From 17c13e443471a3565e748d2525f5d90c9a99d6c2 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Wed, 18 Dec 2024 15:08:03 +0800 Subject: [PATCH] Fix cves --- CVE-2024-47537.patch | 58 +++ CVE-2024-47539.patch | 39 ++ CVE-2024-47540.patch | 51 +++ CVE-2024-47543.patch | 115 +++++ CVE-2024-47546.patch | 32 ++ CVE-2024-47596.patch | 33 ++ CVE-2024-47597-1.patch | 44 ++ CVE-2024-47597-2.patch | 93 ++++ CVE-2024-47598.patch | 58 +++ CVE-2024-47599.patch | 95 +++++ CVE-2024-47601-1.patch | 43 ++ CVE-2024-47601-2.patch | 44 ++ CVE-2024-47602.patch | 35 ++ CVE-2024-47603.patch | 35 ++ CVE-2024-47606.patch | 40 ++ CVE-2024-47613.patch | 49 +++ CVE-2024-47774.patch | 42 ++ ...-47776_CVE-2024-47777_CVE-2024-47778.patch | 402 ++++++++++++++++++ CVE-2024-47834.patch | 36 ++ gstreamer1-plugins-good.spec | 32 +- ...e-when-parsing-multi-channel-WavPack.patch | 27 ++ ...terate-over-all-trun-entries-if-none.patch | 32 ++ ...Fix-debug-output-during-trun-parsing.patch | 69 +++ 23 files changed, 1503 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-47537.patch create mode 100644 CVE-2024-47539.patch create mode 100644 CVE-2024-47540.patch create mode 100644 CVE-2024-47543.patch create mode 100644 CVE-2024-47546.patch create mode 100644 CVE-2024-47596.patch create mode 100644 CVE-2024-47597-1.patch create mode 100644 CVE-2024-47597-2.patch create mode 100644 CVE-2024-47598.patch create mode 100644 CVE-2024-47599.patch create mode 100644 CVE-2024-47601-1.patch create mode 100644 CVE-2024-47601-2.patch create mode 100644 CVE-2024-47602.patch create mode 100644 CVE-2024-47603.patch create mode 100644 CVE-2024-47606.patch create mode 100644 CVE-2024-47613.patch create mode 100644 CVE-2024-47774.patch create mode 100644 CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch create mode 100644 CVE-2024-47834.patch create mode 100644 matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch create mode 100644 qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch create mode 100644 qtdemux-Fix-debug-output-during-trun-parsing.patch diff --git a/CVE-2024-47537.patch b/CVE-2024-47537.patch new file mode 100644 index 0000000..edd2ce3 --- /dev/null +++ b/CVE-2024-47537.patch @@ -0,0 +1,58 @@ +From ae61a604c03ca07226a88e15fdb5487ad2096add Mon Sep 17 00:00:00 2001 +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: [PATCH 01/12] qtdemux: Fix integer overflow when allocating the + samples table for fragmented MP4 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: +--- + gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index c2d8b5e0f134..a88dcaf2d3ef 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3364,6 +3364,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3475,14 +3476,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3491,7 +3491,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* or try to reallocate it with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + +-- +GitLab diff --git a/CVE-2024-47539.patch b/CVE-2024-47539.patch new file mode 100644 index 0000000..2010403 --- /dev/null +++ b/CVE-2024-47539.patch @@ -0,0 +1,39 @@ +From 1d534ac209e4042d08513f8cd448b9b12187aacd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: [PATCH 05/12] qtdemux: Make sure only an even number of bytes is + processed when handling CEA608 data + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: +--- + gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index dbd42817c00b..4339943e347b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -6145,6 +6145,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field, + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); +-- +GitLab diff --git a/CVE-2024-47540.patch b/CVE-2024-47540.patch new file mode 100644 index 0000000..5e38f52 --- /dev/null +++ b/CVE-2024-47540.patch @@ -0,0 +1,51 @@ +From c0dceda8e969f74f2326539c1f0368c2fd7afcd7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: [PATCH 1/7] matroskademux: Only unmap GstMapInfo in WavPack header + extraction error paths if previously mapped + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: +--- + gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 41725e83a607..9e0de058e64a 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3891,7 +3891,6 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3908,11 +3907,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3950,6 +3949,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; +-- +GitLab diff --git a/CVE-2024-47543.patch b/CVE-2024-47543.patch new file mode 100644 index 0000000..dc7843c --- /dev/null +++ b/CVE-2024-47543.patch @@ -0,0 +1,115 @@ +From c1cd838706d29cab9479e7b5e6ec63ff8ad59b61 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 14:17:02 +0300 +Subject: [PATCH 06/12] qtdemux: Make sure enough data is available before + reading wave header node + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-236 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 + +Part-of: +--- + gst/isomp4/qtdemux.c | 84 ++++++++++--------- + 1 file changed, 45 insertions(+), 39 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 4339943e347b..062140d3dd5f 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -13704,47 +13704,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak) + } else { + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); + const guint8 *data = stsd_entry_data + offset + 16; +- GNode *wavenode; +- GNode *waveheadernode; +- +- wavenode = g_node_new ((guint8 *) data); +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { +- const guint8 *waveheader; +- guint32 headerlen; +- +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc); +- if (waveheadernode) { +- waveheader = (const guint8 *) waveheadernode->data; +- headerlen = QT_UINT32 (waveheader); +- +- if (headerlen > 8) { +- gst_riff_strf_auds *header = NULL; +- GstBuffer *headerbuf; +- GstBuffer *extra; +- +- waveheader += 8; +- headerlen -= 8; +- +- headerbuf = gst_buffer_new_and_alloc (headerlen); +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); +- +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), +- headerbuf, &header, &extra)) { +- gst_caps_unref (entry->caps); +- /* FIXME: Need to do something with the channel reorder map */ +- entry->caps = +- gst_riff_create_audio_caps (header->format, NULL, header, +- extra, NULL, NULL, NULL); +- +- if (extra) +- gst_buffer_unref (extra); +- g_free (header); ++ ++ if (len < datalen || len - datalen < offset + 16) { ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode"); ++ } else { ++ GNode *wavenode; ++ GNode *waveheadernode; ++ ++ wavenode = g_node_new ((guint8 *) data); ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { ++ const guint8 *waveheader; ++ guint32 headerlen; ++ ++ waveheadernode = ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); ++ if (waveheadernode) { ++ waveheader = (const guint8 *) waveheadernode->data; ++ headerlen = QT_UINT32 (waveheader); ++ ++ if (headerlen > 8) { ++ gst_riff_strf_auds *header = NULL; ++ GstBuffer *headerbuf; ++ GstBuffer *extra; ++ ++ waveheader += 8; ++ headerlen -= 8; ++ ++ headerbuf = gst_buffer_new_and_alloc (headerlen); ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); ++ ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), ++ headerbuf, &header, &extra)) { ++ gst_caps_unref (entry->caps); ++ /* FIXME: Need to do something with the channel reorder map */ ++ entry->caps = ++ gst_riff_create_audio_caps (header->format, NULL, ++ header, extra, NULL, NULL, NULL); ++ ++ if (extra) ++ gst_buffer_unref (extra); ++ g_free (header); ++ } + } +- } +- } else +- GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } else ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } ++ g_node_destroy (wavenode); + } +- g_node_destroy (wavenode); + } + } else if (esds) { + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, +-- +GitLab diff --git a/CVE-2024-47546.patch b/CVE-2024-47546.patch new file mode 100644 index 0000000..606adc5 --- /dev/null +++ b/CVE-2024-47546.patch @@ -0,0 +1,32 @@ +From bfebca8307ae79223616fd27e8b402118787d394 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 19:16:19 +0300 +Subject: [PATCH 11/12] qtdemux: Check for invalid atom length when extracting + Closed Caption data + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-243 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 + +Part-of: +--- + gst/isomp4/qtdemux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 4b9ce20ad37b..7731b2c2c93b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -6193,7 +6193,7 @@ extract_cc_from_data (QtDemuxStream * stream, const guint8 * data, gsize size, + goto invalid_cdat; + atom_length = QT_UINT32 (data); + fourcc = QT_FOURCC (data + 4); +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) + goto invalid_cdat; + + GST_DEBUG_OBJECT (stream->pad, "here"); +-- +GitLab + diff --git a/CVE-2024-47596.patch b/CVE-2024-47596.patch new file mode 100644 index 0000000..927d759 --- /dev/null +++ b/CVE-2024-47596.patch @@ -0,0 +1,33 @@ +From 519d86d9f36d80eb64148cd2d330b28a28be2755 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:31:36 +0300 +Subject: [PATCH 12/12] qtdemux: Add size check for parsing SMI / SEQH atom + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-244 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 + +Part-of: +--- + gst/isomp4/qtdemux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 7731b2c2c93b..5422e9f1d6f8 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11198,8 +11198,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom " + " found, ignoring"); + } else { ++ /* Note: The size does *not* include the fourcc and the size field itself */ + seqh_size = QT_UINT32 (data + 4); +- if (seqh_size > 0) { ++ if (seqh_size > 0 && seqh_size <= size - 8) { + _seqh = gst_buffer_new_and_alloc (seqh_size); + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); + } +-- +GitLab + diff --git a/CVE-2024-47597-1.patch b/CVE-2024-47597-1.patch new file mode 100644 index 0000000..9b311d6 --- /dev/null +++ b/CVE-2024-47597-1.patch @@ -0,0 +1,44 @@ +From 19359e2b2548927cbfd46a526d704cce5a65c2b1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:38:50 +0300 +Subject: [PATCH 09/12] qtdemux: Make sure there are enough offsets to read + when parsing samples + +While this specific case is also caught when initializing co_chunk, the error +is ignored in various places and calling into the function would lead to out of +bounds reads if the error message doesn't cause the pipeline to be shut down +fast enough. + +To avoid this, no matter what, make sure enough offsets are available when +parsing them. While this is potentially slower, the same is already done in the +non-chunks_are_samples case. