gstreamer1.0-plugins-good: patch several CVEs

Pick commits from: * https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042 (From OE-Core rev: 4763e9911e82c886a02727bf654872280138d83e) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2024-12-30 18:27:21 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-01-09 06:25:36 -0800
commit: cd24f9434ed740b81956bfd53d5d605154d4edc2 (patch)
tree: 61b9fbe753176b0708c055c1984836cc9b1188c8
parent: 1eed4bd135ed1a11a5e10d8bbdda747ba1b6aa9b (diff)
download: poky-cd24f9434ed740b81956bfd53d5d605154d4edc2.tar.gz
8 files changed, 452 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch
new file mode 100644
index 0000000000..4b53830e12
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch
@@ -0,0 +1,174 @@
+From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:00:57 +0300
+Subject: [PATCH 1/7] wavparse: Check for short reads when parsing headers in
+ pull mode
+And also return the actual flow return to the caller instead of always returning
+GST_FLOW_ERROR.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-258, GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 63 ++++++++++++++++++++++++++++----------
+ 1 file changed, 46 insertions(+), 17 deletions(-)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index d074f273c5..97d5591fae 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1096,6 +1096,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
+   return TRUE;
+ }
+ 
+static GstFlowReturn
+gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
+    GstBuffer ** buffer)
+{
+  GstFlowReturn res;
+
+  res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
+  if (res != GST_FLOW_OK)
+    return res;
+
+  if (gst_buffer_get_size (*buffer) < size) {
+    gst_clear_buffer (buffer);
+    return GST_FLOW_EOS;
+  }
+
+  return res;
+}
+
+ static GstFlowReturn
+ gst_wavparse_stream_headers (GstWavParse * wav)
+ {
+@@ -1291,9 +1309,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+ 
+       buf = NULL;
+       if ((res =
+-              gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
+              gst_wavparse_pull_range_exact (wav, wav->offset, 8,
+                   &buf)) != GST_FLOW_OK)
+-        goto header_read_error;
+        goto header_pull_error;
+       gst_buffer_map (buf, &map, GST_MAP_READ);
+       tag = GST_READ_UINT32_LE (map.data);
+       size = GST_READ_UINT32_LE (map.data + 4);
+@@ -1396,9 +1414,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+             gst_buffer_unref (buf);
+             buf = NULL;
+             if ((res =
+-                    gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+                    gst_wavparse_pull_range_exact (wav, wav->offset + 8,
+                         data_size, &buf)) != GST_FLOW_OK)
+-              goto header_read_error;
+              goto header_pull_error;
+             gst_buffer_extract (buf, 0, &wav->fact, 4);
+             wav->fact = GUINT32_FROM_LE (wav->fact);
+             gst_buffer_unref (buf);
+@@ -1443,9 +1461,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+-                      size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+                  gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
+                      &buf)) != GST_FLOW_OK)
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           acid = (const gst_riff_acid *) map.data;
+           tempo = acid->tempo;
+@@ -1483,9 +1501,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
+                  gst_wavparse_pull_range_exact (wav, wav->offset, 12,
+                       &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_extract (buf, 8, &ltag, 4);
+           ltag = GUINT32_FROM_LE (ltag);
+         }
+@@ -1512,9 +1530,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+               buf = NULL;
+               if (data_size > 0) {
+                 if ((res =
+-                        gst_pad_pull_range (wav->sinkpad, wav->offset,
+                        gst_wavparse_pull_range_exact (wav, wav->offset,
+                             data_size, &buf)) != GST_FLOW_OK)
+-                  goto header_read_error;
+                  goto header_pull_error;
+               }
+             }
+             if (data_size > 0) {
+@@ -1552,9 +1570,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+               buf = NULL;
+               wav->offset += 12;
+               if ((res =
+-                      gst_pad_pull_range (wav->sinkpad, wav->offset,
+                      gst_wavparse_pull_range_exact (wav, wav->offset,
+                           data_size, &buf)) != GST_FLOW_OK)
+-                goto header_read_error;
+                goto header_pull_error;
+               gst_buffer_map (buf, &map, GST_MAP_READ);
+               gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
+                   data_size);
+@@ -1598,9 +1616,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset,
+                  gst_wavparse_pull_range_exact (wav, wav->offset,
+                       data_size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
+                   data_size)) {
+@@ -1642,9 +1660,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset,
+                  gst_wavparse_pull_range_exact (wav, wav->offset,
+                       data_size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
+                   data_size)) {
+@@ -1796,6 +1814,17 @@ header_read_error:
+         ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
+     goto fail;
+   }
+header_pull_error:
+  {
+    if (res == GST_FLOW_EOS) {
+      GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
+          gst_flow_get_name (res));
+    } else {
+      GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+          ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
+    }
+    goto exit;
+  }
+ }
+ 
+ /*
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
new file mode 100644
index 0000000000..111c86e894
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
@@ -0,0 +1,41 @@
+From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:09:43 +0300
+Subject: [PATCH 2/7] wavparse: Make sure enough data for the tag list tag is
+ available before parsing
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-258
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 97d5591fae..21cb48c07e 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1488,6 +1488,10 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+       case GST_RIFF_TAG_LIST:{
+         guint32 ltag;
+ 
+        /* Need at least the ltag */
+        if (size < 4)
+          goto exit;
+
+         if (wav->streaming) {
+           const guint8 *data = NULL;
+ 
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch
new file mode 100644
index 0000000000..39d0cccc9a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch
@@ -0,0 +1,65 @@
+From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:15:27 +0300
+Subject: [PATCH 3/7] wavparse: Fix parsing of acid chunk
+Simply casting the bytes to a struct can lead to crashes because of unaligned
+reads, and is also missing the endianness swapping that is necessary on big
+endian architectures.
