From 83f0a6ea8f73c8b5e396ea54820375688d4ad814 Mon Sep 17 00:00:00 2001
From: songliyang
Date: Fri, 12 Sep 2025 15:52:42 +0800
Subject: [PATCH] Fixes CVE-2025-47183

---
 ...ux-Use-byte-reader-to-parse-mvhd-box.patch | 75 +++++++++++++++++++
 gstreamer1-plugins-good.spec | 6 +-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch

diff --git a/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch b/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
new file mode 100644
index 0000000..563172b
--- /dev/null
+++ b/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
@@ -0,0 +1,75 @@
+From 48bf6a92d75051be7e5ffb66fcd1a49de74fe865 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 29 Apr 2025 09:43:58 +0300
+Subject: [PATCH] qtdemux: Use byte reader to parse mvhd box
+
+This avoids OOB reads.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4394
+Fixes CVE-2025-47183
+
+Part-of:
+---
+ gst/isomp4/qtdemux.c | 37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 9352022..d5a1e99 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -14131,7 +14131,8 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+ GNode *pssh;
+ guint64 creation_time;
+ GstDateTime *datetime = NULL;
+- gint version;
++ guint8 version;
++ GstByteReader mvhd_reader;
+
+ /* make sure we have a usable taglist */
+ qtdemux->tag_list = gst_tag_list_make_writable (qtdemux->tag_list);
+@@ -14142,15 +14143,35 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+ return qtdemux_parse_redirects (qtdemux);
+ }
+
+- version = QT_UINT8 ((guint8 *) mvhd->data + 8);
++ if (!gst_byte_reader_get_uint8 (&mvhd_reader, &version))
++ return FALSE;
++ /* flags */
++ if (!gst_byte_reader_skip (&mvhd_reader, 3))
++ return FALSE;
+ if (version == 1) {
+- creation_time = QT_UINT64 ((guint8 *) mvhd->data + 12);
+- qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 28);
+- qtdemux->duration = QT_UINT64 ((guint8 *) mvhd->data + 32);
++ if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &creation_time))
++ return FALSE;
++ /* modification time */
++ if (!gst_byte_reader_skip (&mvhd_reader, 8))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++ return FALSE;
++ if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &qtdemux->duration))
++ return FALSE;
+ } else if (version == 0) {
+- creation_time = QT_UINT32 ((guint8 *) mvhd->data + 12);
+- qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 20);
+- qtdemux->duration = QT_UINT32 ((guint8 *) mvhd->data + 24);
++ guint32 tmp;
++
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
++ return FALSE;
++ creation_time = tmp;
++ /* modification time */
++ if (!gst_byte_reader_skip (&mvhd_reader, 4))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
++ return FALSE;
++ qtdemux->duration = tmp;
+ } else {
+ GST_WARNING_OBJECT (qtdemux, "Unhandled mvhd version %d", version);
+ return FALSE;
+--
+2.43.0
+
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index 0bb732b..616404f 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -3,7 +3,7 @@ Name: gstreamer1-plugins-good Version: 1.16.2
-Release: 10
+Release: 11
Summary: GStreamer plugins with good code and licensing License: LGPLv2+ URL: http://gstreamer.freedesktop.org/
@@ -51,6 +51,7 @@ Patch0029: CVE-2024-47545-pre2.patch Patch0030: CVE-2024-47545.patch Patch0031: CVE-2024-47544.patch Patch0032: CVE-2025-47219.patch
+Patch0033: backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
BuildRequires: gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel BuildRequires: gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel
@@ -135,6 +136,9 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %doc %{_datadir}/gtk-doc/html/* %changelog
+* Fri Sep 12 2025 songliyang - 1.16.2-11
+- Fixes CVE-2025-47183
+
* Sat May 31 2025 Funda Wang - 1.16.2-10 - fix CVE-2025-47219
-- Gitee
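Review bot: Nothing in this backport initializes `mvhd_reader` before the first `gst_byte_reader_get_uint8 (&mvhd_reader, &version)` in the second qtdemux.c hunk, so as applied to 1.16.2 every `gst_byte_reader_*` call here operates on an uninitialized struct — undefined behavior that yields either a spurious parse failure for every MP4 or exactly the kind of out-of-bounds read CVE-2025-47183 is meant to close. Upstream, as far as I recall, obtains the initialized reader from the mvhd lookup that sits in the unchanged lines between the two hunks (the `qtdemux_tree_get_child_by_type_full (..., &mvhd_reader)` variant); the hunk split around those lines and the 29/8 diffstat suggest that part was lost, so please confirm against the 1.16.2 source. If the lookup there is still the plain `qtdemux_tree_get_child_by_type`, add before the `get_uint8` the lines `gst_byte_reader_init (&mvhd_reader, mvhd->data, QT_UINT32 (mvhd->data));` and `if (!gst_byte_reader_skip (&mvhd_reader, 8)) return FALSE;`, which bounds the reader by the box length (assumed already validated when the node tree was built) and positions it at the version byte the removed `QT_UINT8 (mvhd->data + 8)` read. The empty `Part-of:` trailer is a further sign the patch was hand-edited rather than cherry-picked. qtdemux_parse_tree begins before the first hunk and continues past the last one.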