Revert gstreamer update to 1.19.2.

This reverts commits from e49190cf2b to
b2fe4c44e3.

Reason: 1.19 is an unstable (development) release rather than a stable one.
Maxim Cournoyer 2021-10-08 14:31:54 -04:00
parent e151f94467
commit d8a0fc90b5
No known key found for this signature in database
GPG key ID: 1260E46482E63562
10 changed files with 845 additions and 58 deletions


@ -1215,6 +1215,13 @@ dist_patch_DATA = \
%D%/packages/patches/grub-efi-fat-serial-number.patch \
%D%/packages/patches/grub-setup-root.patch \
%D%/packages/patches/gspell-dash-test.patch \
%D%/packages/patches/gst-libav-64channels-stack-corruption.patch \
%D%/packages/patches/gst-plugins-bad-fix-overflow.patch \
%D%/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch \
%D%/packages/patches/gst-plugins-good-fix-test.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch \
%D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch \
%D%/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch \
%D%/packages/patches/guile-1.8-cpp-4.5.patch \
%D%/packages/patches/guile-2.2-skip-oom-test.patch \
%D%/packages/patches/guile-2.2-skip-so-test.patch \


@ -5,7 +5,6 @@
;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019 Guillaume Le Vaillant <glv@posteo.net>
;;; Copyright © 2020 Leo Famulari <leo@famulari.name>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@ -47,7 +46,7 @@ (define-module (gnu packages aidc)
(define-public zxing-cpp
(package
(name "zxing-cpp")
(version "1.2.0")
(version "1.0.8")
(source
(origin
(method git-fetch)
@ -57,14 +56,32 @@ (define-public zxing-cpp
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
(base32 "1gjj9c7h634rrmmgzbc7cxjqsxdq0paj6113k02ncjm1s9abk7ik"))))
(base32 "011sq8wcjfxbnd8sj6bf2fgkamlp8gj6q835g61c952npvwsnl71"))))
(native-inputs
`(("googletest-source" ,(package-source googletest))))
(build-system cmake-build-system)
(arguments
;; The test suite build system is written in a way that required external
;; libraries such as googletest, fmt and others are to be fetched from
;; the network (see: https://github.com/nu-book/zxing-cpp/issues/260).
`(#:tests? #f
#:configure-flags '("-DBUILD_BLACKBOX_TESTS=OFF")))
`(#:out-of-source? #f
#:phases
(modify-phases %standard-phases
(add-after 'unpack 'unpack-googletest
;; Copy the googletest sources to where the CMake build expects them.
(lambda* (#:key inputs #:allow-other-keys)
(let ((source (assoc-ref inputs "googletest-source"))
(target "test/unit/googletest-src"))
(mkdir-p target)
(copy-recursively source target)
;; Disable downloading via ExternalProject.
(substitute* "test/unit/CMakeLists.txt.in"
(("ExternalProject_Add\\(") "message("))
#t)))
(replace 'check
(lambda _
(with-directory-excursion "test/unit"
(invoke "cmake" ".")
(invoke "make")
(invoke "./ZXingUnitTest"))
#t)))))
(synopsis "C++ port of ZXing")
(description "ZXing-CPP is a barcode scanning library.")
(home-page "https://github.com/nu-book/zxing-cpp")
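Review bot: The `zxing-cpp` downgrade from 1.2.0 to 1.0.8 is not covered by the commit message, which gives a reason only for GStreamer, so a later reader cannot tell whether the older release is wanted or merely fell inside the reverted range. zxing-cpp decodes barcodes from images that may come from untrusted sources, so pinning an older release should carry a stated reason. A comment above `(version "1.0.8")` such as `;; Held at 1.0.8 as part of the GStreamer 1.19.2 revert; can be upgraded independently.` would record it, assuming that is in fact the reason. The package definition continues past the end of this hunk.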


@ -10,7 +10,6 @@
;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2020 Liliana Marie Prikler <liliana.prikler@gmail.com>
;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@ -44,7 +43,6 @@ (define-module (gnu packages gstreamer)
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
#:use-module (gnu packages build-tools)
#:use-module (gnu packages cdrom)
#:use-module (gnu packages curl)
#:use-module (gnu packages compression)
@ -411,7 +409,7 @@ (define-public orc
(define-public gstreamer-docs
(package
(name "gstreamer-docs")
(version "1.19.2")
(version "1.18.2")
(source (origin
(method url-fetch)
(uri (string-append
@ -419,7 +417,7 @@ (define-public gstreamer-docs
"/gstreamer-docs-" version ".tar.xz"))
(sha256
(base32
"1isrp3c9gm59br9vbidd1sgqdjgl1ka2p269bqxmh5dcn4f2gz6a"))))
"07hrgn11ll16yahyyh5684k8ms1j9npsyb8lj0skwbapin4czshm"))))
(build-system trivial-build-system)
(arguments
`(#:modules ((guix build utils))
@ -437,7 +435,8 @@ (define-public gstreamer-docs
(invoke (string-append tar "/bin/tar") "-xvf" source
"--strip-components=3"
(string-append ,name "-" ,version
"/devhelp/books/GStreamer")))))))
"/devhelp/books/GStreamer")))
#t))))
(native-inputs
`(("tar" ,tar)
("xz" ,xz)))
@ -467,12 +466,13 @@ (define %common-gstreamer-phases
(("'CK_DEFAULT_TIMEOUT', '[0-9]*'")
"'CK_DEFAULT_TIMEOUT', '600'")
(("timeout ?: .*\\)")
"timeout: 90 * 60)"))))))
"timeout: 90 * 60)"))
#t))))
(define-public gstreamer
(package
(name "gstreamer")
(version "1.19.2")
(version "1.18.4")
(source
(origin
(method url-fetch)
@ -481,13 +481,26 @@ (define-public gstreamer
version ".tar.xz"))
(sha256
(base32
"03bfgsxd3njkaa5vm99hi36b4n98ywand60h3p18jlqyjfjpnnvf"))))
"1igv9l4hm21kp1jmlwlagzs7ly1vaxv1sbda29q8247372dwkvls"))))
(build-system meson-build-system)
(arguments
`(#:meson ,meson-0.55
#:phases
`(#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases)))
,@%common-gstreamer-phases
;; FIXME: Since switching to the meson-build-system, two tests
;; started failing on i686. See
;; <https://gitlab.freedesktop.org/gstreamer/gstreamer/issues/499>.
,@(if (string-prefix? "i686" (or (%current-target-system)
(%current-system)))
`((add-after 'unpack 'disable-some-tests
(lambda _
(substitute* "tests/check/gst/gstsystemclock.c"
(("tcase_add_test \\(tc_chain, test_stress_cleanup_unschedule.*")
"")
(("tcase_add_test \\(tc_chain, test_stress_reschedule.*")
""))
#t)))
'()))))
(propagated-inputs
;; In gstreamer-1.0.pc:
;; Requires: glib-2.0, gobject-2.0
@ -532,15 +545,16 @@ (define-public gstreamer
(define-public gst-plugins-base
(package
(name "gst-plugins-base")
(version "1.19.2")
(version "1.18.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
(patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch"))
(sha256
(base32
"04x5666vgg89dd9psxmnr99dszk8ykkc9dclg2ln2sq07kyh9qyd"))))
"08w3ivbc6n4vdds2ap6q7l8zdk9if8417nznyqidf0adm0lk5r99"))))
(build-system meson-build-system)
(propagated-inputs
`(("glib" ,glib) ;required by gstreamer-sdp-1.0.pc
@ -583,14 +597,14 @@ (define-public gst-plugins-base
("gettext" ,gettext-minimal)
("xorg-server" ,xorg-server-for-tests)))
(arguments
`(#:meson ,meson-0.55
#:phases
`(#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
(add-before 'configure 'patch
(lambda _
(substitute* "tests/check/libs/pbutils.c"
(("/bin/sh") (which "sh")))))
(("/bin/sh") (which "sh")))
#t))
(add-before 'check 'pre-check
(lambda _
;; Tests require a running X server.
@ -601,7 +615,8 @@ (define-public gst-plugins-base
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0"))))))
(setenv "DBUS_FATAL_WARNINGS" "0")
#t)))))
(home-page "https://gstreamer.freedesktop.org/")
(synopsis
"Plugins for the GStreamer multimedia library")
@ -612,7 +627,7 @@ (define-public gst-plugins-base
(define-public gst-plugins-good
(package
(name "gst-plugins-good")
(version "1.19.2")
(version "1.18.4")
(source
(origin
(method url-fetch)
@ -620,12 +635,14 @@ (define-public gst-plugins-good
(string-append
"https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
(patches (search-patches "gst-plugins-good-fix-test.patch"
"gst-plugins-good-CVE-2021-3497.patch"
"gst-plugins-good-CVE-2021-3498.patch"))
(sha256
(base32 "0bjfipap6wc3w28hgf817hc6jvjbblkjil42a356vg242412xsab"))))
(base32 "1c1rpq709cy8maaykyn1n0kckj9c6fl3mhvixkk6xmdwkcx0xrdn"))))
(build-system meson-build-system)
(arguments
`(#:meson ,meson-0.55
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
`(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
@ -639,7 +656,8 @@ (define-public gst-plugins-good
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0"))))))
(setenv "DBUS_FATAL_WARNINGS" "0")
#t)))))
(native-inputs
`(("gettext" ,gettext-minimal)
("glib:bin" ,glib "bin")
@ -702,14 +720,15 @@ (define-public gst-plugins-good
(define-public gst-plugins-bad
(package
(name "gst-plugins-bad")
(version "1.19.2")
(version "1.18.4")
(source (origin
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
(patches (search-patches "gst-plugins-bad-fix-overflow.patch"))
(sha256
(base32
"0y895s0jpfdpdqh2n55ki6gzvji5228v7z541if2xjgjka5gk0jk"))
"0py8k4pbalm9mxkpjbjxis0gp7g74wg5g4yax5q8rccmany0ds3l"))
(modules '((guix build utils)))
(snippet
'(begin
@ -718,7 +737,6 @@ (define-public gst-plugins-bad
(build-system meson-build-system)
(arguments
`(#:configure-flags '("-Dsctp-internal-usrsctp=disabled")
#:meson ,meson-0.55
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
@ -756,7 +774,8 @@ (define-public gst-plugins-bad
;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/932
((".*elements/curlhttpsrc\\.c.*") "")
;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/1412
((".*elements/dtls\\.c.*") "")))))
((".*elements/dtls\\.c.*") ""))
#t)))
(add-before 'check 'pre-check
(lambda _
;; Tests require a running X server.
@ -767,7 +786,8 @@ (define-public gst-plugins-bad
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0"))))))
(setenv "DBUS_FATAL_WARNINGS" "0")
#t)))))
(propagated-inputs
`(("gstreamer" ,gstreamer)
("gst-plugins-base" ,gst-plugins-base)))
@ -890,19 +910,19 @@ (define-public gst-plugins-bad
(define-public gst-plugins-ugly
(package
(name "gst-plugins-ugly")
(version "1.19.2")
(version "1.18.4")
(source
(origin
(method url-fetch)
(uri
(string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
(patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch"))
(sha256
(base32 "1pwz68qg40018ai655fdrjn5clmn0gp2b7dik0jzwx0fzbwzr87j"))))
(base32 "0g6i4db1883q3j0l2gdv46fcqwiiaw63n6mhvsfcms1i1p7g1391"))))
(build-system meson-build-system)
(arguments
`(#:meson ,meson-0.55
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
`(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
@ -916,7 +936,8 @@ (define-public gst-plugins-ugly
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
(setenv "DBUS_FATAL_WARNINGS" "0"))))))
(setenv "DBUS_FATAL_WARNINGS" "0")
#t)))))
(native-inputs
`(("gettext" ,gettext-minimal)
("glib:bin" ,glib "bin")
@ -949,17 +970,18 @@ (define-public gst-plugins-ugly
(define-public gst-libav
(package
(name "gst-libav")
(version "1.19.2")
(source (origin
(method url-fetch)
(uri(string-append
"https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
(sha256
(base32 "0rv4vxrqvlc8lm1afcg934k961gysx94xshmb5jv4xpwjkl8akzw"))))
(version "1.18.4")
(source
(origin
(method url-fetch)
(uri
(string-append
"https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
(patches (search-patches "gst-libav-64channels-stack-corruption.patch"))
(sha256
(base32 "15n3x3vhshqa3icw93g4vqmqd46122anzqvfxwn6q8famlxlcjil"))))
(build-system meson-build-system)
(arguments
`(#:meson ,meson-0.55))
(native-inputs
`(("perl" ,perl)
("pkg-config" ,pkg-config)
@ -979,7 +1001,7 @@ (define-public gst-libav
(define-public gst-editing-services
(package
(name "gst-editing-services")
(version "1.19.2")
(version "1.18.4")
(source (origin
(method url-fetch)
(uri (string-append
@ -987,12 +1009,11 @@ (define-public gst-editing-services
"gst-editing-services-" version ".tar.xz"))
(sha256
(base32
"007rd6vn9ly6djzgb8hilgj8rgdy2530w72vps0d0631fxckxh4g"))))
"010xg960qsh5dwmf0y9l1q13h0cymmrgapzla2zsw66ylxqbi1s6"))))
(build-system meson-build-system)
(arguments
;; FIXME: 16/22 failing tests.
`(#:meson ,meson-0.55
#:tests? #f
`(#:tests? #f
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases (modify-phases %standard-phases
,@%common-gstreamer-phases)))
@ -1052,7 +1073,7 @@ (define-public gst-transcoder
(define-public python-gst
(package
(name "python-gst")
(version "1.19.2")
(version "1.18.2")
(source (origin
(method url-fetch)
(uri (string-append
@ -1060,11 +1081,10 @@ (define-public python-gst
"gst-python-" version ".tar.xz"))
(sha256
(base32
"1y5wkp0nzqks8q5dbqi0491yv2yia4jz3bwh7sa2v8whkg46v3c7"))))
"171qxzndii7ynn9ag3a12h9vyydxzwy1j4ip3cb8hgim1dv0z7g1"))))
(build-system meson-build-system)
(arguments
`(#:meson ,meson-0.55
#:modules ((guix build meson-build-system)
`(#:modules ((guix build meson-build-system)
(guix build utils)
((guix build python-build-system) #:prefix python:))
#:imported-modules (,@%meson-build-system-modules
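Review bot: The restored 1.18.4 definitions get their memory-safety fixes only through local patches (the `patches` fields of `gst-plugins-base`, `gst-plugins-good`, `gst-plugins-bad`, `gst-plugins-ugly` and `gst-libav`), and nothing in the file says when those may be dropped. It is worth checking whether a later stable 1.18.x release already contains them, since a point-release bump is easier to audit than a set of carried patches. If the patches stay, a comment on each field such as `;; Security fixes backported from upstream; remove when updating past 1.18.4.` would help the next update. `gstreamer-docs` and `python-gst` also return to 1.18.2 while the other packages are at 1.18.4; this is presumably intentional, but it is not stated.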


@ -0,0 +1,31 @@
Fix a stack corruption when handling files with more than 64 audio
channels:
https://gstreamer.freedesktop.org/security/sa-2021-0005.html
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/dcea8baa14a5fc3b796d876baaf2f238546ba2b1
diff --git a/ext/libav/gstavcodecmap.c b/ext/libav/gstavcodecmap.c
index b5be4bb7a5f2712f78383da9319754a8849e3307..be22f22cf5c7c7b22b13e44b10999adaacbcca2b 100644
--- a/ext/libav/gstavcodecmap.c
+++ b/ext/libav/gstavcodecmap.c
@@ -102,7 +102,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
guint nchannels = 0;
gboolean none_layout = FALSE;
- if (channel_layout == 0) {
+ if (channel_layout == 0 || channels > 64) {
nchannels = channels;
none_layout = TRUE;
} else {
@@ -163,7 +163,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
} else {
guint i;
- for (i = 0; i < nchannels; i++)
+ for (i = 0; i < nchannels && i < 64; i++)
pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
}
}


@ -0,0 +1,263 @@
Fix an overflow when calculating something for AVC/HEVC videos:
https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d
From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 23 Mar 2021 19:19:14 +0200
Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length
calculations
Offset and size are stored as 32 bit guint and might overflow when
adding the nal_length_size, so let's avoid that.
For the size this would happen if the AVC/HEVC NAL unit size happens to
be stored in 4 bytes and is 4294967292 or higher, which is likely
corrupted data anyway.
For the offset this is something for the caller of these functions to
take care of but is unlikely to happen as it would require parsing on a
>4GB buffer.
Allowing these overflows causes all kinds of follow-up bugs in the
h2645parse elements, ranging from infinite loops and memory leaks to
potential memory corruptions.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107>
---
gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++-
gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++-
tests/check/libs/h264parser.c | 60 +++++++++++++++++++++++
tests/check/libs/h265parser.c | 60 +++++++++++++++++++++++
4 files changed, 150 insertions(+), 2 deletions(-)
diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
index 012f1d0d7..68aa25068 100644
--- a/gst-libs/gst/codecparsers/gsth264parser.c
+++ b/gst-libs/gst/codecparsers/gsth264parser.c
@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
memset (nalu, 0, sizeof (*nalu));
+ /* Would overflow guint below otherwise: the callers needs to ensure that
+ * this never happens */
+ if (offset > G_MAXUINT32 - nal_length_size) {
+ GST_WARNING ("offset + nal_length_size overflow");
+ nalu->size = 0;
+ return GST_H264_PARSER_BROKEN_DATA;
+ }
+
if (size < offset + nal_length_size) {
GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
", offset %u", size, offset);
@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
nalu->sc_offset = offset;
nalu->offset = offset + nal_length_size;
- if (size < nalu->size + nal_length_size) {
+ if (nalu->size > G_MAXUINT32 - nal_length_size) {
+ GST_WARNING ("NALU size + nal_length_size overflow");
+ nalu->size = 0;
+ return GST_H264_PARSER_BROKEN_DATA;
+ }
+
+ if (size < (gsize) nalu->size + nal_length_size) {
nalu->size = 0;
return GST_H264_PARSER_NO_NAL_END;
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index 26e68b276..dc7f27aa9 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
memset (nalu, 0, sizeof (*nalu));
+ /* Would overflow guint below otherwise: the callers needs to ensure that
+ * this never happens */
+ if (offset > G_MAXUINT32 - nal_length_size) {
+ GST_WARNING ("offset + nal_length_size overflow");
+ nalu->size = 0;
+ return GST_H265_PARSER_BROKEN_DATA;
+ }
+
if (size < offset + nal_length_size) {
GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
", offset %u", size, offset);
@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
nalu->sc_offset = offset;
nalu->offset = offset + nal_length_size;
- if (size < nalu->size + nal_length_size) {
+ if (nalu->size > G_MAXUINT32 - nal_length_size) {
+ GST_WARNING ("NALU size + nal_length_size overflow");
+ nalu->size = 0;
+ return GST_H265_PARSER_BROKEN_DATA;
+ }
+
+ if (size < (gsize) nalu->size + nal_length_size) {
nalu->size = 0;
return GST_H265_PARSER_NO_NAL_END;
diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c
index c7c46d9a2..d322dd8db 100644
--- a/tests/check/libs/h264parser.c
+++ b/tests/check/libs/h264parser.c
@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes)
GST_END_TEST;
+GST_START_TEST (test_h264_parse_identify_nalu_avc)
+{
+ GstH264ParserResult res;
+ GstH264NalUnit nalu;
+ GstH264NalParser *const parser = gst_h264_nal_parser_new ();
+ /* Skip 3 bytes for the start code */
+ const gsize nal_size = sizeof (slice_dpa) - 3;
+ const gsize buf_size = 4 + nal_size;
+ guint8 *buf = g_new (guint8, buf_size);
+
+ memcpy (buf + 4, slice_dpa + 3, nal_size);
+
+ GST_WRITE_UINT16_BE (buf + 2, nal_size);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_OK);
+ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
+ assert_equals_int (nalu.offset, 4);
+ assert_equals_int (nalu.size, nal_size);
+
+ GST_WRITE_UINT32_BE (buf, nal_size);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_OK);
+ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
+ assert_equals_int (nalu.offset, 4);
+ assert_equals_int (nalu.size, nal_size);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
+ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
+
+ g_free (buf);
+ gst_h264_nal_parser_free (parser);
+}
+
+GST_END_TEST;
+
static guint8 nalu_sps_with_vui[] = {
0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28,
0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03,
@@ -666,6 +725,7 @@ h264parser_suite (void)
tcase_add_test (tc_chain, test_h264_parse_slice_dpa);
tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice);
tcase_add_test (tc_chain, test_h264_parse_slice_5bytes);
+ tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc);
tcase_add_test (tc_chain, test_h264_parse_invalid_sei);
tcase_add_test (tc_chain, test_h264_create_sei);
diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c
index 0a0e4db97..5b6a215ec 100644
--- a/tests/check/libs/h265parser.c
+++ b/tests/check/libs/h265parser.c
@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes)
GST_END_TEST;
+GST_START_TEST (test_h265_parse_identify_nalu_hevc)
+{
+ GstH265ParserResult res;
+ GstH265NalUnit nalu;
+ GstH265Parser *parser = gst_h265_parser_new ();
+ /* Skip 4 bytes for the start code */
+ const gsize nal_size = sizeof (slice_eos_slice_eob) - 4;
+ const gsize buf_size = 4 + nal_size;
+ guint8 *buf = g_new (guint8, buf_size);
+
+ memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size);
+
+ GST_WRITE_UINT16_BE (buf + 2, nal_size);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_OK);
+ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
+ assert_equals_int (nalu.offset, 4);
+ assert_equals_int (nalu.size, nal_size);
+
+ GST_WRITE_UINT32_BE (buf, nal_size);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_OK);
+ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
+ assert_equals_int (nalu.offset, 4);
+ assert_equals_int (nalu.size, nal_size);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
+
+ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
+ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
+
+ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
+
+ g_free (buf);
+ gst_h265_parser_free (parser);
+}
+
+GST_END_TEST;
+
GST_START_TEST (test_h265_base_profiles)
{
GstH265ProfileTierLevel ptl;
@@ -1101,6 +1160,7 @@ h265parser_suite (void)
tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob);
tcase_add_test (tc_chain, test_h265_parse_pic_timing);
tcase_add_test (tc_chain, test_h265_parse_slice_6bytes);
+ tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc);
tcase_add_test (tc_chain, test_h265_base_profiles);
tcase_add_test (tc_chain, test_h265_base_profiles_compat);
tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match);
--
2.31.1


@ -0,0 +1,40 @@
Fix an "invalid read during ID3v2 tag parsing".
https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee
From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Wed, 3 Mar 2021 01:08:25 +0000
Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
Check the right variable when checking if there's
enough data left to read the frame size.
Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1065>
---
gst-libs/gst/tag/id3v2frames.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
index 8e9f78254..f39659bf7 100644
--- a/gst-libs/gst/tag/id3v2frames.c
+++ b/gst-libs/gst/tag/id3v2frames.c
@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
- if (work->hdr.frame_data_size <= 4)
+ if (frame_data_size <= 4)
return FALSE;
if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
work->parse_size = GST_READ_UINT32_BE (frame_data);
--
2.31.1


@ -0,0 +1,174 @@
Fix CVE-2021-3497:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497
https://gstreamer.freedesktop.org/security/sa-2021-0002.html
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 467815986c8c3d86fd8906a0d539b34f67d6693e..0e47ee7b5e25ac3331f30439710ae755235f2a22 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
guint32 block_samples, tmp;
gsize size = gst_buffer_get_size (*buf);
+ if (size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ return GST_FLOW_ERROR;
+ }
+
gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
block_samples = GUINT32_FROM_LE (tmp);
/* we need to reconstruct the header of the wavpack block */
@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
/* -20 because ck_size is the size of the wavpack block -8
* and lace_size is the size of the wavpack block + 12
* (the three guint32 of the header that already are in the buffer) */
- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
+ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
/* block_samples, flags and crc are already in the buffer */
- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
+ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
data = outmap.data;
@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
audiocontext->wvpk_block_index += block_samples;
} else {
guint8 *outdata = NULL;
- guint outpos = 0;
- gsize buf_size, size, out_size = 0;
+ gsize buf_size, size;
guint32 block_samples, flags, crc, blocksize;
+ GstAdapter *adapter;
+
+ adapter = gst_adapter_new ();
gst_buffer_map (*buf, &map, GST_MAP_READ);
buf_data = map.data;
@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
if (buf_size < 4) {
GST_ERROR_OBJECT (element, "Too small wavpack buffer");
gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
return GST_FLOW_ERROR;
}
@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
data += 4;
size -= 4;
- if (blocksize == 0 || size < blocksize)
- break;
-
- g_assert ((newbuf == NULL) == (outdata == NULL));
+ if (blocksize == 0 || size < blocksize) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
+ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
- if (newbuf == NULL) {
- out_size = sizeof (Wavpack4Header) + blocksize;
- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
+ g_assert (newbuf == NULL);
- gst_buffer_copy_into (newbuf, *buf,
- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ newbuf =
+ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
+ NULL);
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ outdata = outmap.data;
+
+ outdata[0] = 'w';
+ outdata[1] = 'v';
+ outdata[2] = 'p';
+ outdata[3] = 'k';
+ outdata += 4;
+
+ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
+ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
+ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
+ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
+ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
+ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
+ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
+ GST_WRITE_UINT32_LE (outdata + 20, flags);
+ GST_WRITE_UINT32_LE (outdata + 24, crc);
+ outdata += 28;
+
+ memcpy (outdata, data, blocksize);
- outpos = 0;
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- } else {
- gst_buffer_unmap (newbuf, &outmap);
- out_size += sizeof (Wavpack4Header) + blocksize;
- gst_buffer_set_size (newbuf, out_size);
- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
- outdata = outmap.data;
- }
+ gst_buffer_unmap (newbuf, &outmap);
+ gst_adapter_push (adapter, newbuf);
+ newbuf = NULL;
- outdata[outpos] = 'w';
- outdata[outpos + 1] = 'v';
- outdata[outpos + 2] = 'p';
- outdata[outpos + 3] = 'k';
- outpos += 4;
-
- GST_WRITE_UINT32_LE (outdata + outpos,
- blocksize + sizeof (Wavpack4Header) - 8);
- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
- outpos += 28;
-
- memmove (outdata + outpos, data, blocksize);
- outpos += blocksize;
data += blocksize;
size -= blocksize;
}
gst_buffer_unmap (*buf, &map);
- gst_buffer_unref (*buf);
- if (newbuf)
- gst_buffer_unmap (newbuf, &outmap);
+ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
+ g_object_unref (adapter);
+ gst_buffer_copy_into (newbuf, *buf,
+ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ gst_buffer_unref (*buf);
*buf = newbuf;
+
audiocontext->wvpk_block_index += block_samples;
}
diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
index 429213f778063ba0063944ab64ad60373bbce5ee..8d4a685a910ec13100a3c3d156b2412d28ec0522 100644
--- a/gst/matroska/matroska-ids.h
+++ b/gst/matroska/matroska-ids.h
@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
guint32 crc; /* crc for actual decoded data */
} Wavpack4Header;
+#define WAVPACK4_HEADER_SIZE (32)
+
typedef enum {
GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
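Review bot: In the first matroska-demux.c hunk the new `if (size < 4)` early return calls `gst_buffer_unmap (*buf, &map)`, but no `gst_buffer_map` of `*buf` is visible on that path before it. The hunk shows only `gst_buffer_get_size` and `gst_buffer_extract` there, whereas the `else` branch maps the buffer explicitly before its own size check. If `map` really is unmapped at that point, the call operates on an uninitialised `GstMapInfo`, and the error path should reduce to `GST_ERROR_OBJECT (element, "Too small wavpack buffer"); return GST_FLOW_ERROR;`. The start of `gst_matroska_demux_add_wvpk_header` lies outside the hunk, so this needs confirming against the full function; as the patch is copied from upstream, any fix belongs there.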


@ -0,0 +1,22 @@
Fix CVE-2021-3498:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498
https://gstreamer.freedesktop.org/security/sa-2021-0003.html
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903
diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 4d0234743b8cf243b4521e56ef9027ba23b1b5d0..467815986c8c3d86fd8906a0d539b34f67d6693e 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+ *dest_context = NULL;
+
/* start with the master */
if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
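Review bot: The added `*dest_context = NULL;` at the top of gst_matroska_demux_parse_stream carries no comment saying why the out-parameter is cleared before any parsing, and that reason is what makes the line a security fix. Presumably some error returns leave `*dest_context` unset while callers only test it against NULL, so a stale or uninitialised pointer could otherwise be used; the caller is not visible on this page, so this should be confirmed. I would add `/* clear the out-parameter first: early error returns below must not leave a stale pointer for the caller */` above the assignment. The function body continues outside the hunk, so the remaining return paths could not be checked here.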


@ -0,0 +1,94 @@
Fix a broken test:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
Patches copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/f5310ce346180a717f091f2f09bcbb3ddfb15436
From 2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Thu, 12 Nov 2020 23:38:21 +0000
Subject: [PATCH 1/2] tests: qtdemux: fix crash on 32-bit architectures
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
---
tests/check/elements/qtdemux.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
index 5271c6576..0c748278b 100644
--- a/tests/check/elements/qtdemux.c
+++ b/tests/check/elements/qtdemux.c
@@ -797,9 +797,10 @@ GST_START_TEST (test_qtdemux_pad_names)
"protection-system", G_TYPE_STRING,
"9a04f079-9840-4286-ab92-e65be0885f95", NULL);
caps =
- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
- GST_TYPE_CAPS, mediacaps, NULL);
+ gst_caps_new_simple ("video/quicktime",
+ "variant", G_TYPE_STRING, "mss-fragmented",
+ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
/* Send segment event* */
event = gst_event_new_caps (caps);
@@ -852,9 +853,10 @@ GST_START_TEST (test_qtdemux_pad_names)
"protection-system", G_TYPE_STRING,
"9a04f079-9840-4286-ab92-e65be0885f95", NULL);
caps =
- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
- GST_TYPE_CAPS, mediacaps, NULL);
+ gst_caps_new_simple ("video/quicktime",
+ "variant", G_TYPE_STRING, "mss-fragmented",
+ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
/* Send segment event* */
event = gst_event_new_caps (caps);
--
2.30.0
From f5310ce346180a717f091f2f09bcbb3ddfb15436 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Thu, 12 Nov 2020 23:39:21 +0000
Subject: [PATCH 2/2] tests: qtdemux: fix typo in caps field
timesacle -> timescale
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
---
tests/check/elements/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
index 0c748278b..4a14c45c0 100644
--- a/tests/check/elements/qtdemux.c
+++ b/tests/check/elements/qtdemux.c
@@ -799,7 +799,7 @@ GST_START_TEST (test_qtdemux_pad_names)
caps =
gst_caps_new_simple ("video/quicktime",
"variant", G_TYPE_STRING, "mss-fragmented",
- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
"media-caps", GST_TYPE_CAPS, mediacaps, NULL);
/* Send segment event* */
@@ -855,7 +855,7 @@ GST_START_TEST (test_qtdemux_pad_names)
caps =
gst_caps_new_simple ("video/quicktime",
"variant", G_TYPE_STRING, "mss-fragmented",
- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
"media-caps", GST_TYPE_CAPS, mediacaps, NULL);
/* Send segment event* */
--
2.30.0
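Review bot: Nothing next to the two `gst_caps_new_simple` calls in test_qtdemux_pad_names records why the literal is wrapped in `G_GUINT64_CONSTANT (10000000)`, so a later cleanup could drop the macro again. The call is variadic and the field is declared as `G_TYPE_UINT64`, so the value has to be passed as a 64-bit argument; a plain `10000000` is an `int`, which fits the 32-bit crash named in the subject line. A one-line comment such as `/* varargs: the value must be 64 bits wide to match G_TYPE_UINT64 */` above each call would keep that visible. Both hunks (at lines 797 and 852 of the test file) are affected, and the test function extends beyond them.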


@ -0,0 +1,119 @@
Fix out of bounds reads when parsing audio and video packets:
https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 3 Mar 2021 11:05:14 +0200
Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
audio/video packets
Otherwise there will be out-of-bounds reads and potential crashes.
Thanks to Natalie Silvanovich for reporting.
Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
---
gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 6cc659a1..68b0736b 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
gst_buffer_map (in, &map, GST_MAP_READ);
+ if (map.size < offset)
+ goto not_enough_data;
+
data = map.data + offset;
size = map.size - offset;
@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
}
GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+ if (map.size < (data - map.data) + fragment_size)
+ goto not_enough_data;
+
/* get the fragment */
fragment =
gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
GstFlowReturn ret;
GstBuffer *buffer;
+ if (gst_buffer_get_size (in) < offset)
+ goto not_enough_data;
+
buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
ret = gst_pad_push (stream->pad, buffer);
}
+done:
gst_buffer_unref (in);
return ret;
+
+ /* ERRORS */
+not_enough_data:
+ {
+ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+ (NULL));
+ ret = GST_FLOW_OK;
+ goto done;
+ }
}
static GstFlowReturn
@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
data = map.data;
size = map.size;
+ if (size < 4 + 6 + 1 + 2)
+ goto not_enough_data;
+
/* stream number */
id = RMDEMUX_GUINT16_GET (data);
@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
/* version 1 has an extra byte */
if (version == 1) {
+ if (size < 1)
+ goto not_enough_data;
+
data += 1;
size -= 1;
}
@@ -2596,6 +2621,16 @@ unknown_stream:
gst_buffer_unref (in);
return GST_FLOW_OK;
}
+
+ /* ERRORS */
+not_enough_data:
+ {
+ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
+ (NULL));
+ gst_buffer_unmap (in, &map);
+ gst_buffer_unref (in);
+ return GST_FLOW_OK;
+ }
}
gboolean
--
2.31.1
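Review bot: The fragment check added in gst_rmdemux_parse_video_packet, `if (map.size < (data - map.data) + fragment_size)`, does its bounds test with an addition, which can overflow where `ptrdiff_t` is 32 bits wide and `fragment_size` is a 32-bit value taken from the stream; the declaration of `fragment_size` is outside the hunk, so this needs confirming. Comparing against the remaining length avoids the addition: `if (fragment_size > map.size - (data - map.data))`, which holds as long as `data` has not already moved past the end of the mapping. The `not_enough_data` label that this function jumps to is not added by the patch and lies outside the hunks, so its cleanup (unmap and unref) could not be checked here. In gst_rmdemux_parse_packet the constant `4 + 6 + 1 + 2` would also read better with a comment naming the header fields it sums.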