From d8a0fc90b5b781c163bef64366f27fcd1d564ebd Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Fri, 8 Oct 2021 14:31:54 -0400 Subject: Revert gstreamer update to 1.19.2. This reverts commits from e49190cf2befec56246c2baa8697e30c7ba491ac to b2fe4c44e39f66d203d99b16aeed3bb69ccca6c8. Reason: 1.19 is an unstable (development) release rather than a stable one. --- gnu/local.mk | 7 + gnu/packages/aidc.scm | 33 ++- gnu/packages/gstreamer.scm | 120 ++++++---- .../gst-libav-64channels-stack-corruption.patch | 31 +++ .../patches/gst-plugins-bad-fix-overflow.patch | 263 +++++++++++++++++++++ .../gst-plugins-base-fix-id3v2-invalid-read.patch | 40 ++++ .../patches/gst-plugins-good-CVE-2021-3497.patch | 174 ++++++++++++++ .../patches/gst-plugins-good-CVE-2021-3498.patch | 22 ++ .../patches/gst-plugins-good-fix-test.patch | 94 ++++++++ .../gst-plugins-ugly-fix-out-of-bound-reads.patch | 119 ++++++++++ 10 files changed, 845 insertions(+), 58 deletions(-) create mode 100644 gnu/packages/patches/gst-libav-64channels-stack-corruption.patch create mode 100644 gnu/packages/patches/gst-plugins-bad-fix-overflow.patch create mode 100644 gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch create mode 100644 gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch create mode 100644 gnu/packages/patches/gst-plugins-good-fix-test.patch create mode 100644 gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch diff --git a/gnu/local.mk b/gnu/local.mk index df840da601..f6b28e225d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1215,6 +1215,13 @@ dist_patch_DATA = \ %D%/packages/patches/grub-efi-fat-serial-number.patch \ %D%/packages/patches/grub-setup-root.patch \ %D%/packages/patches/gspell-dash-test.patch \ + %D%/packages/patches/gst-libav-64channels-stack-corruption.patch \ + %D%/packages/patches/gst-plugins-bad-fix-overflow.patch \ + %D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch \ + %D%/packages/patches/gst-plugins-good-fix-test.patch \ + %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \ + %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \ + %D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch \ %D%/packages/patches/guile-1.8-cpp-4.5.patch \ %D%/packages/patches/guile-2.2-skip-oom-test.patch \ %D%/packages/patches/guile-2.2-skip-so-test.patch \ diff --git a/gnu/packages/aidc.scm b/gnu/packages/aidc.scm index 0c89f1d8e2..21fc1957a2 100644 --- a/gnu/packages/aidc.scm +++ b/gnu/packages/aidc.scm @@ -5,7 +5,6 @@ ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice ;;; Copyright © 2019 Guillaume Le Vaillant ;;; Copyright © 2020 Leo Famulari -;;; Copyright © 2021 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -47,7 +46,7 @@ (define-public zxing-cpp (package (name "zxing-cpp") - (version "1.2.0") + (version "1.0.8") (source (origin (method git-fetch) @@ -57,14 +56,32 @@ (commit (string-append "v" version)))) (file-name (git-file-name name version)) (sha256 - (base32 "1gjj9c7h634rrmmgzbc7cxjqsxdq0paj6113k02ncjm1s9abk7ik")))) + (base32 "011sq8wcjfxbnd8sj6bf2fgkamlp8gj6q835g61c952npvwsnl71")))) + (native-inputs + `(("googletest-source" ,(package-source googletest)))) (build-system cmake-build-system) (arguments - ;; The test suite build system is written in a way that required external - ;; libraries such as googletest, fmt and others are to be fetched from - ;; the network (see: https://github.com/nu-book/zxing-cpp/issues/260). - `(#:tests? #f - #:configure-flags '("-DBUILD_BLACKBOX_TESTS=OFF"))) + `(#:out-of-source? #f + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'unpack-googletest + ;; Copy the googletest sources to where the CMake build expects them. + (lambda* (#:key inputs #:allow-other-keys) + (let ((source (assoc-ref inputs "googletest-source")) + (target "test/unit/googletest-src")) + (mkdir-p target) + (copy-recursively source target) + ;; Disable downloading via ExternalProject. + (substitute* "test/unit/CMakeLists.txt.in" + (("ExternalProject_Add\\(") "message(")) + #t))) + (replace 'check + (lambda _ + (with-directory-excursion "test/unit" + (invoke "cmake" ".") + (invoke "make") + (invoke "./ZXingUnitTest")) + #t))))) (synopsis "C++ port of ZXing") (description "ZXing-CPP is a barcode scanning library.") (home-page "https://github.com/nu-book/zxing-cpp") diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm index ed497e46ba..21368688f5 100644 --- a/gnu/packages/gstreamer.scm +++ b/gnu/packages/gstreamer.scm @@ -10,7 +10,6 @@ ;;; Copyright © 2019, 2020 Marius Bakke ;;; Copyright © 2020 Liliana Marie Prikler ;;; Copyright © 2020 Michael Rohleder -;;; Copyright © 2021 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -44,7 +43,6 @@ #:use-module (gnu packages base) #:use-module (gnu packages bash) #:use-module (gnu packages bison) - #:use-module (gnu packages build-tools) #:use-module (gnu packages cdrom) #:use-module (gnu packages curl) #:use-module (gnu packages compression) @@ -411,7 +409,7 @@ arrays of data.") (define-public gstreamer-docs (package (name "gstreamer-docs") - (version "1.19.2") + (version "1.18.2") (source (origin (method url-fetch) (uri (string-append @@ -419,7 +417,7 @@ arrays of data.") "/gstreamer-docs-" version ".tar.xz")) (sha256 (base32 - "1isrp3c9gm59br9vbidd1sgqdjgl1ka2p269bqxmh5dcn4f2gz6a")))) + "07hrgn11ll16yahyyh5684k8ms1j9npsyb8lj0skwbapin4czshm")))) (build-system trivial-build-system) (arguments `(#:modules ((guix build utils)) @@ -437,7 +435,8 @@ arrays of data.") (invoke (string-append tar "/bin/tar") "-xvf" source "--strip-components=3" (string-append ,name "-" ,version - "/devhelp/books/GStreamer"))))))) + "/devhelp/books/GStreamer"))) + #t)))) (native-inputs `(("tar" ,tar) ("xz" ,xz))) @@ -467,12 +466,13 @@ the GStreamer multimedia framework.") (("'CK_DEFAULT_TIMEOUT', '[0-9]*'") "'CK_DEFAULT_TIMEOUT', '600'") (("timeout ?: .*\\)") - "timeout: 90 * 60)")))))) + "timeout: 90 * 60)")) + #t)))) (define-public gstreamer (package (name "gstreamer") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) @@ -481,13 +481,26 @@ the GStreamer multimedia framework.") version ".tar.xz")) (sha256 (base32 - "03bfgsxd3njkaa5vm99hi36b4n98ywand60h3p18jlqyjfjpnnvf")))) + "1igv9l4hm21kp1jmlwlagzs7ly1vaxv1sbda29q8247372dwkvls")))) (build-system meson-build-system) (arguments - `(#:meson ,meson-0.55 - #:phases + `(#:phases (modify-phases %standard-phases - ,@%common-gstreamer-phases))) + ,@%common-gstreamer-phases + ;; FIXME: Since switching to the meson-build-system, two tests + ;; started failing on i686. See + ;; . + ,@(if (string-prefix? "i686" (or (%current-target-system) + (%current-system))) + `((add-after 'unpack 'disable-some-tests + (lambda _ + (substitute* "tests/check/gst/gstsystemclock.c" + (("tcase_add_test \\(tc_chain, test_stress_cleanup_unschedule.*") + "") + (("tcase_add_test \\(tc_chain, test_stress_reschedule.*") + "")) + #t))) + '())))) (propagated-inputs ;; In gstreamer-1.0.pc: ;; Requires: glib-2.0, gobject-2.0 @@ -532,15 +545,16 @@ This package provides the core library and elements.") (define-public gst-plugins-base (package (name "gst-plugins-base") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch")) (sha256 (base32 - "04x5666vgg89dd9psxmnr99dszk8ykkc9dclg2ln2sq07kyh9qyd")))) + "08w3ivbc6n4vdds2ap6q7l8zdk9if8417nznyqidf0adm0lk5r99")))) (build-system meson-build-system) (propagated-inputs `(("glib" ,glib) ;required by gstreamer-sdp-1.0.pc @@ -583,14 +597,14 @@ This package provides the core library and elements.") ("gettext" ,gettext-minimal) ("xorg-server" ,xorg-server-for-tests))) (arguments - `(#:meson ,meson-0.55 - #:phases + `(#:phases (modify-phases %standard-phases ,@%common-gstreamer-phases (add-before 'configure 'patch (lambda _ (substitute* "tests/check/libs/pbutils.c" - (("/bin/sh") (which "sh"))))) + (("/bin/sh") (which "sh"))) + #t)) (add-before 'check 'pre-check (lambda _ ;; Tests require a running X server. @@ -601,7 +615,8 @@ This package provides the core library and elements.") ;; Tests look for $XDG_RUNTIME_DIR. (setenv "XDG_RUNTIME_DIR" (getcwd)) ;; For missing '/etc/machine-id'. - (setenv "DBUS_FATAL_WARNINGS" "0")))))) + (setenv "DBUS_FATAL_WARNINGS" "0") + #t))))) (home-page "https://gstreamer.freedesktop.org/") (synopsis "Plugins for the GStreamer multimedia library") @@ -612,7 +627,7 @@ for the GStreamer multimedia library.") (define-public gst-plugins-good (package (name "gst-plugins-good") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) @@ -620,12 +635,14 @@ for the GStreamer multimedia library.") (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-good-fix-test.patch" + "gst-plugins-good-CVE-2021-3497.patch" + "gst-plugins-good-CVE-2021-3498.patch")) (sha256 - (base32 "0bjfipap6wc3w28hgf817hc6jvjbblkjil42a356vg242412xsab")))) + (base32 "1c1rpq709cy8maaykyn1n0kckj9c6fl3mhvixkk6xmdwkcx0xrdn")))) (build-system meson-build-system) (arguments - `(#:meson ,meson-0.55 - #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas + `(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas #:phases (modify-phases %standard-phases ,@%common-gstreamer-phases @@ -639,7 +656,8 @@ for the GStreamer multimedia library.") ;; Tests look for $XDG_RUNTIME_DIR. (setenv "XDG_RUNTIME_DIR" (getcwd)) ;; For missing '/etc/machine-id'. - (setenv "DBUS_FATAL_WARNINGS" "0")))))) + (setenv "DBUS_FATAL_WARNINGS" "0") + #t))))) (native-inputs `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") @@ -702,14 +720,15 @@ model to base your own plug-in on, here it is.") (define-public gst-plugins-bad (package (name "gst-plugins-bad") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-bad-fix-overflow.patch")) (sha256 (base32 - "0y895s0jpfdpdqh2n55ki6gzvji5228v7z541if2xjgjka5gk0jk")) + "0py8k4pbalm9mxkpjbjxis0gp7g74wg5g4yax5q8rccmany0ds3l")) (modules '((guix build utils))) (snippet '(begin @@ -718,7 +737,6 @@ model to base your own plug-in on, here it is.") (build-system meson-build-system) (arguments `(#:configure-flags '("-Dsctp-internal-usrsctp=disabled") - #:meson ,meson-0.55 #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas #:phases (modify-phases %standard-phases @@ -756,7 +774,8 @@ model to base your own plug-in on, here it is.") ;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/932 ((".*elements/curlhttpsrc\\.c.*") "") ;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/1412 - ((".*elements/dtls\\.c.*") ""))))) + ((".*elements/dtls\\.c.*") "")) + #t))) (add-before 'check 'pre-check (lambda _ ;; Tests require a running X server. @@ -767,7 +786,8 @@ model to base your own plug-in on, here it is.") ;; Tests look for $XDG_RUNTIME_DIR. (setenv "XDG_RUNTIME_DIR" (getcwd)) ;; For missing '/etc/machine-id'. - (setenv "DBUS_FATAL_WARNINGS" "0")))))) + (setenv "DBUS_FATAL_WARNINGS" "0") + #t))))) (propagated-inputs `(("gstreamer" ,gstreamer) ("gst-plugins-base" ,gst-plugins-base))) @@ -890,19 +910,19 @@ par compared to the rest.") (define-public gst-plugins-ugly (package (name "gst-plugins-ugly") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) (uri (string-append "https://gstreamer.freedesktop.org/src/" name "/" name "-" version ".tar.xz")) + (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch")) (sha256 - (base32 "1pwz68qg40018ai655fdrjn5clmn0gp2b7dik0jzwx0fzbwzr87j")))) + (base32 "0g6i4db1883q3j0l2gdv46fcqwiiaw63n6mhvsfcms1i1p7g1391")))) (build-system meson-build-system) (arguments - `(#:meson ,meson-0.55 - #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas + `(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas #:phases (modify-phases %standard-phases ,@%common-gstreamer-phases @@ -916,7 +936,8 @@ par compared to the rest.") ;; Tests look for $XDG_RUNTIME_DIR. (setenv "XDG_RUNTIME_DIR" (getcwd)) ;; For missing '/etc/machine-id'. - (setenv "DBUS_FATAL_WARNINGS" "0")))))) + (setenv "DBUS_FATAL_WARNINGS" "0") + #t))))) (native-inputs `(("gettext" ,gettext-minimal) ("glib:bin" ,glib "bin") @@ -949,17 +970,18 @@ think twice about shipping them.") (define-public gst-libav (package (name "gst-libav") - (version "1.19.2") - (source (origin - (method url-fetch) - (uri(string-append - "https://gstreamer.freedesktop.org/src/" name "/" - name "-" version ".tar.xz")) - (sha256 - (base32 "0rv4vxrqvlc8lm1afcg934k961gysx94xshmb5jv4xpwjkl8akzw")))) + (version "1.18.4") + (source + (origin + (method url-fetch) + (uri + (string-append + "https://gstreamer.freedesktop.org/src/" name "/" + name "-" version ".tar.xz")) + (patches (search-patches "gst-libav-64channels-stack-corruption.patch")) + (sha256 + (base32 "15n3x3vhshqa3icw93g4vqmqd46122anzqvfxwn6q8famlxlcjil")))) (build-system meson-build-system) - (arguments - `(#:meson ,meson-0.55)) (native-inputs `(("perl" ,perl) ("pkg-config" ,pkg-config) @@ -979,7 +1001,7 @@ decoders, muxers, and demuxers provided by FFmpeg.") (define-public gst-editing-services (package (name "gst-editing-services") - (version "1.19.2") + (version "1.18.4") (source (origin (method url-fetch) (uri (string-append @@ -987,12 +1009,11 @@ decoders, muxers, and demuxers provided by FFmpeg.") "gst-editing-services-" version ".tar.xz")) (sha256 (base32 - "007rd6vn9ly6djzgb8hilgj8rgdy2530w72vps0d0631fxckxh4g")))) + "010xg960qsh5dwmf0y9l1q13h0cymmrgapzla2zsw66ylxqbi1s6")))) (build-system meson-build-system) (arguments ;; FIXME: 16/22 failing tests. - `(#:meson ,meson-0.55 - #:tests? #f + `(#:tests? #f #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas #:phases (modify-phases %standard-phases ,@%common-gstreamer-phases))) @@ -1052,7 +1073,7 @@ given, also pass them to the build system instead of the ones used by PKG." (define-public python-gst (package (name "python-gst") - (version "1.19.2") + (version "1.18.2") (source (origin (method url-fetch) (uri (string-append @@ -1060,11 +1081,10 @@ given, also pass them to the build system instead of