2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
new file mode 100644
index 0000000000..6265f4293e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
@@ -0,0 +1,42 @@
+From 394d5066f8a7b728df02fe9084e955b2f7d7f6fe Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Wed, 10 Jan 2024 03:33:59 +0900
+Subject: [PATCH] av1parser: Fix potential stack overflow during tile list
+ parsing
+The tile_count_minus_1 must be less than or equal to 511 as specified
+in spec "6.11.1 General tile list OBU semantics"
+Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971>
+CVE: CVE-2024-0444
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
+index 68f8a76..bab404e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -4352,6 +4352,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * parser,
+   tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
+  if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
+    GST_WARNING ("Invalid tile_count_minus_1 %d",
+        tile_list->tile_count_minus_1);
+    retval = GST_AV1_PARSER_BITSTREAM_ERROR;
+    goto error;
+  }
+
+   for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
+     if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
+       retval = GST_AV1_PARSER_NO_MORE_DATA;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 504cfce1fd..219ebe4fa7 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
           file://CVE-2023-40475.patch \
           file://CVE-2023-40476.patch \
           file://CVE-2023-44429.patch \
+           file://CVE-2024-0444.patch \
           "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch new file mode 100644 index 0000000000..6265f4293e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
@@ -0,0 +1,42 @@
		1	From 394d5066f8a7b728df02fe9084e955b2f7d7f6fe Mon Sep 17 00:00:00 2001
		2	From: Seungha Yang <seungha@centricular.com>
		3	Date: Wed, 10 Jan 2024 03:33:59 +0900
		4	Subject: [PATCH] av1parser: Fix potential stack overflow during tile list
		5	parsing
		6
		7	The tile_count_minus_1 must be less than or equal to 511 as specified
		8	in spec "6.11.1 General tile list OBU semantics"
		9
		10	Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873
		11
		12	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971>
		13
		14	CVE: CVE-2024-0444
		15
		16	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	gst-libs/gst/codecparsers/gstav1parser.c \| 7 +++++++
		21	1 file changed, 7 insertions(+)
		22
		23	diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
		24	index 68f8a76..bab404e 100644
		25	--- a/gst-libs/gst/codecparsers/gstav1parser.c
		26	+++ b/gst-libs/gst/codecparsers/gstav1parser.c
		27	@@ -4352,6 +4352,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * parser,
		28	tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
		29	tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
		30	tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
		31	+ if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
		32	+ GST_WARNING ("Invalid tile_count_minus_1 %d",
		33	+ tile_list->tile_count_minus_1);
		34	+ retval = GST_AV1_PARSER_BITSTREAM_ERROR;
		35	+ goto error;
		36	+ }
		37	+
		38	for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
		39	if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
		40	retval = GST_AV1_PARSER_NO_MORE_DATA;
		41	--
		42	2.40.0


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index 504cfce1fd..219ebe4fa7 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
14	file://CVE-2023-40475.patch \	14	file://CVE-2023-40475.patch \
15	file://CVE-2023-40476.patch \	15	file://CVE-2023-40476.patch \
16	file://CVE-2023-44429.patch \	16	file://CVE-2023-44429.patch \
		17	file://CVE-2024-0444.patch \
17	"	18	"
18	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"	19	SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
19		20