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 21cb48c07e..6a0c44638e 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1433,8 +1433,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+         break;
+       }
+       case GST_RIFF_TAG_acid:{
+-        const gst_riff_acid *acid = NULL;
+-        const guint data_size = sizeof (gst_riff_acid);
+        const guint data_size = 24;
+         gfloat tempo;
+ 
+         GST_INFO_OBJECT (wav, "Have acid chunk");
+@@ -1448,13 +1447,13 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           break;
+         }
+         if (wav->streaming) {
+          const guint8 *data;
+           if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
+             goto exit;
+           }
+           gst_adapter_flush (wav->adapter, 8);
+-          acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
+-              data_size);
+-          tempo = acid->tempo;
+          data = gst_adapter_map (wav->adapter, data_size);
+          tempo = GST_READ_FLOAT_LE (data + 20);
+           gst_adapter_unmap (wav->adapter);
+         } else {
+           GstMapInfo map;
+@@ -1465,8 +1464,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+                       &buf)) != GST_FLOW_OK)
+             goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+-          acid = (const gst_riff_acid *) map.data;
+-          tempo = acid->tempo;
+          tempo = GST_READ_FLOAT_LE (map.data + 20);
+           gst_buffer_unmap (buf, &map);
+         }
+         /* send data as tags */
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch
new file mode 100644
index 0000000000..7dbda5abdd
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch
@@ -0,0 +1,37 @@
+From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:21:44 +0300
+Subject: [PATCH 4/7] wavparse: Check that at least 4 bytes are available
+ before parsing cue chunks
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 6a0c44638e..5655ee3825 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -789,6 +789,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
+     return TRUE;
+   }
+ 
+  if (size < 4) {
+    GST_WARNING_OBJECT (wav, "broken file %d", size);
+    return FALSE;
+  }
+
+   ncues = GST_READ_UINT32_LE (data);
+ 
+   if (size < 4 + ncues * 24) {
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch
new file mode 100644
index 0000000000..bb5b6ff034
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch
@@ -0,0 +1,40 @@
+From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:22:02 +0300
+Subject: [PATCH 5/7] wavparse: Check that at least 32 bytes are available
+ before parsing smpl chunks
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-259
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 5655ee3825..8a04805ed4 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -893,6 +893,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
+ {
+   guint32 note_number;
+ 
+  if (size < 32)
+    return FALSE;
+
+   /*
+      manufacturer_id = GST_READ_UINT32_LE (data);
+      product_id = GST_READ_UINT32_LE (data + 4);
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch
new file mode 100644
index 0000000000..d12ab9b4e1
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch
@@ -0,0 +1,47 @@
+From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:27:27 +0300
+Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size
+The size does not include the 8 bytes tag and length, so an additional 8 bytes
+must be removed here. 8 bytes are always available at this point because
+otherwise the parsing of the tag and length right above would've failed.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 8a04805ed4..998cbb276d 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+     }
+ 
+     /* Clip to upstream size if known */
+-    if (upstream_size > 0 && size + wav->offset > upstream_size) {
+    if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
+       GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
+       g_assert (upstream_size >= wav->offset);
+-      size = upstream_size - wav->offset;
+      g_assert (upstream_size - wav->offset >= 8);
+      size = upstream_size - wav->offset - 8;
+     }
+ 
+     /* wav is a st00pid format, we don't know for sure where data starts.
