8 files changed, 431 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch
new file mode 100644
index 0000000000..2eaef45f41
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch
@@ -0,0 +1,171 @@
+From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:00:57 +0300
+Subject: [PATCH] wavparse: Check for short reads when parsing headers in pull
+ mode
+And also return the actual flow return to the caller instead of always returning
+GST_FLOW_ERROR.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-258, GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst/wavparse/gstwavparse.c                | 63 ++++++++++++++-----
+ 1 file changed, 46 insertions(+), 17 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index d074f273c501..97d5591fae8f 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
+   return TRUE;
+ }
+ 
+static GstFlowReturn
+gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
+    GstBuffer ** buffer)
+{
+  GstFlowReturn res;
+
+  res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
+  if (res != GST_FLOW_OK)
+    return res;
+
+  if (gst_buffer_get_size (*buffer) < size) {
+    gst_clear_buffer (buffer);
+    return GST_FLOW_EOS;
+  }
+
+  return res;
+}
+
+ static GstFlowReturn
+ gst_wavparse_stream_headers (GstWavParse * wav)
+ {
+@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+ 
+       buf = NULL;
+       if ((res =
+-              gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
+              gst_wavparse_pull_range_exact (wav, wav->offset, 8,
+                   &buf)) != GST_FLOW_OK)
+-        goto header_read_error;
+        goto header_pull_error;
+       gst_buffer_map (buf, &map, GST_MAP_READ);
+       tag = GST_READ_UINT32_LE (map.data);
+       size = GST_READ_UINT32_LE (map.data + 4);
+@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+             gst_buffer_unref (buf);
+             buf = NULL;
+             if ((res =
+-                    gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+                    gst_wavparse_pull_range_exact (wav, wav->offset + 8,
+                         data_size, &buf)) != GST_FLOW_OK)
+-              goto header_read_error;
+              goto header_pull_error;
+             gst_buffer_extract (buf, 0, &wav->fact, 4);
+             wav->fact = GUINT32_FROM_LE (wav->fact);
+             gst_buffer_unref (buf);
+@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+-                      size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+                  gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
+                      &buf)) != GST_FLOW_OK)
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           acid = (const gst_riff_acid *) map.data;
+           tempo = acid->tempo;
+@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
+                  gst_wavparse_pull_range_exact (wav, wav->offset, 12,
+                       &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_extract (buf, 8, &ltag, 4);
+           ltag = GUINT32_FROM_LE (ltag);
+         }
+@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+               buf = NULL;
+               if (data_size > 0) {
+                 if ((res =
+-                        gst_pad_pull_range (wav->sinkpad, wav->offset,
+                        gst_wavparse_pull_range_exact (wav, wav->offset,
+                             data_size, &buf)) != GST_FLOW_OK)
+-                  goto header_read_error;
+                  goto header_pull_error;
+               }
+             }
+             if (data_size > 0) {
+@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+               buf = NULL;
+               wav->offset += 12;
+               if ((res =
+-                      gst_pad_pull_range (wav->sinkpad, wav->offset,
+                      gst_wavparse_pull_range_exact (wav, wav->offset,
+                           data_size, &buf)) != GST_FLOW_OK)
+-                goto header_read_error;
+                goto header_pull_error;
+               gst_buffer_map (buf, &map, GST_MAP_READ);
+               gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
+                   data_size);
+@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset,
+                  gst_wavparse_pull_range_exact (wav, wav->offset,
+                       data_size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
+                   data_size)) {
+@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           gst_buffer_unref (buf);
+           buf = NULL;
+           if ((res =
+-                  gst_pad_pull_range (wav->sinkpad, wav->offset,
+                  gst_wavparse_pull_range_exact (wav, wav->offset,
+                       data_size, &buf)) != GST_FLOW_OK)
+-            goto header_read_error;
+            goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+           if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
+                   data_size)) {
+@@ -1797,6 +1815,17 @@ header_read_error:
+         ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
+     goto fail;
+   }
+header_pull_error:
+  {
+    if (res == GST_FLOW_EOS) {
+      GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
+          gst_flow_get_name (res));
+    } else {
+      GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
+          ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
+    }
+    goto exit;
+  }
+ }
+ 
+ /*
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch
new file mode 100644
index 0000000000..3df27b62bc
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch
@@ -0,0 +1,38 @@
+From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:09:43 +0300
+Subject: [PATCH] wavparse: Make sure enough data for the tag list tag is
+ available before parsing
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-258
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 97d5591fae8f..21cb48c07eb3 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+       case GST_RIFF_TAG_LIST:{
+         guint32 ltag;
+ 
+        /* Need at least the ltag */
+        if (size < 4)
+          goto exit;
+
+         if (wav->streaming) {
+           const guint8 *data = NULL;
+ 
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch
new file mode 100644
index 0000000000..010041aa4e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch
@@ -0,0 +1,62 @@
+From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:15:27 +0300
+Subject: [PATCH] wavparse: Fix parsing of acid chunk
+Simply casting the bytes to a struct can lead to crashes because of unaligned
+reads, and is also missing the endianness swapping that is necessary on big
+endian architectures.
