Version in base suite: 1.22.0-5+deb12u1
Base version: gst-plugins-good1.0_1.22.0-5+deb12u1
Target version: gst-plugins-good1.0_1.22.0-5+deb12u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-good1.0/gst-plugins-good1.0_1.22.0-5+deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-good1.0/gst-plugins-good1.0_1.22.0-5+deb12u2.dsc

 changelog                                                          |  63 +
 patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch |  37
 patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch |  44 +
 patches/jpegdec-Directly-error-out-on-negotiation-failures.patch   |  91 ++
 patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch |  31
 patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch |  39
 patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch |  21
 patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch |  48 +
 patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch |  31
 patches/matroskademux-Skip-over-laces-directly-when-postproc.patch |  40
 patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch |  31
 patches/qtdemux-Actually-handle-errors-returns-from-various-.patch |  89 ++
 patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch     |  29
 patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch |  36
 patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch |  28
 patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch |  54 +
 patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch |  27
 patches/qtdemux-Fix-debug-output-during-trun-parsing.patch         |  64 +
 patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch |  47 +
 patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch |  55 +
 patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch | 418 ++++++++++
 patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch | 111 ++
 patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch |  36
 patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch |  41
 patches/series                                                     |  30
 patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch | 163 +++
 patches/wavparse-Check-size-before-reading-ds64-chunk.patch        |  30
 patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch |  29
 patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch |  25
 patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch       |  36
 patches/wavparse-Fix-parsing-of-acid-chunk.patch                   |  53 +
 patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch |  30
 32 files changed, 1907 insertions(+)

diff -Nru gst-plugins-good1.0-1.22.0/debian/changelog gst-plugins-good1.0-1.22.0/debian/changelog
--- gst-plugins-good1.0-1.22.0/debian/changelog 2023-06-29 18:21:18.000000000 +0000
+++ gst-plugins-good1.0-1.22.0/debian/changelog 2024-12-21 13:32:49.000000000 +0000
@@ -1,3 +1,66 @@ +gst-plugins-good1.0 (1.22.0-5+deb12u2) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * qtdemux: Avoid integer overflow when parsing Theora extension + (CVE-2024-47606, GHSL-2024-166) + * jpegdec: Directly error out on negotiation failures (CVE-2024-47599, + GHSL-2024-247) + * gdkpixbufdec: Check if initializing the video info actually succeeded + (CVE-2024-47613, GHSL-2024-118) + * wavparse: Check for short reads when parsing headers in pull mode + (CVE-2024-47778, GHSL-2024-258, CVE-2024-47776, GHSL-2024-260) + * wavparse: Make sure enough data for the tag list tag is available before + parsing (CVE-2024-47778, GHSL-2024-258) + * wavparse: Fix parsing of acid chunk + * wavparse: Check that at least 4 bytes are available before parsing cue + chunks + * wavparse: Check that at least 32 bytes are available before parsing smpl + chunks (CVE-2024-47777, GHSL-2024-259) + * wavparse: Fix clipping of size to the file size (CVE-2024-47776, + GHSL-2024-260) + * wavparse: Check size before reading ds64 chunk (CVE-2024-47775, + GHSL-2024-261) + * avisubtitle: Fix size checks and avoid overflows when checking sizes + (CVE-2024-47774, GHSL-2024-262) + * matroskademux: Only unmap GstMapInfo in WavPack header extraction error + paths if previously mapped (CVE-2024-47540, GHSL-2024-197) + * matroskademux: Fix off-by-one when parsing multi-channel WavPack + * matroskademux: Check for big enough WavPack codec private data before + accessing it (CVE-2024-47602, GHSL-2024-250) + * matroskademux: Don't take data out of an empty adapter when processing + WavPack frames (CVE-2024-47601, GHSL-2024-249) + * matroskademux: Skip over laces directly when postprocessing the frame + fails (CVE-2024-47601, GHSL-2024-249) + * matroskademux: Skip over zero-sized Xiph stream headers (CVE-2024-47603, + GHSL-2024-251) + * matroskademux: Put a copy of the codec data into the A_MS/ACM caps + (CVE-2024-47834, GHSL-2024-280) + * qtdemux: Fix integer 
overflow when allocating the samples table for + fragmented MP4 (CVE-2024-47537, GHSL-2024-094, GHSL-2024-237, + GHSL-2024-241) + * qtdemux: Fix debug output during trun parsing + * qtdemux: Don't iterate over all trun entries if none of the flags are set + * qtdemux: Check sizes of stsc/stco/stts before trying to merge entries + (CVE-2024-47598, GHSL-2024-246) + * qtdemux: Make sure only an even number of bytes is processed when handling + CEA608 data (CVE-2024-47539, GHSL-2024-195) + * qtdemux: Make sure enough data is available before reading wave header + node (CVE-2024-47543, GHSL-2024-236) + * qtdemux: Fix length checks and offsets in stsd entry parsing + (CVE-2024-47545, GHSL-2024-242) + * qtdemux: Fix error handling when parsing cenc sample groups fails + (CVE-2024-47544, GHSL-2024-238, GHSL-2024-239, GHSL-2024-240) + * qtdemux: Make sure there are enough offsets to read when parsing samples + (CVE-2024-47597, GHSL-2024-245) + * qtdemux: Actually handle errors returns from various functions instead of + ignoring them (CVE-2024-47597, GHSL-2024-245) + * qtdemux: Check for invalid atom length when extracting Closed Caption data + (CVE-2024-47546, GHSL-2024-243) + * qtdemux: Add size check for parsing SMI / SEQH atom (CVE-2024-47596, + GHSL-2024-244) + + -- Salvatore Bonaccorso Sat, 21 Dec 2024 14:32:49 +0100 + gst-plugins-good1.0 (1.22.0-5+deb12u1) bookworm-security; urgency=medium * GST-2023-0001 diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch gst-plugins-good1.0-1.22.0/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch --- gst-plugins-good1.0-1.22.0/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch 2024-12-21 13:32:49.000000000 +0000 
@@ -0,0 +1,37 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 14:04:03 +0300 +Subject: avisubtitle: Fix size checks and avoid overflows when checking sizes +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98c2175d255bd2459d7645ac6aee50be5cb57fe3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47774 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-262 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890 + +Part-of: +--- + subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/gst/avi/gstavisubtitle.c ++++ b/gst/avi/gstavisubtitle.c +@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAv + /* read 'name' of subtitle */ + name_length = GST_READ_UINT32_LE (map.data + 5 + 2); + GST_LOG_OBJECT (sub, "length of name: %u", name_length); +- if (map.size <= 17 + name_length) ++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length) + goto wrong_name_length; + + name_utf8 = +@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAv + file_length = GST_READ_UINT32_LE (map.data + 13 + name_length); + GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length); + +- if (map.size < (17 + name_length + file_length)) ++ if (G_MAXUINT32 - 17 - name_length < file_length ++ || map.size < 17 + name_length + file_length) + goto wrong_total_length; + + /* store this, so we can send it again after a seek; note that we shouldn't diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch gst-plugins-good1.0-1.22.0/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch --- gst-plugins-good1.0-1.22.0/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch 
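Review bot: The second hunk's overflow guard `G_MAXUINT32 - 17 - name_length < file_length` is only safe because the first hunk has already established `17 + name_length <= G_MAXUINT32`; that ordering dependency deserves a one-line comment, since both `name_length` and `file_length` are 32-bit values read straight from the file and the sums are evaluated in 32-bit arithmetic before being compared with the wider `map.size`. Also worth a comment: the relaxation from `map.size <= 17 + name_length` to `<` is deliberate, because `file_length` is read from `map.data + 13 + name_length` and needs exactly `17 + name_length` bytes, so equality is a valid size rather than an off-by-one.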
2024-12-21 13:32:49.000000000 +0000 
@@ -0,0 +1,44 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 2 Oct 2024 14:44:21 +0300 +Subject: gdkpixbufdec: Check if initializing the video info actually succeeded +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5106dc94fb9b2d8bd0db547e2c325244b7c1f32c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47613 + +Otherwise a 0-byte buffer would be allocated, which gives NULL memory when +mapped. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-118 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876 + +Part-of: +--- + .../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c ++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c +@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDe + + + gst_video_info_init (&info); +- gst_video_info_set_format (&info, fmt, width, height); ++ if (!gst_video_info_set_format (&info, fmt, width, height)) ++ goto format_not_supported; + info.fps_n = filter->in_fps_n; + info.fps_d = filter->in_fps_d; + caps = gst_video_info_to_caps (&info); +@@ -384,6 +385,12 @@ channels_not_supported: + ("%d channels not supported", n_channels)); + return GST_FLOW_ERROR; + } ++format_not_supported: ++ { ++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL), ++ ("%d channels with %dx%d not supported", n_channels, width, height)); ++ return GST_FLOW_ERROR; ++ } + no_buffer: + { + GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret)); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch gst-plugins-good1.0-1.22.0/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch --- gst-plugins-good1.0-1.22.0/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
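Review bot: The new `format_not_supported` error message reports `%d channels with %dx%d`, but the condition that fails here is `gst_video_info_set_format (&info, fmt, width, height)` rejecting the format or dimensions, not the channel count; consider including the format name (e.g. via `gst_video_format_to_string (fmt)`) so a log line produced by a hostile input can be told apart from the existing `channels_not_supported` path. The placement of the `goto` is correct: it runs before `gst_video_info_to_caps` and the buffer allocation that would otherwise produce the 0-byte buffer described in the commit message.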
gst-plugins-good1.0-1.22.0/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch 2024-12-21 13:32:49.000000000 +0000 
@@ -0,0 +1,91 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:22:19 +0300 +Subject: jpegdec: Directly error out on negotiation failures +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8b1c866e93749fd42d1908ec77a4f339343acbb2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47599 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-247 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862 + +Part-of: +--- + .../gst-plugins-good/ext/jpeg/gstjpegdec.c | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/ext/jpeg/gstjpegdec.c ++++ b/ext/jpeg/gstjpegdec.c +@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (Gs + } + #endif + +-static void ++static gboolean + gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc, + gboolean interlaced) + { + GstVideoCodecState *outstate; + GstVideoInfo *info; + GstVideoFormat format; ++ gboolean res; + + #ifdef JCS_EXTENSIONS + if (dec->format_convert) { +@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec + height == GST_VIDEO_INFO_HEIGHT (info) && + format == GST_VIDEO_INFO_FORMAT (info)) { + gst_video_codec_state_unref (outstate); +- return; ++ return TRUE; + } + gst_video_codec_state_unref (outstate); + } +@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec + outstate = + gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format, + width, height, dec->input_state); ++ if (!outstate) ++ return FALSE; + + switch (clrspc) { + case JCS_RGB: +@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec + + gst_video_codec_state_unref (outstate); + +- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); ++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec)); + + GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor); + GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", 
dec->cinfo.max_h_samp_factor); ++ ++ return res; + } + + static GstFlowReturn +@@ -1424,8 +1429,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecod + num_fields = 1; + } + +- gst_jpeg_dec_negotiate (dec, width, output_height, +- dec->cinfo.jpeg_color_space, num_fields == 2); ++ if (!gst_jpeg_dec_negotiate (dec, width, output_height, ++ dec->cinfo.jpeg_color_space, num_fields == 2)) ++ goto negotiation_failed; + + state = gst_video_decoder_get_output_state (bdec); + ret = gst_video_decoder_allocate_output_frame (bdec, frame); +@@ -1557,6 +1563,12 @@ map_failed: + ret = GST_FLOW_ERROR; + goto exit; + } ++negotiation_failed: ++ { ++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate")); ++ ret = GST_FLOW_NOT_NEGOTIATED; ++ goto exit; ++ } + decode_error: + { + gchar err_msg[JMSG_LENGTH_MAX]; diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch 2024-12-21 13:32:49.000000000 +0000 
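Review bot: The return-value plumbing in `gst_jpeg_dec_negotiate` covers both failure points shown (`gst_video_decoder_set_output_state` returning NULL and `gst_video_decoder_negotiate` returning FALSE), but the diff updates only the one call site in `gst_jpeg_dec_handle_frame`; please confirm there is no other caller still invoking it as if it were void, since an ignored gboolean produces no compiler warning. In the `negotiation_failed` label, `GST_FLOW_NOT_NEGOTIATED` is the right flow return for a caps problem, but it is paired with `GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, ...)`, which posts a fatal error on the bus; if the intent is to allow upstream to renegotiate, that should be a warning instead.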
@@ -0,0 +1,31 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 18:25:53 +0300 +Subject: matroskademux: Check for big enough WavPack codec private data before + accessing it +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eec4043430d30956ad4aea02a7b67a5758d99f11 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47602 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-250 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstE + guint8 *buf_data, *data; + Wavpack4Header wvh; + ++ if (!stream->codec_priv || stream->codec_priv_size < 2) { ++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data"); ++ return GST_FLOW_ERROR; ++ } ++ + wvh.ck_id[0] = 'w'; + wvh.ck_id[1] = 'v'; + wvh.ck_id[2] = 'p'; diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch 2024-12-21 13:32:49.000000000 +0000 
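Review bot: The new guard requires `codec_priv_size >= 2`, but the hunk does not show what is subsequently read from `stream->codec_priv`; add a comment naming the field those two bytes hold (the WavPack version, if that is what the following code reads) so the magic number stays tied to the access it protects and gets updated if more fields are read later. Returning `GST_FLOW_ERROR` here is consistent with the other error paths of this function shown in the companion patches.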
@@ -0,0 +1,39 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:04:51 +0300 +Subject: matroskademux: Don't take data out of an empty adapter when + processing WavPack frames +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2dcb071d4995032ed9242bb863189939b211f5cc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47601 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstE + } + gst_buffer_unmap (*buf, &map); + +- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ size = gst_adapter_available (adapter); ++ if (size > 0) { ++ newbuf = gst_adapter_take_buffer (adapter, size); ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ } else { ++ newbuf = NULL; ++ } + g_object_unref (adapter); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); + gst_buffer_unref (*buf); + *buf = newbuf; + diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch 2024-12-21 13:32:49.000000000 +0000 
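Review bot: Callers must now tolerate `*buf == NULL` together with a successful return, since the `else` branch sets `newbuf = NULL` whenever the adapter is empty and the function still reaches its normal exit; the companion patch matroskademux-Skip-over-laces-directly-when-postproc.patch adds exactly that `sub == NULL` check in `gst_matroska_demux_parse_blockgroup_or_simpleblock`, so the two patches must land together. Moving `gst_buffer_copy_into` inside the `size > 0` branch is correct: it is now executed only when `newbuf` exists, which is the NULL dereference the commit addresses.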
@@ -0,0 +1,21 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:33:39 +0300 +Subject: matroskademux: Fix off-by-one when parsing multi-channel WavPack +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/816a970a042c96669da25b7a046f0ab8311a78d9 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstE + data += 4; + size -= 4; + +- while (size > 12) { ++ while (size >= 12) { + flags = GST_READ_UINT32_LE (data); + data += 4; + size -= 4; diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch 2024-12-21 13:32:49.000000000 +0000 
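Review bot: Changing the loop condition to `size >= 12` is only safe if the body consumes exactly 12 bytes per iteration; the hunk shows `flags` (4 bytes) being read and `size -= 4`, but the remaining 8 bytes are outside the context lines, so please confirm the body reads two more 32-bit fields and nothing beyond them, otherwise the relaxed bound becomes a 4-byte over-read on the last block. A short comment above the loop naming the 12-byte block layout would make this check self-documenting.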
@@ -0,0 +1,48 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 16:32:48 +0300 +Subject: matroskademux: Only unmap GstMapInfo in WavPack header extraction + error paths if previously mapped +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a16851ebf34a9f9be4285b2c0d75fe7844354efe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47540 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-197 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstE + GstMatroskaTrackAudioContext *audiocontext = + (GstMatroskaTrackAudioContext *) stream; + GstBuffer *newbuf = NULL; +- GstMapInfo map, outmap; + guint8 *buf_data, *data; + Wavpack4Header wvh; + +@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstE + + if (audiocontext->channels <= 2) { + guint32 block_samples, tmp; ++ GstMapInfo outmap; + gsize size = gst_buffer_get_size (*buf); + + if (size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); +- gst_buffer_unmap (*buf, &map); + return GST_FLOW_ERROR; + } + +@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstE + *buf = newbuf; + audiocontext->wvpk_block_index += block_samples; + } else { ++ GstMapInfo map, outmap; + guint8 *outdata = NULL; + gsize buf_size, size; + guint32 block_samples, flags, crc; diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
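Review bot: Moving `map` and `outmap` into the branches that actually map the buffer is the right fix: it turns the previous bug (unmapping a never-mapped `GstMapInfo` on the `size < 4` error path) into a compile error for any future error path in the `channels <= 2` branch that references `map`. Please double-check that no other `goto` or return in that first branch still calls `gst_buffer_unmap (*buf, &map)`, since the hunk shows only the one removal; because `map` is now scoped to the `else` branch, a clean build is sufficient confirmation.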
gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch 2024-12-21 13:32:49.000000000 +0000 @@ -0,0 +1,31 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 9 Oct 2024 11:52:52 -0400 +Subject: matroskademux: Put a copy of the codec data into the A_MS/ACM caps +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2c9abe111bd9122967784ef2b55c9017dc2682b8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47834 + +The original codec data buffer is owned by matroskademux and does not +necessarily live as long as the caps. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-280 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -7151,8 +7151,7 @@ gst_matroska_demux_audio_caps (GstMatros + + /* 18 is the waveformatex size */ + if (size > 18) { +- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, +- data + 18, size - 18, 0, size - 18, NULL, NULL); ++ codec_data = gst_buffer_new_memdup (data + 18, size - 18); + } + + if (riff_audio_fmt) diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch 2024-12-21 13:32:49.000000000 +0000 
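Review bot: Replacing `gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY, data + 18, size - 18, 0, size - 18, NULL, NULL)` with `gst_buffer_new_memdup (data + 18, size - 18)` is the correct fix: the old call created a buffer that borrowed `data` with no `notify` to keep it alive, so the caps could outlive the demuxer's codec private data and hand downstream elements a dangling pointer. The unchanged `size > 18` guard keeps `size - 18` positive. It would be worth grepping the demuxer for other `gst_buffer_new_wrapped_full (..., NULL, NULL)` uses on `codec_priv`-derived pointers, since the same lifetime assumption would be wrong there too.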
@@ -0,0 +1,40 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:06:03 +0300 +Subject: matroskademux: Skip over laces directly when postprocessing the frame + fails +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e5ffa9c9778454457665c1ee1c5bcc17ed3537ac +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47601 + +Otherwise NULL buffers might be handled afterwards. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-249 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865 + +Part-of: +--- + .../gst-plugins-good/gst/matroska/matroska-demux.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_s + if (stream->postprocess_frame) { + GST_LOG_OBJECT (demux, "running post process"); + ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub); ++ if (ret != GST_FLOW_OK) { ++ gst_clear_buffer (&sub); ++ goto next_lace; ++ } ++ ++ if (sub == NULL) { ++ GST_WARNING_OBJECT (demux, ++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT ++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp), ++ stream_num); ++ goto next_lace; ++ } + } + + /* At this point, we have a sub-buffer pointing at data within a larger diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch --- gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch 2024-12-21 13:32:49.000000000 +0000 
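Review bot: In the `ret != GST_FLOW_OK` branch the error is swallowed silently and parsing continues with the next lace, whereas the `sub == NULL` branch at least emits a `GST_WARNING_OBJECT`; add a log line to the first branch as well, and clarify whether `ret` is reset to `GST_FLOW_OK` before the function returns, otherwise one failed lace is reported as a failure of the whole block even though the remaining laces were processed. The `gst_clear_buffer (&sub)` before the `goto` is needed because `postprocess_frame` may leave a buffer in `sub` on error.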
@@ -0,0 +1,31 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Mon, 30 Sep 2024 19:19:42 +0300 +Subject: matroskademux: Skip over zero-sized Xiph stream headers +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/09803e225de515c8881fd13ed464c23771a4d1a6 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47603 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-251 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867 + +Part-of: +--- + subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/gst/matroska/matroska-ids.c ++++ b/gst/matroska/matroska-ids.c +@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers ( + if (offset + length[i] > codec_data_size) + goto error; + +- hdr = gst_buffer_new_memdup (p + offset, length[i]); +- gst_buffer_list_add (list, hdr); ++ if (length[i] > 0) { ++ hdr = gst_buffer_new_memdup (p + offset, length[i]); ++ gst_buffer_list_add (list, hdr); ++ } + + offset += length[i]; + } diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch 2024-12-21 13:32:49.000000000 +0000 
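Review bot: Skipping a zero-length entry silently changes the number of buffers in the returned list, so a consumer expecting the usual three Xiph headers now sees fewer entries rather than an empty buffer; a `GST_DEBUG` or `GST_WARNING` line in the skipped case would make such inputs visible in logs. The preceding bounds check `offset + length[i] > codec_data_size` is unchanged; if `offset` and `length[i]` are 32-bit, that sum can still wrap for a hostile `length[i]`, so it may be worth the overflow-aware form used in the avisubtitle patch (`codec_data_size - offset < length[i]`).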
@@ -0,0 +1,89 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:39:30 +0300 +Subject: qtdemux: Actually handle errors returns from various functions + instead of ignoring them +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/83056792a8bd179d7e4ba4b3d234ab75205e47d2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47597 + +Ignoring them might cause the element to continue as if all is fine despite the +internal state being inconsistent. This can lead to all kinds of follow-up +issues, including memory safety issues. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 29 +++++++++++++++---- + 1 file changed, 23 insertions(+), 6 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -4811,10 +4811,15 @@ gst_qtdemux_loop_state_header (GstQTDemu + beach: + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { + /* digested all data, show what we have */ +- qtdemux_prepare_streams (qtdemux); ++ ret = qtdemux_prepare_streams (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; ++ + QTDEMUX_EXPOSE_LOCK (qtdemux); + ret = qtdemux_expose_streams (qtdemux); + QTDEMUX_EXPOSE_UNLOCK (qtdemux); ++ if (ret != GST_FLOW_OK) ++ return ret; + + qtdemux->state = QTDEMUX_STATE_MOVIE; + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", +@@ -7464,13 +7469,21 @@ gst_qtdemux_process_adapter (GstQTDemux + gst_qtdemux_stream_concat (demux, + demux->old_streams, demux->active_streams); + +- qtdemux_parse_moov (demux, data, demux->neededbytes); ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { ++ ret = GST_FLOW_ERROR; ++ break; ++ } + qtdemux_node_dump (demux, demux->moov_node); + qtdemux_parse_tree (demux); +- qtdemux_prepare_streams (demux); ++ ret = qtdemux_prepare_streams (demux); ++ if 
(ret != GST_FLOW_OK) ++ break; ++ + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ break; + + demux->got_moov = TRUE; + +@@ -7561,8 +7574,10 @@ gst_qtdemux_process_adapter (GstQTDemux + /* in MSS we need to expose the pads after the first moof as we won't get a moov */ + if (demux->mss_mode && !demux->exposed) { + QTDEMUX_EXPOSE_LOCK (demux); +- qtdemux_expose_streams (demux); ++ ret = qtdemux_expose_streams (demux); + QTDEMUX_EXPOSE_UNLOCK (demux); ++ if (ret != GST_FLOW_OK) ++ goto done; + } + + gst_qtdemux_check_send_pending_segment (demux); +@@ -13589,8 +13604,10 @@ qtdemux_prepare_streams (GstQTDemux * qt + + /* parse the initial sample for use in setting the frame rate cap */ + while (sample_num == 0 && sample_num < stream->n_samples) { +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { ++ ret = GST_FLOW_ERROR; + break; ++ } + ++sample_num; + } + } diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch 2024-12-21 13:32:49.000000000 +0000 
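Review bot: In the `gst_qtdemux_process_adapter` hunk, `qtdemux_parse_moov` and `qtdemux_prepare_streams` now have their results checked, but `qtdemux_parse_tree (demux)` between them is still called without looking at its return value; if it reports failure, the streams are prepared from a partially parsed tree, which is exactly the inconsistent-state situation the commit message warns about.

Review bot: In the `qtdemux_prepare_streams` hunk, `ret = GST_FLOW_ERROR; break;` leaves only the inner `while (sample_num == 0 && ...)` loop; please confirm the enclosing per-stream loop also stops, or that `ret` is not overwritten by a later iteration, otherwise the error set here can be lost before the function returns.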
@@ -0,0 +1,29 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:31:36 +0300 +Subject: qtdemux: Add size check for parsing SMI / SEQH atom +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8603e78a07a307139fd45ee11e7623de01494bf3 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47596 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-244 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -10545,8 +10545,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom " + " found, ignoring"); + } else { ++ /* Note: The size does *not* include the fourcc and the size field itself */ + seqh_size = QT_UINT32 (data + 4); +- if (seqh_size > 0) { ++ if (seqh_size > 0 && seqh_size <= size - 8) { + _seqh = gst_buffer_new_and_alloc (seqh_size); + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); + } diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch 2024-12-21 13:32:49.000000000 +0000 
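Review bot: `seqh_size <= size - 8` relies on `size >= 8` having been established earlier; the code already reads `QT_UINT32 (data + 4)`, so a smaller `size` would be a bug regardless, but please confirm the caller checks it, otherwise `size - 8` wraps to a huge unsigned value and the new check is a no-op for precisely the inputs it is meant to reject. The added comment about the size excluding the fourcc and size field is helpful; consider also stating that `size` is the number of bytes remaining from `data`.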
@@ -0,0 +1,36 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 22:16:06 +0300 +Subject: qtdemux: Avoid integer overflow when parsing Theora extension +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2d7a11f5e6be5c323b2fed8158bc9df37752e495 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47606 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-166 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -8172,7 +8172,7 @@ qtdemux_parse_theora_extension (GstQTDem + end -= 8; + + while (buf < end) { +- gint size; ++ guint32 size; + guint32 type; + + size = QT_UINT32 (buf); +@@ -8180,7 +8180,7 @@ qtdemux_parse_theora_extension (GstQTDem + + GST_LOG_OBJECT (qtdemux, "%p %p", buf, end); + +- if (buf + size > end || size <= 0) ++ if (end - buf < size || size < 8) + break; + + buf += 8; diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch 2024-12-21 13:32:49.000000000 +0000 
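Review bot: The `size < 8` half of the new test is the important one: the old `size <= 0` check accepted sizes 1..7, which are smaller than the 8-byte header that `buf += 8` skips unconditionally, so the atom walk could step past the data it had just validated. Rewriting the bound as `end - buf < size` instead of `buf + size > end` also avoids forming an out-of-range pointer, which is undefined behaviour in C and something compilers are free to optimise in surprising ways; with `size` now `guint32` the comparison is well defined on 64-bit targets, and on a 32-bit target the `ptrdiff_t` is converted to unsigned, which remains safe because the loop condition guarantees `buf < end`.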
@@ -0,0 +1,28 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 19:16:19 +0300 +Subject: qtdemux: Check for invalid atom length when extracting Closed Caption + data +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f31dbbc1bcc00096ab863ee6aaecad493c71c333 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47546 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-243 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5780,7 +5780,7 @@ extract_cc_from_data (QtDemuxStream * st + goto invalid_cdat; + atom_length = QT_UINT32 (data); + fourcc = QT_FOURCC (data + 4); +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) + goto invalid_cdat; + + GST_DEBUG_OBJECT (stream->pad, "here"); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch 2024-12-21 13:32:49.000000000 +0000 
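Review bot: in qtdemux-Check-for-invalid-atom-length-when-extractin.patch, widening `atom_length == 8` to `atom_length <= 8` also rejects atom lengths below the 8-byte header, which the neighbouring `atom_length > size` test alone does not catch; the bound is correct. Adjacent but untouched: the `GST_DEBUG_OBJECT (stream->pad, "here")` two lines below is a leftover trace message; printing `atom_length` and `fourcc` there instead would make an `invalid_cdat` rejection diagnosable from the log.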
@@ -0,0 +1,54 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 15:50:54 +0300 +Subject: qtdemux: Check sizes of stsc/stco/stts before trying to merge entries +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1def2965d8da8cc74ab0036d7f8d59e81e676cad +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47598 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-246 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -9392,6 +9392,21 @@ qtdemux_merge_sample_table (GstQTDemux * + return; + } + ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); ++ return; ++ } ++ ++ if (stream->stco.size < 8) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); ++ return; ++ } ++ ++ if (stream->n_samples_per_chunk == 0) { ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); ++ return; ++ } ++ + /* Parse the stts to get the sample duration and number of samples */ + gst_byte_reader_skip_unchecked (&stream->stts, 4); + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); +@@ -9403,6 +9418,13 @@ qtdemux_merge_sample_table (GstQTDemux * + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration, + num_chunks); + ++ if (gst_byte_reader_get_remaining (&stream->stsc) < ++ stream->n_samples_per_chunk * 3 * 4 + ++ (stream->n_samples_per_chunk - 1) * 4) { ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); ++ return; ++ } ++ + /* Now parse stsc, convert chunks into single samples and generate a + * new stsc, stts and stsz from this information */ + gst_byte_writer_init (&stsc); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch 
gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch 2024-12-21 13:32:49.000000000 +0000 @@ -0,0 +1,27 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:41:39 +0300 +Subject: qtdemux: Don't iterate over all trun entries if none of the flags are + set +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eb7f9331c2294bc28a549b79c9f931c3e6c6bc44 + +Nothing would be printed anyway. + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/gst/isomp4/qtdemux_dump.c ++++ b/gst/isomp4/qtdemux_dump.c +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, + GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags); + } + ++ /* Nothing to print below */ ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) ++ return TRUE; ++ + for (i = 0; i < samples_count; i++) { + if (flags & TR_SAMPLE_DURATION) { + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch 2024-12-21 13:32:49.000000000 +0000 
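Review bot: in qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch, first hunk: the `stream->n_samples_per_chunk == 0` early return is what keeps the `(stream->n_samples_per_chunk - 1) * 4` term in the second hunk from underflowing, but nothing ties the two together; a comment on the zero check saying the stsc size computation below depends on it would prevent someone reordering or removing it. The three guards also measure different things: `gst_byte_reader_get_remaining (&stream->stts)` for stts but `stream->stco.size` for stco. If stco can have been advanced before this point, `gst_byte_reader_get_remaining` would be the consistent check.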
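Review bot: in qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch, second hunk: the required-size expression `stream->n_samples_per_chunk * 3 * 4 + (stream->n_samples_per_chunk - 1) * 4` is evaluated in the width of `n_samples_per_chunk`; if that is a 32-bit count taken from the file, any value at or above 2^28 makes the product wrap and the comparison against `gst_byte_reader_get_remaining (&stream->stsc)` passes for a too-small stsc. Compute the bound in guint64, or use `g_uint_checked_mul` the way the sibling qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch uses `g_uint_checked_add`.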
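Review bot: in qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch, the commit message undersells the change: "Nothing would be printed anyway" is true, but the loop bound `samples_count` is a value parsed from the trun box, so without the early return a file could make `qtdemux_dump_trun` spin through an arbitrarily large count doing nothing. Saying that in the message (and in the `/* Nothing to print below */` comment) records why the shortcut is a robustness fix and not just a cosmetic one.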
@@ -0,0 +1,64 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 18:40:56 +0300 +Subject: qtdemux: Fix debug output during trun parsing +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/812f175c580a2e702581859fd481c8f51d633508 + +Various integers are unsigned so print them as such. Also print the actual +allocation size if allocation fails, not only parts of it. + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3338,8 +3338,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + gint64 initial_offset; + gint32 min_ct = 0; + +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", " ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", " + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, + d_sample_size, d_sample_flags, *base_offset, decode_ts); + +@@ -3367,7 +3367,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + /* note this is really signed */ + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) + goto fail; +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); + /* default base offset = first byte of moof */ + if (*base_offset == -1) { + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); +@@ -3389,7 +3389,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, + *running_offset); +- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d", ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", + data_offset, flags, samples_count); + + if (flags & TR_FIRST_SAMPLE_FLAGS) { +@@ -3598,14 +3598,15 @@ fail: + } + out_of_memory: + { +- GST_WARNING_OBJECT (qtdemux, 
"failed to allocate %d samples", +- stream->n_samples); ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", ++ stream->n_samples, samples_count); + return FALSE; + } + index_too_big: + { +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would " +- "be larger than %uMB (broken file?)", stream->n_samples, ++ GST_WARNING_OBJECT (qtdemux, ++ "not allocating index of %u + %u samples, would " ++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count, + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); + return FALSE; + } diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch 2024-12-21 13:32:49.000000000 +0000 
@@ -0,0 +1,47 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 09:47:50 +0300 +Subject: qtdemux: Fix error handling when parsing cenc sample groups fails +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8e884e4e31649a9fc19095d6501a1143b074aba8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47544 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846 + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 25 ++++++++++++++----- + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11316,12 +11316,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + if (stream->subtype != FOURCC_soun) { + GST_ERROR_OBJECT (qtdemux, + "Unexpeced stsd type 'aavd' outside 'soun' track"); ++ goto corrupt_file; + } else { + /* encrypted audio with sound sample description v0 */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + } + +@@ -11330,8 +11333,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + * with the same type */ + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); + stream->protected = TRUE; +- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) ++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) { + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info"); ++ goto corrupt_file; ++ } + } + + if (stream->subtype == FOURCC_vide) { diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch 
gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch 2024-12-21 13:32:49.000000000 +0000 
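Review bot: in qtdemux-Fix-debug-output-during-trun-parsing.patch, the hunks at 3367 and 3389 change the format for `data_offset` to `%u`, but the line right above the first of them reads it with `gst_byte_reader_get_int32_be` under the comment `/* note this is really signed */`; a negative data offset would now be logged as a large positive number. Keep `%d` for `data_offset` in both places and apply `%u` only to the unsigned fields (`track_id`, `d_sample_duration`, `d_sample_size`, `samples_count`). The `out_of_memory` / `index_too_big` change is good: `stream->n_samples` alone did not show the allocation that actually failed.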
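Review bot: in qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch, both new failure paths log the identical string "Failed to parse protection scheme info", one for `qtdemux_parse_protection_aavd` and one for `qtdemux_parse_protection_scheme_info`; include the fourcc or the parser name so a `corrupt_file` bail-out can be attributed from the log. While touching this block, the context line "Unexpeced stsd type 'aavd' outside 'soun' track" has a typo ("Unexpected"). Also note that the first `goto corrupt_file` fires before `stream->protected = TRUE`, the other two after it; confirm the `corrupt_file` label does not depend on that flag matching the rest of the stream state.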
@@ -0,0 +1,55 @@ +From: Antonio Morales +Date: Thu, 26 Sep 2024 18:39:37 +0300 +Subject: qtdemux: Fix integer overflow when allocating the samples table for + fragmented MP4 +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47537 + +This can lead to out of bounds writes and NULL pointer dereferences. + +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -3332,6 +3332,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + gint i; + guint8 *data; + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0; ++ guint new_n_samples; + QtDemuxSample *sample; + gboolean ismv = FALSE; + gint64 initial_offset; +@@ -3432,14 +3433,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + goto fail; + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); + +- if (stream->n_samples + samples_count >= +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) || ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) + goto index_too_big; + + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), +- (stream->n_samples + samples_count) * +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); ++ new_n_samples, (guint) sizeof (QtDemuxSample), ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); + + /* create a new array of samples if it's the first sample parsed */ + if (stream->n_samples == 0) { +@@ -3448,7 +3448,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux + /* or try to reallocate it 
with space enough to insert the new samples */ + } else + stream->samples = g_try_renew (QtDemuxSample, stream->samples, +- stream->n_samples + samples_count); ++ new_n_samples); + if (stream->samples == NULL) + goto out_of_memory; + diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch 2024-12-21 13:32:49.000000000 +0000 
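Review bot: in qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch, `g_uint_checked_add` closes the `stream->n_samples + samples_count` wrap, but the following `new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)` is what keeps `new_n_samples * sizeof (QtDemuxSample)` inside `gsize` for the `g_try_renew`; the two tests are both needed and their order matters, because a wrapped `new_n_samples` would otherwise slip past the second one. A short comment saying so would protect the ordering. Minor: `(new_n_samples) * sizeof (QtDemuxSample)` in the debug line has redundant parentheses.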
@@ -0,0 +1,418 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 00:12:57 +0300 +Subject: qtdemux: Fix length checks and offsets in stsd entry parsing +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe9d5d37234aca04fef7248184177168905a7a69 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47545 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-242 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845 + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 218 +++++++----------- + 1 file changed, 79 insertions(+), 139 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -11595,40 +11595,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + case FOURCC_avc1: + case FOURCC_avc3: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *avc_data = stsd_entry_data + 0x56; + + /* find avcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (avc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (avc_data) <= len) +- size = QT_UINT32 (avc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (avc_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + +- switch (QT_FOURCC (avc_data + 0x4)) { ++ switch (QT_FOURCC (avc_data + 4)) { + case FOURCC_avcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are profile_tier_level structure like data. 
*/ + gst_codec_utils_h264_caps_set_level_and_profile (entry->caps, +- avc_data + 8 + 1, size - 1); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 0x8, size); ++ avc_data + 8 + 1, size - 8 - 1); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -11639,6 +11634,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + { + GstBuffer *buf; + ++ if (size < 8 + 40 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes +@@ -11646,17 +11644,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + * next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. */ + +- size -= 40; /* we'll be skipping BITMAPINFOHEADER */ +- if (size > 1) { +- gst_codec_utils_h264_caps_set_level_and_profile +- (entry->caps, avc_data + 8 + 40 + 1, size - 1); ++ gst_codec_utils_h264_caps_set_level_and_profile ++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size); +- gst_caps_set_simple (entry->caps, +- "codec_data", GST_TYPE_BUFFER, buf, NULL); +- gst_buffer_unref (buf); +- } ++ buf = gst_buffer_new_and_alloc (size - 8 - 40); ++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40); ++ gst_caps_set_simple (entry->caps, ++ "codec_data", GST_TYPE_BUFFER, buf, NULL); ++ gst_buffer_unref (buf); + break; + } + case FOURCC_btrt: +@@ -11664,11 +11659,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + guint avg_bitrate, max_bitrate; + + /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */ +- if (size < 12) ++ if (size < 8 + 12) + break; + +- max_bitrate = QT_UINT32 (avc_data + 0xc); +- avg_bitrate = QT_UINT32 (avc_data + 0x10); ++ max_bitrate = QT_UINT32 (avc_data + 8 + 4); ++ avg_bitrate = 
QT_UINT32 (avc_data + 8 + 8); + + if (!max_bitrate && !avg_bitrate) + break; +@@ -11700,8 +11695,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + break; + } + +- len -= size + 8; +- avc_data += size + 8; ++ len -= size; ++ avc_data += size; + } + + break; +@@ -11712,41 +11707,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + case FOURCC_dvh1: + case FOURCC_dvhe: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *hevc_data = stsd_entry_data + 0x56; + + /* find hevc */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (hevc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (hevc_data) <= len) +- size = QT_UINT32 (hevc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (hevc_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + +- switch (QT_FOURCC (hevc_data + 0x4)) { ++ switch (QT_FOURCC (hevc_data + 4)) { + case FOURCC_hvcC: + { + /* parse, if found */ + GstBuffer *buf; + ++ if (size < 8 + 1) ++ break; ++ + GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd"); + + /* First 4 bytes are the length of the atom, the next 4 bytes + * are the fourcc, the next 1 byte is the version, and the + * subsequent bytes are sequence parameter set like data. 
*/ + gst_codec_utils_h265_caps_set_level_tier_and_profile +- (entry->caps, hevc_data + 8 + 1, size - 1); ++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1); + +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, hevc_data + 0x8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -11755,8 +11745,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + default: + break; + } +- len -= size + 8; +- hevc_data += size + 8; ++ len -= size; ++ hevc_data += size; + } + break; + } +@@ -12136,33 +12126,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + } + case FOURCC_vc_1: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *vc1_data = stsd_entry_data + 0x56; + + /* find dvc1 */ + while (len >= 8) { +- guint size; +- +- if (QT_UINT32 (vc1_data) <= 8) +- size = 0; +- else if (QT_UINT32 (vc1_data) <= len) +- size = QT_UINT32 (vc1_data) - 8; +- else +- size = len - 8; ++ guint32 size = QT_UINT32 (vc1_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + +- switch (QT_FOURCC (vc1_data + 0x4)) { ++ switch (QT_FOURCC (vc1_data + 4)) { + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): + { + GstBuffer *buf; + + GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd"); +- buf = gst_buffer_new_and_alloc (size); +- gst_buffer_fill (buf, 0, vc1_data + 8, size); ++ buf = gst_buffer_new_and_alloc (size - 8); ++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12171,33 +12153,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + default: + break; + } +- len -= size + 8; +- vc1_data += size + 8; ++ len -= size; ++ vc1_data += size; + } + break; + } + case FOURCC_av01: + { +- 
guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 0 : len - 0x56; + const guint8 *av1_data = stsd_entry_data + 0x56; + + /* find av1C */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (av1_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (av1_data) <= len) +- size = QT_UINT32 (av1_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (av1_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + +- switch (QT_FOURCC (av1_data + 0x4)) { ++ switch (QT_FOURCC (av1_data + 4)) { + case FOURCC_av1C: + { + /* parse, if found */ +@@ -12208,7 +12182,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + "found av1C codec_data in stsd of size %d", size); + + /* not enough data, just ignore and hope for the best */ +- if (size < 5) ++ if (size < 8 + 5) + break; + + /* Content is: +@@ -12234,10 +12208,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + "presentation-delay", G_TYPE_INT, + (gint) (pres_delay_field & 0x0F) + 1, NULL); + } +- if (size > 5) { +- buf = gst_buffer_new_and_alloc (size - 5); ++ if (size > 8 + 5) { ++ buf = gst_buffer_new_and_alloc (size - 8 - 5); + GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER); +- gst_buffer_fill (buf, 0, av1_data + 13, size - 5); ++ gst_buffer_fill (buf, 0, av1_data + 13, size - 8 - 5); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12248,8 +12222,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + break; + } + +- len -= size + 8; +- av1_data += size + 8; ++ len -= size; ++ av1_data += size; + } + + break; +@@ -12260,26 +12234,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + * vp08, vp09, and vp10 fourcc. */ + case FOURCC_vp09: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= 0x56 ? 
0 : len - 0x56; + const guint8 *vpcc_data = stsd_entry_data + 0x56; + + /* find vpcC */ +- while (len >= 0x8) { +- guint size; +- +- if (QT_UINT32 (vpcc_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (vpcc_data) <= len) +- size = QT_UINT32 (vpcc_data) - 0x8; +- else +- size = len - 0x8; ++ while (len >= 8) { ++ guint32 size = QT_UINT32 (vpcc_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + +- switch (QT_FOURCC (vpcc_data + 0x4)) { ++ switch (QT_FOURCC (vpcc_data + 4)) { + case FOURCC_vpcC: + { + const gchar *profile_str = NULL; +@@ -12295,7 +12261,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + + /* the meaning of "size" is length of the atom body, excluding + * atom length and fourcc fields */ +- if (size < 12) ++ if (size < 8 + 12) + break; + + /* Content is: +@@ -12401,8 +12367,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + break; + } + +- len -= size + 8; +- vpcc_data += size + 8; ++ len -= size; ++ vpcc_data += size; + } + + break; +@@ -12733,7 +12699,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + } + case FOURCC_wma_: + { +- guint len = QT_UINT32 (stsd_entry_data); ++ guint32 len = QT_UINT32 (stsd_entry_data); + len = len <= offset ? 
0 : len - offset; + const guint8 *wfex_data = stsd_entry_data + offset; + const gchar *codec_name = NULL; +@@ -12758,17 +12724,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + + /* find wfex */ + while (len >= 8) { +- guint size; +- +- if (QT_UINT32 (wfex_data) <= 0x8) +- size = 0; +- else if (QT_UINT32 (wfex_data) <= len) +- size = QT_UINT32 (wfex_data) - 8; +- else +- size = len - 8; ++ guint32 size = QT_UINT32 (wfex_data); + +- if (size < 1) +- /* No real data, so break out */ ++ if (size < 8 || size > len) + break; + + switch (QT_FOURCC (wfex_data + 4)) { +@@ -12814,12 +12772,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + "width", G_TYPE_INT, wfex.wBitsPerSample, + "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL); + +- if (size > wfex.cbSize) { ++ if (size > 8 + wfex.cbSize) { + GstBuffer *buf; + +- buf = gst_buffer_new_and_alloc (size - wfex.cbSize); ++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize); + gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, +- size - wfex.cbSize); ++ size - 8 - wfex.cbSize); + gst_caps_set_simple (entry->caps, + "codec_data", GST_TYPE_BUFFER, buf, NULL); + gst_buffer_unref (buf); +@@ -12836,8 +12794,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + default: + break; + } +- len -= size + 8; +- wfex_data += size + 8; ++ len -= size; ++ wfex_data += size; + } + break; + } diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch 2024-12-21 13:32:49.000000000 +0000 
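Review bot: in qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch, first hunk (avc1/avc3): every read in the child-atom loop is bounded by `len`, which is `QT_UINT32 (stsd_entry_data)` minus 0x56, i.e. a length taken from the file itself. The hunk does not show `len` being clamped to the bytes actually remaining in the enclosing stsd box; if that clamp does not exist upstream of this block, an oversized entry length lets `size > len` pass for atoms that extend past the real buffer. Worth confirming, since the same pattern is repeated for hvc1, vc_1, av01, vp09 and wma_ in the later hunks.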
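Review bot: in qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch, strf hunk: the new bound `size < 8 + 40 + 1` admits a 49-byte atom, which passes a zero-length buffer to `gst_codec_utils_h264_caps_set_level_and_profile (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1)`; the removed code required at least two bytes (`size > 1` after the `size -= 40`). The same applies to the `size < 8 + 1` checks for avcC and hvcC. If the caps helpers tolerate `len == 0` this is harmless; otherwise use `<=` so the helper is never called with an empty buffer.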
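Review bot: in qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch, av1C hunk: `size` is now `guint32` but the context line still logs it with `"found av1C codec_data in stsd of size %d", size`; switch to `%u`, in line with what qtdemux-Fix-debug-output-during-trun-parsing.patch does elsewhere in this series, and note that the logged value now includes the 8-byte header.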
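Review bot: in qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch, vpcC hunk: the comment `/* the meaning of "size" is length of the atom body, excluding atom length and fourcc fields */` is now wrong, since `size` is the full atom size and the check directly below it reads `size < 8 + 12`. Update or drop the comment; a stale statement about what `size` means is exactly what led to the off-by-header mistakes this patch is fixing.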
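Review bot: in qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch, wfex hunk: the corrected `if (size > 8 + wfex.cbSize)` and `gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, size - 8 - wfex.cbSize)` keep the copy inside the atom, but they use `wfex.cbSize` as an offset to skip rather than as the length of the extra bytes that follow the WAVEFORMATEX structure, which is what that field denotes. That is pre-existing, not introduced here, but since the offsets in this block are being revisited it deserves a second look.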
@@ -0,0 +1,111 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 14:17:02 +0300 +Subject: qtdemux: Make sure enough data is available before reading wave + header node +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8ef08a7a41da987aa630082df355ea651aa09132 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47543 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-236 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 + +Part-of: +--- + .../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++--------- + 1 file changed, 45 insertions(+), 39 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -12935,47 +12935,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux + } else { + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); + const guint8 *data = stsd_entry_data + offset + 16; +- GNode *wavenode; +- GNode *waveheadernode; + +- wavenode = g_node_new ((guint8 *) data); +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { +- const guint8 *waveheader; +- guint32 headerlen; +- +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc); +- if (waveheadernode) { +- waveheader = (const guint8 *) waveheadernode->data; +- headerlen = QT_UINT32 (waveheader); +- +- if (headerlen > 8) { +- gst_riff_strf_auds *header = NULL; +- GstBuffer *headerbuf; +- GstBuffer *extra; +- +- waveheader += 8; +- headerlen -= 8; +- +- headerbuf = gst_buffer_new_and_alloc (headerlen); +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); +- +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), +- headerbuf, &header, &extra)) { +- gst_caps_unref (entry->caps); +- /* FIXME: Need to do something with the channel reorder map */ +- entry->caps = +- gst_riff_create_audio_caps (header->format, NULL, header, +- extra, NULL, NULL, NULL); +- +- if (extra) +- gst_buffer_unref (extra); +- g_free (header); ++ if (len < datalen || len - 
datalen < offset + 16) { ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode"); ++ } else { ++ GNode *wavenode; ++ GNode *waveheadernode; ++ ++ wavenode = g_node_new ((guint8 *) data); ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { ++ const guint8 *waveheader; ++ guint32 headerlen; ++ ++ waveheadernode = ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); ++ if (waveheadernode) { ++ waveheader = (const guint8 *) waveheadernode->data; ++ headerlen = QT_UINT32 (waveheader); ++ ++ if (headerlen > 8) { ++ gst_riff_strf_auds *header = NULL; ++ GstBuffer *headerbuf; ++ GstBuffer *extra; ++ ++ waveheader += 8; ++ headerlen -= 8; ++ ++ headerbuf = gst_buffer_new_and_alloc (headerlen); ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); ++ ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), ++ headerbuf, &header, &extra)) { ++ gst_caps_unref (entry->caps); ++ /* FIXME: Need to do something with the channel reorder map */ ++ entry->caps = ++ gst_riff_create_audio_caps (header->format, NULL, ++ header, extra, NULL, NULL, NULL); ++ ++ if (extra) ++ gst_buffer_unref (extra); ++ g_free (header); ++ } + } +- } +- } else +- GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } else ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); ++ } ++ g_node_destroy (wavenode); + } +- g_node_destroy (wavenode); + } + } else if (esds) { + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch 2024-12-21 13:32:49.000000000 +0000 
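Review bot: in qtdemux-Make-sure-enough-data-is-available-before-re.patch, the guard `len < datalen || len - datalen < offset + 16` is written to avoid overflow in `offset + 16 + datalen`, good, but it runs after `datalen = QT_UINT32 (stsd_entry_data + offset + 16)` has already read four bytes at that position; nothing in the hunk shows a prior `len >= offset + 20` check, and with `datalen == 0` the new guard only establishes `len >= offset + 16`. Move a check for the four size bytes ahead of the read, or make the guard require `offset + 20`. Style: wrapping the whole existing block in an `else` re-indents some forty lines and obscures the one-line fix; an early `GST_WARNING_OBJECT` plus `goto`/skip would keep the diff reviewable.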
@@ -0,0 +1,36 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 26 Sep 2024 09:20:28 +0300 +Subject: qtdemux: Make sure only an even number of bytes is processed when + handling CEA608 data +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47539 + +An odd number of bytes would lead to out of bound reads and writes, and doesn't +make any sense as CEA608 comes in byte pairs. + +Strip off any leftover bytes and assume everything before that is valid. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-195 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -5737,6 +5737,11 @@ convert_to_s334_1a (const guint8 * ccpai + guint8 *storage; + gsize i; + ++ /* Strip off any leftover odd bytes and assume everything before is valid */ ++ if (ccpair_size % 2 != 0) { ++ ccpair_size -= 1; ++ } ++ + /* We are converting from pairs to triplets */ + *res = ccpair_size / 2 * 3; + storage = g_malloc (*res); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch --- gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch 2024-12-21 13:32:49.000000000 +0000 
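Review bot: in qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch, the decrement of `ccpair_size` silently drops the trailing byte; since the commit message says an odd count "doesn't make any sense" for CEA608, emit a `GST_WARNING` (or at least `GST_DEBUG`) at that point so malformed input shows up in logs instead of being swallowed. Deriving `*res = ccpair_size / 2 * 3` from the already-truncated size keeps the output length consistent with what is actually converted, which is the right order.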
@@ -0,0 +1,41 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 27 Sep 2024 10:38:50 +0300 +Subject: qtdemux: Make sure there are enough offsets to read when parsing + samples +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7f8f280555201f51898727919831259e68271868 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47597 + +While this specific case is also caught when initializing co_chunk, the error +is ignored in various places and calling into the function would lead to out of +bounds reads if the error message doesn't cause the pipeline to be shut down +fast enough. + +To avoid this, no matter what, make sure enough offsets are available when +parsing them. While this is potentially slower, the same is already done in the +non-chunks_are_samples case. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-245 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 + +Part-of: +--- + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/gst/isomp4/qtdemux.c ++++ b/gst/isomp4/qtdemux.c +@@ -9982,9 +9982,9 @@ qtdemux_parse_samples (GstQTDemux * qtde + goto done; + } + +- cur->offset = +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, +- stream->co_size); ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, ++ stream->co_size, &cur->offset)) ++ goto corrupt_file; + + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " + "%" G_GUINT64_FORMAT, j, cur->offset); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/series gst-plugins-good1.0-1.22.0/debian/patches/series --- gst-plugins-good1.0-1.22.0/debian/patches/series 2023-06-29 14:49:30.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/series 2024-12-21 13:32:49.000000000 +0000 
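Review bot: in qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch, replacing `qt_atom_parser_get_offset_unchecked` with the checked variant is the right fix, but the new `goto corrupt_file` leaves the loop with `cur` partially filled while the `goto done` path a few lines above presumably finalises the table; confirm the `corrupt_file` label tolerates a half-built sample table reached from inside this loop. The commit message's rationale (the earlier co_chunk error is ignored in places, so the parse path must be safe on its own) belongs in a code comment next to the checked call so nobody reverts it to the unchecked version for speed.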
@@ -1,2 +1,32 @@ Skip-failing-tests.patch GST-2023-0001.patch +qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch +jpegdec-Directly-error-out-on-negotiation-failures.patch +gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch +wavparse-Check-for-short-reads-when-parsing-headers-.patch +wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch +wavparse-Fix-parsing-of-acid-chunk.patch +wavparse-Check-that-at-least-4-bytes-are-available-b.patch +wavparse-Check-that-at-least-32-bytes-are-available-.patch +wavparse-Fix-clipping-of-size-to-the-file-size.patch +wavparse-Check-size-before-reading-ds64-chunk.patch +avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch +matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch +matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch +matroskademux-Check-for-big-enough-WavPack-codec-pri.patch +matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch +matroskademux-Skip-over-laces-directly-when-postproc.patch +matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch +matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch +qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch +qtdemux-Fix-debug-output-during-trun-parsing.patch +qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch +qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch +qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch +qtdemux-Make-sure-enough-data-is-available-before-re.patch +qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch +qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch +qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch +qtdemux-Actually-handle-errors-returns-from-various-.patch +qtdemux-Check-for-invalid-atom-length-when-extractin.patch +qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch 
gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch 2024-12-21 13:32:49.000000000 +0000 
@@ -0,0 +1,163 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:00:57 +0300 +Subject: wavparse: Check for short reads when parsing headers in pull mode +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c627f3a28bc792580f9a9ebcbb309b2256e4a895 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47776 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47778 + +And also return the actual flow return to the caller instead of always returning +GST_FLOW_ERROR. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258, GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: +--- + .../gst/wavparse/gstwavparse.c | 63 ++++++++++++++----- + 1 file changed, 46 insertions(+), 17 deletions(-) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer + } + + static GstFlowReturn ++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size, ++ GstBuffer ** buffer) ++{ ++ GstFlowReturn res; ++ ++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer); ++ if (res != GST_FLOW_OK) ++ return res; ++ ++ if (gst_buffer_get_size (*buffer) < size) { ++ gst_clear_buffer (buffer); ++ return GST_FLOW_EOS; ++ } ++ ++ return res; ++} ++ ++static GstFlowReturn + gst_wavparse_stream_headers (GstWavParse * wav) + { + GstFlowReturn res = GST_FLOW_OK; +@@ -1291,9 +1309,9 @@ gst_wavparse_stream_headers (GstWavParse + + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 8, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + tag = GST_READ_UINT32_LE (map.data); + size = GST_READ_UINT32_LE (map.data + 4); +@@ -1396,9 +1414,9 
@@ gst_wavparse_stream_headers (GstWavParse + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 0, &wav->fact, 4); + wav->fact = GUINT32_FROM_LE (wav->fact); + gst_buffer_unref (buf); +@@ -1443,9 +1461,9 @@ gst_wavparse_stream_headers (GstWavParse + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset + 8, +- size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size, ++ &buf)) != GST_FLOW_OK) ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + acid = (const gst_riff_acid *) map.data; + tempo = acid->tempo; +@@ -1483,9 +1501,9 @@ gst_wavparse_stream_headers (GstWavParse + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, 12, ++ gst_wavparse_pull_range_exact (wav, wav->offset, 12, + &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_extract (buf, 8, <ag, 4); + ltag = GUINT32_FROM_LE (ltag); + } +@@ -1512,9 +1530,9 @@ gst_wavparse_stream_headers (GstWavParse + buf = NULL; + if (data_size > 0) { + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + } + } + if (data_size > 0) { +@@ -1552,9 +1570,9 @@ gst_wavparse_stream_headers (GstWavParse + buf = NULL; + wav->offset += 12; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data, + 
data_size); +@@ -1597,9 +1615,9 @@ gst_wavparse_stream_headers (GstWavParse + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1641,9 +1659,9 @@ gst_wavparse_stream_headers (GstWavParse + gst_buffer_unref (buf); + buf = NULL; + if ((res = +- gst_pad_pull_range (wav->sinkpad, wav->offset, ++ gst_wavparse_pull_range_exact (wav, wav->offset, + data_size, &buf)) != GST_FLOW_OK) +- goto header_read_error; ++ goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); + if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data, + data_size)) { +@@ -1795,6 +1813,17 @@ header_read_error: + ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res))); + goto fail; + } ++header_pull_error: ++ { ++ if (res == GST_FLOW_EOS) { ++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res, ++ gst_flow_get_name (res)); ++ } else { ++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res))); ++ } ++ goto exit; ++ } + } + + /* diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch 2024-12-21 13:32:49.000000000 +0000 
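Review bot: `gst_wavparse_pull_range_exact` turns a short read into GST_FLOW_EOS and clears the buffer, and the new `header_pull_error` label then only warns and jumps to `exit` rather than `fail`; that is the intended lenient handling of a truncated file, but every pull-mode call site in this patch moves from `header_read_error` to `header_pull_error`, so check whether the old `header_read_error` label (still present in the last hunk's context) has any remaining users or should go. In the GST_RIFF_TAG_LIST hunk the context line `gst_buffer_extract (buf, 8, <ag, 4)` is `&ltag` with `&lt` decoded by the page's HTML extraction; the patch file itself is fine.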
@@ -0,0 +1,30 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:51:00 +0300 +Subject: wavparse: Check size before reading ds64 chunk +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ba8476d3448eeaf016345ae0697b8447c0f62636 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47775 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-261 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889 + +Part-of: +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer + guint32 sampleCountLow, sampleCountHigh; + + gst_buffer_map (buf, &map, GST_MAP_READ); ++ if (map.size < 6 * 4) { ++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")", ++ map.size); ++ return FALSE; ++ } + dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4); + dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4); + sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch 2024-12-21 13:32:49.000000000 +0000 
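Review bot: the new size check in parse_ds64 sits after `gst_buffer_map (buf, &map, GST_MAP_READ)` and returns FALSE without a matching `gst_buffer_unmap`, so a too-small ds64 chunk leaks the mapping; either move the check before the map (using `gst_buffer_get_size (buf)`) or unmap before `return FALSE`. The 6 * 4 threshold does cover the 32-bit fields (dataSizeLow/High, sampleCountLow/High) read from offset 2 * 4 onward in the context lines.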
@@ -0,0 +1,29 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:22:02 +0300 +Subject: wavparse: Check that at least 32 bytes are available before parsing + smpl chunks +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3d2a5841d777dd95afdea30ad134f96c876f84ab +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47777 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-259 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887 + +Part-of: +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -893,6 +893,9 @@ gst_wavparse_smpl_chunk (GstWavParse * w + { + guint32 note_number; + ++ if (size < 32) ++ return FALSE; ++ + /* + manufacturer_id = GST_READ_UINT32_LE (data); + product_id = GST_READ_UINT32_LE (data + 4); diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch 2024-12-21 13:32:49.000000000 +0000 
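Review bot: `if (size < 32) return FALSE;` in gst_wavparse_smpl_chunk rejects the chunk silently, unlike the cue chunk check in the sibling patch, which logs "broken file %d" with the size; add a GST_WARNING_OBJECT here for consistency so a truncated smpl chunk is diagnosable. A one-line comment stating which fixed smpl fields the 32 bytes cover (the commented-out manufacturer_id/product_id reads in context are the start of them) would also document where the constant comes from.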
@@ -0,0 +1,25 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:21:44 +0300 +Subject: wavparse: Check that at least 4 bytes are available before parsing + cue chunks +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8f04506d7e68a653c8d7c5e2fb0a19ef93c6ea35 + +Part-of: +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -789,6 +789,11 @@ gst_wavparse_cue_chunk (GstWavParse * wa + return TRUE; + } + ++ if (size < 4) { ++ GST_WARNING_OBJECT (wav, "broken file %d", size); ++ return FALSE; ++ } ++ + ncues = GST_READ_UINT32_LE (data); + + if (size < 4 + ncues * 24) { diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch 2024-12-21 13:32:49.000000000 +0000 
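Review bot: the new `size < 4` guard makes the following `ncues = GST_READ_UINT32_LE (data)` safe, but the existing check right after it, `size < 4 + ncues * 24`, can still wrap if `ncues` and `size` are 32-bit types (their declarations are outside the hunk): a file-supplied ncues large enough that `4 + ncues * 24` overflows would pass the check with too little data; rewriting it as `ncues > (size - 4) / 24` avoids the multiplication entirely. Also consider a more specific warning than "broken file %d", e.g. "cue chunk too small (%u)", to match what the check actually tests.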
@@ -0,0 +1,36 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:27:27 +0300 +Subject: wavparse: Fix clipping of size to the file size +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/34cfd6b82c3ae6772b9b43b3f6243f85cea35c38 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47776 + +The size does not include the 8 bytes tag and length, so an additional 8 bytes +must be removed here. 8 bytes are always available at this point because +otherwise the parsing of the tag and length right above would've failed. + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-260 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888 + +Part-of: +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse + } + + /* Clip to upstream size if known */ +- if (upstream_size > 0 && size + wav->offset > upstream_size) { ++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) { + GST_WARNING_OBJECT (wav, "Clipping chunk size to file size"); + g_assert (upstream_size >= wav->offset); +- size = upstream_size - wav->offset; ++ g_assert (upstream_size - wav->offset >= 8); ++ size = upstream_size - wav->offset - 8; + } + + /* wav is a st00pid format, we don't know for sure where data starts. diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch --- gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch 2024-12-21 13:32:49.000000000 +0000 
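Review bot: both `g_assert` calls guard values derived from the file (`upstream_size`, `wav->offset`); the message argues the 8 bytes are always present because the tag/length read just above succeeded, and if so the asserts hold, but an assertion failure here would abort the process on a crafted file rather than raise a stream error, so a `goto` to the existing error path would be the more robust choice if that invariant is ever loosened. The corrected clip `size = upstream_size - wav->offset - 8` is consistent with the new condition `size + 8 + wav->offset > upstream_size`.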
@@ -0,0 +1,53 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:15:27 +0300 +Subject: wavparse: Fix parsing of acid chunk +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8911020ae3da65b224dd1c87de3437a532e9efa4 + +Simply casting the bytes to a struct can lead to crashes because of unaligned +reads, and is also missing the endianness swapping that is necessary on big +endian architectures. + +Part-of: +--- + .../gst-plugins-good/gst/wavparse/gstwavparse.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1433,8 +1433,7 @@ gst_wavparse_stream_headers (GstWavParse + break; + } + case GST_RIFF_TAG_acid:{ +- const gst_riff_acid *acid = NULL; +- const guint data_size = sizeof (gst_riff_acid); ++ const guint data_size = 24; + gfloat tempo; + + GST_INFO_OBJECT (wav, "Have acid chunk"); +@@ -1448,13 +1447,13 @@ gst_wavparse_stream_headers (GstWavParse + break; + } + if (wav->streaming) { ++ const guint8 *data; + if (!gst_wavparse_peek_chunk (wav, &tag, &size)) { + goto exit; + } + gst_adapter_flush (wav->adapter, 8); +- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter, +- data_size); +- tempo = acid->tempo; ++ data = gst_adapter_map (wav->adapter, data_size); ++ tempo = GST_READ_FLOAT_LE (data + 20); + gst_adapter_unmap (wav->adapter); + } else { + GstMapInfo map; +@@ -1465,8 +1464,7 @@ gst_wavparse_stream_headers (GstWavParse + &buf)) != GST_FLOW_OK) + goto header_pull_error; + gst_buffer_map (buf, &map, GST_MAP_READ); +- acid = (const gst_riff_acid *) map.data; +- tempo = acid->tempo; ++ tempo = GST_READ_FLOAT_LE (map.data + 20); + gst_buffer_unmap (buf, &map); + } + /* send data as tags */ diff -Nru gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch --- 
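Review bot: `data_size = 24` and the read at `data + 20` are magic numbers replacing the self-describing `sizeof (gst_riff_acid)` / `acid->tempo`; add a comment that the acid chunk is 20 bytes of other fields followed by a little-endian float tempo at offset 20, so the next reader does not have to reconstruct the layout. The change itself is correct for the stated reason: GST_READ_FLOAT_LE performs an unaligned, byte-order-aware read, which the struct cast did not.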
gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch 1970-01-01 00:00:00.000000000 +0000 +++ gst-plugins-good1.0-1.22.0/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch 2024-12-21 13:32:49.000000000 +0000 @@ -0,0 +1,30 @@ +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Fri, 4 Oct 2024 13:09:43 +0300 +Subject: wavparse: Make sure enough data for the tag list tag is available + before parsing +Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f5fa594695e5a9b347e88719b487d9779f80926a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47778 + +Thanks to Antonio Morales for finding and reporting the issue. + +Fixes GHSL-2024-258 +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886 + +Part-of: +--- + subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/gst/wavparse/gstwavparse.c ++++ b/gst/wavparse/gstwavparse.c +@@ -1488,6 +1488,10 @@ gst_wavparse_stream_headers (GstWavParse + case GST_RIFF_TAG_LIST:{ + guint32 ltag; + ++ /* Need at least the ltag */ ++ if (size < 4) ++ goto exit; ++ + if (wav->streaming) { + const guint8 *data = NULL; +
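Review bot: the new `if (size < 4) goto exit;` leaves header parsing without any log line, whereas the ds64 and cue checks in the sibling patches emit a GST_WARNING_OBJECT; add one here too (e.g. "LIST chunk too small (%u)") so a truncated LIST chunk is diagnosable. The guard is placed before the `wav->streaming` branch, so it covers both the adapter path and the pull-mode path.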