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch
new file mode 100644
index 0000000000..b27132b16d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch
@@ -0,0 +1,41 @@
+From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:51:00 +0300
+Subject: [PATCH 7/7] wavparse: Check size before reading ds64 chunk
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-261
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+CVE: CVE-2024-47775
+CVE: CVE-2024-47776
+CVE: CVE-2024-47777
+CVE: CVE-2024-47778
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
+index 998cbb276d..958868de6d 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
+   guint32 sampleCountLow, sampleCountHigh;
+ 
+   gst_buffer_map (buf, &map, GST_MAP_READ);
+  if (map.size < 6 * 4) {
+    GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
+        map.size);
+    return FALSE;
+  }
+   dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
+   dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
+   sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
index 247fda7f9c..608c3030ba 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
@@ -31,6 +31,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
           file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \
           file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \
           file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \
+           file://0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch \
+           file://0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch \
+           file://0027-wavparse-Fix-parsing-of-acid-chunk.patch \
+           file://0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch \
+           file://0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch \
+           file://0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch \
+           file://0031-wavparse-Check-size-before-reading-ds64-chunk.patch \
          "
 SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7"
author	Peter Marko <peter.marko@siemens.com>	2024-12-30 18:27:21 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-01-09 06:25:36 -0800
commit	cd24f9434ed740b81956bfd53d5d605154d4edc2 (patch)
tree	61b9fbe753176b0708c055c1984836cc9b1188c8
parent	1eed4bd135ed1a11a5e10d8bbdda747ba1b6aa9b (diff)
download	poky-cd24f9434ed740b81956bfd53d5d605154d4edc2.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch new file mode 100644 index 0000000000..4b53830e12 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch
@@ -0,0 +1,174 @@
		1	From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:00:57 +0300
		4	Subject: [PATCH 1/7] wavparse: Check for short reads when parsing headers in
		5	pull mode
		6
		7	And also return the actual flow return to the caller instead of always returning
		8	GST_FLOW_ERROR.
		9
		10	Thanks to Antonio Morales for finding and reporting the issue.
		11
		12	Fixes GHSL-2024-258, GHSL-2024-260
		13	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
		14	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
		15
		16	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		17
		18	CVE: CVE-2024-47775
		19	CVE: CVE-2024-47776
		20	CVE: CVE-2024-47777
		21	CVE: CVE-2024-47778
		22	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3]
		23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		24	---
		25	gst/wavparse/gstwavparse.c \| 63 ++++++++++++++++++++++++++++----------
		26	1 file changed, 46 insertions(+), 17 deletions(-)
		27
		28	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		29	index d074f273c5..97d5591fae 100644
		30	--- a/gst/wavparse/gstwavparse.c
		31	+++ b/gst/wavparse/gstwavparse.c
		32	@@ -1096,6 +1096,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
		33	return TRUE;
		34	}
		35
		36	+static GstFlowReturn
		37	+gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
		38	+ GstBuffer ** buffer)
		39	+{
		40	+ GstFlowReturn res;
		41	+
		42	+ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
		43	+ if (res != GST_FLOW_OK)
		44	+ return res;
		45	+
		46	+ if (gst_buffer_get_size (*buffer) < size) {
		47	+ gst_clear_buffer (buffer);
		48	+ return GST_FLOW_EOS;
		49	+ }
		50	+
		51	+ return res;
		52	+}
		53	+
		54	static GstFlowReturn
		55	gst_wavparse_stream_headers (GstWavParse * wav)
		56	{
		57	@@ -1291,9 +1309,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		58
		59	buf = NULL;
		60	if ((res =
		61	- gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
		62	+ gst_wavparse_pull_range_exact (wav, wav->offset, 8,
		63	&buf)) != GST_FLOW_OK)
		64	- goto header_read_error;
		65	+ goto header_pull_error;
		66	gst_buffer_map (buf, &map, GST_MAP_READ);
		67	tag = GST_READ_UINT32_LE (map.data);
		68	size = GST_READ_UINT32_LE (map.data + 4);
		69	@@ -1396,9 +1414,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		70	gst_buffer_unref (buf);
		71	buf = NULL;
		72	if ((res =
		73	- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
		74	+ gst_wavparse_pull_range_exact (wav, wav->offset + 8,
		75	data_size, &buf)) != GST_FLOW_OK)
		76	- goto header_read_error;
		77	+ goto header_pull_error;
		78	gst_buffer_extract (buf, 0, &wav->fact, 4);
