Commit 126b7fb3 authored by Leonardo Arena's avatar Leonardo Arena

main/gst-plugins-good1: upgrade to 1.8.3 - fixes #7205

CVE-2016-10198, CVE-2016-10199, CVE-2016-9634, CVE-2016-9635,
CVE-2016-9636, CVE-2016-9808, CVE-2017-5840, CVE-2017-5841,
CVE-2017-5845
parent 4d3dad5f
From af7f70e60e364b551c2589dee5fb458a83fa0e7e Mon Sep 17 00:00:00 2001
From: Matthew Waters <matthew@centricular.com>
Date: Tue, 22 Nov 2016 23:46:00 +1100
Subject: flxdec: fix some warnings comparing unsigned < 0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
bf43f44fcfada5ec4a3ce60cb374340486fe9fac was comparing an unsigned
expression to be < 0 which was always false.
gstflxdec.c: In function ‘flx_decode_brun’:
gstflxdec.c:322:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
if ((glong) row - count < 0) {
^
gstflxdec.c:332:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
if ((glong) row - count < 0) {
^
https://bugzilla.gnome.org/show_bug.cgi?id=774834
diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
index d51a8e6..e675c99 100644
--- a/gst/flx/gstflxdec.c
+++ b/gst/flx/gstflxdec.c
@@ -319,7 +319,7 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
if (count > 0x7f) {
/* literal run */
count = 0x100 - count;
- if ((glong) row - count < 0) {
+ if ((glong) row - (glong) count < 0) {
GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
return FALSE;
}
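Review bot: The two casts in `if ((glong) row - (glong) count < 0)` work, but `row` and `count` are both declared `gulong` in flx_decode_brun, so the test reads more directly as an unsigned comparison: `if (count > row) {`. That form cannot trigger -Wtype-limits and needs no signed conversion. The same applies to the identical check in the second hunk's `else` branch. flx_decode_brun starts and ends outside both hunks.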
@@ -329,7 +329,7 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
*dest++ = *data++;
} else {
- if ((glong) row - count < 0) {
+ if ((glong) row - (glong) count < 0) {
GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
return FALSE;
}
--
cgit v0.10.2
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gst-plugins-good1
pkgver=1.8.1
pkgrel=3
pkgver=1.8.3
pkgrel=0
pkgdesc="GStreamer Multimedia Framework Good Plugins"
url="http://gstreamer.freedesktop.org/"
arch="all"
......@@ -37,12 +37,33 @@ makedepends="$depends_dev
wavpack-dev
zlib-dev
"
replaces=
ldpath="/usr/lib/gstreamer-1.0"
source="http://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-$pkgver.tar.xz
CVE-2016-9634-9635.patch
002-flxdec-fix-some-warnings-comparing-unsigned.patch
CVE-2016-9636.patch
CVE-2016-9808.patch
CVE-2016-10198.patch
CVE-2016-10199.patch
CVE-2017-5840-1.patch
CVE-2017-5840-2.patch
CVE-2017-5841.patch
CVE-2017-5845.patch
"
# secfixes:
# 1.8.3-r0:
# - CVE-2016-9634
# - CVE-2016-9635
# - CVE-2016-9636
# - CVE-2016-9808
# - CVE-2016-10198
# - CVE-2016-10199
# - CVE-2017-5840
# - CVE-2017-5841
# - CVE-2017-5845
_builddir="$srcdir"/gst-plugins-good-$pkgver
prepare() {
......@@ -78,6 +99,36 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
md5sums="3eabe7277681b9bef8a64c312de03d47 gst-plugins-good-1.8.1.tar.xz"
sha256sums="2103e17921d67894e82eafdd64fb9b06518599952fd93e625bfbc83ffead0972 gst-plugins-good-1.8.1.tar.xz"
sha512sums="f3576180e55e38c6320ad44f2ed5a551088e566636b2b4d5f226d96b2a447a8c2addb2862759d7363eee7d05e01831bf093cdb6ac6c1689736a6673a76d5e75c gst-plugins-good-1.8.1.tar.xz"
md5sums="473ebb1f15c67de99ddb6e4d027c0876 gst-plugins-good-1.8.3.tar.xz
3478bc474b86c1f69594c97d52c1a435 CVE-2016-9634-9635.patch
d3fa9170a9c109724e96be77a2f9e9b8 002-flxdec-fix-some-warnings-comparing-unsigned.patch
030eb22c27d6350cf2b13b62afc060b7 CVE-2016-9636.patch
526926ed987a5c26bc720ccbd59bd387 CVE-2016-9808.patch
26bbf7574634adfe76b0b3af2df0a99d CVE-2016-10198.patch
dffbb65093cee1cd2e27b15e628c965b CVE-2016-10199.patch
1d9ba2f16d0b8cb9b05a945923f007b6 CVE-2017-5840-1.patch
a76f687e93273d4751fe351e96e47108 CVE-2017-5840-2.patch
8d72b512b6dd1c84bbada6ed80fc15ff CVE-2017-5841.patch
8bcb98b626770ea30a7ad5f5c96aed25 CVE-2017-5845.patch"
sha256sums="a1d6579ba203a7734927c24b90bf6590d846c5a5fcec01a48201018c8ad2827a gst-plugins-good-1.8.3.tar.xz
ec2deb569fb63af0d678ff8ec5183d45dd8cea480f2c9ec859f06c04a111e678 CVE-2016-9634-9635.patch
71aeec02c26b8ea7bf7dbd6645be7be19e19d875ef961fd4d02c182f2cdde527 002-flxdec-fix-some-warnings-comparing-unsigned.patch
476159b1144a6278487aff2c263f43e79d1bc0006f77f1929b799e5d6f7d38e7 CVE-2016-9636.patch
c330a86f5e196096c7dd51c1ec0fb3e56bae3ac9260fe2417aae86f00a882fe6 CVE-2016-9808.patch
ec45cd206142ad57d17bad534eef2d600d84b201942ba2077f52b4024cb35ff8 CVE-2016-10198.patch
fb3b360387ff37617aceaeb50056f30e38932097440bb4bd94a416426d77127e CVE-2016-10199.patch
6dbfb2840af6af0b235a29540949ba42f5c1ffc26150292316f06a033b7a3738 CVE-2017-5840-1.patch
79f4afa03a2938dc5e0e720eef4faf55731eb752b99084dc8a53f4348b92d9ca CVE-2017-5840-2.patch
62bdc826f8f5fb518dcee6e14ce439c6ef3a2acb7ecacc971765cebf5a0cb4a8 CVE-2017-5841.patch
79869f5e2fc44967b04c98e12be2fed8b50a629b2e91fa6ce9a3609db5ee2363 CVE-2017-5845.patch"
sha512sums="4f35f6e20c6a3b448bbf2690b2ad36a496b8b0efadc67e0fec218ed33856588a2b937020791f7ec4ab8a406ce82c178164349e31d4fabe8c7362716b44015f4a gst-plugins-good-1.8.3.tar.xz
435e8e45d78c8793090427d1bef3afc0776f0477392a0b74b0e046e23b6b3f9e4eb7a11c55b77d4595c011fbce5a40224df9ce0f2bdde963efb861d1e8077d98 CVE-2016-9634-9635.patch
eb2b7cf42850d8870d0dd5266ec9c54f5c1761432ef7fc726408360c7a9189abfdf3d94a05f439a52239a37687e8ef370eed40282272ff81c1c9d84f6fbce07e 002-flxdec-fix-some-warnings-comparing-unsigned.patch
243ba890c377d77463e2d7d74e610e2336887d2a298c02a294472d089d534d71ad058036a7c5c04018e1629921abab4e71f2002282a739f89c92411182370c1c CVE-2016-9636.patch
ab24bf773bbf521b98e065be53f46959d3a3a47b2ac59494ecfd9947b0e66438dbfd713f522d98fcace923a3536b218a59e1ed890c6594a1034451fa60b7d333 CVE-2016-9808.patch
e6716c8f8f97abdeb6f5702ac5d1f6c331c5eb062d70eb2b20c286560a41c283e0cde241100b1ba8958f8e8e03fd96e9672cf3b5fd5bc0d93eb0876141b597c5 CVE-2016-10198.patch
2e2476e524a26e99a3d46a54ea9669b85e82bdaabe42379960b14b3b76b41a07c849418b62b0f851bce47b2371c41775e15785dcb913fd2e84ec7af2e41efbd3 CVE-2016-10199.patch
9d599da02acb6d266423461ace4aaa1876e933cecfffd5054bafd7a8481a580b72c00e0b8bc5dd28992ea229d2fd34aad20583282210f782c78d9c87cd945463 CVE-2017-5840-1.patch
f0a26c7c66ec76e94b578ad75cc2a2558f8b65eaeb0dd6f4ecb0169dd70d107f38592871246444dd607cf1c72e9612930f9c51c3715d21cfd1bf6829b70e9027 CVE-2017-5840-2.patch
d49d9527d1ef56b44b2a254e5400641e47029aa449f2e71d5ab1aee1a6d6b8e66b12dbb4afdb55e33002cf86330e64c45ccc4605d7f11d8f63999f25b2302257 CVE-2017-5841.patch
bca6e06c8be9f023654510feb8f711b94148955d5ce9478ab87ce5c0eaa811d4a1894eb864b77313683746cf01a54b7961931abfb3680c259481e8e930a25da8 CVE-2017-5845.patch"
From 87a2c140ca54c5128093377e9b25a5c24b346727 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 1 Dec 2016 13:38:16 +0200
Subject: [PATCH] aacparse: Make sure we have enough data in the codec_data to
be able to parse it
Also error out cleanly if mapping the buffer failed.
https://bugzilla.gnome.org/show_bug.cgi?id=775450
---
gst/audioparsers/gstaacparse.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/gst/audioparsers/gstaacparse.c b/gst/audioparsers/gstaacparse.c
index d9dc424..bf424b2 100644
--- a/gst/audioparsers/gstaacparse.c
+++ b/gst/audioparsers/gstaacparse.c
@@ -306,11 +306,12 @@ gst_aac_parse_sink_setcaps (GstBaseParse * parse, GstCaps * caps)
if (value) {
GstBuffer *buf = gst_value_get_buffer (value);
- if (buf) {
+ if (buf && gst_buffer_get_size (buf) >= 2) {
GstMapInfo map;
guint sr_idx;
- gst_buffer_map (buf, &map, GST_MAP_READ);
+ if (!gst_buffer_map (buf, &map, GST_MAP_READ))
+ return FALSE;
sr_idx = ((map.data[0] & 0x07) << 1) | ((map.data[1] & 0x80) >> 7);
aacparse->object_type = (map.data[0] & 0xf8) >> 3;
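Review bot: The literal `2` in `gst_buffer_get_size (buf) >= 2` is tied to the `map.data[0]` and `map.data[1]` reads below, but nothing in the code says so. A short comment such as `/* need 2 bytes: object type and sample-rate index */` would keep the bound and the reads in step if more bytes are parsed later. Checking `map.size` after a successful map would also bind the guard to the memory actually being read. The function continues outside the hunk, so how a too-short codec_data is reported to the caller is not visible here.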
From d0949baf3dadea6021d54abef6802fed5a06af75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 1 Dec 2016 13:32:22 +0200
Subject: [PATCH] qtdemux: Fix out of bounds read in tag parsing code
We can't simply assume that the length of the tag value as given
inside the stream is correct but should also check against the amount of
data we have actually available.
https://bugzilla.gnome.org/show_bug.cgi?id=775451
---
gst/isomp4/qtdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index c5ff799..b1d2de8 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -11767,7 +11767,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
} else {
len = QT_UINT32 (node->data);
type = QT_UINT32 ((guint8 *) node->data + 4);
- if ((type >> 24) == 0xa9) {
+ if ((type >> 24) == 0xa9 && len > 8 + 4) {
gint str_len;
gint lang_code;
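Review bot: Both the new `len > 8 + 4` guard and the `MIN (len, str_len + 8 + 4)` clamp in the next hunk trust `len`, which is itself read from the stream by `len = QT_UINT32 (node->data)` just above. If the node's declared size is not already checked against the parsed buffer somewhere outside these hunks, the clamp still allows reads up to that declared size. A comment at the assignment saying where that is enforced would make the invariant reviewable, for example `/* node size was validated against the buffer when the tree was parsed */`, to be confirmed against the parser. The constant is also spelled `8 + 4` here and `12` in `offset = 12`, so one named constant would keep the three uses together.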
@@ -11786,7 +11786,7 @@ qtdemux_tag_add_str_full (GstQTDemux * qtdemux, GstTagList * taglist,
}
offset = 12;
- len = str_len + 8 + 4; /* remove trailing strings that we don't use */
+ len = MIN (len, str_len + 8 + 4); /* remove trailing strings that we don't use */
GST_DEBUG_OBJECT (qtdemux, "found international text tag");
if (lang_code < 0x800) { /* MAC encoded string */
From bf43f44fcfada5ec4a3ce60cb374340486fe9fac Mon Sep 17 00:00:00 2001
From: Matthew Waters <matthew@centricular.com>
Date: Tue, 22 Nov 2016 19:05:00 +1100
Subject: flxdec: add some write bounds checking
Without checking the bounds of the frame we are writing into, we can
write off the end of the destination buffer.
https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html
https://bugzilla.gnome.org/show_bug.cgi?id=774834
diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
index 604be2f..d51a8e6 100644
--- a/gst/flx/gstflxdec.c
+++ b/gst/flx/gstflxdec.c
@@ -74,9 +74,9 @@ static gboolean gst_flxdec_src_query_handler (GstPad * pad, GstObject * parent,
GstQuery * query);
static void flx_decode_color (GstFlxDec *, guchar *, guchar *, gint);
-static void flx_decode_brun (GstFlxDec *, guchar *, guchar *);
-static void flx_decode_delta_fli (GstFlxDec *, guchar *, guchar *);
-static void flx_decode_delta_flc (GstFlxDec *, guchar *, guchar *);
+static gboolean flx_decode_brun (GstFlxDec *, guchar *, guchar *);
+static gboolean flx_decode_delta_fli (GstFlxDec *, guchar *, guchar *);
+static gboolean flx_decode_delta_flc (GstFlxDec *, guchar *, guchar *);
#define rndalign(off) ((off) + ((off) & 1))
@@ -203,13 +203,14 @@ gst_flxdec_sink_event_handler (GstPad * pad, GstObject * parent,
return ret;
}
-static void
+static gboolean
flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
guchar * dest)
{
FlxFrameChunk *hdr;
+ gboolean ret = TRUE;
- g_return_if_fail (data != NULL);
+ g_return_val_if_fail (data != NULL, FALSE);
while (count--) {
hdr = (FlxFrameChunk *) data;
@@ -228,17 +229,17 @@ flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
break;
case FLX_BRUN:
- flx_decode_brun (flxdec, data, dest);
+ ret = flx_decode_brun (flxdec, data, dest);
data += rndalign (hdr->size) - FlxFrameChunkSize;
break;
case FLX_LC:
- flx_decode_delta_fli (flxdec, data, dest);
+ ret = flx_decode_delta_fli (flxdec, data, dest);
data += rndalign (hdr->size) - FlxFrameChunkSize;
break;
case FLX_SS2:
- flx_decode_delta_flc (flxdec, data, dest);
+ ret = flx_decode_delta_flc (flxdec, data, dest);
data += rndalign (hdr->size) - FlxFrameChunkSize;
break;
@@ -256,7 +257,12 @@ flx_decode_chunks (GstFlxDec * flxdec, gulong count, guchar * data,
data += rndalign (hdr->size) - FlxFrameChunkSize;
break;
}
+
+ if (!ret)
+ break;
}
+
+ return ret;
}
@@ -289,13 +295,13 @@ flx_decode_color (GstFlxDec * flxdec, guchar * data, guchar * dest, gint scale)
}
}
-static void
+static gboolean
flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
gulong count, lines, row;
guchar x;
- g_return_if_fail (flxdec != NULL);
+ g_return_val_if_fail (flxdec != NULL, FALSE);
lines = flxdec->hdr.height;
while (lines--) {
@@ -313,12 +319,21 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
if (count > 0x7f) {
/* literal run */
count = 0x100 - count;
+ if ((glong) row - count < 0) {
+ GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
+ return FALSE;
+ }
row -= count;
while (count--)
*dest++ = *data++;
} else {
+ if ((glong) row - count < 0) {
+ GST_ERROR_OBJECT (flxdec, "Invalid BRUN packet detected.");
+ return FALSE;
+ }
+
/* replicate run */
row -= count;
x = *data++;
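Review bot: The added checks bound the writes to `dest` within a row, but the reads from `data` are still unbounded. The literal run copies `count` bytes with `*dest++ = *data++` and the replicate run reads `x = *data++`, with no knowledge of how many bytes remain in the chunk. flx_decode_brun takes no length for `data`, so a truncated chunk would presumably be read past its end; the caller's buffer handling is outside the hunk. Passing the remaining chunk size down and checking it before each run would cover the read side as well.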
@@ -328,22 +343,28 @@ flx_decode_brun (GstFlxDec * flxdec, guchar * data, guchar * dest)
}
}
}
+
+ return TRUE;
}
-static void
+static gboolean
flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
gulong count, packets, lines, start_line;
guchar *start_p, x;
- g_return_if_fail (flxdec != NULL);
- g_return_if_fail (flxdec->delta_data != NULL);
+ g_return_val_if_fail (flxdec != NULL, FALSE);
+ g_return_val_if_fail (flxdec->delta_data != NULL, FALSE);
/* use last frame for delta */
memcpy (dest, flxdec->delta_data, flxdec->size);
start_line = (data[0] + (data[1] << 8));
lines = (data[2] + (data[3] << 8));
+ if (start_line + lines > flxdec->hdr.height) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. too many lines.");
+ return FALSE;
+ }
data += 4;
/* start position of delta */
@@ -356,7 +377,8 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
while (packets--) {
/* skip count */
- dest += *data++;
+ guchar skip = *data++;
+ dest += skip;
/* RLE count */
count = *data++;
@@ -364,12 +386,24 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
if (count > 0x7f) {
/* literal run */
count = 0x100 - count;
- x = *data++;
+ if (skip + count > flxdec->hdr.width) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. "
+ "line too long.");
+ return FALSE;
+ }
+
+ x = *data++;
while (count--)
*dest++ = x;
} else {
+ if (skip + count > flxdec->hdr.width) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLI packet detected. "
+ "line too long.");
+ return FALSE;
+ }
+
/* replicate run */
while (count--)
*dest++ = *data++;
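Review bot: The new `skip + count > flxdec->hdr.width` test is applied to each packet in isolation, but `dest` keeps advancing across every packet of the `while (packets--)` loop and is reset to `start_p` only after it. Several individually valid packets on one line can therefore still carry the write position past the end of the line, and on the last lines past the end of the frame. A running per-line offset would close this: `gulong line_off = 0;` before the packet loop, test `line_off + skip + count > flxdec->hdr.width`, then `line_off += skip + count;`. The same per-item pattern appears in the flx_decode_delta_flc hunks: `skip > flxdec->hdr.height` is checked per opcode while `start_l` accumulates, and the packet checks there are also per packet.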
@@ -378,21 +412,27 @@ flx_decode_delta_fli (GstFlxDec * flxdec, guchar * data, guchar * dest)
start_p += flxdec->hdr.width;
dest = start_p;
}
+
+ return TRUE;
}
-static void
+static gboolean
flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
{
gulong count, lines, start_l, opcode;
guchar *start_p;
- g_return_if_fail (flxdec != NULL);
- g_return_if_fail (flxdec->delta_data != NULL);
+ g_return_val_if_fail (flxdec != NULL, FALSE);
+ g_return_val_if_fail (flxdec->delta_data != NULL, FALSE);
/* use last frame for delta */
memcpy (dest, flxdec->delta_data, flxdec->size);
lines = (data[0] + (data[1] << 8));
+ if (lines > flxdec->hdr.height) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. too many lines.");
+ return FALSE;
+ }
data += 2;
start_p = dest;
@@ -405,9 +445,15 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
while ((opcode = (data[0] + (data[1] << 8))) & 0xc000) {
data += 2;
if ((opcode & 0xc000) == 0xc000) {
- /* skip count */
- start_l += (0x10000 - opcode);
- dest += flxdec->hdr.width * (0x10000 - opcode);
+ /* line skip count */
+ gulong skip = (0x10000 - opcode);
+ if (skip > flxdec->hdr.height) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
+ "skip line count too big.");
+ return FALSE;
+ }
+ start_l += skip;
+ dest += flxdec->hdr.width * skip;
} else {
/* last pixel */
dest += flxdec->hdr.width;
@@ -419,7 +465,8 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
/* last opcode is the packet count */
while (opcode--) {
/* skip count */
- dest += *data++;
+ guchar skip = *data++;
+ dest += skip;
/* RLE count */
count = *data++;
@@ -427,12 +474,25 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
if (count > 0x7f) {
/* replicate word run */
count = 0x100 - count;
+
+ if (skip + count > flxdec->hdr.width) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
+ "line too long.");
+ return FALSE;
+ }
+
while (count--) {
*dest++ = data[0];
*dest++ = data[1];
}
data += 2;
} else {
+ if (skip + count > flxdec->hdr.width) {
+ GST_ERROR_OBJECT (flxdec, "Invalid FLC packet detected. "
+ "line too long.");
+ return FALSE;
+ }
+
/* literal word run */
while (count--) {
*dest++ = *data++;
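Review bot: In flx_decode_delta_flc `count` is a number of words, not bytes, since the replicate loop writes `data[0]` and `data[1]` for each count. The added `skip + count > flxdec->hdr.width` check therefore under-counts the bytes written by about a factor of two, assuming `hdr.width` is in bytes as the `start_p += flxdec->hdr.width` stepping in the FLI decoder suggests. Both branches should compare the byte length: `if (skip + count * 2 > flxdec->hdr.width) {`. The literal word run's loop body continues outside this hunk.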
@@ -442,6 +502,8 @@ flx_decode_delta_flc (GstFlxDec * flxdec, guchar * data, guchar * dest)
}
lines--;
}
+
+ return TRUE;
}
static GstFlowReturn
@@ -571,9 +633,13 @@ gst_flxdec_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
out = gst_buffer_new_and_alloc (flxdec->size * 4);
/* decode chunks */
- flx_decode_chunks (flxdec,
- ((FlxFrameType *) chunk)->chunks,
- chunk + FlxFrameTypeSize, flxdec->frame_data);
+ if (!flx_decode_chunks (flxdec,
+ ((FlxFrameType *) chunk)->chunks,
+ chunk + FlxFrameTypeSize, flxdec->frame_data)) {
+ GST_ELEMENT_ERROR (flxdec, STREAM, DECODE,
+ ("%s", "Could not decode chunk"), NULL);
+ return GST_FLOW_ERROR;
+ }
/* save copy of the current frame for possible delta. */
memcpy (flxdec->delta_data, flxdec->frame_data, flxdec->size);
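Review bot: The new early `return GST_FLOW_ERROR;` leaves the function right after `out = gst_buffer_new_and_alloc (flxdec->size * 4);`, and nothing in the hunk releases `out` on that path. Unless it is freed elsewhere, each undecodable frame leaks one output buffer, which a stream of malformed frames could turn into steady memory growth. Adding `gst_buffer_unref (out);` before the return would fix it, as would moving the allocation after a successful decode. gst_flxdec_chain continues outside the hunk, so other resources held at this point may need the same cleanup.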
--
cgit v0.10.2
From 1b574eddf789a59aff11ee0b6eb3fe1af288ff06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 23 Nov 2016 11:20:49 +0200
Subject: flxdec: Don't unref() parent in the chain function
We don't own the reference here, it is owned by the caller and given to
us for the scope of this function. Leftover mistake from 0.10 porting.
https://bugzilla.gnome.org/show_bug.cgi?id=774897
diff --git a/gst/flx/gstflxdec.c b/gst/flx/gstflxdec.c
index e675c99..a237976 100644
--- a/gst/flx/gstflxdec.c
+++ b/gst/flx/gstflxdec.c
@@ -677,7 +677,6 @@ wrong_type:
{
GST_ELEMENT_ERROR (flxdec, STREAM, WRONG_TYPE, (NULL),
("not a flx file (type %x)", flxh->type));
- gst_object_unref (flxdec);
return GST_FLOW_ERROR;
}
}
--
cgit v0.10.2
From 0c0b5b54ab4786029c291981caa6d106c31135e2 Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Fri, 28 Apr 2017 12:35:55 +0000
Subject: [PATCH] qtdemux: Increment current stts index in all code paths after
reading one chunk
---
gst/isomp4/qtdemux.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index f9bbdc7..d2b78ed 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -8003,6 +8003,7 @@ done2:
/* save values */
stream->stts_time = stts_time;
stream->stts_sample_index = j + 1;
+ stream->stts_index++;
goto done3;
}
}
--
2.11.1
From 612b7578ccc8586f86620435ee1c2cdbc3ba1795 Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Fri, 28 Apr 2017 12:40:11 +0000
Subject: [PATCH] qtdemux: Increment current stts index whenever we finished
one stts entry
---
gst/isomp4/qtdemux.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c
index d2b78ed..ba40a09 100644
--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -8003,7 +8003,8 @@ done2:
/* save values */
stream->stts_time = stts_time;
stream->stts_sample_index = j + 1;
- stream->stts_index++;
+ if (stream->stts_sample_index >= stream->stts_samples)
+ stream->stts_index++;
goto done3;
}
}
--
2.11.1
From 32d9f3c158b58984be7731434df619131c0736f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Jan 2017 07:58:26 +0200
Subject: [PATCH] avidemux: Fix various out of bounds reads when parsing ncdt
tags
https://bugzilla.gnome.org/show_bug.cgi?id=777500
---
gst/avi/gstavidemux.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index 4475576..d7afd1e 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -3912,6 +3912,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
tsize -= 4;
ptr += 4;
+ left -= 4;
GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
/* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
@@ -3930,10 +3931,12 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
break;
case 0x13: /* CreationDate */
type = GST_TAG_DATE_TIME;
- if (ptr[4] == ':')
- ptr[4] = '-';
- if (ptr[7] == ':')
- ptr[7] = '-';
+ if (left > 7) {
+ if (ptr[4] == ':')
+ ptr[4] = '-';
+ if (ptr[7] == ':')
+ ptr[7] = '-';
+ }
break;
default:
type = NULL;
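Review bot: The `left > 7` guard keeps the `ptr[4]` and `ptr[7]` accesses inside the buffer, but it does not keep them inside the CreationDate sub-tag. When `sub_size` is smaller than 8, the in-place `ptr[7] = '-'` rewrite can land in the bytes of the following sub-tag. Tying the guard to the sub-tag as well would avoid modifying neighbouring data: `if (sub_size > 7 && left > 7) {`. The type of `left` is declared outside the hunk; if it is unsigned, `left -= sub_size` in the last hunk also depends on `sub_size <= left` being established first.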
@@ -3947,6 +3950,7 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
ptr += sub_size;
tsize -= sub_size;
+ left -= sub_size;
}
break;
default:
From 4f478357ae21efd299735f678889a60ea8291d88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 20 Jan 2017 17:16:10 +0200
Subject: [PATCH] avidemux: Stop reading a ncdt sub-tag if it goes behind the
surrounding tag
https://bugzilla.gnome.org/show_bug.cgi?id=777532
---
gst/avi/gstavidemux.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/gst/avi/gstavidemux.c b/gst/avi/gstavidemux.c
index d7afd1e..3e21dbd 100644
--- a/gst/avi/gstavidemux.c
+++ b/gst/avi/gstavidemux.c
@@ -3914,6 +3914,9 @@ gst_avi_demux_parse_ncdt (GstAviDemux * avi, GstBuffer * buf,
ptr += 4;
left -= 4;
+ if (sub_size > tsize)
+ break;
+
GST_DEBUG_OBJECT (avi, "sub-tag %u, size %u", sub_tag, sub_size);
/* http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/Nikon.html#NCTG
* for some reason the sub_tag has a +2 offset
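Review bot: The new `if (sub_size > tsize) break;` exits silently after `ptr`, `tsize` and `left` have already been advanced past the 4-byte sub-tag header but not past the rest of the enclosing tag. Whether the outer loop resynchronises `ptr` to the end of the tag after this break is not visible in the hunk and should be confirmed. A log line before the break, for example `GST_WARNING_OBJECT (avi, "sub-tag %u size %u exceeds tag", sub_tag, sub_size);`, would make truncated or malformed ncdt data visible when triaging. The check also compares against `tsize` only, so it relies on `tsize` never exceeding `left`.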