From 1744ecc25db1857e75339b7477b2b7f22070e43a Mon Sep 17 00:00:00 2001
From: songliyang
Date: Fri, 12 Sep 2025 15:46:01 +0800
Subject: [PATCH] Fixes CVE-2025-47183

(cherry picked from commit ede756e2cd658037f424d394f1affb991a4ed443)
---
 ...ux-Use-byte-reader-to-parse-mvhd-box.patch | 75 +++++++++++++++++++
 gstreamer1-plugins-good.spec | 6 +-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch

diff --git a/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch b/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
new file mode 100644
index 0000000..563172b
--- /dev/null
+++ b/backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
@@ -0,0 +1,75 @@
+From 48bf6a92d75051be7e5ffb66fcd1a49de74fe865 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 29 Apr 2025 09:43:58 +0300
+Subject: [PATCH] qtdemux: Use byte reader to parse mvhd box
+
+This avoids OOB reads.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4394
+Fixes CVE-2025-47183
+
+Part-of:
+---
+ gst/isomp4/qtdemux.c | 37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
+index 9352022..d5a1e99 100644
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -14131,7 +14131,8 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+ GNode *pssh;
+ guint64 creation_time;
+ GstDateTime *datetime = NULL;
+- gint version;
++ guint8 version;
++ GstByteReader mvhd_reader;
+
+ /* make sure we have a usable taglist */
+ qtdemux->tag_list = gst_tag_list_make_writable (qtdemux->tag_list);
+@@ -14142,15 +14143,35 @@ qtdemux_parse_tree (GstQTDemux * qtdemux)
+ return qtdemux_parse_redirects (qtdemux);
+ }
+
+- version = QT_UINT8 ((guint8 *) mvhd->data + 8);
++ if (!gst_byte_reader_get_uint8 (&mvhd_reader, &version))
++ return FALSE;
++ /* flags */
++ if (!gst_byte_reader_skip (&mvhd_reader, 3))
++ return FALSE;
+ if (version == 1) {
+- creation_time = QT_UINT64 ((guint8 *) mvhd->data + 12);
+- qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 28);
+- qtdemux->duration = QT_UINT64 ((guint8 *) mvhd->data + 32);
++ if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &creation_time))
++ return FALSE;
++ /* modification time */
++ if (!gst_byte_reader_skip (&mvhd_reader, 8))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++ return FALSE;
++ if (!gst_byte_reader_get_uint64_be (&mvhd_reader, &qtdemux->duration))
++ return FALSE;
+ } else if (version == 0) {
+- creation_time = QT_UINT32 ((guint8 *) mvhd->data + 12);
+- qtdemux->timescale = QT_UINT32 ((guint8 *) mvhd->data + 20);
+- qtdemux->duration = QT_UINT32 ((guint8 *) mvhd->data + 24);
++ guint32 tmp;
++
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
++ return FALSE;
++ creation_time = tmp;
++ /* modification time */
++ if (!gst_byte_reader_skip (&mvhd_reader, 4))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &qtdemux->timescale))
++ return FALSE;
++ if (!gst_byte_reader_get_uint32_be (&mvhd_reader, &tmp))
++ return FALSE;
++ qtdemux->duration = tmp;
+ } else {
+ GST_WARNING_OBJECT (qtdemux, "Unhandled mvhd version %d", version);
+ return FALSE;
+--
+2.43.0
+
diff --git a/gstreamer1-plugins-good.spec b/gstreamer1-plugins-good.spec
index b3ecfec..0904154 100644
--- a/gstreamer1-plugins-good.spec
+++ b/gstreamer1-plugins-good.spec
@@ -3,7 +3,7 @@ Name: gstreamer1-plugins-good
 Version: 1.20.3
-Release: 5
+Release: 6
 Summary: GStreamer plugins with good code and licensing
 License: LGPLv2+
 URL: http://gstreamer.freedesktop.org/
@@ -38,6 +38,7 @@ Patch24: CVE-2024-47545-pre2.patch
 Patch25: CVE-2024-47545.patch
 Patch26: CVE-2024-47544.patch
 Patch27: CVE-2025-47219.patch
+Patch28: backport-qtdemux-Use-byte-reader-to-parse-mvhd-box.patch
 BuildRequires: meson >= 0.48.0
 BuildRequires: gcc
@@ -203,6 +204,9 @@ install -p -D %{SOURCE1} %{buildroot}%{_metainfodir}/gstreamer-good.appdata.xml
 %endif
 %changelog
+* Fri Sep 12 2025 songliyang - 1.20.3-6
+- Fixes CVE-2025-47183
+
 * Sat May 31 2025 Funda Wang - 1.20.3-5
 - fix CVE-2025-47219
--
Gitee
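Review bot: The `GstByteReader mvhd_reader` added in the first hunk of the backported patch is never initialized anywhere in the patch, yet the second hunk immediately reads through it with `gst_byte_reader_get_uint8 (&mvhd_reader, &version)`. The hunk headers (29 insertions, 8 deletions) account for every visible line, and the `mvhd` lookup must sit in the unchanged gap between the two hunks (before the `return qtdemux_parse_redirects` context line), so no pre-existing code can set up a variable this patch introduces; as written the first read operates on uninitialized stack memory, which is undefined behaviour and means the CVE-2025-47183 fix is not actually bounding anything in this tree. The reader has to start right after the 8-byte size/fourcc header, because the first byte consumed is the version that the removed code took at `mvhd->data + 8`; the lookup should become `mvhd = qtdemux_tree_get_child_by_type_full (qtdemux->moov_node, FOURCC_mvhd, &mvhd_reader);` if that helper exists in the 1.20.3 sources, otherwise an explicit `gst_byte_reader_init (&mvhd_reader, (guint8 *) mvhd->data + 8, QT_UINT32 ((guint8 *) mvhd->data) - 8);` after the NULL check, once the box size has been checked to be at least 8. Please confirm against the applied 1.20.3 source rather than the patch text alone, since the enclosing `qtdemux_parse_tree` starts before the first hunk and continues past the second.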