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../gst-plugins-good/gst/wavparse/gstwavparse.c      | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 21cb48c07eb3..6a0c44638ea2 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+         break;
+       }
+       case GST_RIFF_TAG_acid:{
+-        const gst_riff_acid *acid = NULL;
+-        const guint data_size = sizeof (gst_riff_acid);
+        const guint data_size = 24;
+         gfloat tempo;
+ 
+         GST_INFO_OBJECT (wav, "Have acid chunk");
+@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+           break;
+         }
+         if (wav->streaming) {
+          const guint8 *data;
+           if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
+             goto exit;
+           }
+           gst_adapter_flush (wav->adapter, 8);
+-          acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
+-              data_size);
+-          tempo = acid->tempo;
+          data = gst_adapter_map (wav->adapter, data_size);
+          tempo = GST_READ_FLOAT_LE (data + 20);
+           gst_adapter_unmap (wav->adapter);
+         } else {
+           GstMapInfo map;
+@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+                       &buf)) != GST_FLOW_OK)
+             goto header_pull_error;
+           gst_buffer_map (buf, &map, GST_MAP_READ);
+-          acid = (const gst_riff_acid *) map.data;
+-          tempo = acid->tempo;
+          tempo = GST_READ_FLOAT_LE (map.data + 20);
+           gst_buffer_unmap (buf, &map);
+         }
+         /* send data as tags */
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch
new file mode 100644
index 0000000000..c7c3dbed46
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch
@@ -0,0 +1,34 @@
+From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:21:44 +0300
+Subject: [PATCH] wavparse: Check that at least 4 bytes are available before
+ parsing cue chunks
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 6a0c44638ea2..5655ee3825ca 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
+     return TRUE;
+   }
+ 
+  if (size < 4) {
+    GST_WARNING_OBJECT (wav, "broken file %d", size);
+    return FALSE;
+  }
+
+   ncues = GST_READ_UINT32_LE (data);
+ 
+   if (size < 4 + ncues * 24) {
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch
new file mode 100644
index 0000000000..89b240998a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch
@@ -0,0 +1,37 @@
+From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:22:02 +0300
+Subject: [PATCH] wavparse: Check that at least 32 bytes are available before
+ parsing smpl chunks
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-259
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 5655ee3825ca..8a04805ed427 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
+ {
+   guint32 note_number;
+ 
+  if (size < 32)
+    return FALSE;
+
+   /*
+      manufacturer_id = GST_READ_UINT32_LE (data);
+      product_id = GST_READ_UINT32_LE (data + 4);
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch
new file mode 100644
index 0000000000..0ad2592bc9
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch
@@ -0,0 +1,44 @@
+From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:27:27 +0300
+Subject: [PATCH] wavparse: Fix clipping of size to the file size
+The size does not include the 8 bytes tag and length, so an additional 8 bytes
+must be removed here. 8 bytes are always available at this point because
+otherwise the parsing of the tag and length right above would've failed.