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: +--- + gst/isomp4/qtdemux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 127ed77f6dba..07272f38c421 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10635,9 +10635,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n) + goto done; + } + +- cur->offset = +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, +- stream->co_size); ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, ++ stream->co_size, &cur->offset)) ++ goto corrupt_file; + + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " + "%" G_GUINT64_FORMAT, j, cur->offset); +-- +GitLab diff --git a/CVE-2024-47597-2.patch b/CVE-2024-47597-2.patch new file mode 100644 index 0000000..d4b613f --- /dev/null +++ b/CVE-2024-47597-2.patch @@ -0,0 +1,93 @@ +From 7d3f221d8795cd6910f375774a50ffe7c19d0538 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:39:30 +0300 +Subject: [PATCH 10/12] qtdemux: Actually handle errors returns from various + functions instead of ignoring them + +Ignoring them might cause the element to continue as if all is fine despite the +internal state being inconsistent. This can lead to all kinds of follow-up +issues, including memory safety issues. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: +--- + gst/isomp4/qtdemux.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index ba80392..f5ea797 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -4657,10 +4657,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux) + beach: + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { + /* digested all data, show what we have */ +- qtdemux_prepare_streams (qtdemux); ++ ret = qtdemux_prepare_streams (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; ++ + QTDEMUX_EXPOSE_LOCK (qtdemux); + ret = qtdemux_expose_streams (qtdemux); + QTDEMUX_EXPOSE_UNLOCK (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; + + qtdemux->state = QTDEMUX_STATE_MOVIE; + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", +@@ -7275,13 +7280,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + gst_qtdemux_stream_concat (demux, + demux->old_streams, demux->active_streams); + +- qtdemux_parse_moov (demux, data, demux->neededbytes); ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { ++ ret = GST_FLOW_ERROR; ++ break; ++ } + qtdemux_node_dump (demux, demux->moov_node); + qtdemux_parse_tree (demux); +- qtdemux_prepare_streams (demux); ++ ret = qtdemux_prepare_streams (demux); ++ if (ret != GST_FLOW_OK) ++ break; ++ + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ break; + + demux->got_moov = TRUE; + +@@ -7372,8 +7385,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, gboolean force) + /* in MSS we need to expose the pads after the first moof as we won't get a moov */ + if (demux->mss_mode && !demux->exposed) { + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ goto done; + } + + gst_qtdemux_check_send_pending_segment (demux); +@@ -13350,8 +13365,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux) + + /* parse the initial sample for use in setting the frame rate cap */ + while (sample_num == 0 && sample_num < stream->n_samples) { +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { ++ ret = GST_FLOW_ERROR; + break; ++ } + ++sample_num; + } + } +-- +2.33.0 + diff --git a/CVE-2024-47598.patch b/CVE-2024-47598.patch new file mode 100644 index 0000000..0d6c2ed --- /dev/null +++ b/CVE-2024-47598.patch @@ -0,0 +1,58 @@ +From 5a9e80c01b4b49c6c7630a6d08b600114f38c0db Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 15:50:54 +0300 +Subject: [PATCH 04/12] qtdemux: Check sizes of stsc/stco/stts before trying to + merge entries + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-246 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 + +Part-of: +--- + gst/isomp4/qtdemux.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 52d5a35c0ba0..dbd42817c00b 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10040,6 +10040,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + return; + } + ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); ++ return; ++ } ++ ++ if (stream->stco.size < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); ++ return; ++ } ++ ++ if (stream->n_samples_per_chunk == 0) { ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); ++ return; ++ } ++ + /* Parse the stts to get the sample duration and number of samples */ + gst_byte_reader_skip_unchecked (&stream->stts, 4); + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); +@@ -10051,6 +10066,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream) + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration, + num_chunks); + ++ if (gst_byte_reader_get_remaining (&stream->stsc) < ++ stream->n_samples_per_chunk * 3 * 4 + ++ (stream->n_samples_per_chunk - 1) * 4) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); ++ return; ++ } ++ + /* Now parse stsc, convert chunks into single samples and generate a + * new stsc, stts and stsz from this information */ + gst_byte_writer_init (&stsc); +-- +GitLab diff --git a/CVE-2024-47599.patch b/CVE-2024-47599.patch new file mode 100644 index 0000000..70510c4 --- /dev/null +++ b/CVE-2024-47599.patch @@ -0,0 +1,95 @@ +From 3cdf206f4fc5a9860bfe1437ed3d01e7d23c6c3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:22:19 +0300 +Subject: [PATCH] jpegdec: Directly error out on negotiation failures + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-247 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862 + +Part-of: +--- + ext/jpeg/gstjpegdec.