_MAX_TILE_COUNT 512
		32	#define GST_AV1_MAX_OPERATING_POINTS \
		33	(GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
		34	-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
		35	-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
		36	-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
		37	+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
		38	+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
		39	#define GST_AV1_MAX_NUM_Y_POINTS 16
		40	#define GST_AV1_MAX_NUM_CB_POINTS 16
		41	#define GST_AV1_MAX_NUM_CR_POINTS 16
		42	@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
		43	gboolean spatial_layer_dimensions_present_flag;
		44	gboolean spatial_layer_description_present_flag;
		45	gboolean temporal_group_description_present_flag;
		46	- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
		47	- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
		48	- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
		49	+ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
		50	+ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
		51	+ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
		52	guint8 temporal_group_size;
		53
		54	guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
		55	diff --git a/gst/videoparsers/gstav1parse.c b/gst/videoparsers/gstav1parse.c
		56	index f127856..ef1bc74 100644
		57	--- a/gst/videoparsers/gstav1parse.c
		58	+++ b/gst/videoparsers/gstav1parse.c
		59	@@ -1229,7 +1229,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
		60	}
		61
		62	val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
		63	- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
		64	+ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
		65	if (val & (1 << i))
		66	self->highest_spatial_id = i;
		67	}
		68	--
		69	2.25.1
		70


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 4151e54284..dbe2b64c32 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
16	file://CVE-2023-44429.patch \	16	file://CVE-2023-44429.patch \
17	file://CVE-2024-0444.patch \	17	file://CVE-2024-0444.patch \
18	file://CVE-2023-44446.patch \	18	file://CVE-2023-44446.patch \
		19	file://CVE-2023-50186.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"	21	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
21		22