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 8a04805ed427..998cbb276dbf 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
+     }
+ 
+     /* Clip to upstream size if known */
+-    if (upstream_size > 0 && size + wav->offset > upstream_size) {
+    if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
+       GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
+       g_assert (upstream_size >= wav->offset);
+-      size = upstream_size - wav->offset;
+      g_assert (upstream_size - wav->offset >= 8);
+      size = upstream_size - wav->offset - 8;
+     }
+ 
+     /* wav is a st00pid format, we don't know for sure where data starts.
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch
new file mode 100644
index 0000000000..d73359f375
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch
@@ -0,0 +1,38 @@
+From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:51:00 +0300
+Subject: [PATCH] wavparse: Check size before reading ds64 chunk
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-261
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b]
+CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+index 998cbb276dbf..958868de6d9e 100644
+--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
+@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
+   guint32 sampleCountLow, sampleCountHigh;
+ 
+   gst_buffer_map (buf, &map, GST_MAP_READ);
+  if (map.size < 6 * 4) {
+    GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
+        map.size);
+    return FALSE;
+  }
+   dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
+   dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
+   sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
+-- 
+GitLab
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
index 8cf08c5088..e82473086e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -30,6 +30,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
           file://CVE-2024-47606.patch \
           file://CVE-2024-47613.patch \
           file://CVE-2024-47774.patch \
+           file://CVE-2024-47775_47776_47777_47778-1.patch \
+           file://CVE-2024-47775_47776_47777_47778-2.patch \
+           file://CVE-2024-47775_47776_47777_47778-3.patch \
+           file://CVE-2024-47775_47776_47777_47778-4.patch \
+           file://CVE-2024-47775_47776_47777_47778-5.patch \
+           file://CVE-2024-47775_47776_47777_47778-6.patch \
+           file://CVE-2024-47775_47776_47777_47778-7.patch \
           "
 SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch new file mode 100644 index 0000000000..2eaef45f41 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-1.patch
@@ -0,0 +1,171 @@
		1	From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:00:57 +0300
		4	Subject: [PATCH] wavparse: Check for short reads when parsing headers in pull
		5	mode
		6
		7	And also return the actual flow return to the caller instead of always returning
		8	GST_FLOW_ERROR.
		9
		10	Thanks to Antonio Morales for finding and reporting the issue.
		11
		12	Fixes GHSL-2024-258, GHSL-2024-260
		13	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
		14	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
		15
		16	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		17
		18	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13b48016b3ef1e822c393c2871b0a561ce19ecb3]
		19	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		20	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		21	---
		22	.../gst/wavparse/gstwavparse.c \| 63 ++++++++++++++-----
		23	1 file changed, 46 insertions(+), 17 deletions(-)
		24
		25	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		26	index d074f273c501..97d5591fae8f 100644
		27	--- a/gst/wavparse/gstwavparse.c
		28	+++ b/gst/wavparse/gstwavparse.c
		29	@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
		30	return TRUE;
		31	}
		32
		33	+static GstFlowReturn
		34	+gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
		35	+ GstBuffer ** buffer)
		36	+{
		37	+ GstFlowReturn res;
		38	+
		39	+ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
		40	+ if (res != GST_FLOW_OK)
		41	+ return res;
		42	+
		43	+ if (gst_buffer_get_size (*buffer) < size) {
		44	+ gst_clear_buffer (buffer);
		45	+ return GST_FLOW_EOS;
		46	+ }
		47	+
		48	+ return res;
		49	+}
		50	+
		51	static GstFlowReturn
		52	gst_wavparse_stream_headers (GstWavParse * wav)
		53	{
		54	@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		55
		56	buf = NULL;
		57	if ((res =
		58	- gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
		59	+ gst_wavparse_pull_range_exact (wav, wav->offset, 8,
		60	&buf)) != GST_FLOW_OK)
		61	- goto header_read_error;
		62	+ goto header_pull_error;
		63	gst_buffer_map (buf, &map, GST_MAP_READ);
		64	tag = GST_READ_UINT32_LE (map.data);
		65	size = GST_READ_UINT32_LE (map.data + 4);
		66	@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		67	gst_buffer_unref (buf);
		68	buf = NULL;
		69	if ((res =
		70	- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
		71	+ gst_wavparse_pull_range_exact (wav, wav->offset + 8,