		79	wav->fact = GUINT32_FROM_LE (wav->fact);
		80	gst_buffer_unref (buf);
		81	@@ -1443,9 +1461,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		82	gst_buffer_unref (buf);
		83	buf = NULL;
		84	if ((res =
		85	- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
		86	- size, &buf)) != GST_FLOW_OK)
		87	- goto header_read_error;
		88	+ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
		89	+ &buf)) != GST_FLOW_OK)
		90	+ goto header_pull_error;
		91	gst_buffer_map (buf, &map, GST_MAP_READ);
		92	acid = (const gst_riff_acid *) map.data;
		93	tempo = acid->tempo;
		94	@@ -1483,9 +1501,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		95	gst_buffer_unref (buf);
		96	buf = NULL;
		97	if ((res =
		98	- gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
		99	+ gst_wavparse_pull_range_exact (wav, wav->offset, 12,
		100	&buf)) != GST_FLOW_OK)
		101	- goto header_read_error;
		102	+ goto header_pull_error;
		103	gst_buffer_extract (buf, 8, &ltag, 4);
		104	ltag = GUINT32_FROM_LE (ltag);
		105	}
		106	@@ -1512,9 +1530,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		107	buf = NULL;
		108	if (data_size > 0) {
		109	if ((res =
		110	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		111	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		112	data_size, &buf)) != GST_FLOW_OK)
		113	- goto header_read_error;
		114	+ goto header_pull_error;
		115	}
		116	}
		117	if (data_size > 0) {
		118	@@ -1552,9 +1570,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		119	buf = NULL;
		120	wav->offset += 12;
		121	if ((res =
		122	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		123	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		124	data_size, &buf)) != GST_FLOW_OK)
		125	- goto header_read_error;
		126	+ goto header_pull_error;
		127	gst_buffer_map (buf, &map, GST_MAP_READ);
		128	gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
		129	data_size);
		130	@@ -1598,9 +1616,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		131	gst_buffer_unref (buf);
		132	buf = NULL;
		133	if ((res =
		134	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		135	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		136	data_size, &buf)) != GST_FLOW_OK)
		137	- goto header_read_error;
		138	+ goto header_pull_error;
		139	gst_buffer_map (buf, &map, GST_MAP_READ);
		140	if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
		141	data_size)) {
		142	@@ -1642,9 +1660,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		143	gst_buffer_unref (buf);
		144	buf = NULL;
		145	if ((res =
		146	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		147	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		148	data_size, &buf)) != GST_FLOW_OK)
		149	- goto header_read_error;
		150	+ goto header_pull_error;
		151	gst_buffer_map (buf, &map, GST_MAP_READ);
		152	if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
		153	data_size)) {
		154	@@ -1796,6 +1814,17 @@ header_read_error:
		155	("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
		156	goto fail;
		157	}
		158	+header_pull_error:
		159	+ {
		160	+ if (res == GST_FLOW_EOS) {
		161	+ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
		162	+ gst_flow_get_name (res));
		163	+ } else {
		164	+ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
		165	+ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
		166	+ }
		167	+ goto exit;
		168	+ }
		169	}
		170
		171	/*
		172	--
		173	2.30.2
		174


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch new file mode 100644 index 0000000000..111c86e894 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
@@ -0,0 +1,41 @@
		1	From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:09:43 +0300
		4	Subject: [PATCH 2/7] wavparse: Make sure enough data for the tag list tag is
		5	available before parsing
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-258
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		13
		14	CVE: CVE-2024-47775
		15	CVE: CVE-2024-47776
		16	CVE: CVE-2024-47777
		17	CVE: CVE-2024-47778
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	gst/wavparse/gstwavparse.c \| 4 ++++
		22	1 file changed, 4 insertions(+)
		23
		24	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		25	index 97d5591fae..21cb48c07e 100644
		26	--- a/gst/wavparse/gstwavparse.c
		27	+++ b/gst/wavparse/gstwavparse.c
		28	@@ -1488,6 +1488,10 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		29	case GST_RIFF_TAG_LIST:{
		30	guint32 ltag;
		31
		32	+ /* Need at least the ltag */
		33	+ if (size < 4)
		34	+ goto exit;
		35	+
		36	if (wav->streaming) {
		37	const guint8 *data = NULL;
		38
		39	--
		40	2.30.2
		41


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch new file mode 100644 index 0000000000..39d0cccc9a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0027-wavparse-Fix-parsing-of-acid-chunk.patch
@@ -0,0 +1,65 @@
		1	From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:15:27 +0300
		4	Subject: [PATCH 3/7] wavparse: Fix parsing of acid chunk
		5
		6	Simply casting the bytes to a struct can lead to crashes because of unaligned
		7	reads, and is also missing the endianness swapping that is necessary on big
		8	endian architectures.
