From e24e1608a5e62551d850d6825d9d98cf8a5154e8 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Fri, 27 Jun 2025 09:51:31 +0800
Subject: [PATCH] 1.18.1
---
 backport-CVE-2025-6663.patch | 62 ++++++++++++++++++++++++++++++++
 gstreamer1-plugins-bad-free.spec | 8 +++--
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2025-6663.patch
diff --git a/backport-CVE-2025-6663.patch b/backport-CVE-2025-6663.patch
new file mode 100644
index 0000000..42058ef
--- /dev/null
+++ b/backport-CVE-2025-6663.patch
@@ -0,0 +1,62 @@
+From eedd01ac3dfeb60e36a44bb61a6d0418454e8416 Mon Sep 17 00:00:00 2001
+From: He Junyan
+Date: Tue, 24 Jun 2025 21:40:26 +0800
+Subject: [PATCH] h266parser: Fix overflow when parsing subpic_level_info
+
+1. non_subpic_layers_fraction, ref_level_idc and ref_level_fraction_minus1
+ fields should not have the GST_H266_MAX_SUBLAYERS limitation.
+2. Should check max_sublayers_minus1, no more than GST_H266_MAX_SUBLAYERS-1
+
+Fixes ZDI-CAN-27381, CVE-2025-6663
+
+Closes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4503
+Part-of:
+---
+ .../gst-libs/gst/codecparsers/gsth266parser.c | 4 ++++
+ .../gst-libs/gst/codecparsers/gsth266parser.h | 8 +++++---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c
+index ec861dea474f..0f52e5fa4eae 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c
+@@ -1620,6 +1620,10 @@ gst_h266_parser_parse_subpic_level_info (GstH266SubPicLevelInfo * sli,
+ READ_UE_MAX (nr, sli->num_subpics_minus1, GST_H266_MAX_SLICES_PER_AU - 1);
+
+ READ_UINT8 (nr, sli->max_sublayers_minus1, 3);
++ /* The value of sli_max_sublayers_minus1 shall be equal to
++ vps_max_sublayers_minus1. */
++ CHECK_ALLOWED_MAX (sli->max_sublayers_minus1, GST_H266_MAX_SUBLAYERS - 1);
++
+ READ_UINT8 (nr, sli->sublayer_info_present_flag, 1);
+
+ while (!nal_reader_is_byte_aligned (nr))
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h
+index a53e0ea61531..a9df8d86c725 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h
+@@ -43,6 +43,8 @@ G_BEGIN_DECLS
+ /* 7.4.3.3 The value of vps_max_sublayers_minus1
+ * shall be in the range of 0 to 6, inclusive */
+ #define GST_H266_MAX_SUBLAYERS 7
++/* 3-bit minus1 value, so max is 7+1 */
++#define GST_H266_MAX_SLI_REF_LEVELS 8
+ /* 7.4.3.3 vps_num_output_layer_sets_minus2 is u(8) */
+ #define GST_H266_MAX_TOTAL_NUM_OLSS 257
+ /* 7.4.3.3 vps_num_ptls_minus1 shall be less than TotalNumOlss,
+@@ -3171,9 +3173,9 @@ struct _GstH266SubPicLevelInfo {
+ guint16 num_subpics_minus1;
+ guint8 max_sublayers_minus1;
+ guint8 sublayer_info_present_flag;
+- guint8 non_subpic_layers_fraction[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
+- guint8 ref_level_idc[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
+- guint8 ref_level_fraction_minus1[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
++ guint8 non_subpic_layers_fraction[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
++ guint8 ref_level_idc[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
++ guint8 ref_level_fraction_minus1[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
+ };
+
+ /**
+--
+GitLab
+
diff --git a/gstreamer1-plugins-bad-free.spec b/gstreamer1-plugins-bad-free.spec
index 88adb06..3d0376a 100644
--- a/gstreamer1-plugins-bad-free.spec
+++ b/gstreamer1-plugins-bad-free.spec
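Review bot: The widened first dimension in `struct _GstH266SubPicLevelInfo` is only safe while the ref-level count stays a 3-bit value, and that invariant lives in the comment on `GST_H266_MAX_SLI_REF_LEVELS` rather than in a check; the read of that count is outside the hunks shown, so it cannot be confirmed from here. I would put a guard next to that read in the same form as the one added for the sublayer count, `CHECK_ALLOWED_MAX (<ref-level count field>, GST_H266_MAX_SLI_REF_LEVELS - 1);`, so the array bound and the parser cannot drift apart. The comment above the new `CHECK_ALLOWED_MAX` in gst_h266_parser_parse_subpic_level_info states equality with vps_max_sublayers_minus1, while the check only bounds the value by `GST_H266_MAX_SUBLAYERS - 1`; the comment should say so, e.g. `/* u(3) can encode 7; cap at GST_H266_MAX_SUBLAYERS - 1 (VPS equality is not verified here) */`. The header hunk also changes the size of the struct, so users of gsth266parser.h built against the previous release presumably need a rebuild.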
@@ -3,11 +3,12 @@ Name: gstreamer1-plugins-bad-free Version: 1.26.2 -Release: 1 +Release: 2 Summary: Not well tested plugins for GStreamer framework License: LGPL-2.0-or-later and LGPL-2.1-or-later URL: https://gstreamer.freedesktop.org/ Source0: https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz +Patch6001: backport-CVE-2025-6663.patch BuildRequires: meson >= 1.1 BuildRequires: gcc @@ -152,7 +153,7 @@ Requires: gstreamer1-plugins-base-devel This package provides the development files for GStreamer not-well-tested plugins. %prep -%autosetup -n gst-plugins-bad-%{version} -p1 +%autosetup -n gst-plugins-bad-%{version} -p3 %build %meson \ @@ -606,6 +607,9 @@ EOF %endif %changelog +* Fri Jun 27 2025 Funda Wang - 1.26.2-2 +- fix CVE-2025-6663 + * Sat Jun 14 2025 Funda Wang - 1.26.2-1 - update to 1.26.2 -- Gitee
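Review bot: The `-p3` on `%autosetup` in the %prep hunk applies to every patch in the spec, so a later patch generated against the tarball root will no longer apply cleanly. It is needed today only because backport-CVE-2025-6663.patch keeps upstream's monorepo paths (`a/subprojects/gst-plugins-bad/...`). I would keep `-p1` and either rewrite the paths inside the backported patch or apply it on its own, `%autosetup -n gst-plugins-bad-%{version} -N` followed by `%patch -P6001 -p3`. The commit subject `1.18.1` also does not match the 1.26.2-2 CVE fix recorded in the changelog hunk, which makes the security fix harder to find in history.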