		72	data_size, &buf)) != GST_FLOW_OK)
		73	- goto header_read_error;
		74	+ goto header_pull_error;
		75	gst_buffer_extract (buf, 0, &wav->fact, 4);
		76	wav->fact = GUINT32_FROM_LE (wav->fact);
		77	gst_buffer_unref (buf);
		78	@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		79	gst_buffer_unref (buf);
		80	buf = NULL;
		81	if ((res =
		82	- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
		83	- size, &buf)) != GST_FLOW_OK)
		84	- goto header_read_error;
		85	+ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
		86	+ &buf)) != GST_FLOW_OK)
		87	+ goto header_pull_error;
		88	gst_buffer_map (buf, &map, GST_MAP_READ);
		89	acid = (const gst_riff_acid *) map.data;
		90	tempo = acid->tempo;
		91	@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		92	gst_buffer_unref (buf);
		93	buf = NULL;
		94	if ((res =
		95	- gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
		96	+ gst_wavparse_pull_range_exact (wav, wav->offset, 12,
		97	&buf)) != GST_FLOW_OK)
		98	- goto header_read_error;
		99	+ goto header_pull_error;
		100	gst_buffer_extract (buf, 8, &ltag, 4);
		101	ltag = GUINT32_FROM_LE (ltag);
		102	}
		103	@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		104	buf = NULL;
		105	if (data_size > 0) {
		106	if ((res =
		107	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		108	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		109	data_size, &buf)) != GST_FLOW_OK)
		110	- goto header_read_error;
		111	+ goto header_pull_error;
		112	}
		113	}
		114	if (data_size > 0) {
		115	@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		116	buf = NULL;
		117	wav->offset += 12;
		118	if ((res =
		119	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		120	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		121	data_size, &buf)) != GST_FLOW_OK)
		122	- goto header_read_error;
		123	+ goto header_pull_error;
		124	gst_buffer_map (buf, &map, GST_MAP_READ);
		125	gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
		126	data_size);
		127	@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		128	gst_buffer_unref (buf);
		129	buf = NULL;
		130	if ((res =
		131	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		132	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		133	data_size, &buf)) != GST_FLOW_OK)
		134	- goto header_read_error;
		135	+ goto header_pull_error;
		136	gst_buffer_map (buf, &map, GST_MAP_READ);
		137	if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
		138	data_size)) {
		139	@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		140	gst_buffer_unref (buf);
		141	buf = NULL;
		142	if ((res =
		143	- gst_pad_pull_range (wav->sinkpad, wav->offset,
		144	+ gst_wavparse_pull_range_exact (wav, wav->offset,
		145	data_size, &buf)) != GST_FLOW_OK)
		146	- goto header_read_error;
		147	+ goto header_pull_error;
		148	gst_buffer_map (buf, &map, GST_MAP_READ);
		149	if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
		150	data_size)) {
		151	@@ -1797,6 +1815,17 @@ header_read_error:
		152	("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
		153	goto fail;
		154	}
		155	+header_pull_error:
		156	+ {
		157	+ if (res == GST_FLOW_EOS) {
		158	+ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
		159	+ gst_flow_get_name (res));
		160	+ } else {
		161	+ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
		162	+ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
		163	+ }
		164	+ goto exit;
		165	+ }
		166	}
		167
		168	/*
		169	--
		170	GitLab
		171


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch new file mode 100644 index 0000000000..3df27b62bc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-2.patch
@@ -0,0 +1,38 @@
		1	From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:09:43 +0300
		4	Subject: [PATCH] wavparse: Make sure enough data for the tag list tag is
		5	available before parsing
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-258
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4c198f4891cfabde868944d55ff98925e7beb757]
		15	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c \| 4 ++++
		19	1 file changed, 4 insertions(+)
		20
		21	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		22	index 97d5591fae8f..21cb48c07eb3 100644
		23	--- a/gst/wavparse/gstwavparse.c
		24	+++ b/gst/wavparse/gstwavparse.c
		25	@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		26	case GST_RIFF_TAG_LIST:{
		27	guint32 ltag;
		28
		29	+ /* Need at least the ltag */
		30	+ if (size < 4)
		31	+ goto exit;
		32	+
		33	if (wav->streaming) {
		34	const guint8 *data = NULL;
		35
		36	--
		37	GitLab
		38


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch new file mode 100644 index 0000000000..010041aa4e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-3.patch
@@ -0,0 +1,62 @@
		1	From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:15:27 +0300
		4	Subject: [PATCH] wavparse: Fix parsing of acid chunk
		5
		6	Simply casting the bytes to a struct can lead to crashes because of unaligned
		7	reads, and is also missing the endianness swapping that is necessary on big
		8	endian architectures.
