From a74d32a9af47f1945c0e10a029bfc9a2032d0d10 Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Fri, 15 Dec 2023 14:51:05 +0800 Subject: [PATCH] Fix CVE-2023-44446,CVE-2023-37329 (cherry picked from commit 871e6774a1f14ec3db8768fad9bb09f91230f9f4) --- CVE-2023-37329.patch | 63 +++++++ CVE-2023-44446.patch | 305 +++++++++++++++++++++++++++++++ gstreamer1-plugins-bad-free.spec | 18 +- 3 files changed, 384 insertions(+), 2 deletions(-) create mode 100644 CVE-2023-37329.patch create mode 100644 CVE-2023-44446.patch diff --git a/CVE-2023-37329.patch b/CVE-2023-37329.patch new file mode 100644 index 0000000..da8f36f --- /dev/null +++ b/CVE-2023-37329.patch 
@@ -0,0 +1,63 @@ +From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 14:23:47 +0300 +Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the + available data + +If the size read from the stream is smaller than the currently available +data then the size is bogus and the data should simply be discarded. + +Fixes ZDI-CAN-20994 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660 + +Part-of: +--- + gst/dvdspu/gstspu-pgs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c +index e609a284df9..e29f4f18826 100644 +--- a/gst/dvdspu/gstspu-pgs.c ++++ b/gst/dvdspu/gstspu-pgs.c +@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, + obj->rle_data_size = GST_READ_UINT24_BE (payload); + payload += 3; + ++ if (end - payload > obj->rle_data_size) ++ return 0; ++ + PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n", + (int) (end - payload), obj->rle_data_size); + +-- +GitLab + + +From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 13 Jun 2023 14:25:04 +0300 +Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough + data is available + +Part-of: +--- + subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c +index e29f4f18826..49db6d13d8b 100644 +--- a/gst/dvdspu/gstspu-pgs.c ++++ b/gst/dvdspu/gstspu-pgs.c +@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, + PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload)); + /* Check that the data chunk is for this object version, and fits in the buffer */ + if (obj->rle_data_ver == obj_ver && +- obj->rle_data_used + end - payload <= obj->rle_data_size) { 
++ end - payload <= obj->rle_data_size && ++ obj->rle_data_used <= obj->rle_data_size - (end - payload)) { + + memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload); + obj->rle_data_used += end - payload; +-- +GitLab + diff --git a/CVE-2023-44446.patch b/CVE-2023-44446.patch new file mode 100644 index 0000000..52e3b15 --- /dev/null +++ b/CVE-2023-44446.patch 
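Review bot: The overflow-safe condition added in PATCH 2/2, `end - payload <= obj->rle_data_size && obj->rle_data_used <= obj->rle_data_size - (end - payload)`, is only sound because `&&` short-circuits: the subtraction in the second term cannot wrap once the first comparison holds, and the comment above it still reads as a single "fits in the buffer" check without recording that ordering. I would extend the existing comment to `/* Check that the data chunk is for this object version, and fits in the buffer; the first size test keeps the subtraction below from wrapping, so keep the order */`. parse_set_object_data begins and ends outside both hunks, so what state is left behind by the early `return 0;` that PATCH 1/2 adds cannot be checked here. Separately, PATCH 2/2's diffstat names `subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c` while its `diff --git` header uses `gst/dvdspu/gstspu-pgs.c`, and both `Part-of:` trailers are empty, which suggests the patch was hand-adapted from the upstream MR; an explicit upstream reference in the patch header would keep that provenance verifiable.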
@@ -0,0 +1,305 @@ +From 2c92454ec06ce2c17aceceb14b1db006410791a7 Mon Sep 17 00:00:00 2001 +From: peijiankang +Date: Mon, 20 Nov 2023 16:25:54 +0800 +Subject: [PATCH] CVE-2023-44446 + +--- + gst/mxf/mxfdemux.c | 112 +++++++++++++++++++-------------------------- + gst/mxf/mxfdemux.h | 2 +- + 2 files changed, 49 insertions(+), 65 deletions(-) + +diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c +index f6e5ac0..6dd0acb 100644 +--- a/gst/mxf/mxfdemux.c ++++ b/gst/mxf/mxfdemux.c +@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition) + } + + static void +-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) ++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t) + { +- guint i; ++ if (t->offsets) ++ g_array_free (t->offsets, TRUE); ++ ++ g_free (t->mapping_data); ++ ++ if (t->tags) ++ gst_tag_list_unref (t->tags); ++ ++ if (t->caps) ++ gst_caps_unref (t->caps); ++ ++ g_free (t); ++} + ++static void ++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) ++{ + GST_DEBUG_OBJECT (demux, "Resetting MXF state"); + + g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free, +@@ -166,23 +181,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) + demux->partitions = NULL; + + demux->current_partition = NULL; +- +- for (i = 0; i < demux->essence_tracks->len; i++) { +- GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); +- +- if (t->offsets) +- g_array_free (t->offsets, TRUE); +- +- g_free (t->mapping_data); +- +- if (t->tags) +- gst_tag_list_unref (t->tags); +- +- if (t->caps) +- gst_caps_unref (t->caps); +- } +- g_array_set_size (demux->essence_tracks, 0); ++ g_ptr_array_set_size (demux->essence_tracks, 0); + } + + static void +@@ -200,7 +199,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *track = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ 
g_ptr_array_index (demux->essence_tracks, i); + + track->source_package = NULL; + track->source_track = NULL; +@@ -713,8 +712,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + for (k = 0; k < demux->essence_tracks->len; k++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- k); ++ g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->track_number == track->parent.track_number && + tmp->body_sid == edata->body_sid) { +@@ -732,24 +730,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + } + + if (!etrack) { +- GstMXFDemuxEssenceTrack tmp; ++ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1); + +- memset (&tmp, 0, sizeof (tmp)); +- tmp.body_sid = edata->body_sid; +- tmp.index_sid = edata->index_sid; +- tmp.track_number = track->parent.track_number; +- tmp.track_id = track->parent.track_id; +- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32); ++ tmp->body_sid = edata->body_sid; ++ tmp->index_sid = edata->index_sid; ++ tmp->track_number = track->parent.track_number; ++ tmp->track_id = track->parent.track_id; ++ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32); + + if (demux->current_partition->partition.body_sid == edata->body_sid && + demux->current_partition->partition.body_offset == 0) +- tmp.position = 0; ++ tmp->position = 0; + else +- tmp.position = -1; ++ tmp->position = -1; + +- g_array_append_val (demux->essence_tracks, tmp); ++ g_ptr_array_add (demux->essence_tracks, tmp); + etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, ++ g_ptr_array_index (demux->essence_tracks, + demux->essence_tracks->len - 1); + new = TRUE; + } +@@ -876,13 +873,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + next: + if (new) { +- g_free (etrack->mapping_data); +- if (etrack->tags) +- gst_tag_list_unref (etrack->tags); +- if (etrack->caps) +- gst_caps_unref (etrack->caps); +- +- g_array_remove_index 
(demux->essence_tracks, ++ g_ptr_array_remove_index (demux->essence_tracks, + demux->essence_tracks->len - 1); + } + } +@@ -895,7 +886,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (!etrack->source_package || !etrack->source_track || !etrack->caps) { + GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i); +@@ -1117,7 +1108,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux) + + for (k = 0; k < demux->essence_tracks->len; k++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); ++ g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->source_package == source_package && + tmp->source_track == source_track) { +@@ -1598,8 +1589,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad, + pad->current_essence_track = NULL; + + for (k = 0; k < demux->essence_tracks->len; k++) { +- GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); ++ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->source_package == source_package && + tmp->source_track == source_track) { +@@ -1731,7 +1721,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux, + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (tmp->body_sid == demux->current_partition->partition.body_sid && + (tmp->track_number == track_number || tmp->track_number == 0)) { +@@ -2656,7 +2646,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key, + + for (i = 0; i < demux->essence_tracks->len; i++) { + 
GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (etrack->body_sid != demux->current_partition->partition.body_sid) + continue; +@@ -2719,7 +2709,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key, + guint i; + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (etrack->body_sid != demux->current_partition->partition.body_sid) + continue; +@@ -2913,8 +2903,7 @@ from_index: + gst_mxf_demux_set_partition_for_offset (demux, demux->offset); + + for (i = 0; i < demux->essence_tracks->len; i++) { +- GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); + + if (index_start_position != -1 && t == etrack) + t->position = index_start_position; +@@ -2937,8 +2926,7 @@ from_index: + if (ret == GST_FLOW_EOS) { + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -3020,7 +3008,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -3627,8 +3615,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event) + } + + for (i = 0; i < demux->essence_tracks->len; i++) { +- GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ 
GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + +@@ -4001,8 +3988,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event) + } + + for (i = 0; i < demux->essence_tracks->len; i++) { +- GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + +@@ -4284,7 +4270,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -4325,8 +4311,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + etrack->position = -1; + } + ret = TRUE; +@@ -4350,8 +4335,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + demux->current_partition = NULL; +@@ -4624,7 +4608,7 @@ gst_mxf_demux_finalize (GObject * object) + + g_ptr_array_free (demux->src, TRUE); + demux->src = NULL; +- g_array_free (demux->essence_tracks, TRUE); ++ g_ptr_array_free (demux->essence_tracks, TRUE); + demux->essence_tracks = NULL; + + g_hash_table_destroy (demux->metadata); +@@ -4701,8 +4685,8 @@ gst_mxf_demux_init (GstMXFDemux * demux) + g_rw_lock_init (&demux->metadata_lock); + + demux->src = g_ptr_array_new (); +- 
demux->essence_tracks = +- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack)); ++ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify) ++ gst_mxf_demux_essence_track_free); + + gst_segment_init (&demux->segment, GST_FORMAT_TIME); + +diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h +index aac3e67..a452980 100644 +--- a/gst/mxf/mxfdemux.h ++++ b/gst/mxf/mxfdemux.h +@@ -182,7 +182,7 @@ struct _GstMXFDemux + GList *partitions; + GstMXFDemuxPartition *current_partition; + +- GArray *essence_tracks; ++ GPtrArray *essence_tracks; + + GList *pending_index_table_segments; + GList *index_tables; /* one per BodySID / IndexSID */ +-- +2.41.0 + diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec index 66c7074..f479e97 100644 --- a/gstreamer1-plugins-bad-free.spec +++ b/gstreamer1-plugins-bad-free.spec @@ -3,7 +3,7 @@ Name: gstreamer1-plugins-bad-free Version: 1.16.2 -Release: 6 +Release: 9 Summary: Not well tested plugins for GStreamer framework License: LGPLv2+ and LGPLv2 URL: http://gstreamer.freedesktop.org/ @@ -17,6 +17,10 @@ Patch0003: CVE-2023-40474.patch Patch0004: CVE-2023-40475.patch # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9 Patch0005: CVE-2023-40476.patch +#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 +Patch0006: CVE-2023-44446.patch +#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch +Patch0007: CVE-2023-37329.patch BuildRequires: gstreamer1-devel >= %{version} autoconf BuildRequires: gstreamer1-plugins-base-devel >= %{version} 
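Review bot: `gst_mxf_demux_essence_track_free` is introduced without a comment tying it to its one caller, the `g_ptr_array_new_with_free_func` call in gst_mxf_demux_init, yet that binding is what makes `g_ptr_array_set_size (demux->essence_tracks, 0)` in gst_mxf_demux_reset_mxf_state, `g_ptr_array_remove_index` in gst_mxf_demux_update_essence_tracks and `g_ptr_array_free (…, TRUE)` in gst_mxf_demux_finalize release each track. I would add `/* GDestroyNotify for demux->essence_tracks: releases the owned offsets, mapping_data, tags and caps, then the track itself. */` above the function. Because those calls now free heap-allocated tracks, a `pad->current_essence_track` that still refers to a removed track (the gst_mxf_demux_pad_set_component hunk shows pads holding such pointers) becomes a dangling pointer; the hunks do not show pads being cleared before the reset, so that should be confirmed against the callers of gst_mxf_demux_reset_mxf_state. The patch header carries only the CVE id as its subject and no upstream reference, so an origin line naming the upstream commit would make the backport auditable.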
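Review bot: The comment above `Patch0006: CVE-2023-44446.patch` cites upstream commit 7dfaa57b6f9b55f17ffe824bd8988bb71ae11353, but the patch file added in this commit is a locally authored backport (From: peijiankang, subject just `CVE-2023-44446`) with no upstream reference of its own, so the two cannot be matched without reading the code. I would keep the URL here and also record it in the patch header, and write the two new comments as `# https://…` to match the `# https://` form used for Patch0005. Whether Patch0006 and Patch0007 are actually applied depends on the %prep section, which is outside this hunk.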
@@ -31,6 +35,7 @@ BuildRequires: opus-devel nettle-devel libgcrypt-devel BuildRequires: gnutls-devel pkgconfig(gudev-1.0) pkgconfig(libusb-1.0) BuildRequires: gtk3-devel >= 3.4 bluez-libs-devel >= 5.0 libwebp-devel BuildRequires: mesa-libEGL-devel webrtc-audio-processing-devel gcc-g++ +BuildRequires: wayland-protocols-devel %if %{with extras} BuildRequires: libbs2b-devel >= 3.1.0 fluidsynth-devel libass-devel @@ -268,9 +273,18 @@ EOF %{_includedir}/gstreamer-%{majorminor}/gst/* %changelog -* Sat Oct 07 2023 yaoxin - 1.16.2-6 +* Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.16.2-9 +- Fix CVE-2023-44446,CVE-2023-37329 + +* Sat Dec 09 2023 douyan - 1.16.2-8 +- modify compilation failed about libgstwaylandsink.so + +* Sat Oct 07 2023 yaoxin - 1.16.2-7 - Fix CVE-2023-40474,CVE-2023-40475 and CVE-2023-40476 +* Tue Jun 14 2022 houyingchao - 1.16.2-6 +- Fix compilation failed + * Fri Jan 14 2022 pei-jiankang - 1.16.2-5 - modify complie error -- Gitee
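Review bot: The `BuildRequires: wayland-protocols-devel` added here is unrelated to the two CVE fixes named in the commit subject; it matches the 1.16.2-8 changelog entry (`modify compilation failed about libgstwaylandsink.so`) that this cherry-pick carries along. The subject and description should state that the commit also brings in the wayland build-dependency change, or that change should travel as its own commit, so that anyone tracing the CVE fixes does not have to work out from the diff which lines belong to which fix.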