		9
		10	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		11
		12	CVE: CVE-2024-47775
		13	CVE: CVE-2024-47776
		14	CVE: CVE-2024-47777
		15	CVE: CVE-2024-47778
		16	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	gst/wavparse/gstwavparse.c \| 12 +++++-------
		20	1 file changed, 5 insertions(+), 7 deletions(-)
		21
		22	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		23	index 21cb48c07e..6a0c44638e 100644
		24	--- a/gst/wavparse/gstwavparse.c
		25	+++ b/gst/wavparse/gstwavparse.c
		26	@@ -1433,8 +1433,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		27	break;
		28	}
		29	case GST_RIFF_TAG_acid:{
		30	- const gst_riff_acid *acid = NULL;
		31	- const guint data_size = sizeof (gst_riff_acid);
		32	+ const guint data_size = 24;
		33	gfloat tempo;
		34
		35	GST_INFO_OBJECT (wav, "Have acid chunk");
		36	@@ -1448,13 +1447,13 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		37	break;
		38	}
		39	if (wav->streaming) {
		40	+ const guint8 *data;
		41	if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
		42	goto exit;
		43	}
		44	gst_adapter_flush (wav->adapter, 8);
		45	- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
		46	- data_size);
		47	- tempo = acid->tempo;
		48	+ data = gst_adapter_map (wav->adapter, data_size);
		49	+ tempo = GST_READ_FLOAT_LE (data + 20);
		50	gst_adapter_unmap (wav->adapter);
		51	} else {
		52	GstMapInfo map;
		53	@@ -1465,8 +1464,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		54	&buf)) != GST_FLOW_OK)
		55	goto header_pull_error;
		56	gst_buffer_map (buf, &map, GST_MAP_READ);
		57	- acid = (const gst_riff_acid *) map.data;
		58	- tempo = acid->tempo;
		59	+ tempo = GST_READ_FLOAT_LE (map.data + 20);
		60	gst_buffer_unmap (buf, &map);
		61	}
		62	/* send data as tags */
		63	--
		64	2.30.2
		65


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch new file mode 100644 index 0000000000..7dbda5abdd --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch
@@ -0,0 +1,37 @@
		1	From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:21:44 +0300
		4	Subject: [PATCH 4/7] wavparse: Check that at least 4 bytes are available
		5	before parsing cue chunks
		6
		7	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		8
		9	CVE: CVE-2024-47775
		10	CVE: CVE-2024-47776
		11	CVE: CVE-2024-47777
		12	CVE: CVE-2024-47778
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555]
		14	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		15	---
		16	gst/wavparse/gstwavparse.c \| 5 +++++
		17	1 file changed, 5 insertions(+)
		18
		19	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		20	index 6a0c44638e..5655ee3825 100644
		21	--- a/gst/wavparse/gstwavparse.c
		22	+++ b/gst/wavparse/gstwavparse.c
		23	@@ -789,6 +789,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
		24	return TRUE;
		25	}
		26
		27	+ if (size < 4) {
		28	+ GST_WARNING_OBJECT (wav, "broken file %d", size);
		29	+ return FALSE;
		30	+ }
		31	+
		32	ncues = GST_READ_UINT32_LE (data);
		33
		34	if (size < 4 + ncues * 24) {
		35	--
		36	2.30.2
		37


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch new file mode 100644 index 0000000000..bb5b6ff034 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch
@@ -0,0 +1,40 @@
		1	From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:22:02 +0300
		4	Subject: [PATCH 5/7] wavparse: Check that at least 32 bytes are available
		5	before parsing smpl chunks
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-259
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		13
		14	CVE: CVE-2024-47775
		15	CVE: CVE-2024-47776
		16	CVE: CVE-2024-47777
		17	CVE: CVE-2024-47778
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4]
		19	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		20	---
		21	gst/wavparse/gstwavparse.c \| 3 +++
		22	1 file changed, 3 insertions(+)
		23
		24	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		25	index 5655ee3825..8a04805ed4 100644
		26	--- a/gst/wavparse/gstwavparse.c
		27	+++ b/gst/wavparse/gstwavparse.c
		28	@@ -893,6 +893,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
		29	{
		30	guint32 note_number;
		31
		32	+ if (size < 32)
		33	+ return FALSE;
		34	+
		35	/*
		36	manufacturer_id = GST_READ_UINT32_LE (data);
		37	product_id = GST_READ_UINT32_LE (data + 4);
		38	--
		39	2.30.2
		40


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch new file mode 100644 index 0000000000..d12ab9b4e1 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch
@@ -0,0 +1,47 @@
		1	From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:27:27 +0300
		4	Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size
		5
		6	The size does not include the 8 bytes tag and length, so an additional 8 bytes
		7	must be removed here. 8 bytes are always available at this point because
		8	otherwise the parsing of the tag and length right above would've failed.
