From 6508c2019c8a13b08ff51486cb6c1f8a291d02a5 Mon Sep 17 00:00:00 2001
From: zhuhongbo
Date: Tue, 7 Jan 2025 14:14:54 +0800
Subject: [PATCH] fix cve CVE-2024-47615
---
0001-cve-fix-CVE-2024-47615.patch | 160 ++++++++++++++++++++++++++++++
gstreamer1-plugins-good.spec | 11 +-
2 files changed, 169 insertions(+), 2 deletions(-)
create mode 100644 0001-cve-fix-CVE-2024-47615.patch
diff --git a/0001-cve-fix-CVE-2024-47615.patch b/0001-cve-fix-CVE-2024-47615.patch
new file mode 100644
index 0000000..69a8efb
--- /dev/null
+++ b/0001-cve-fix-CVE-2024-47615.patch
@@ -0,0 +1,160 @@
+From f76631ad9a22c3dcd7c7fa41d2cd9e21c3c15a18 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Fri, 27 Dec 2024 09:45:33 +0800
+Subject: [PATCH] cve: fix CVE-2024-47615
+
+---
+ ext/gdk_pixbuf/gstgdkpixbufdec.c | 6 ++++++
+ gst/isomp4/qtdemux.c | 16 ++++++++--------
+ gst/isomp4/qtdemux_dump.c | 5 +++++
+ gst/matroska/matroska-demux.c | 22 +++++++++++++++++++---
+ 4 files changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c
+index 1598c53..6dbb921 100644
+--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
+@@ -379,6 +379,12 @@ channels_not_supported:
+ ("%d channels not supported", n_channels));
+ return GST_FLOW_ERROR;
+ }
++format_not_supported:
++ {
++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
++ ("%d channels with %dx%d not supported", n_channels, width, height));
++ return GST_FLOW_ERROR;
++ }
+ no_buffer:
+ {
+ GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index ba36a9e..a0bd8e7 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -2983,6 +2983,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ gint i;
+ guint8 *data;
+ guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
++ guint new_n_samples;
+ QtDemuxSample *sample;
+ gboolean ismv = FALSE;
+ gint64 initial_offset;
+@@ -3082,14 +3083,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ goto fail;
+ data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
+
+- if (stream->n_samples + samples_count >=
+- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
+
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
+- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
+- (stream->n_samples + samples_count) *
+- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
++ new_n_samples, (guint) sizeof (QtDemuxSample),
++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+
+ /* create a new array of samples if it's the first sample parsed */
+ if (stream->n_samples == 0) {
+@@ -3098,7 +3098,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun,
+ /* or try to reallocate it with space enough to insert the new samples */
+ } else
+ stream->samples = g_try_renew (QtDemuxSample, stream->samples,
+- stream->n_samples + samples_count);
++ new_n_samples);
+ if (stream->samples == NULL)
+ goto out_of_memory;
+
+@@ -7056,7 +7056,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
+ end -= 8;
+
+ while (buf < end) {
+- gint size;
++ guint32 size;
+ guint32 type;
+
+ size = QT_UINT32 (buf);
+@@ -7064,7 +7064,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream,
+
+ GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
+
+- if (buf + size > end || size <= 0)
++ if (end - buf < size || size < 8)
+ break;
+
+ buf += 8;
+diff --git a/gst/isomp4/qtdemux_dump.c b/gst/isomp4/qtdemux_dump.c
+index 880bb74..efb8ea4 100644
+--- a/gst/isomp4/qtdemux_dump.c
++++ b/gst/isomp4/qtdemux_dump.c
+@@ -737,6 +737,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth)
+ GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags);
+ }
+
++ /* Nothing to print below */
++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS |
++ TR_COMPOSITION_TIME_OFFSETS)) == 0)
++ return TRUE;
++
+ for (i = 0; i < samples_count; i++) {
+ if (flags & TR_SAMPLE_DURATION) {
+ if (!gst_byte_reader_get_uint32_be (data, &sample_duration))
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index e419a70..203da98 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -2847,6 +2847,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ guint8 *buf_data, *data;
+ Wavpack4Header wvh;
+
++ if (!stream->codec_priv || stream->codec_priv_size < 2) {
++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
++ return GST_FLOW_ERROR;
++ }
++
+ wvh.ck_id[0] = 'w';
+ wvh.ck_id[1] = 'v';
+ wvh.ck_id[2] = 'p';
+@@ -2918,7 +2923,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ data += 4;
+ size -= 4;
+
+- while (size > 12) {
++ while (size >= 12) {
+ flags = GST_READ_UINT32_LE (data);
+ data += 4;
+ size -= 4;
+@@ -3784,6 +3789,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
+ if (stream->postprocess_frame) {
+ GST_LOG_OBJECT (demux, "running post process");
+ ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
++ if (ret != GST_FLOW_OK) {
++ gst_clear_buffer (&sub);
++ goto next_lace;
++ }
++
++ if (sub == NULL) {
++ GST_WARNING_OBJECT (demux,
++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
++ stream_num);
++ goto next_lace;
++ }
+ }
+
+ /* At this point, we have a sub-buffer pointing at data within a larger
+@@ -5687,8 +5704,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext *
+
+ /* 18 is the waveformatex size */
+ if (size > 18) {
+- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
+- data + 18, size - 18, 0, size - 18, NULL, NULL);
++ codec_data = gst_buffer_new_memdup (data + 18, size - 18);
+ }
+
+ if (riff_audio_fmt)
+--
+2.39.3
+
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index 9a2b10b..bd49b85 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
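Review bot: The `format_not_supported:` error block added to ext/gdk_pixbuf/gstgdkpixbufdec.c has no matching `goto format_not_supported;` anywhere in this patch: the diffstat gives that file six insertions, and all six are the label block itself. Unless the base file already jumps to it, the label is dead code and the condition it is meant to report is still unchecked, so this part of the fix looks incomplete. The check that detects the unsupported size and channel combination and ends in `goto format_not_supported;` should be added in the same change. The enclosing function starts outside the hunk, so where that check belongs cannot be judged from here.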
@@ -9,13 +9,14 @@ Name: gstreamer1-plugins-good Version: 1.10.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: GStreamer plugins with good code and licensing License: LGPLv2+ URL: http://gstreamer.freedesktop.org/ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-%{version}.tar.xz +Patch0: 0001-cve-fix-CVE-2024-47615.patch BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-plugins-base-devel >= %{version} @@ -88,13 +89,14 @@ to be installed. %prep %setup -q -n gst-plugins-good-%{version} +#%patch0 -p1 %build %configure --disable-silent-rules --disable-fatal-warnings \ --with-package-name='GStreamer-plugins-good package' \ --with-package-origin='http://www.redhat.com' \ --enable-experimental \ - --enable-gtk-doc \ + --disable-gtk-doc \ --enable-orc \ --disable-monoscope \ --disable-aalib \ @@ -259,6 +261,11 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' %changelog +* Wed Dec 25 2024 zhuhongbo - 1.10.4-3 +- cve: fix CVE-2024-47537 CVE-2024-47538 CVE-2024-47540 +- CVE-2024-47606 CVE-2024-47607 CVE-2024-47613 CVE-2024-47615 +- change enable gtk-doc to disable gtk-doc + * Thu Mar 09 2017 Wim Taymans - 1.10.4-2 - Fix origin Resolves: #1429577 -- Gitee
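Review bot: The `%prep` hunk adds the patch as `#%patch0 -p1`, which is commented out, so as written 0001-cve-fix-CVE-2024-47615.patch is carried in the source package but does not appear to be applied to the 1.10.4 sources. The new changelog entry still lists CVE-2024-47537, CVE-2024-47538, CVE-2024-47540, CVE-2024-47606, CVE-2024-47607, CVE-2024-47613 and CVE-2024-47615 as fixed in 1.10.4-3, so anything that tracks fixes through the changelog or release number would treat an unpatched build as patched. Either apply it with `%patch0 -p1` or drop the CVE claims from the changelog until it does apply and build. The patch also calls `gst_clear_buffer` and `gst_buffer_new_memdup`, which I believe were added to GStreamer after the 1.10 series, so enabling it may first need those calls replaced; verify against the packaged gstreamer1-devel.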