the ones used by PKG." "gst-python-" version ".tar.xz")) (sha256 (base32 - "1y5wkp0nzqks8q5dbqi0491yv2yia4jz3bwh7sa2v8whkg46v3c7")))) + "171qxzndii7ynn9ag3a12h9vyydxzwy1j4ip3cb8hgim1dv0z7g1")))) (build-system meson-build-system) (arguments - `(#:meson ,meson-0.55 - #:modules ((guix build meson-build-system) + `(#:modules ((guix build meson-build-system) (guix build utils) ((guix build python-build-system) #:prefix python:)) #:imported-modules (,@%meson-build-system-modules diff --git a/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch new file mode 100644 index 0000000000..cc174e618d --- /dev/null +++ b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch @@ -0,0 +1,31 @@ +Fix a stack corruption when handling files with more than 64 audio +channels: + +https://gstreamer.freedesktop.org/security/sa-2021-0005.html + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/dcea8baa14a5fc3b796d876baaf2f238546ba2b1 + +diff --git a/ext/libav/gstavcodecmap.c b/ext/libav/gstavcodecmap.c +index b5be4bb7a5f2712f78383da9319754a8849e3307..be22f22cf5c7c7b22b13e44b10999adaacbcca2b 100644 +--- a/ext/libav/gstavcodecmap.c ++++ b/ext/libav/gstavcodecmap.c +@@ -102,7 +102,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels, + guint nchannels = 0; + gboolean none_layout = FALSE; + +- if (channel_layout == 0) { ++ if (channel_layout == 0 || channels > 64) { + nchannels = channels; + none_layout = TRUE; + } else { +@@ -163,7 +163,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels, + } else { + guint i; + +- for (i = 0; i < nchannels; i++) ++ for (i = 0; i < nchannels && i < 64; i++) + pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE; + } + } diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch new file mode 100644 index 0000000000..95ab13db51 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch @@ -0,0 +1,263 @@ +Fix an overflow when calculating something for AVC/HEVC videos: + +https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d +From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Tue, 23 Mar 2021 19:19:14 +0200 +Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length + calculations + +Offset and size are stored as 32 bit guint and might overflow when +adding the nal_length_size, so let's avoid that. + +For the size this would happen if the AVC/HEVC NAL unit size happens to +be stored in 4 bytes and is 4294967292 or higher, which is likely +corrupted data anyway. + +For the offset this is something for the caller of these functions to +take care of but is unlikely to happen as it would require parsing on a +>4GB buffer. + +Allowing these overflows causes all kinds of follow-up bugs in the +h2645parse elements, ranging from infinite loops and memory leaks to +potential memory corruptions. + +Part-of: +--- + gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++- + gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++- + tests/check/libs/h264parser.c | 60 +++++++++++++++++++++++ + tests/check/libs/h265parser.c | 60 +++++++++++++++++++++++ + 4 files changed, 150 insertions(+), 2 deletions(-) + +diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c +index 012f1d0d7..68aa25068 100644 +--- a/gst-libs/gst/codecparsers/gsth264parser.c ++++ b/gst-libs/gst/codecparsers/gsth264parser.c +@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser, + + memset (nalu, 0, sizeof (*nalu)); + ++ /* Would overflow guint below otherwise: the callers needs to ensure that ++ * this never happens */ ++ if (offset > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("offset + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H264_PARSER_BROKEN_DATA; ++ } ++ + if (size < offset + nal_length_size) { + GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT + ", offset %u", size, offset); +@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser, + nalu->sc_offset = offset; + nalu->offset = offset + nal_length_size; + +- if (size < nalu->size + nal_length_size) { ++ if (nalu->size > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("NALU size + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H264_PARSER_BROKEN_DATA; ++ } ++ ++ if (size < (gsize) nalu->size + nal_length_size) { + nalu->size = 0; + + return GST_H264_PARSER_NO_NAL_END; +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index 26e68b276..dc7f27aa9 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser, + + memset (nalu, 0, sizeof (*nalu)); + ++ /* Would overflow guint below otherwise: the callers needs to ensure that ++ * this never happens */ ++ if (offset > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("offset + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H265_PARSER_BROKEN_DATA; ++ } ++ + if (size < offset + nal_length_size) { + GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT + ", offset %u", size, offset); +@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser, + nalu->sc_offset = offset; + nalu->offset = offset + nal_length_size; + +- if (size < nalu->size + nal_length_size) { ++ if (nalu->size > G_MAXUINT32 - nal_length_size) { ++ GST_WARNING ("NALU size + nal_length_size overflow"); ++ nalu->size = 0; ++ return GST_H265_PARSER_BROKEN_DATA; ++ } ++ ++ if (size < (gsize) nalu->size + nal_length_size) { + nalu->size = 0; + + return GST_H265_PARSER_NO_NAL_END; +diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c +index c7c46d9a2..d322dd8db 100644 +--- a/tests/check/libs/h264parser.c ++++ b/tests/check/libs/h264parser.c +@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes) + + GST_END_TEST; + ++GST_START_TEST (test_h264_parse_identify_nalu_avc) ++{ ++ GstH264ParserResult res; ++ GstH264NalUnit nalu; ++ GstH264NalParser *const parser = gst_h264_nal_parser_new (); ++ /* Skip 3 bytes for the start code */ ++ const gsize nal_size = sizeof (slice_dpa) - 3; ++ const gsize buf_size = 4 + nal_size; ++ guint8 *buf = g_new (guint8, buf_size); ++ ++ memcpy (buf + 4, slice_dpa + 3, nal_size); ++ ++ GST_WRITE_UINT16_BE (buf + 2, nal_size); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, nal_size); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6); ++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END); ++ ++ g_free (buf); ++ gst_h264_nal_parser_free (parser); ++} ++ ++GST_END_TEST; ++ + static guint8 nalu_sps_with_vui[] = { + 0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28, + 0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03, +@@ -666,6 +725,7 @@ h264parser_suite (void) + tcase_add_test (tc_chain, test_h264_parse_slice_dpa); + tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice); + tcase_add_test (tc_chain, test_h264_parse_slice_5bytes); ++ tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc); + tcase_add_test (tc_chain, test_h264_parse_invalid_sei); + tcase_add_test (tc_chain, test_h264_create_sei); + +diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c +index 0a0e4db97..5b6a215ec 100644 +--- a/tests/check/libs/h265parser.c ++++ b/tests/check/libs/h265parser.c +@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes) + + GST_END_TEST; + ++GST_START_TEST (test_h265_parse_identify_nalu_hevc) ++{ ++ GstH265ParserResult res; ++ GstH265NalUnit nalu; ++ GstH265Parser *parser = gst_h265_parser_new (); ++ /* Skip 4 bytes for the start code */ ++ const gsize nal_size = sizeof (slice_eos_slice_eob) - 4; ++ const gsize buf_size = 4 + nal_size; ++ guint8 *buf = g_new (guint8, buf_size); ++ ++ memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size); ++ ++ GST_WRITE_UINT16_BE (buf + 2, nal_size); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, nal_size); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_OK); ++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL); ++ assert_equals_int (nalu.offset, 4); ++ assert_equals_int (nalu.size, nal_size); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END); ++ ++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6); ++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu); ++ ++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END); ++ ++ g_free (buf); ++ gst_h265_parser_free (parser); ++} ++ ++GST_END_TEST; ++ + GST_START_TEST (test_h265_base_profiles) + { + GstH265ProfileTierLevel ptl; +@@ -1101,6 +1160,7 @@ h265parser_suite (void) + tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob); + tcase_add_test (tc_chain, test_h265_parse_pic_timing); + tcase_add_test (tc_chain, test_h265_parse_slice_6bytes); ++ tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc); + tcase_add_test (tc_chain, test_h265_base_profiles); + tcase_add_test (tc_chain, test_h265_base_profiles_compat); + tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match); +-- +2.31.1 + diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch new file mode 100644 index 0000000000..b2dfef0118 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch @@ -0,0 +1,40 @@ +Fix an "invalid read during ID3v2 tag parsing". + +https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1 +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee + +From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= +Date: Wed, 3 Mar 2021 01:08:25 +0000 +Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads + +Check the right variable when checking if there's +enough data left to read the frame size. + +Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876 + +Part-of: +--- + gst-libs/gst/tag/id3v2frames.