Version in base suite: 1.18.4-3

Base version: gst-plugins-bad1.0_1.18.4-3
Target version: gst-plugins-bad1.0_1.18.4-3+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.18.4-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gst-plugins-bad1.0/gst-plugins-bad1.0_1.18.4-3+deb11u1.dsc

 changelog                   |    6 ++++++
 patches/GST-2023-0003.patch |   22 ++++++++++++++++++++++
 patches/series              |    1 +
 3 files changed, 29 insertions(+)

diff -Nru gst-plugins-bad1.0-1.18.4/debian/changelog gst-plugins-bad1.0-1.18.4/debian/changelog
--- gst-plugins-bad1.0-1.18.4/debian/changelog	2021-04-26 15:07:50.000000000 +0000
+++ gst-plugins-bad1.0-1.18.4/debian/changelog	2023-06-29 15:56:04.000000000 +0000
@@ -1,3 +1,9 @@
+gst-plugins-bad1.0 (1.18.4-3+deb11u1) bullseye-security; urgency=medium
+
+  * GST-2023-0003
+
+ -- Moritz Mühlenhoff <moritz@wikimedia.org>  Thu, 29 Jun 2023 17:56:04 +0200
+
 gst-plugins-bad1.0 (1.18.4-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru gst-plugins-bad1.0-1.18.4/debian/patches/GST-2023-0003.patch gst-plugins-bad1.0-1.18.4/debian/patches/GST-2023-0003.patch
--- gst-plugins-bad1.0-1.18.4/debian/patches/GST-2023-0003.patch	1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.18.4/debian/patches/GST-2023-0003.patch	2023-06-29 14:46:35.000000000 +0000
@@ -0,0 +1,22 @@
+--- gst-plugins-bad1.0-1.18.4.orig/gst/dvdspu/gstspu-pgs.c
++++ gst-plugins-bad1.0-1.18.4/gst/dvdspu/gstspu-pgs.c
+@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdsp
+     obj->rle_data_size = GST_READ_UINT24_BE (payload);
+     payload += 3;
+ 
++    if (end - payload > obj->rle_data_size)
++      return 0;
++
+     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
+         (int) (end - payload), obj->rle_data_size);
+ 
+@@ -604,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdsp
+     PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
+     /* Check that the data chunk is for this object version, and fits in the buffer */
+     if (obj->rle_data_ver == obj_ver &&
+-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
++        end - payload <= obj->rle_data_size &&
++        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
+ 
+       memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
+       obj->rle_data_used += end - payload;
diff -Nru gst-plugins-bad1.0-1.18.4/debian/patches/series gst-plugins-bad1.0-1.18.4/debian/patches/series
--- gst-plugins-bad1.0-1.18.4/debian/patches/series	2021-04-26 15:07:50.000000000 +0000
+++ gst-plugins-bad1.0-1.18.4/debian/patches/series	2023-06-29 14:46:31.000000000 +0000
@@ -1,2 +1,3 @@
 02_opencv-data-path.patch
 0001-h2645parser-Catch-overflows-in-AVC-HEVC-NAL-unit-length.patch
+GST-2023-0003.patch