		9
		10	Thanks to Antonio Morales for finding and reporting the issue.
		11
		12	Fixes GHSL-2024-260
		13	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
		14
		15	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		16
		17	CVE: CVE-2024-47775
		18	CVE: CVE-2024-47776
		19	CVE: CVE-2024-47777
		20	CVE: CVE-2024-47778
		21	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67]
		22	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		23	---
		24	gst/wavparse/gstwavparse.c \| 5 +++--
		25	1 file changed, 3 insertions(+), 2 deletions(-)
		26
		27	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		28	index 8a04805ed4..998cbb276d 100644
		29	--- a/gst/wavparse/gstwavparse.c
		30	+++ b/gst/wavparse/gstwavparse.c
		31	@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		32	}
		33
		34	/* Clip to upstream size if known */
		35	- if (upstream_size > 0 && size + wav->offset > upstream_size) {
		36	+ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
		37	GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
		38	g_assert (upstream_size >= wav->offset);
		39	- size = upstream_size - wav->offset;
		40	+ g_assert (upstream_size - wav->offset >= 8);
		41	+ size = upstream_size - wav->offset - 8;
		42	}
		43
		44	/* wav is a st00pid format, we don't know for sure where data starts.
		45	--
		46	2.30.2
		47


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch new file mode 100644 index 0000000000..b27132b16d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0031-wavparse-Check-size-before-reading-ds64-chunk.patch
@@ -0,0 +1,41 @@
		1	From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:51:00 +0300
		4	Subject: [PATCH 7/7] wavparse: Check size before reading ds64 chunk
		5
		6	Thanks to Antonio Morales for finding and reporting the issue.
		7
		8	Fixes GHSL-2024-261
		9	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
		10
		11	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		12
		13	CVE: CVE-2024-47775
		14	CVE: CVE-2024-47776
		15	CVE: CVE-2024-47777
		16	CVE: CVE-2024-47778
		17	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b]
		18	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		19	---
		20	gst/wavparse/gstwavparse.c \| 5 +++++
		21	1 file changed, 5 insertions(+)
		22
		23	diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c
		24	index 998cbb276d..958868de6d 100644
		25	--- a/gst/wavparse/gstwavparse.c
		26	+++ b/gst/wavparse/gstwavparse.c
		27	@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
		28	guint32 sampleCountLow, sampleCountHigh;
		29
		30	gst_buffer_map (buf, &map, GST_MAP_READ);
		31	+ if (map.size < 6 * 4) {
		32	+ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
		33	+ map.size);
		34	+ return FALSE;
		35	+ }
		36	dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
		37	dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
		38	sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
		39	--
		40	2.30.2
		41


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb index 247fda7f9c..608c3030ba 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
@@ -31,6 +31,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
31	file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \	31	file://0022-jpegdec-Directly-error-out-on-negotiation-failures.patch \
32	file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \	32	file://0023-qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch \
33	file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \	33	file://0024-avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch \
		34	file://0025-wavparse-Check-for-short-reads-when-parsing-headers-.patch \
		35	file://0026-wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch \
		36	file://0027-wavparse-Fix-parsing-of-acid-chunk.patch \
		37	file://0028-wavparse-Check-that-at-least-4-bytes-are-available-b.patch \
		38	file://0029-wavparse-Check-that-at-least-32-bytes-are-available-.patch \
		39	file://0030-wavparse-Fix-clipping-of-size-to-the-file-size.patch \
		40	file://0031-wavparse-Check-size-before-reading-ds64-chunk.patch \
34	"	41	"
35		42
36	SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7"	43	SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7"