-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch124
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch63
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch72
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch35
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch63
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch44
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch120
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch450
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch56
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch49
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch97
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch36
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch37
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb16
14 files changed, 1261 insertions, 1 deletions
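diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch
new file mode 100644
index 0000000000..d9f1474ba4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch
@@ -0,0 +1,124 @@
+From 62de06c7a443a5ac40ab2a4f2589625932bf9632 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 24 Sep 2024 09:50:34 +0300
+Subject: [PATCH 01/13] qtdemux: Skip zero-sized boxes instead of stopping to
+ look at further boxes
+
+A zero-sized box is not really a problem and can be skipped to look at any
+possibly following ones.
+
+BMD ATEM devices specifically write a zero-sized bmdc box in the sample
+description, followed by the avcC box in case of h264. Previously the avcC box
+would simply not be read at all and the file would be unplayable.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7620>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/62de06c7a443a5ac40ab2a4f2589625932bf9632]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 54 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 36 insertions(+), 18 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index a53d61e649..2f2ca4459b 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -11666,9 +11666,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 0x8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ avc_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (avc_data + 0x4)) {
+ case FOURCC_avcC:
+@@ -11783,9 +11786,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 0x8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ hevc_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (hevc_data + 0x4)) {
+ case FOURCC_hvcC:
+@@ -12207,9 +12213,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ vc1_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (vc1_data + 0x4)) {
+ case GST_MAKE_FOURCC ('d', 'v', 'c', '1'):
+@@ -12249,9 +12258,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 0x8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ av1_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (av1_data + 0x4)) {
+ case FOURCC_av1C:
+@@ -12359,9 +12371,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 0x8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ vpcc_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (vpcc_data + 0x4)) {
+ case FOURCC_vpcC:
+@@ -12861,9 +12876,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ else
+ size = len - 8;
+
+- if (size < 1)
+- /* No real data, so break out */
+- break;
++ /* No real data, so skip */
++ if (size < 1) {
++ len -= 8;
++ wfex_data += 8;
++ continue;
++ }
+
+ switch (QT_FOURCC (wfex_data + 4)) {
+ case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'):
+--
+2.30.2
+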
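diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
new file mode 100644
index 0000000000..4eacb4e198
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
@@ -0,0 +1,63 @@
+From 0e58b2f7ad7b310201eada442a6782aaebe8e2bd Mon Sep 17 00:00:00 2001
+From: Antonio Morales <antonio-morales@github.com>
+Date: Thu, 26 Sep 2024 18:39:37 +0300
+Subject: [PATCH 02/13] qtdemux: Fix integer overflow when allocating the
+ samples table for fragmented MP4
+
+This can lead to out of bounds writes and NULL pointer dereferences.
+
+Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47537
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/0e58b2f7ad7b310201eada442a6782aaebe8e2bd]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 2ccc9f3595..54f2dfead3 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3342,6 +3342,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ gint i;
+ guint8 *data;
+ guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
++ guint new_n_samples;
+ QtDemuxSample *sample;
+ gboolean ismv = FALSE;
+ gint64 initial_offset;
+@@ -3442,14 +3443,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ goto fail;
+ data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
+
+- if (stream->n_samples + samples_count >=
+- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
+
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
+- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
+- (stream->n_samples + samples_count) *
+- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
++ new_n_samples, (guint) sizeof (QtDemuxSample),
++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+
+ /* create a new array of samples if it's the first sample parsed */
+ if (stream->n_samples == 0) {
+@@ -3458,7 +3458,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ /* or try to reallocate it with space enough to insert the new samples */
+ } else
+ stream->samples = g_try_renew (QtDemuxSample, stream->samples,
+- stream->n_samples + samples_count);
++ new_n_samples);
+ if (stream->samples == NULL)
+ goto out_of_memory;
+
+--
+2.30.2
+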
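diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch
new file mode 100644
index 0000000000..298ecb0fe6
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch
@@ -0,0 +1,72 @@
+From c077ff2585927540f038635f26ca4ba99dc92f10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 18:40:56 +0300
+Subject: [PATCH 03/13] qtdemux: Fix debug output during trun parsing
+
+Various integers are unsigned so print them as such. Also print the actual
+allocation size if allocation fails, not only parts of it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c077ff2585927540f038635f26ca4ba99dc92f10]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 54f2dfead3..4bb24b1b80 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3348,8 +3348,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ gint64 initial_offset;
+ gint32 min_ct = 0;
+
+- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; "
+- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; "
++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
+ "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration,
+ d_sample_size, d_sample_flags, *base_offset, decode_ts);
+
+@@ -3377,7 +3377,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ /* note this is really signed */
+ if (!gst_byte_reader_get_int32_be (trun, &data_offset))
+ goto fail;
+- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset);
++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset);
+ /* default base offset = first byte of moof */
+ if (*base_offset == -1) {
+ GST_LOG_OBJECT (qtdemux, "base_offset at moof");
+@@ -3399,7 +3399,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+
+ GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT,
+ *running_offset);
+- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d",
++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u",
+ data_offset, flags, samples_count);
+
+ if (flags & TR_FIRST_SAMPLE_FLAGS) {
+@@ -3608,14 +3608,15 @@ fail:
+ }
+ out_of_memory:
+ {
+- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples",
+- stream->n_samples);
++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples",
++ stream->n_samples, samples_count);
+ return FALSE;
+ }
+ index_too_big:
+ {
+- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would "
+- "be larger than %uMB (broken file?)", stream->n_samples,
++ GST_WARNING_OBJECT (qtdemux,
++ "not allocating index of %u + %u samples, would "
++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count,
+ QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20);
+ return FALSE;
+ }
+--
+2.30.2
+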
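Review bot: `data_offset` is filled by `gst_byte_reader_get_int32_be` directly under the comment "note this is really signed", yet the second and third hunks of the embedded patch now print it with `%u` (`"trun data offset %u"` and `"trun offset %u, flags 0x%x, entries %u"`). A negative offset from a malformed or unusual file will then show up in the log as a large positive number, which misleads anyone triaging a crafted sample from debug output. Keeping the signed conversion for that one argument would be accurate, e.g. `GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset);` and `"trun offset %d, flags 0x%x, entries %u"`. The declaration of `data_offset` is outside the visible hunks, so its exact type should be confirmed; as this is an upstream backport, the correction is best proposed upstream rather than carried locally.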
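diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
new file mode 100644
index 0000000000..bc924391fe
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
@@ -0,0 +1,35 @@
+From 53464dd2cf1a03f838899f7355133766ff211fce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 18:41:39 +0300
+Subject: [PATCH 04/13] qtdemux: Don't iterate over all trun entries if none of
+ the flags are set
+
+Nothing would be printed anyway.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/53464dd2cf1a03f838899f7355133766ff211fce]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux_dump.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gst/isomp4/qtdemux_dump.c b/gst/isomp4/qtdemux_dump.c
+index 22da35e9e7..297b580ef0 100644
+--- a/gst/isomp4/qtdemux_dump.c
++++ b/gst/isomp4/qtdemux_dump.c
+@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth)
+ GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags);
+ }
+
++ /* Nothing to print below */
++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS |
++ TR_COMPOSITION_TIME_OFFSETS)) == 0)
++ return TRUE;
++
+ for (i = 0; i < samples_count; i++) {
+ if (flags & TR_SAMPLE_DURATION) {
+ if (!gst_byte_reader_get_uint32_be (data, &sample_duration))
+--
+2.30.2
+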
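diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
new file mode 100644
index 0000000000..25796bd983
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
@@ -0,0 +1,63 @@
+From 1fac18a8fa269343dd43c9a4bca8d89f307fb7a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 15:50:54 +0300
+Subject: [PATCH 05/13] qtdemux: Check sizes of stsc/stco/stts before trying to
+ merge entries
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-246
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47598
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1fac18a8fa269343dd43c9a4bca8d89f307fb7a0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 4bb24b1b80..d1aa9ee5a0 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -9476,6 +9476,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream)
+ return;
+ }
+
++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stts");
++ return;
++ }
++
++ if (stream->stco.size < 8) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stco");
++ return;
++ }
++
++ if (stream->n_samples_per_chunk == 0) {
++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk");
++ return;
++ }
++
+ /* Parse the stts to get the sample duration and number of samples */
+ gst_byte_reader_skip_unchecked (&stream->stts, 4);
+ stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts);
+@@ -9487,6 +9502,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream)
+ GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration,
+ num_chunks);
+
++ if (gst_byte_reader_get_remaining (&stream->stsc) <
++ stream->n_samples_per_chunk * 3 * 4 +
++ (stream->n_samples_per_chunk - 1) * 4) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc");
++ return;
++ }
++
+ /* Now parse stsc, convert chunks into single samples and generate a
+ * new stsc, stts and stsz from this information */
+ gst_byte_writer_init (&stsc);
+--
+2.30.2
+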
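Review bot: The "Too small stsc" guard in the second hunk of the embedded patch computes its required size as `stream->n_samples_per_chunk * 3 * 4 + (stream->n_samples_per_chunk - 1) * 4`, and if that field is a 32-bit unsigned value (its declaration is not visible here) the expression can wrap for very large counts taken from the file, so the comparison would pass with a much smaller stsc than the later parsing needs. Doing the arithmetic in 64 bits removes the wrap, e.g. `if (gst_byte_reader_get_remaining (&stream->stsc) < (guint64) stream->n_samples_per_chunk * 16 - 4) {`; the zero case is already rejected by the "No samples per chunk" check in the first hunk. A short comment above the guard saying what the `3 * 4` and `(n - 1) * 4` terms account for would also help the next reader verify it. `qtdemux_merge_sample_table` continues outside both hunks, and since this is a backport the change is best raised upstream and tracked here.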
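diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
new file mode 100644
index 0000000000..f2ee62fd01
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
@@ -0,0 +1,44 @@
+From 6cca274bf25a5679330debdd61a59840e50c68ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 09:20:28 +0300
+Subject: [PATCH 06/13] qtdemux: Make sure only an even number of bytes is
+ processed when handling CEA608 data
+
+An odd number of bytes would lead to out of bound reads and writes, and doesn't
+make any sense as CEA608 comes in byte pairs.
+
+Strip off any leftover bytes and assume everything before that is valid.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-195
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47539
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6cca274bf25a5679330debdd61a59840e50c68ab]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index d1aa9ee5a0..ce1a1b8d59 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -5784,6 +5784,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
+ guint8 *storage;
+ gsize i;
+
++ /* Strip off any leftover odd bytes and assume everything before is valid */
++ if (ccpair_size % 2 != 0) {
++ ccpair_size -= 1;
++ }
++
+ /* We are converting from pairs to triplets */
+ *res = ccpair_size / 2 * 3;
+ storage = g_malloc (*res);
+--
+2.30.2
+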
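diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch
new file mode 100644
index 0000000000..9b885669a0
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch
@@ -0,0 +1,120 @@
+From 64fa1ec0de71db28387a45819681ba760a71e6bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 14:17:02 +0300
+Subject: [PATCH 07/13] qtdemux: Make sure enough data is available before
+ reading wave header node
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-236
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47543
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/64fa1ec0de71db28387a45819681ba760a71e6bc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 84 ++++++++++++++++++++++++--------------------
+ 1 file changed, 45 insertions(+), 39 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index ce1a1b8d59..ed83227d70 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -13139,47 +13139,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ } else {
+ guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16);
+ const guint8 *data = stsd_entry_data + offset + 16;
+- GNode *wavenode;
+- GNode *waveheadernode;
+-
+- wavenode = g_node_new ((guint8 *) data);
+- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
+- const guint8 *waveheader;
+- guint32 headerlen;
+-
+- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc);
+- if (waveheadernode) {
+- waveheader = (const guint8 *) waveheadernode->data;
+- headerlen = QT_UINT32 (waveheader);
+-
+- if (headerlen > 8) {
+- gst_riff_strf_auds *header = NULL;
+- GstBuffer *headerbuf;
+- GstBuffer *extra;
+-
+- waveheader += 8;
+- headerlen -= 8;
+-
+- headerbuf = gst_buffer_new_and_alloc (headerlen);
+- gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
+-
+- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
+- headerbuf, &header, &extra)) {
+- gst_caps_unref (entry->caps);
+- /* FIXME: Need to do something with the channel reorder map */
+- entry->caps =
+- gst_riff_create_audio_caps (header->format, NULL, header,
+- extra, NULL, NULL, NULL);
+-
+- if (extra)
+- gst_buffer_unref (extra);
+- g_free (header);
++
++ if (len < datalen || len - datalen < offset + 16) {
++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode");
++ } else {
++ GNode *wavenode;
++ GNode *waveheadernode;
++
++ wavenode = g_node_new ((guint8 *) data);
++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
++ const guint8 *waveheader;
++ guint32 headerlen;
++
++ waveheadernode =
++ qtdemux_tree_get_child_by_type (wavenode, fourcc);
++ if (waveheadernode) {
++ waveheader = (const guint8 *) waveheadernode->data;
++ headerlen = QT_UINT32 (waveheader);
++
++ if (headerlen > 8) {
++ gst_riff_strf_auds *header = NULL;
++ GstBuffer *headerbuf;
++ GstBuffer *extra;
++
++ waveheader += 8;
++ headerlen -= 8;
++
++ headerbuf = gst_buffer_new_and_alloc (headerlen);
++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
++
++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
++ headerbuf, &header, &extra)) {
++ gst_caps_unref (entry->caps);
++ /* FIXME: Need to do something with the channel reorder map */
++ entry->caps =
++ gst_riff_create_audio_caps (header->format, NULL,
++ header, extra, NULL, NULL, NULL);
++
++ if (extra)
++ gst_buffer_unref (extra);
++ g_free (header);
++ }
+ }
+- }
+- } else
+- GST_DEBUG ("Didn't find waveheadernode for this codec");
++ } else
++ GST_DEBUG ("Didn't find waveheadernode for this codec");
++ }
++ g_node_destroy (wavenode);
+ }
+- g_node_destroy (wavenode);
+ }
+ } else if (esds) {
+ gst_qtdemux_handle_esds (qtdemux, stream, entry, esds,
+--
+2.30.2
+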
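Review bot: `datalen` is still loaded with `QT_UINT32 (stsd_entry_data + offset + 16)` in the unchanged context lines before the new `len < datalen || len - datalen < offset + 16` test runs, so that four-byte read is only covered if a guard outside this hunk already guarantees `len >= offset + 20`. The new test does not establish it after the fact: with `datalen == 0` it passes for `len == offset + 16`. If no earlier guard exists, the header bound should be tested before the field is read, for example by initialising `datalen` to 0, rejecting `len < offset + 20` first, and only then assigning `datalen` and applying the existing comparison. The types of `len` and `offset` and the rest of `qtdemux_parse_trak` are outside the hunk, so this needs confirming against the full function; being a backport, any change belongs upstream first.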
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
new file mode 100644
index 0000000000..75ca64f432
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
@@ -0,0 +1,450 @@
1From 2fbd654d4702e396b61b3963caddcefd024be4bc Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
3Date: Fri, 27 Sep 2024 00:12:57 +0300
4Subject: [PATCH 08/13] qtdemux: Fix length checks and offsets in stsd entry
5 parsing
6
7Thanks to Antonio Morales for finding and reporting the issue.
8
9Fixes GHSL-2024-242
10Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845
11
12Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
13
14CVE: CVE-2024-47545
15Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2fbd654d4702e396b61b3963caddcefd024be4bc]
16Signed-off-by: Peter Marko <peter.marko@siemens.com>
17---
18 gst/isomp4/qtdemux.c | 218 ++++++++++++++++---------------------------
19 1 file changed, 79 insertions(+), 139 deletions(-)
20
21diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
22index ed83227d70..94ce75b2d4 100644
23--- a/gst/isomp4/qtdemux.c
24+++ b/gst/isomp4/qtdemux.c
25@@ -11679,43 +11679,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
26 case FOURCC_avc1:
27 case FOURCC_avc3:
28 {
29- guint len = QT_UINT32 (stsd_entry_data);
30+ guint32 len = QT_UINT32 (stsd_entry_data);
31 len = len <= 0x56 ? 0 : len - 0x56;
32 const guint8 *avc_data = stsd_entry_data + 0x56;
33
34 /* find avcC */
35- while (len >= 0x8) {
36- guint size;
37+ while (len >= 8) {
38+ guint32 size = QT_UINT32 (avc_data);
39
40- if (QT_UINT32 (avc_data) <= 0x8)
41- size = 0;
42- else if (QT_UINT32 (avc_data) <= len)
43- size = QT_UINT32 (avc_data) - 0x8;
44- else
45- size = len - 0x8;
46+ if (size < 8 || size > len)
47+ break;
48
49- /* No real data, so skip */
50- if (size < 1) {
51- len -= 8;
52- avc_data += 8;
53- continue;
54- }
55-
56- switch (QT_FOURCC (avc_data + 0x4)) {
57+ switch (QT_FOURCC (avc_data + 4)) {
58 case FOURCC_avcC:
59 {
60 /* parse, if found */
61 GstBuffer *buf;
62
63+ if (size < 8 + 1)
64+ break;
65+
66 GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd");
67
68 /* First 4 bytes are the length of the atom, the next 4 bytes
69 * are the fourcc, the next 1 byte is the version, and the
70 * subsequent bytes are profile_tier_level structure like data. */
71 gst_codec_utils_h264_caps_set_level_and_profile (entry->caps,
72- avc_data + 8 + 1, size - 1);
73- buf = gst_buffer_new_and_alloc (size);
74- gst_buffer_fill (buf, 0, avc_data + 0x8, size);
75+ avc_data + 8 + 1, size - 8 - 1);
76+ buf = gst_buffer_new_and_alloc (size - 8);
77+ gst_buffer_fill (buf, 0, avc_data + 8, size - 8);
78 gst_caps_set_simple (entry->caps,
79 "codec_data", GST_TYPE_BUFFER, buf, NULL);
80 gst_buffer_unref (buf);
81@@ -11726,6 +11718,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
82 {
83 GstBuffer *buf;
84
85+ if (size < 8 + 40 + 1)
86+ break;
87+
88 GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd");
89
90 /* First 4 bytes are the length of the atom, the next 4 bytes
91@@ -11733,17 +11728,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
92 * next 1 byte is the version, and the
93 * subsequent bytes are sequence parameter set like data. */
94
95- size -= 40; /* we'll be skipping BITMAPINFOHEADER */
96- if (size > 1) {
97- gst_codec_utils_h264_caps_set_level_and_profile
98- (entry->caps, avc_data + 8 + 40 + 1, size - 1);
99+ gst_codec_utils_h264_caps_set_level_and_profile
100+ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1);
101
102- buf = gst_buffer_new_and_alloc (size);
103- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size);
104- gst_caps_set_simple (entry->caps,
105- "codec_data", GST_TYPE_BUFFER, buf, NULL);
106- gst_buffer_unref (buf);
107- }
108+ buf = gst_buffer_new_and_alloc (size - 8 - 40);
109+ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40);
110+ gst_caps_set_simple (entry->caps,
111+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
112+ gst_buffer_unref (buf);
113 break;
114 }
115 case FOURCC_btrt:
116@@ -11751,11 +11743,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
117 guint avg_bitrate, max_bitrate;
118
119 /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */
120- if (size < 12)
121+ if (size < 8 + 12)
122 break;
123
124- max_bitrate = QT_UINT32 (avc_data + 0xc);
125- avg_bitrate = QT_UINT32 (avc_data + 0x10);
126+ max_bitrate = QT_UINT32 (avc_data + 8 + 4);
127+ avg_bitrate = QT_UINT32 (avc_data + 8 + 8);
128
129 if (!max_bitrate && !avg_bitrate)
130 break;
131@@ -11787,8 +11779,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
132 break;
133 }
134
135- len -= size + 8;
136- avc_data += size + 8;
137+ len -= size;
138+ avc_data += size;
139 }
140
141 break;
142@@ -11799,44 +11791,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
143 case FOURCC_dvh1:
144 case FOURCC_dvhe:
145 {
146- guint len = QT_UINT32 (stsd_entry_data);
147+ guint32 len = QT_UINT32 (stsd_entry_data);
148 len = len <= 0x56 ? 0 : len - 0x56;
149 const guint8 *hevc_data = stsd_entry_data + 0x56;
150
151 /* find hevc */
152- while (len >= 0x8) {
153- guint size;
154+ while (len >= 8) {
155+ guint32 size = QT_UINT32 (hevc_data);
156
157- if (QT_UINT32 (hevc_data) <= 0x8)
158- size = 0;
159- else if (QT_UINT32 (hevc_data) <= len)
160- size = QT_UINT32 (hevc_data) - 0x8;
161- else
162- size = len - 0x8;
163+ if (size < 8 || size > len)
164+ break;
165
166- /* No real data, so skip */
167- if (size < 1) {
168- len -= 8;
169- hevc_data += 8;
170- continue;
171- }
172-
173- switch (QT_FOURCC (hevc_data + 0x4)) {
174+ switch (QT_FOURCC (hevc_data + 4)) {
175 case FOURCC_hvcC:
176 {
177 /* parse, if found */
178 GstBuffer *buf;
179
180+ if (size < 8 + 1)
181+ break;
182+
183 GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd");
184
185 /* First 4 bytes are the length of the atom, the next 4 bytes
186 * are the fourcc, the next 1 byte is the version, and the
187 * subsequent bytes are sequence parameter set like data. */
188 gst_codec_utils_h265_caps_set_level_tier_and_profile
189- (entry->caps, hevc_data + 8 + 1, size - 1);
190+ (entry->caps, hevc_data + 8 + 1, size - 8 - 1);
191
192- buf = gst_buffer_new_and_alloc (size);
193- gst_buffer_fill (buf, 0, hevc_data + 0x8, size);
194+ buf = gst_buffer_new_and_alloc (size - 8);
195+ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8);
196 gst_caps_set_simple (entry->caps,
197 "codec_data", GST_TYPE_BUFFER, buf, NULL);
198 gst_buffer_unref (buf);
199@@ -11845,8 +11829,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
200 default:
201 break;
202 }
203- len -= size + 8;
204- hevc_data += size + 8;
205+ len -= size;
206+ hevc_data += size;
207 }
208 break;
209 }
210@@ -12226,36 +12210,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
211 }
212 case FOURCC_vc_1:
213 {
214- guint len = QT_UINT32 (stsd_entry_data);
215+ guint32 len = QT_UINT32 (stsd_entry_data);
216 len = len <= 0x56 ? 0 : len - 0x56;
217 const guint8 *vc1_data = stsd_entry_data + 0x56;
218
219 /* find dvc1 */
220 while (len >= 8) {
221- guint size;
222+ guint32 size = QT_UINT32 (vc1_data);
223
224- if (QT_UINT32 (vc1_data) <= 8)
225- size = 0;
226- else if (QT_UINT32 (vc1_data) <= len)
227- size = QT_UINT32 (vc1_data) - 8;
228- else
229- size = len - 8;
230+ if (size < 8 || size > len)
231+ break;
232
233- /* No real data, so skip */
234- if (size < 1) {
235- len -= 8;
236- vc1_data += 8;
237- continue;
238- }
239-
240- switch (QT_FOURCC (vc1_data + 0x4)) {
241+ switch (QT_FOURCC (vc1_data + 4)) {
242 case GST_MAKE_FOURCC ('d', 'v', 'c', '1'):
243 {
244 GstBuffer *buf;
245
246 GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd");
247- buf = gst_buffer_new_and_alloc (size);
248- gst_buffer_fill (buf, 0, vc1_data + 8, size);
249+ buf = gst_buffer_new_and_alloc (size - 8);
250+ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8);
251 gst_caps_set_simple (entry->caps,
252 "codec_data", GST_TYPE_BUFFER, buf, NULL);
253 gst_buffer_unref (buf);
254@@ -12264,36 +12237,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
255 default:
256 break;
257 }
258- len -= size + 8;
259- vc1_data += size + 8;
260+ len -= size;
261+ vc1_data += size;
262 }
263 break;
264 }
265 case FOURCC_av01:
266 {
267- guint len = QT_UINT32 (stsd_entry_data);
268+ guint32 len = QT_UINT32 (stsd_entry_data);
269 len = len <= 0x56 ? 0 : len - 0x56;
270 const guint8 *av1_data = stsd_entry_data + 0x56;
271
272 /* find av1C */
273- while (len >= 0x8) {
274- guint size;
275+ while (len >= 8) {
276+ guint32 size = QT_UINT32 (av1_data);
277
278- if (QT_UINT32 (av1_data) <= 0x8)
279- size = 0;
280- else if (QT_UINT32 (av1_data) <= len)
281- size = QT_UINT32 (av1_data) - 0x8;
282- else
283- size = len - 0x8;
284+ if (size < 8 || size > len)
285+ break;
286
287- /* No real data, so skip */
288- if (size < 1) {
289- len -= 8;
290- av1_data += 8;
291- continue;
292- }
293-
294- switch (QT_FOURCC (av1_data + 0x4)) {
295+ switch (QT_FOURCC (av1_data + 4)) {
296 case FOURCC_av1C:
297 {
298 /* parse, if found */
299@@ -12303,7 +12265,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
300 "found av1C codec_data in stsd of size %d", size);
301
302 /* not enough data, just ignore and hope for the best */
303- if (size < 4)
304+ if (size < 8 + 4)
305 break;
306
307 /* Content is:
308@@ -12352,9 +12314,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
309 (gint) (pres_delay_field & 0x0F) + 1, NULL);
310 }
311
312- buf = gst_buffer_new_and_alloc (size);
313+ buf = gst_buffer_new_and_alloc (size - 8);
314 GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER);
315- gst_buffer_fill (buf, 0, av1_data + 8, size);
316+ gst_buffer_fill (buf, 0, av1_data + 8, size - 8);
317 gst_caps_set_simple (entry->caps,
318 "codec_data", GST_TYPE_BUFFER, buf, NULL);
319 gst_buffer_unref (buf);
320@@ -12372,8 +12334,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
321 break;
322 }
323
324- len -= size + 8;
325- av1_data += size + 8;
326+ len -= size;
327+ av1_data += size;
328 }
329
330 break;
331@@ -12384,29 +12346,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
332 * vp08, vp09, and vp10 fourcc. */
333 case FOURCC_vp09:
334 {
335- guint len = QT_UINT32 (stsd_entry_data);
336+ guint32 len = QT_UINT32 (stsd_entry_data);
337 len = len <= 0x56 ? 0 : len - 0x56;
338 const guint8 *vpcc_data = stsd_entry_data + 0x56;
339
340 /* find vpcC */
341- while (len >= 0x8) {
342- guint size;
343+ while (len >= 8) {
344+ guint32 size = QT_UINT32 (vpcc_data);
345
346- if (QT_UINT32 (vpcc_data) <= 0x8)
347- size = 0;
348- else if (QT_UINT32 (vpcc_data) <= len)
349- size = QT_UINT32 (vpcc_data) - 0x8;
350- else
351- size = len - 0x8;
352+ if (size < 8 || size > len)
353+ break;
354
355- /* No real data, so skip */
356- if (size < 1) {
357- len -= 8;
358- vpcc_data += 8;
359- continue;
360- }
361-
362- switch (QT_FOURCC (vpcc_data + 0x4)) {
363+ switch (QT_FOURCC (vpcc_data + 4)) {
364 case FOURCC_vpcC:
365 {
366 const gchar *profile_str = NULL;
367@@ -12422,7 +12373,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
368
369 /* the meaning of "size" is length of the atom body, excluding
370 * atom length and fourcc fields */
371- if (size < 12)
372+ if (size < 8 + 12)
373 break;
374
375 /* Content is:
376@@ -12528,8 +12479,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
377 break;
378 }
379
380- len -= size + 8;
381- vpcc_data += size + 8;
382+ len -= size;
383+ vpcc_data += size;
384 }
385
386 break;
387@@ -12870,7 +12821,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
388 }
389 case FOURCC_wma_:
390 {
391- guint len = QT_UINT32 (stsd_entry_data);
392+ guint32 len = QT_UINT32 (stsd_entry_data);
393 len = len <= offset ? 0 : len - offset;
394 const guint8 *wfex_data = stsd_entry_data + offset;
395 const gchar *codec_name = NULL;
396@@ -12895,21 +12846,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
397
398 /* find wfex */
399 while (len >= 8) {
400- guint size;
401+ guint32 size = QT_UINT32 (wfex_data);
402
403- if (QT_UINT32 (wfex_data) <= 0x8)
404- size = 0;
405- else if (QT_UINT32 (wfex_data) <= len)
406- size = QT_UINT32 (wfex_data) - 8;
407- else
408- size = len - 8;
409-
410- /* No real data, so skip */
411- if (size < 1) {
412- len -= 8;
413- wfex_data += 8;
414- continue;
415- }
416+ if (size < 8 || size > len)
417+ break;
418
419 switch (QT_FOURCC (wfex_data + 4)) {
420 case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'):
421@@ -12954,12 +12894,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
422 "width", G_TYPE_INT, wfex.wBitsPerSample,
423 "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL);
424
425- if (size > wfex.cbSize) {
426+ if (size > 8 + wfex.cbSize) {
427 GstBuffer *buf;
428
429- buf = gst_buffer_new_and_alloc (size - wfex.cbSize);
430+ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize);
431 gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize,
432- size - wfex.cbSize);
433+ size - 8 - wfex.cbSize);
434 gst_caps_set_simple (entry->caps,
435 "codec_data", GST_TYPE_BUFFER, buf, NULL);
436 gst_buffer_unref (buf);
437@@ -12976,8 +12916,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
438 default:
439 break;
440 }
441- len -= size + 8;
442- wfex_data += size + 8;
443+ len -= size;
444+ wfex_data += size;
445 }
446 break;
447 }
448--
4492.30.2
450
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
new file mode 100644
index 0000000000..53867a8970
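--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
@@ -0,0 +1,56 @@
+From da3b4e903ae990193988a873368bdd1865350521 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 09:47:50 +0300
+Subject: [PATCH 09/13] qtdemux: Fix error handling when parsing cenc sample
+ groups fails
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47544
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da3b4e903ae990193988a873368bdd1865350521]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 94ce75b2d4..e7a79be45b 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -11400,12 +11400,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ if (stream->subtype != FOURCC_soun) {
+ GST_ERROR_OBJECT (qtdemux,
+ "Unexpeced stsd type 'aavd' outside 'soun' track");
++ goto corrupt_file;
+ } else {
+ /* encrypted audio with sound sample description v0 */
+ GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
+ stream->protected = TRUE;
+- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc))
++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) {
+ GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
++ goto corrupt_file;
++ }
+ }
+ }
+
+@@ -11414,8 +11417,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
+ * with the same type */
+ GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
+ stream->protected = TRUE;
+- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc))
++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) {
+ GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
++ goto corrupt_file;
++ }
+ }
+
+ if (stream->subtype == FOURCC_vide) {
+--
+2.30.2
+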
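Review bot: The two failure paths that now end in `goto corrupt_file` log the identical text "Failed to parse protection scheme info", so a rejected file cannot be attributed to the 'aavd' branch or the generic protection-scheme branch from the log alone. Since both are now fatal, a distinct message in the first branch would make triage of malformed inputs easier, for example `GST_ERROR_OBJECT (qtdemux, "Failed to parse 'aavd' protection info");`. qtdemux_parse_trak starts and ends outside both hunks, so what the corrupt_file label itself reports is not visible here.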
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
new file mode 100644
index 0000000000..52416b412f
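--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
@@ -0,0 +1,49 @@
+From 20503e5dd90e21ef170488b2a8b8529ae8a4cab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 10:38:50 +0300
+Subject: [PATCH 10/13] qtdemux: Make sure there are enough offsets to read
+ when parsing samples
+
+While this specific case is also caught when initializing co_chunk, the error
+is ignored in various places and calling into the function would lead to out of
+bounds reads if the error message doesn't cause the pipeline to be shut down
+fast enough.
+
+To avoid this, no matter what, make sure enough offsets are available when
+parsing them. While this is potentially slower, the same is already done in the
+non-chunks_are_samples case.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-245
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47597
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20503e5dd90e21ef170488b2a8b8529ae8a4cab9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index e7a79be45b..5277952c5e 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -10066,9 +10066,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n)
+ goto done;
+ }
+
+- cur->offset =
+- qt_atom_parser_get_offset_unchecked (&stream->co_chunk,
+- stream->co_size);
++ if (!qt_atom_parser_get_offset (&stream->co_chunk,
++ stream->co_size, &cur->offset))
++ goto corrupt_file;
+
+ GST_LOG_OBJECT (qtdemux, "Created entry %d with offset "
+ "%" G_GUINT64_FORMAT, j, cur->offset);
+--
+2.30.2
+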
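Review bot: The reason for switching to the bounds-checked `qt_atom_parser_get_offset` exists only in the commit message, so a later reader of qtdemux_parse_samples could swap the unchecked variant back in as an optimisation. A short comment above the new `if` would keep that rationale with the code, for example `/* co_chunk is validated at init, but that error can be ignored by callers; check every read */`. The function body starts and ends outside the hunk.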
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch
new file mode 100644
index 0000000000..c57a3d6dac
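--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch
@@ -0,0 +1,97 @@
+From ed254790331a3fba2f68255a8f072552d622aac1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 10:39:30 +0300
+Subject: [PATCH 11/13] qtdemux: Actually handle errors returns from various
+ functions instead of ignoring them
+
+Ignoring them might cause the element to continue as if all is fine despite the
+internal state being inconsistent. This can lead to all kinds of follow-up
+issues, including memory safety issues.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-245
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47597
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed254790331a3fba2f68255a8f072552d622aac1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 5277952c5e..1de70f184f 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -4853,10 +4853,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux)
+ beach:
+ if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) {
+ /* digested all data, show what we have */
+- qtdemux_prepare_streams (qtdemux);
++ ret = qtdemux_prepare_streams (qtdemux);
++ if (ret != GST_FLOW_OK)
++ return ret;
++
+ QTDEMUX_EXPOSE_LOCK (qtdemux);
+ ret = qtdemux_expose_streams (qtdemux);
+ QTDEMUX_EXPOSE_UNLOCK (qtdemux);
++ if (ret != GST_FLOW_OK)
++ return ret;
+
+ qtdemux->state = QTDEMUX_STATE_MOVIE;
+ GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)",
+@@ -7548,13 +7553,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force)
+ gst_qtdemux_stream_concat (demux,
+ demux->old_streams, demux->active_streams);
+
+- qtdemux_parse_moov (demux, data, demux->neededbytes);
++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) {
++ ret = GST_FLOW_ERROR;
++ break;
++ }
+ qtdemux_node_dump (demux, demux->moov_node);
+ qtdemux_parse_tree (demux);
+- qtdemux_prepare_streams (demux);
++ ret = qtdemux_prepare_streams (demux);
++ if (ret != GST_FLOW_OK)
++ break;
++
+ QTDEMUX_EXPOSE_LOCK (demux);
+- qtdemux_expose_streams (demux);
++ ret = qtdemux_expose_streams (demux);
+ QTDEMUX_EXPOSE_UNLOCK (demux);
++ if (ret != GST_FLOW_OK)
++ break;
+
+ demux->got_moov = TRUE;
+
+@@ -7645,8 +7658,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force)
+ /* in MSS we need to expose the pads after the first moof as we won't get a moov */
+ if (demux->variant == VARIANT_MSS_FRAGMENTED && !demux->exposed) {
+ QTDEMUX_EXPOSE_LOCK (demux);
+- qtdemux_expose_streams (demux);
++ ret = qtdemux_expose_streams (demux);
+ QTDEMUX_EXPOSE_UNLOCK (demux);
++ if (ret != GST_FLOW_OK)
++ goto done;
+ }
+
+ gst_qtdemux_check_send_pending_segment (demux);
+@@ -13760,8 +13775,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux)
+
+ /* parse the initial sample for use in setting the frame rate cap */
+ while (sample_num == 0 && sample_num < stream->n_samples) {
+- if (!qtdemux_parse_samples (qtdemux, stream, sample_num))
++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) {
++ ret = GST_FLOW_ERROR;
+ break;
++ }
+ ++sample_num;
+ }
+ }
+--
+2.30.2
+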
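Review bot: In the first gst_qtdemux_process_adapter hunk, `qtdemux_parse_tree (demux);` is still called as a bare statement between the now-checked qtdemux_parse_moov() and qtdemux_prepare_streams(), so a failure there would carry on into stream preparation with whatever state had been built. Its declaration is outside the hunk; if it reports a boolean status, it should be handled like its neighbours, e.g. `if (!qtdemux_parse_tree (demux)) { ret = GST_FLOW_ERROR; break; }`. Separately, in the qtdemux_prepare_streams hunk the added `break` leaves only the inner `while`, and the enclosing loop is not visible here, so it is worth confirming that `ret` cannot be overwritten by a later iteration before the function returns.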
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch
new file mode 100644
index 0000000000..61f5ce3787
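--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch
@@ -0,0 +1,36 @@
+From 3153fda823cb91b1031dae69738c6c5d526fb6e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 19:16:19 +0300
+Subject: [PATCH 12/13] qtdemux: Check for invalid atom length when extracting
+ Closed Caption data
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-243
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47546
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3153fda823cb91b1031dae69738c6c5d526fb6e1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 1de70f184f..8850d09321 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -5827,7 +5827,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size,
+ goto invalid_cdat;
+ atom_length = QT_UINT32 (data);
+ fourcc = QT_FOURCC (data + 4);
+- if (G_UNLIKELY (atom_length > size || atom_length == 8))
++ if (G_UNLIKELY (atom_length > size || atom_length <= 8))
+ goto invalid_cdat;
+
+ GST_DEBUG_OBJECT (stream->pad, "here");
+--
+2.30.2
+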
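Review bot: The tightened test `atom_length <= 8` has no comment saying what the 8 stands for, which is how the earlier `== 8` form let lengths 0 through 7 pass. Judging by the `QT_UINT32 (data)` and `QT_FOURCC (data + 4)` reads just above, it is the size of the length and fourcc header, so a comment such as `/* atom_length includes the 8-byte size + fourcc header; header-only or shorter atoms carry no payload */` above the check would document the lower bound. The code that consumes `atom_length` is outside the hunk.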
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
new file mode 100644
index 0000000000..b46f295c46
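--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
@@ -0,0 +1,37 @@
+From 3ce1b812a9531611288af286b5dc6631a11e3f4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 00:31:36 +0300
+Subject: [PATCH 13/13] qtdemux: Add size check for parsing SMI / SEQH atom
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-244
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109>
+
+CVE: CVE-2024-47596
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3ce1b812a9531611288af286b5dc6631a11e3f4a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst/isomp4/qtdemux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 8850d09321..dc70287a8a 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -10629,8 +10629,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux,
+ GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom "
+ " found, ignoring");
+ } else {
++ /* Note: The size does *not* include the fourcc and the size field itself */
+ seqh_size = QT_UINT32 (data + 4);
+- if (seqh_size > 0) {
++ if (seqh_size > 0 && seqh_size <= size - 8) {
+ _seqh = gst_buffer_new_and_alloc (seqh_size);
+ gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
+ }
+--
+2.30.2
+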
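Review bot: The new bound `seqh_size <= size - 8` is only safe when `size` is at least 8; if `size` is an unsigned type and smaller than that, the subtraction wraps and the check accepts any `seqh_size`, leaving the `gst_buffer_fill` from `data + 8` unbounded again. The declaration of `size` and any earlier lower-bound check are outside the hunk, so this may already be guaranteed by the caller. If it is not, the guard should carry the lower bound itself: `if (seqh_size > 0 && size >= 8 && seqh_size <= size - 8) {`.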
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
index 8099d70791..94c34cf908 100644
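--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.22.12.bb
@@ -6,7 +6,21 @@ BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues
 
 SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \
  file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \
- file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch"
+ file://0001-v4l2-Define-ioctl_req_t-for-posix-linux-case.patch \
+ file://0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch \
+ file://0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch \
+ file://0003-qtdemux-Fix-debug-output-during-trun-parsing.patch \
+ file://0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch \
+ file://0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch \
+ file://0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch \
+ file://0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch \
+ file://0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch \
+ file://0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch \
+ file://0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch \
+ file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \
+ file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \
+ file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \
+ "
 
 SRC_URI[sha256sum] = "9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7"
 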