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/ext/jpeg/gstjpegdec.c b/ext/jpeg/gstjpegdec.c +index 51bc2d14bf0e..7523419835ee 100644 +--- a/ext/jpeg/gstjpegdec.c ++++ b/ext/jpeg/gstjpegdec.c +@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (GstJpegDec * dec, gint * clrspc) + } + #endif + +-static void ++static gboolean + gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + gboolean interlaced) + { + GstVideoCodecState *outstate; + GstVideoInfo *info; + GstVideoFormat format; ++ gboolean res; + + #ifdef JCS_EXTENSIONS + if (dec->format_convert) { +@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + height == GST_VIDEO_INFO_HEIGHT (info) && + format == GST_VIDEO_INFO_FORMAT (info)) { + gst_video_codec_state_unref (outstate); +- return; ++ return TRUE; + } + gst_video_codec_state_unref (outstate); + } +@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + outstate = + gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format, + width, height, dec->input_state); ++ if (!outstate) ++ return FALSE; + + switch (clrspc) { + case JCS_RGB: +@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + + gst_video_codec_state_unref (outstate); + +- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); ++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); + + GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor); + GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor); ++ ++ return res; + } + + static GstFlowReturn +@@ -1425,8 +1430,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecoder * bdec, GstVideoCodecFrame * frame) + num_fields = 1; + } + +- gst_jpeg_dec_negotiate (dec, width, output_height, +- dec->cinfo.jpeg_color_space, num_fields == 2); ++ if (!gst_jpeg_dec_negotiate (dec, width, output_height, ++ dec->cinfo.jpeg_color_space, num_fields == 2)) ++ goto negotiation_failed; + + state = gst_video_decoder_get_output_state (bdec); + ret = gst_video_decoder_allocate_output_frame (bdec, frame); +@@ -1558,6 +1564,12 @@ map_failed: + ret = GST_FLOW_ERROR; + goto exit; + } ++negotiation_failed: ++ { ++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate")); ++ ret = GST_FLOW_NOT_NEGOTIATED; ++ goto exit; ++ } + decode_error: + { + gchar err_msg[JMSG_LENGTH_MAX]; +-- +GitLab + diff --git a/CVE-2024-47601-1.patch b/CVE-2024-47601-1.patch new file mode 100644 index 0000000..6f6c50b --- /dev/null +++ b/CVE-2024-47601-1.patch @@ -0,0 +1,43 @@ +From 395f2b3ffdc5e600b49e950f62df46e4ad2265ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:04:51 +0300 +Subject: [PATCH] matroskademux: Don't take data out of an empty adapter when + processing WavPack frames + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: +--- + gst/matroska/matroska-demux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 2a3df8b6c512..4e546b439ccc 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4042,11 +4042,16 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + } + gst_buffer_unmap (*buf, &map); + +- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ size = gst_adapter_available (adapter); ++ if (size > 0) { ++ newbuf = gst_adapter_take_buffer (adapter, size); ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ } else { ++ newbuf = NULL; ++ } + g_object_unref (adapter); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); + gst_buffer_unref (*buf); + *buf = newbuf; + +-- +GitLab + diff --git a/CVE-2024-47601-2.patch b/CVE-2024-47601-2.patch new file mode 100644 index 0000000..13fd7bc --- /dev/null +++ b/CVE-2024-47601-2.patch @@ -0,0 +1,44 @@ +From c20eff779d932fd1c1dbac1e62397578d8861241 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:06:03 +0300 +Subject: [PATCH] matroskademux: Skip over laces directly when postprocessing + the frame fails + +Otherwise NULL buffers might be handled afterwards. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: +--- + gst/matroska/matroska-demux.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 4e546b439ccc..a35f79f02381 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4988,6 +4988,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux, + if (stream->postprocess_frame) { + GST_LOG_OBJECT (demux, "running post process"); + ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub); ++ if (ret != GST_FLOW_OK) { ++ gst_clear_buffer (&sub); ++ goto next_lace; ++ } ++ ++ if (sub == NULL) { ++ GST_WARNING_OBJECT (demux, ++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT ++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp), ++ stream_num); ++ goto next_lace; ++ } + } + + /* At this point, we have a sub-buffer pointing at data within a larger +-- +GitLab + diff --git a/CVE-2024-47602.patch b/CVE-2024-47602.patch new file mode 100644 index 0000000..e6cbd48 --- /dev/null +++ b/CVE-2024-47602.patch @@ -0,0 +1,35 @@ +From 8aa1c185cf47042a0cc624ae3ff5b0545455fedf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:25:53 +0300 +Subject: [PATCH] matroskademux: Check for big enough WavPack codec private + data before accessing it + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-250 