gstreamer1.0-plugins-bad: fix CVE-2023-40476

gst-plugins-bad: h265parser: Fix possible overflow using max_sub_layers_minus1 (From OE-Core rev: 2abcf03fbe343596de38113c655028c157763245) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2023-09-22 12:19:11 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-09-30 09:43:59 -1000
commit: fe7e47368e796b40aaddd2c2eb79df1e7f46e48c (patch)
tree: f8d3f8fc01d9aee9d7639db4572a8dd4b26a51c2
parent: 200596b5ada020098359d62457e584a7ed216c47 (diff)
download: poky-fe7e47368e796b40aaddd2c2eb79df1e7f46e48c.tar.gz
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
new file mode 100644
index 0000000000..7810e98024
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
@@ -0,0 +1,44 @@
+From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+Fixes ZDI-CAN-21768, CVE-2023-40476
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9]
+CVE: CVE-2023-40476
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index a4e7549..3db1c38 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+   READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+   READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+   /* skip reserved_0xffff_16bits */
+@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+   sps->vps = vps;
+   READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+   if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index d5f1e794cd..fbaabda3f9 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
           file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
           file://CVE-2023-40474.patch \
           file://CVE-2023-40475.patch \
+           file://CVE-2023-40476.patch \
           "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
author	Archana Polampalli <archana.polampalli@windriver.com>	2023-09-22 12:19:11 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-09-30 09:43:59 -1000
commit	fe7e47368e796b40aaddd2c2eb79df1e7f46e48c (patch)
tree	f8d3f8fc01d9aee9d7639db4572a8dd4b26a51c2
parent	200596b5ada020098359d62457e584a7ed216c47 (diff)
download	poky-fe7e47368e796b40aaddd2c2eb79df1e7f46e48c.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch new file mode 100644 index 0000000000..7810e98024 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
@@ -0,0 +1,44 @@
		1	From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001
		2	From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
		3	Date: Wed, 9 Aug 2023 12:49:19 -0400
		4	Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
		5
		6	This fixes a possible overflow that can be triggered by an invalid value of
		7	max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
		8	but the allowed range is 0 to 6 only.
		9
		10	Fixes ZDI-CAN-21768, CVE-2023-40476
		11
		12	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
		13
		14	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
		15
		16	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9]
		17	CVE: CVE-2023-40476
		18
		19	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		20
		21	---
		22	gst-libs/gst/codecparsers/gsth265parser.c \| 2 ++
		23	1 file changed, 2 insertions(+)
		24
		25	diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
		26	index a4e7549..3db1c38 100644
		27	--- a/gst-libs/gst/codecparsers/gsth265parser.c
		28	+++ b/gst-libs/gst/codecparsers/gsth265parser.c
		29	@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
		30
		31	READ_UINT8 (&nr, vps->max_layers_minus1, 6);
		32	READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
		33	+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
		34	READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
		35
		36	/* skip reserved_0xffff_16bits */
		37	@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
		38	sps->vps = vps;
		39
		40	READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
		41	+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
		42	READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
		43
		44	if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index d5f1e794cd..fbaabda3f9 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
12	file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \	12	file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
13	file://CVE-2023-40474.patch \	13	file://CVE-2023-40474.patch \
14	file://CVE-2023-40475.patch \	14	file://CVE-2023-40475.patch \
		15	file://CVE-2023-40476.patch \
15	"	16	"
16	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"	17	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
17		18