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c +index 8e9f78254..f39659bf7 100644 +--- a/gst-libs/gst/tag/id3v2frames.c ++++ b/gst-libs/gst/tag/id3v2frames.c +@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work) + + if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION | + ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) { +- if (work->hdr.frame_data_size <= 4) ++ if (frame_data_size <= 4) + return FALSE; + if (ID3V2_VER_MAJOR (work->hdr.version) == 3) { + work->parse_size = GST_READ_UINT32_BE (frame_data); +-- +2.31.1 + diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch new file mode 100644 index 0000000000..c8c3ee6cf1 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch @@ -0,0 +1,174 @@ +Fix CVE-2021-3497: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497 +https://gstreamer.freedesktop.org/security/sa-2021-0002.html + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903 + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 467815986c8c3d86fd8906a0d539b34f67d6693e..0e47ee7b5e25ac3331f30439710ae755235f2a22 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + guint32 block_samples, tmp; + gsize size = gst_buffer_get_size (*buf); + ++ if (size < 4) { ++ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ return GST_FLOW_ERROR; ++ } ++ + gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32)); + block_samples = GUINT32_FROM_LE (tmp); + /* we need to reconstruct the header of the wavpack block */ +@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + /* -20 because ck_size is the size of the wavpack block -8 + * and lace_size is the size of the wavpack block + 12 + * (the three guint32 of the header that already are in the buffer) */ +- wvh.ck_size = size + sizeof (Wavpack4Header) - 20; ++ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20; + + /* block_samples, flags and crc are already in the buffer */ +- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL); ++ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL); + + gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); + data = outmap.data; +@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + audiocontext->wvpk_block_index += block_samples; + } else { + guint8 *outdata = NULL; +- guint outpos = 0; +- gsize buf_size, size, out_size = 0; ++ gsize buf_size, size; + guint32 block_samples, flags, crc, blocksize; ++ GstAdapter *adapter; ++ ++ adapter = gst_adapter_new (); + + gst_buffer_map (*buf, &map, GST_MAP_READ); + buf_data = map.data; +@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + if (buf_size < 4) { + GST_ERROR_OBJECT (element, "Too small wavpack buffer"); + gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); + return GST_FLOW_ERROR; + } + +@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element, + data += 4; + size -= 4; + +- if (blocksize == 0 || size < blocksize) +- break; +- +- g_assert ((newbuf == NULL) == (outdata == NULL)); ++ if (blocksize == 0 || size < blocksize) { ++ GST_ERROR_OBJECT (element, "Too small wavpack buffer"); ++ gst_buffer_unmap (*buf, &map); ++ g_object_unref (adapter); ++ return GST_FLOW_ERROR; ++ } + +- if (newbuf == NULL) { +- out_size = sizeof (Wavpack4Header) + blocksize; +- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL); ++ g_assert (newbuf == NULL); + +- gst_buffer_copy_into (newbuf, *buf, +- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ newbuf = ++ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, ++ NULL); ++ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); ++ outdata = outmap.data; ++ ++ outdata[0] = 'w'; ++ outdata[1] = 'v'; ++ outdata[2] = 'p'; ++ outdata[3] = 'k'; ++ outdata += 4; ++ ++ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8); ++ GST_WRITE_UINT16_LE (outdata + 4, wvh.version); ++ GST_WRITE_UINT8 (outdata + 6, wvh.track_no); ++ GST_WRITE_UINT8 (outdata + 7, wvh.index_no); ++ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples); ++ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index); ++ GST_WRITE_UINT32_LE (outdata + 16, block_samples); ++ GST_WRITE_UINT32_LE (outdata + 20, flags); ++ GST_WRITE_UINT32_LE (outdata + 24, crc); ++ outdata += 28; ++ ++ memcpy (outdata, data, blocksize); + +- outpos = 0; +- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); +- outdata = outmap.data; +- } else { +- gst_buffer_unmap (newbuf, &outmap); +- out_size += sizeof (Wavpack4Header) + blocksize; +- gst_buffer_set_size (newbuf, out_size); +- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE); +- outdata = outmap.data; +- } ++ gst_buffer_unmap (newbuf, &outmap); ++ gst_adapter_push (adapter, newbuf); ++ newbuf = NULL; + +- outdata[outpos] = 'w'; +- outdata[outpos + 1] = 'v'; +- outdata[outpos + 2] = 'p'; +- outdata[outpos + 3] = 'k'; +- outpos += 4; +- +- GST_WRITE_UINT32_LE (outdata + outpos, +- blocksize + sizeof (Wavpack4Header) - 8); +- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version); +- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no); +- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no); +- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples); +- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index); +- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples); +- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags); +- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc); +- outpos += 28; +- +- memmove (outdata + outpos, data, blocksize); +- outpos += blocksize; + data += blocksize; + size -= blocksize; + } + gst_buffer_unmap (*buf, &map); +- gst_buffer_unref (*buf); + +- if (newbuf) +- gst_buffer_unmap (newbuf, &outmap); ++ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter)); ++ g_object_unref (adapter); + ++ gst_buffer_copy_into (newbuf, *buf, ++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1); ++ gst_buffer_unref (*buf); + *buf = newbuf; ++ + audiocontext->wvpk_block_index += block_samples; + } + +diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h +index 429213f778063ba0063944ab64ad60373bbce5ee..8d4a685a910ec13100a3c3d156b2412d28ec0522 100644 +--- a/gst/matroska/matroska-ids.h ++++ b/gst/matroska/matroska-ids.h +@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header { + guint32 crc; /* crc for actual decoded data */ + } Wavpack4Header; + ++#define WAVPACK4_HEADER_SIZE (32) ++ + typedef enum { + GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0), + GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1), diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch new file mode 100644 index 0000000000..50eb42f126 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch @@ -0,0 +1,22 @@ +Fix CVE-2021-3498: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498 +https://gstreamer.freedesktop.org/security/sa-2021-0003.html + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903 + +diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c +index 4d0234743b8cf243b4521e56ef9027ba23b1b5d0..467815986c8c3d86fd8906a0d539b34f67d6693e 100644 +--- a/gst/matroska/matroska-demux.c ++++ b/gst/matroska/matroska-demux.c +@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml, + + DEBUG_ELEMENT_START (demux, ebml, "TrackEntry"); + ++ *dest_context = NULL; ++ + /* start with the master */ + if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) { + DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret); diff --git a/gnu/packages/patches/gst-plugins-good-fix-test.patch b/gnu/packages/patches/gst-plugins-good-fix-test.patch new file mode 100644 index 0000000000..38ec0ba802 --- /dev/null +++ b/gnu/packages/patches/gst-plugins-good-fix-test.patch @@ -0,0 +1,94 @@ +Fix a broken test: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803 + +Patches copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa +https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/f5310ce346180a717f091f2f09bcbb3ddfb15436 + +From 2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= +Date: Thu, 12 Nov 2020 23:38:21 +0000 +Subject: [PATCH 1/2] tests: qtdemux: fix crash on 32-bit architectures + +Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803 + +Part-of: +--- + tests/check/elements/qtdemux.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c +index 5271c6576..0c748278b 100644 +--- a/tests/check/elements/qtdemux.c ++++ b/tests/check/elements/qtdemux.c +@@ -797,9 +797,10 @@ GST_START_TEST (test_qtdemux_pad_names) + "protection-system", G_TYPE_STRING, + "9a04f079-9840-4286-ab92-e65be0885f95", NULL); + caps = +- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING, +- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps", +- GST_TYPE_CAPS, mediacaps, NULL); ++ gst_caps_new_simple ("video/quicktime", ++ "variant", G_TYPE_STRING, "mss-fragmented", ++ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), ++ "media-caps", GST_TYPE_CAPS, mediacaps, NULL); + + /* Send segment event* */ + event = gst_event_new_caps (caps); +@@ -852,9 +853,10 @@ GST_START_TEST (test_qtdemux_pad_names) + "protection-system", G_TYPE_STRING, + "9a04f079-9840-4286-ab92-e65be0885f95", NULL); + caps = +- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING, +- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps", +- GST_TYPE_CAPS, mediacaps, NULL); ++ gst_caps_new_simple ("video/quicktime", ++ "variant", G_TYPE_STRING, "mss-fragmented", ++ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), ++ "media-caps", GST_TYPE_CAPS, mediacaps, NULL); + + /* Send segment event* */ + event = gst_event_new_caps (caps); +-- +2.30.0 + + +From f5310ce346180a717f091f2f09bcbb3ddfb15436 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= +Date: Thu, 12 Nov 2020 23:39:21 +0000 +Subject: [PATCH 2/2] tests: qtdemux: fix typo in caps field + +timesacle -> timescale + +Part-of: +--- + tests/check/elements/qtdemux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c +index 0c748278b..4a14c45c0 100644 +--- a/tests/check/elements/qtdemux.c ++++ b/tests/check/elements/qtdemux.c +@@ -799,7 +799,7 @@ GST_START_TEST (test_qtdemux_pad_names) + caps = + gst_caps_new_simple ("video/quicktime", + "variant", G_TYPE_STRING, "mss-fragmented", +- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), ++ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), + "media-caps", GST_TYPE_CAPS, mediacaps, NULL); + + /* Send segment event* */ +@@ -855,7 +855,7 @@ GST_START_TEST (test_qtdemux_pad_names) + caps = + gst_caps_new_simple ("video/quicktime", + "variant", G_TYPE_STRING, "mss-fragmented", +- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), ++ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000), + "media-caps", GST_TYPE_CAPS, mediacaps, NULL); + + /* Send segment event* */ +-- +2.30.0 + diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch new file mode 100644 index 0000000000..3c6a96f45d --- /dev/null +++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch @@ -0,0 +1,119 @@ +Fix out of bounds reads when parsing audio and video packets: + +https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44 +https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37 + +Patch copied from upstream source repository: + +https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f +From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Wed, 3 Mar 2021 11:05:14 +0200 +Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing + audio/video packets + +Otherwise there will be out-of-bounds reads and potential crashes. + +Thanks to Natalie Silvanovich for reporting. + +Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37 + +Part-of: +--- + gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c +index 6cc659a1..68b0736b 100644 +--- a/gst/realmedia/rmdemux.c ++++ b/gst/realmedia/rmdemux.c +@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + + gst_buffer_map (in, &map, GST_MAP_READ); + ++ if (map.size < offset) ++ goto not_enough_data; ++ + data = map.data + offset; + size = map.size - offset; + +@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + } + GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size); + ++ if (map.size < (data - map.data) + fragment_size) ++ goto not_enough_data; ++ + /* get the fragment */ + fragment = + gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data, +@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + GstFlowReturn ret; + GstBuffer *buffer; + ++ if (gst_buffer_get_size (in) < offset) ++ goto not_enough_data; ++ + buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1); + + if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts) +@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream, + ret = gst_pad_push (stream->pad, buffer); + } + ++done: + gst_buffer_unref (in); + + return ret; ++ ++ /* ERRORS */ ++not_enough_data: ++ { ++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."), ++ (NULL)); ++ ret = GST_FLOW_OK; ++ goto done; ++ } + } + + static GstFlowReturn +@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version) + data = map.data; + size = map.size; + ++ if (size < 4 + 6 + 1 + 2) ++ goto not_enough_data; ++ + /* stream number */ + id = RMDEMUX_GUINT16_GET (data); + +@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version) + + /* version 1 has an extra byte */ + if (version == 1) { ++ if (size < 1) ++ goto not_enough_data; ++ + data += 1; + size -= 1; + } +@@ -2596,6 +2621,16 @@ unknown_stream: + gst_buffer_unref (in); + return GST_FLOW_OK; + } ++ ++ /* ERRORS */ ++not_enough_data: ++ { ++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."), ++ (NULL)); ++ gst_buffer_unmap (in, &map); ++ gst_buffer_unref (in); ++ return GST_FLOW_OK; ++ } + } + + gboolean +-- +2.31.1 + -- cgit v1.2.3