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866 + +Part-of: +--- + gst/matroska/matroska-demux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 2ed77b50d078..2a3df8b6c512 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3894,6 +3894,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint8 *buf_data, *data; + Wavpack4Header wvh; + ++ if (!stream->codec_priv || stream->codec_priv_size < 2) { ++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data"); ++ return GST_FLOW_ERROR; ++ } ++ + wvh.ck_id[0] = 'w'; + wvh.ck_id[1] = 'v'; + wvh.ck_id[2] = 'p'; +-- +GitLab + diff --git a/CVE-2024-47603.patch b/CVE-2024-47603.patch new file mode 100644 index 0000000..4de9cd2 --- /dev/null +++ b/CVE-2024-47603.patch @@ -0,0 +1,35 @@ +From b84a0f326350989b81b95f55ef513fdaa16487fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:19:42 +0300 +Subject: [PATCH] matroskademux: Skip over zero-sized Xiph stream headers + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-251 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867 + +Part-of: +--- + gst/matroska/matroska-ids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-ids.c b/gst/matroska/matroska-ids.c +index f11b7c2ce31f..ba645f7306d9 100644 +--- a/gst/matroska/matroska-ids.c ++++ b/gst/matroska/matroska-ids.c +@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (gpointer codec_data, + if (offset + length[i] > codec_data_size) + goto error; + +- hdr = gst_buffer_new_memdup (p + offset, length[i]); +- gst_buffer_list_add (list, hdr); ++ if (length[i] > 0) { ++ hdr = gst_buffer_new_memdup (p + offset, length[i]); ++ gst_buffer_list_add (list, hdr); ++ } + + offset += length[i]; + } +-- +GitLab + diff --git a/CVE-2024-47606.patch b/CVE-2024-47606.patch new file mode 100644 index 0000000..6d7c2e1 --- /dev/null +++ b/CVE-2024-47606.patch @@ -0,0 +1,40 @@ +From f8e398c46fc074f266edb3f20479c0ca31b52448 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: [PATCH] qtdemux: Avoid integer overflow when parsing Theora extension + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: +--- + gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index 5e3cb1b9e699..c2d8b5e0f134 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -8822,7 +8822,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8830,7 +8830,7 @@ qtdemux_parse_theora_extension (GstQTDemux * qtdemux, QtDemuxStream * stream, + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; +-- +GitLab + diff --git a/CVE-2024-47613.patch b/CVE-2024-47613.patch new file mode 100644 index 0000000..3aa1f22 --- /dev/null +++ b/CVE-2024-47613.patch @@ -0,0 +1,49 @@ +From 1d1c9d63be51d85f9b80f0c227d4b3469fee2534 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: [PATCH] gdkpixbufdec: Check if initializing the video info actually + succeeded + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: +--- + ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ext/gdk_pixbuf/gstgdkpixbufdec.c b/ext/gdk_pixbuf/gstgdkpixbufdec.c +index 5482998c0d60..de5f05496466 100644 +--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDec * filter) + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); +-- +GitLab + diff --git a/CVE-2024-47774.patch b/CVE-2024-47774.patch new file mode 100644 index 0000000..e2d44a9 --- /dev/null +++ b/CVE-2024-47774.patch @@ -0,0 +1,42 @@ +From 0870e87c7c02e28e22a09a7de0c5b1e5bed68c14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 14:04:03 +0300 +Subject: [PATCH] avisubtitle: Fix size checks and avoid overflows when + checking sizes + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-262 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890 + +Part-of: +--- + gst/avi/gstavisubtitle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/gst/avi/gstavisubtitle.c b/gst/avi/gstavisubtitle.c +index efc5f0405186..c816934da61c 100644 +--- a/gst/avi/gstavisubtitle.c ++++ b/gst/avi/gstavisubtitle.c +@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + /* read 'name' of subtitle */ + name_length = GST_READ_UINT32_LE (map.data + 5 + 2); + GST_LOG_OBJECT (sub, "length of name: %u", name_length); +- if (map.size <= 17 + name_length) ++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length) + goto wrong_name_length; + + name_utf8 = +@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAviSubtitle * sub, GstBuffer * buf) + file_length = GST_READ_UINT32_LE (map.data + 13 + name_length); + GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length); + +- if (map.size < (17 + name_length + file_length)) ++ if (G_MAXUINT32 - 17 - name_length < file_length ++ || map.size < 17 + name_length + file_length) + goto wrong_total_length; + + /* store this, so we can send it again after a seek; note that we shouldn't +-- +GitLab + diff --git a/CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch b/CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch new file mode 100644 index 0000000..a53ea4b --- /dev/null +++ b/CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch @@ -0,0 +1,402 @@ +From 13b48016b3ef1e822c393c2871b0a561ce19ecb3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:00:57 +0300 +Subject: [PATCH 1/7] wavparse: Check for short reads when parsing headers in + pull mode + +And also return the actual flow return to the caller instead of always returning +GST_FLOW_ERROR. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258, GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: +--- + gst/wavparse/gstwavparse.c | 63 ++++++++++++++----- + 1 file changed, 46 insertions(+), 17 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index d074f273c501..97d5591fae8f 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + return TRUE; + } + ++static GstFlowReturn ++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size, ++ GstBuffer ** buffer) ++{ ++ GstFlowReturn res; ++ ++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer); ++ if (res != GST_FLOW_OK) ++ return res; ++ ++ if (gst_buffer_get_size (*buffer) < size) { ++ gst_clear_buffer (buffer); ++ return GST_FLOW_EOS; ++ } ++ ++ return res; ++} ++ + static GstFlowReturn + gst_wavparse_stream_headers (GstWavParse * wav) + { +@@ -1292,9 +1310,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 8, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + tag = GST_READ_UINT32_LE (map.data); + size = GST_READ_UINT32_LE (map.data + 4); +@@ -1397,9 +1415,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 0, &wav->fact, 4); + wav->fact = GUINT32_FROM_LE (wav->fact); + gst_buffer_unref (buf); +@@ -1444,9 +1462,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, +- size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size, ++ &buf)) != GST_FLOW_OK) ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + acid = (const gst_riff_acid *) map.data; + tempo = acid->tempo; +@@ -1484,9 +1502,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 12, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 12, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 8, <ag, 4); + ltag = GUINT32_FROM_LE (ltag); + } +@@ -1513,9 +1531,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + if (data_size > 0) { + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + } + } + if (data_size > 0) { +@@ -1553,9 +1571,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + buf = NULL; + wav->offset += 12; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data, + data_size); +@@ -1599,9 +1617,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1643,9 +1661,9 @@ gst_wavparse_stream_headers (GstWavParse * wav) + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1797,6 +1815,17 @@ header_read_error: + ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res))); + goto fail; + } ++header_pull_error: ++ { ++ if (res == GST_FLOW_EOS) { ++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res, ++ gst_flow_get_name (res)); ++ } else { ++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res))); ++ } ++ goto exit; ++ } + } + + /* +-- +GitLab + + +From 4c198f4891cfabde868944d55ff98925e7beb757 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:09:43 +0300 +Subject: [PATCH 2/7] wavparse: Make sure enough data for the tag list tag is + available before parsing + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 + +Part-of: +--- + gst/wavparse/gstwavparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 97d5591fae8f..21cb48c07eb3 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1489,6 +1489,10 @@ gst_wavparse_stream_headers (GstWavParse * wav) + case GST_RIFF_TAG_LIST:{ + guint32 ltag; + ++ /* Need at least the ltag */ ++ if (size < 4) ++ goto exit; ++ + if (wav->streaming) { + const guint8 *data = NULL; + +-- +GitLab + + +From 296e17b4ea81e5c228bb853f6037b654fdca7d47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:15:27 +0300 +Subject: [PATCH 3/7] wavparse: Fix parsing of acid chunk + +Simply casting the bytes to a struct can lead to crashes because of unaligned +reads, and is also missing the endianness swapping that is necessary on big +endian architectures. + +Part-of: +--- + gst/wavparse/gstwavparse.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 21cb48c07eb3..6a0c44638ea2 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1434,8 +1434,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + case GST_RIFF_TAG_acid:{ +- const gst_riff_acid *acid = NULL; +- const guint data_size = sizeof (gst_riff_acid); ++ const guint data_size = 24; + gfloat tempo; + + GST_INFO_OBJECT (wav, "Have acid chunk"); +@@ -1449,13 +1448,13 @@ gst_wavparse_stream_headers (GstWavParse * wav) + break; + } + if (wav->streaming) { ++ const guint8 *data; + if (!gst_wavparse_peek_chunk (wav, &tag, &size)) { + goto exit; + } + gst_adapter_flush (wav->adapter, 8); +- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter, +- data_size); +- tempo = acid->tempo; ++ data = gst_adapter_map (wav->adapter, data_size); ++ tempo = GST_READ_FLOAT_LE (data + 20); + gst_adapter_unmap (wav->adapter); + } else { + GstMapInfo map; +@@ -1466,8 +1465,7 @@ gst_wavparse_stream_headers (GstWavParse * wav) + &buf)) != GST_FLOW_OK) + goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); +- acid = (const gst_riff_acid *) map.data; +- tempo = acid->tempo; ++ tempo = GST_READ_FLOAT_LE (map.data + 20); + gst_buffer_unmap (buf, &map); + } + /* send data as tags */ +-- +GitLab + + +From c72025cabdfcb2fe30d24eda7bb9d1d01a1b6555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:21:44 +0300 +Subject: [PATCH 4/7] wavparse: Check that at least 4 bytes are available + before parsing cue chunks + +Part-of: +--- + gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 6a0c44638ea2..5655ee3825ca 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -790,6 +790,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + return TRUE; + } + ++ if (size < 4) { ++ GST_WARNING_OBJECT (wav, "broken file %d", size); ++ return FALSE; ++ } ++ + ncues = GST_READ_UINT32_LE (data); + + if (size < 4 + ncues * 24) { +-- +GitLab + + +From 93d79c22a82604adc5512557c1238f72f41188c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:22:02 +0300 +Subject: [PATCH 5/7] wavparse: Check that at least 32 bytes are available + before parsing smpl chunks + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-259 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887 + +Part-of: +--- + gst/wavparse/gstwavparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 5655ee3825ca..8a04805ed427 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -894,6 +894,9 @@ gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size) + { + guint32 note_number; + ++ if (size < 32) ++ return FALSE; ++ + /* + manufacturer_id = GST_READ_UINT32_LE (data); + product_id = GST_READ_UINT32_LE (data + 4); +-- +GitLab + + +From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:27:27 +0300 +Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size + +The size does not include the 8 bytes tag and length, so an additional 8 bytes +must be removed here. 8 bytes are always available at this point because +otherwise the parsing of the tag and length right above would've failed. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: +--- + gst/wavparse/gstwavparse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 8a04805ed427..998cbb276dbf 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1338,10 +1338,11 @@ gst_wavparse_stream_headers (GstWavParse * wav) + } + + /* Clip to upstream size if known */ +- if (upstream_size > 0 && size + wav->offset > upstream_size) { ++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) { + GST_WARNING_OBJECT (wav, "Clipping chunk size to file size"); + g_assert (upstream_size >= wav->offset); +- size = upstream_size - wav->offset; ++ g_assert (upstream_size - wav->offset >= 8); ++ size = upstream_size - wav->offset - 8; + } + + /* wav is a st00pid format, we don't know for sure where data starts. +-- +GitLab + + +From 4f381d15014471b026020d0990a5f5a9f420a22b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:51:00 +0300 +Subject: [PATCH 7/7] wavparse: Check size before reading ds64 chunk + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-261 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889 + +Part-of: +--- + gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/wavparse/gstwavparse.c b/gst/wavparse/gstwavparse.c +index 998cbb276dbf..958868de6d9e 100644 +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1088,6 +1088,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer * buf) + guint32 sampleCountLow, sampleCountHigh; + + gst_buffer_map (buf, &map, GST_MAP_READ); ++ if (map.size < 6 * 4) { ++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")", ++ map.size); ++ return FALSE; ++ } + dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4); + dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4); + sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4); +-- +GitLab + diff --git a/CVE-2024-47834.patch b/CVE-2024-47834.patch new file mode 100644 index 0000000..713e57e --- /dev/null +++ b/CVE-2024-47834.patch @@ -0,0 +1,36 @@ +From 474eb62d85b65de1f4a9389d28e4a380a0bf1d7b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:52:52 -0400 +Subject: [PATCH] matroskademux: Put a copy of the codec data into the A_MS/ACM + caps + +The original codec data buffer is owned by matroskademux and does not +necessarily live as long as the caps. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-280 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894 + +Part-of: +--- + gst/matroska/matroska-demux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index a35f79f02381..afde4ee62897 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -7183,8 +7183,7 @@ gst_matroska_demux_audio_caps (GstMatroskaTrackAudioContext * + + /* 18 is the waveformatex size */ + if (size > 18) { +- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, +- data + 18, size - 18, 0, size - 18, NULL, NULL); ++ codec_data = gst_buffer_new_memdup (data + 18, size - 18); + } + + if (riff_audio_fmt) +-- +GitLab + diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec index ccf7fdc..8897dd8 100644 --- a/gstreamer1-plugins-good.spec +++ b/gstreamer1-plugins-good.spec @@ -3,7 +3,7 @@ Name: gstreamer1-plugins-good Version: 1.20.3 -Release: 2 +Release: 3 Summary: GStreamer plugins with good code and licensing License: LGPLv2+ URL: http://gstreamer.freedesktop.org/ @@ -11,6 +11,28 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugin Source1: gstreamer-good.appdata.xml #https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch Patch0: CVE-2023-37327.patch +Patch1: CVE-2024-47606.patch +Patch2: CVE-2024-47599.patch +Patch3: CVE-2024-47613.patch +Patch4: CVE-2024-47775_CVE-2024-47776_CVE-2024-47777_CVE-2024-47778.patch +Patch5: CVE-2024-47774.patch +Patch6: CVE-2024-47540.patch +Patch7: CVE-2024-47602.patch +Patch8: CVE-2024-47601-1.patch +Patch9: CVE-2024-47601-2.patch +Patch10: CVE-2024-47603.patch +Patch11: CVE-2024-47834.patch +Patch12: CVE-2024-47537.patch +Patch13: CVE-2024-47597-1.patch +Patch14: CVE-2024-47597-2.patch +Patch15: CVE-2024-47543.patch +Patch16: CVE-2024-47596.patch +Patch17: CVE-2024-47539.patch +Patch18: CVE-2024-47546.patch +Patch19: CVE-2024-47598.patch +Patch20: matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch +Patch21: qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch +Patch22: qtdemux-Fix-debug-output-during-trun-parsing.patch BuildRequires: meson >= 0.48.0 BuildRequires: gcc @@ -176,6 +198,14 @@ install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml %endif %changelog +* Wed Dec 18 2024 yaoxin - 1.20.3-3 +- Fix cves: + CVE-2024-47606,CVE-2024-47599,CVE-2024-47613,CVE-2024-47775 + CVE-2024-47776,CVE-2024-47777,CVE-2024-47778,CVE-2024-47774 + CVE-2024-47540,CVE-2024-47602,CVE-2024-47601,CVE-2024-47603 + CVE-2024-47834,CVE-2024-47537,CVE-2024-47597,CVE-2024-47543 + CVE-2024-47596,CVE-2024-47539,CVE-2024-47546,CVE-2024-47598 + * Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.20.3-2 - Fix CVE-2023-37327 diff --git a/matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch b/matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch new file mode 100644 index 0000000..bbe27af --- /dev/null +++ b/matroskademux-Fix-off-by-one-when-parsing-multi-channel-WavPack.patch @@ -0,0 +1,27 @@ +From b7ad9a2c5d2b1d87a33dfd73b5e10b184b31a3d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: [PATCH] matroskademux: Fix off-by-one when parsing multi-channel + WavPack + +Part-of: +--- + gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 9e0de058e64a..2ed77b50d078 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3976,7 +3976,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; +-- +GitLab + diff --git a/qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch b/qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch new file mode 100644 index 0000000..7c9735f --- /dev/null +++ b/qtdemux-Do-not-iterate-over-all-trun-entries-if-none.patch @@ -0,0 +1,32 @@ +From 0f4dae9b01fcc4ec3a16d2386dfac432e011465b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:41:39 +0300 +Subject: [PATCH] qtdemux: Don't iterate over all trun entries if none of the + flags are set + +Nothing would be printed anyway. + +Part-of: +--- + gst/isomp4/qtdemux_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gst/isomp4/qtdemux_dump.c b/gst/isomp4/qtdemux_dump.c +index 22da35e9e7ad..297b580ef038 100644 +--- a/gst/isomp4/qtdemux_dump.c ++++ b/gst/isomp4/qtdemux_dump.c +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader * data, int depth) + GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags); + } + ++ /* Nothing to print below */ ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) ++ return TRUE; ++ + for (i = 0; i < samples_count; i++) { + if (flags & TR_SAMPLE_DURATION) { + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) +-- +GitLab + diff --git a/qtdemux-Fix-debug-output-during-trun-parsing.patch b/qtdemux-Fix-debug-output-during-trun-parsing.patch new file mode 100644 index 0000000..005404f --- /dev/null +++ b/qtdemux-Fix-debug-output-during-trun-parsing.patch @@ -0,0 +1,69 @@ +From cbd659c58f3236596a47b45a2afe6130139cf661 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:40:56 +0300 +Subject: [PATCH] qtdemux: Fix debug output during trun parsing + +Various integers are unsigned so print them as such. Also print the actual +allocation size if allocation fails, not only parts of it. + +Part-of: +--- + gst/isomp4/qtdemux.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c +index f71d04b..ba80392 100644 +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3221,8 +3221,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + gint64 initial_offset; + gint32 min_ct = 0; + +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", " ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", " + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, + d_sample_size, d_sample_flags, *base_offset, decode_ts); + +@@ -3250,7 +3250,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + /* note this is really signed */ + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) + goto fail; +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); + /* default base offset = first byte of moof */ + if (*base_offset == -1) { + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); +@@ -3272,7 +3272,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, GstByteReader * trun, + + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, + *running_offset); +- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d", ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", + data_offset, flags, samples_count); + + if (flags & TR_FIRST_SAMPLE_FLAGS) { +@@ -3492,14 +3492,15 @@ fail: + } + out_of_memory: + { +- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", +- stream->n_samples); ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", ++ stream->n_samples, samples_count); + return FALSE; + } + index_too_big: + { +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would " +- "be larger than %uMB (broken file?)", stream->n_samples, ++ GST_WARNING_OBJECT (qtdemux, ++ "not allocating index of %u + %u samples, would " ++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count, + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); + return FALSE; + } +-- +2.33.0 + -- Gitee