2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
new file mode 100644
index 0000000000..4b514ff875
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
@@ -0,0 +1,64 @@
+From 537161868f36048571f400648ac7909f26c73d53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 13:43:06 +0300
+Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data
+ is available
+Thanks to Antonio Morales for finding and reporting the issue.
+Fixes GHSL-2024-235
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033>
+CVE: CVE-2024-47542
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/537161868f36048571f400648ac7909f26c73d53]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gst-libs/gst/tag/id3v2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c
+index 7db2cb7e12..70f975d133 100644
+--- a/gst-libs/gst/tag/id3v2.c
+++ b/gst-libs/gst/tag/id3v2.c
+@@ -29,7 +29,7 @@
+ 
+ #define HANDLE_INVALID_SYNCSAFE
+ 
+-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
+static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
+ 
+ #ifndef GST_DISABLE_GST_DEBUG
+ 
+@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
+     GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
+   }
+ 
+-  id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
+  id3v2_frames_to_tag_list (&work);
+ 
+   g_free (uu_data);
+ 
+@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
+ }
+ 
+ static gboolean
+-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
+id3v2_frames_to_tag_list (ID3TagsWorking * work)
+ {
+   guint frame_hdr_size;
+ 
+   /* Extended header if present */
+   if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
+    if (work->hdr.frame_data_size < 4) {
+      GST_DEBUG ("Tag has no extended header data. Broken tag");
+      return FALSE;
+    }
+
+     work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
+ 
+     /* In id3v2.4.x the header size is the size of the *whole*
+-- 
+2.30.2
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb
index e65de0036d..793b8afc3d 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
           file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \
           file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \
           file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \
+           file://0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch \
           "
 SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1"

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch new file mode 100644 index 0000000000..4b514ff875 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch
@@ -0,0 +1,64 @@
		1	From 537161868f36048571f400648ac7909f26c73d53 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Thu, 26 Sep 2024 13:43:06 +0300
		4	Subject: [PATCH] id3v2: Don't try parsing extended header if not enough data
		5	is available
		6
		7	Thanks to Antonio Morales for finding and reporting the issue.
		8
		9	Fixes GHSL-2024-235
		10	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3842
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033>
		13
		14	CVE: CVE-2024-47542
		15	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/537161868f36048571f400648ac7909f26c73d53]
		16	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		17	---
		18	gst-libs/gst/tag/id3v2.c \| 11 ++++++++---
		19	1 file changed, 8 insertions(+), 3 deletions(-)
		20
		21	diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c
		22	index 7db2cb7e12..70f975d133 100644
		23	--- a/gst-libs/gst/tag/id3v2.c
		24	+++ b/gst-libs/gst/tag/id3v2.c
		25	@@ -29,7 +29,7 @@
		26
		27	#define HANDLE_INVALID_SYNCSAFE
		28
		29	-static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size);
		30	+static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work);
		31
		32	#ifndef GST_DISABLE_GST_DEBUG
		33
		34	@@ -258,7 +258,7 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
		35	GST_MEMDUMP ("ID3v2 tag (un-unsyced)", uu_data, work.hdr.frame_data_size);
		36	}
		37
		38	- id3v2_frames_to_tag_list (&work, work.hdr.frame_data_size);
		39	+ id3v2_frames_to_tag_list (&work);
		40
		41	g_free (uu_data);
		42
		43	@@ -440,12 +440,17 @@ id3v2_add_id3v2_frame_blob_to_taglist (ID3TagsWorking * work,
		44	}
		45
		46	static gboolean
		47	-id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size)
		48	+id3v2_frames_to_tag_list (ID3TagsWorking * work)
		49	{
		50	guint frame_hdr_size;
		51
		52	/* Extended header if present */
		53	if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
		54	+ if (work->hdr.frame_data_size < 4) {
		55	+ GST_DEBUG ("Tag has no extended header data. Broken tag");
		56	+ return FALSE;
		57	+ }
		58	+
		59	work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
		60
		61	/* In id3v2.4.x the header size is the size of the whole
		62	--
		63	2.30.2
		64


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index e65de0036d..793b8afc3d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb
@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
16	file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \	16	file://0007-oggstream-review-and-fix-per-format-min_packet_size.patch \
17	file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \	17	file://0008-ssaparse-Search-for-closing-brace-after-opening-brac.patch \
18	file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \	18	file://0009-ssaparse-Don-t-use-strstr-on-strings-that-are-potent.patch \
		19	file://0010-id3v2-Don-t-try-parsing-extended-header-if-not-enoug.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1"	21	SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1"
21		22