		9
		10	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		11
		12	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/296e17b4ea81e5c228bb853f6037b654fdca7d47]
		13	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		14	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		15	---
		16	.../gst-plugins-good/gst/wavparse/gstwavparse.c \| 12 +++++-------
		17	1 file changed, 5 insertions(+), 7 deletions(-)
		18
		19	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		20	index 21cb48c07eb3..6a0c44638ea2 100644
		21	--- a/gst/wavparse/gstwavparse.c
		22	+++ b/gst/wavparse/gstwavparse.c
		23	@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		24	break;
		25	}
		26	case GST_RIFF_TAG_acid:{
		27	- const gst_riff_acid *acid = NULL;
		28	- const guint data_size = sizeof (gst_riff_acid);
		29	+ const guint data_size = 24;
		30	gfloat tempo;
		31
		32	GST_INFO_OBJECT (wav, "Have acid chunk");
		33	@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		34	break;
		35	}
		36	if (wav->streaming) {
		37	+ const guint8 *data;
		38	if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
		39	goto exit;
		40	}
		41	gst_adapter_flush (wav->adapter, 8);
		42	- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
		43	- data_size);
		44	- tempo = acid->tempo;
		45	+ data = gst_adapter_map (wav->adapter, data_size);
		46	+ tempo = GST_READ_FLOAT_LE (data + 20);
		47	gst_adapter_unmap (wav->adapter);
		48	} else {
		49	GstMapInfo map;
		50	@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		51	&buf)) != GST_FLOW_OK)
		52	goto header_pull_error;
		53	gst_buffer_map (buf, &map, GST_MAP_READ);
		54	- acid = (const gst_riff_acid *) map.data;
		55	- tempo = acid->tempo;
		56	+ tempo = GST_READ_FLOAT_LE (map.data + 20);
		57	gst_buffer_unmap (buf, &map);
		58	}
		59	/* send data as tags */
		60	--
		61	GitLab
		62


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch new file mode 100644 index 0000000000..c7c3dbed46 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-4.patch
@@ -0,0 +1,34 @@
		1	From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:21:44 +0300
		4	Subject: [PATCH] wavparse: Check that at least 4 bytes are available before
		5	parsing cue chunks
		6
		7	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		8
		9	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555]
		10	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c \| 5 +++++
		14	1 file changed, 5 insertions(+)
		15
		16	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		17	index 6a0c44638ea2..5655ee3825ca 100644
		18	--- a/gst/wavparse/gstwavparse.c
		19	+++ b/gst/wavparse/gstwavparse.c
		20	@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
		21	return TRUE;
		22	}
		23
		24	+ if (size < 4) {
		25	+ GST_WARNING_OBJECT (wav, "broken file %d", size);
		26	+ return FALSE;
		27	+ }
		28	+
		29	ncues = GST_READ_UINT32_LE (data);
		30
		31	if (size < 4 + ncues * 24) {
		32	--
		33	GitLab
		34


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch new file mode 100644 index 0000000000..89b240998a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-5.patch
@@ -0,0 +1,37 @@
		1	From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:22:02 +0300
		4	Subject: [PATCH] wavparse: Check that at least 32 bytes are available before
		5	parsing smpl chunks
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-259
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		13
		14	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/93d79c22a82604adc5512557c1238f72f41188c4]
		15	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c \| 3 +++
		19	1 file changed, 3 insertions(+)
		20
		21	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		22	index 5655ee3825ca..8a04805ed427 100644
		23	--- a/gst/wavparse/gstwavparse.c
		24	+++ b/gst/wavparse/gstwavparse.c
		25	@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
		26	{
		27	guint32 note_number;
		28
		29	+ if (size < 32)
		30	+ return FALSE;
		31	+
		32	/*
		33	manufacturer_id = GST_READ_UINT32_LE (data);
		34	product_id = GST_READ_UINT32_LE (data + 4);
		35	--
		36	GitLab
		37


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch new file mode 100644 index 0000000000..0ad2592bc9 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-6.patch
@@ -0,0 +1,44 @@
		1	From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:27:27 +0300
		4	Subject: [PATCH] wavparse: Fix clipping of size to the file size
		5
		6	The size does not include the 8 bytes tag and length, so an additional 8 bytes
		7	must be removed here. 8 bytes are always available at this point because
		8	otherwise the parsing of the tag and length right above would've failed.
