diff --git a/CVE-2024-0444.patch b/CVE-2024-0444.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ef6ab881d71ea33424e591dc186c2d7a10a2935
--- /dev/null
+++ b/CVE-2024-0444.patch
@@ -0,0 +1,37 @@
+From f368d63ecd89e01fd2cf0b1c4def5fc782b2c390 Mon Sep 17 00:00:00 2001
+From: Seungha Yang
+Date: Wed, 10 Jan 2024 03:33:59 +0900
+Subject: [PATCH] av1parser: Fix potential stack overflow during tile list
+ parsing
+
+The tile_count_minus_1 must be less than or equal to 511 as specified
+in spec "6.11.1 General tile list OBU semantics"
+
+Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873
+
+Part-of:
+---
+ .../gst-libs/gst/codecparsers/gstav1parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+index 33335c421f9..47b132476cf 100644
+--- gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
++++ gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -4344,6 +4344,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * parser,
+ tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+ tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+ tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
++ if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
++ GST_WARNING ("Invalid tile_count_minus_1 %d",
++ tile_list->tile_count_minus_1);
++ retval = GST_AV1_PARSER_BITSTREAM_ERROR;
++ goto error;
++ }
++
+ for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
+ if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
+ retval = GST_AV1_PARSER_NO_MORE_DATA;
+--
+GitLab
+
diff --git a/ZDI-CAN-22300.patch b/ZDI-CAN-22300.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f5ba4868cca9cb98d7261b40e5e2e6e15bdd0774
--- /dev/null
+++ b/ZDI-CAN-22300.patch
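Review bot: The new guard in gst_av1_parser_parse_tile_list_obu compares `tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT`, which is right (the sibling patch's header context shows GST_AV1_MAX_TILE_COUNT as 512, so this is exactly the spec's `tile_count_minus_1 <= 511`), but nothing in the code records where the bound comes from; I'd put `/* 6.11.1: tile_count_minus_1 <= 511, i.e. at most GST_AV1_MAX_TILE_COUNT entries */` above the `if` and write it as `if (tile_list->tile_count_minus_1 >= GST_AV1_MAX_TILE_COUNT)` so the relation to the array size is literal. The guard protects whatever the per-tile loop writes, but that loop body, the array it indexes and the `error:` label are all outside the hunk, so for the 1.22.6 backport the loop and label should be checked against the local tree rather than assumed from the upstream context lines. The `Part-of:` trailer in the embedded commit message carries no merge-request URL here; unless that is a rendering artifact, restoring it keeps the backport's provenance checkable against upstream. The function starts before and continues past the hunk.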
@@ -0,0 +1,66 @@
+From 890d59e97e291fe848147ebf4d5884bcec1101c9 Mon Sep 17 00:00:00 2001
+From: Seungha Yang
+Date: Thu, 23 Nov 2023 20:24:42 +0900
+Subject: [PATCH] av1parser: Fix array sizes in scalability structure
+
+Since the AV1 specification is not explicitly mentioning about
+the array size bounds, array sizes in scalability structure
+should be defined as possible maximum sizes that can have.
+
+Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
+public header which is API break but the define is misleading
+and this patch is introducing ABI break already
+
+ZDI-CAN-22300
+
+Part-of:
+---
+ .../gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
+ .../gst-plugins-bad/gst/videoparsers/gstav1parse.c | 2 +-
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+index a5f1c761f6f..7d2ec69fb57 100644
+--- gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
++++ gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+@@ -71,9 +71,8 @@ G_BEGIN_DECLS
+ #define GST_AV1_MAX_TILE_COUNT 512
+ #define GST_AV1_MAX_OPERATING_POINTS \
+ (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
+-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
++#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
++#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
+ #define GST_AV1_MAX_NUM_Y_POINTS 16
+ #define GST_AV1_MAX_NUM_CB_POINTS 16
+ #define GST_AV1_MAX_NUM_CR_POINTS 16
+@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
+ gboolean spatial_layer_dimensions_present_flag;
+ gboolean spatial_layer_description_present_flag;
+ gboolean temporal_group_description_present_flag;
+- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
+- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
+- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
++ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 temporal_group_size;
+
+ guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
+diff --git gst-plugins-bad/gst/videoparsers/gstav1parse.c gst-plugins-bad/gst/videoparsers/gstav1parse.c
+index b6ef0543c41..3d382893b16 100644
+--- gst-plugins-bad/gst/videoparsers/gstav1parse.c
++++ gst-plugins-bad/gst/videoparsers/gstav1parse.c
+@@ -1321,7 +1321,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
+ }
+
+ val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
+- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
++ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
+ if (val & (1 << i))
+ self->highest_spatial_id = i;
+ }
+--
+GitLab
+
diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec
index cfc9c3887735e03acedf140396c43eea8822ba2f..a941c6193fac491e05aef4edc3994c5053e15f28 100644
--- a/gstreamer1-plugins-bad-free.spec
+++ b/gstreamer1-plugins-bad-free.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %global majorminor 1.0
 %global _gobject_introspection 1.31.1
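Review bot: The resized arrays in GstAV1MetadataScalability only close the overflow if every parser loop that fills them is bounded by the same limits, and the parser itself (the scalability metadata path in gstav1parser.c) is not touched by this patch: GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255 and GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7 presumably mirror the 8-bit temporal_group_size and 3-bit temporal_group_ref_cnt fields, and GST_AV1_MAX_NUM_SPATIAL_LAYERS is presumably 4 (the `& 0x0f` in gstav1parse.c admits four bits), but none of those widths is visible here, so the 1.22.6 parser should be confirmed to read exactly those widths and to iterate with these macros rather than with literal 8s. Shrinking GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES from 8 to 7 is the direction that can introduce a new overflow if any loop still iterates to 8, so that one deserves the first look. I'd document the bounds where they are defined, e.g. `/* max temporal_group_size (f(8)) and temporal_group_ref_cnt (f(3)) of the scalability metadata OBU */` above the two new defines, so the old `/* correct? */` does not reappear. Since the patch also changes the layout of a public struct and drops GST_AV1_MAX_SPATIAL_LAYERS from an installed header (as its message admits), dependents built against the old libgstcodecparsers header may need a rebuild, which is worth stating in the package changelog.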
@@ -17,6 +17,8 @@ Source1: gst-p-bad-cleanup.sh
 Patch1001: 1001-add-infos-for-appstream.patch
 Patch1002: CVE-2023-44429.patch
 Patch1003: CVE-2023-44446.patch
+Patch1004: ZDI-CAN-22300.patch
+Patch1005: CVE-2024-0444.patch
 BuildRequires: gcc-c++ meson >= 0.48.0
 BuildRequires: check
@@ -463,6 +465,9 @@ rm $RPM_BUILD_ROOT%{_bindir}/playout
 %changelog
+* Sat Jan 27 2024 Funda Wang - 1.22.6-3
+- fix ZDI-CAN-22300 and CVE-2024-0444
+
 * Mon Nov 20 2023 Funda Wang - 1.22.6-2
 - fix CVE-2023-44429 and CVE-2023-44446
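Review bot: Patch1004 and Patch1005 are declared here but the %prep section that applies them is not in view; if the spec applies patches with explicit %patch lines rather than `%autosetup -p1`, add `%patch1004 -p1` and `%patch1005 -p1` beside the existing CVE patches, otherwise the two fixes are declared and never built in. The strip level should be confirmed rather than copied: both new patch files use bare `gst-plugins-bad/...` paths with no `a/`/`b/` prefix, so the level that works for the earlier patches is not automatically right for these. ZDI-CAN-22300.patch changes the layout of a public struct in an installed header, and a one-line changelog note that dependents of libgstcodecparsers may need a rebuild would spare the next packager a bisect.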