		9
		10	Thanks to Antonio Morales for finding and reporting the issue.
		11
		12	Fixes GHSL-2024-260
		13	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
		14
		15	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		16
		17	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/526d0eef0d850c8f2fa1bf0aef15a836797f1a67]
		18	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		19	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		20	---
		21	subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c \| 5 +++--
		22	1 file changed, 3 insertions(+), 2 deletions(-)
		23
		24	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		25	index 8a04805ed427..998cbb276dbf 100644
		26	--- a/gst/wavparse/gstwavparse.c
		27	+++ b/gst/wavparse/gstwavparse.c
		28	@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav)
		29	}
		30
		31	/* Clip to upstream size if known */
		32	- if (upstream_size > 0 && size + wav->offset > upstream_size) {
		33	+ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
		34	GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
		35	g_assert (upstream_size >= wav->offset);
		36	- size = upstream_size - wav->offset;
		37	+ g_assert (upstream_size - wav->offset >= 8);
		38	+ size = upstream_size - wav->offset - 8;
		39	}
		40
		41	/* wav is a st00pid format, we don't know for sure where data starts.
		42	--
		43	GitLab
		44


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch new file mode 100644 index 0000000000..d73359f375 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2024-47775_47776_47777_47778-7.patch
@@ -0,0 +1,38 @@
		1	From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Fri, 4 Oct 2024 13:51:00 +0300
		4	Subject: [PATCH] wavparse: Check size before reading ds64 chunk
		5
		6	Thanks to Antonio Morales for finding and reporting the issue.
		7
		8	Fixes GHSL-2024-261
		9	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
		10
		11	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
		12
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4f381d15014471b026020d0990a5f5a9f420a22b]
		14	CVE: CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778
		15	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		16	---
		17	subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c \| 5 +++++
		18	1 file changed, 5 insertions(+)
		19
		20	diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
		21	index 998cbb276dbf..958868de6d9e 100644
		22	--- a/gst/wavparse/gstwavparse.c
		23	+++ b/gst/wavparse/gstwavparse.c
		24	@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf)
		25	guint32 sampleCountLow, sampleCountHigh;
		26
		27	gst_buffer_map (buf, &map, GST_MAP_READ);
		28	+ if (map.size < 6 * 4) {
		29	+ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
		30	+ map.size);
		31	+ return FALSE;
		32	+ }
		33	dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
		34	dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
		35	sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
		36	--
		37	GitLab
		38


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb index 8cf08c5088..e82473086e 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb
@@ -30,6 +30,13 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go
30	file://CVE-2024-47606.patch \	30	file://CVE-2024-47606.patch \
31	file://CVE-2024-47613.patch \	31	file://CVE-2024-47613.patch \
32	file://CVE-2024-47774.patch \	32	file://CVE-2024-47774.patch \
		33	file://CVE-2024-47775_47776_47777_47778-1.patch \
		34	file://CVE-2024-47775_47776_47777_47778-2.patch \
		35	file://CVE-2024-47775_47776_47777_47778-3.patch \
		36	file://CVE-2024-47775_47776_47777_47778-4.patch \
		37	file://CVE-2024-47775_47776_47777_47778-5.patch \
		38	file://CVE-2024-47775_47776_47777_47778-6.patch \
		39	file://CVE-2024-47775_47776_47777_47778-7.patch \
33	"	40	"
34		41
35	SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"	42	SRC_URI[sha256sum] = "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2"