From 4ab9eac7b04184434b7f7ce9d96d42162eacf27c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 05 2017 08:43:00 +0000 Subject: import gstreamer-plugins-bad-free-0.10.23-22.el7_3 --- diff --git a/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch b/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch new file mode 100644 index 0000000..2bc93b8 --- /dev/null +++ b/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch @@ -0,0 +1,28 @@ +From 3003cbe1624cc6daa416caba9c1dce0180f3837c Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Wed, 7 Dec 2016 09:37:10 +0100 +Subject: [PATCH] h264parse: Ensure codec_data has the required size when + reading number of SPS + +https://bugzilla.gnome.org/show_bug.cgi?id=774896 +--- + gst/videoparsers/gsth264parse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c +index cf81657..4c14f2b 100644 +--- a/gst/videoparsers/gsth264parse.c ++++ b/gst/videoparsers/gsth264parse.c +@@ -1605,6 +1605,9 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps) + off = nalu.offset + nalu.size; + } + ++ if (off >= size) { ++ goto avcc_too_small; ++ } + num_pps = data[off]; + off++; + +-- +2.9.3 + diff --git a/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch b/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch new file mode 100644 index 0000000..1543499 --- /dev/null +++ b/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch @@ -0,0 +1,50 @@ +From 26f4b2c203d6d0ef0c8204a48dba504870c2cfdf Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Tue, 6 Dec 2016 10:24:03 +0100 +Subject: [PATCH] vmncdec: Sanity-check width/height before using it + +We will allocate a screen area of width*height*bpp bytes, however this +calculation can easily overflow if too high width or height are given +inside the stream. Nonetheless we would just assume that enough memory +was allocated, try to fill it and overwrite as much memory as wanted. + +Also allocate the screen area filled with zeroes to ensure that we start +with full-black and not any random (or not so random) data. + +https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html + +Ideally we should just remove this plugin in favour of the one in +gst-libav, which generally seems to be of better code quality. + +https://bugzilla.gnome.org/show_bug.cgi?id=774533 +--- + gst/vmnc/vmncdec.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c +index 08085b5..c83e315 100644 +--- a/gst/vmnc/vmncdec.c ++++ b/gst/vmnc/vmncdec.c +@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect, + + if (dec->imagedata) + g_free (dec->imagedata); +- dec->imagedata = g_malloc (dec->format.width * dec->format.height * ++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height * + dec->format.bytes_per_pixel); + GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata); + +@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len, + GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type); + return ERROR_INVALID; + } ++ } else if (r.width > 16384 || r.height > 16384) { ++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width, ++ r.height); ++ return ERROR_INVALID; + } + + switch (r.type) { +-- +2.9.3 + diff --git a/SPECS/gstreamer-plugins-bad-free.spec b/SPECS/gstreamer-plugins-bad-free.spec index fdde047..4e40f8a 100644 --- a/SPECS/gstreamer-plugins-bad-free.spec +++ b/SPECS/gstreamer-plugins-bad-free.spec @@ -14,7 +14,7 @@ Summary: GStreamer streaming media framework "bad" plug-ins Name: gstreamer-plugins-bad-free Version: 0.10.23 -Release: 20%{?dist} +Release: 22%{?dist} # The freeze and nfs plugins are LGPLv2 (only) License: LGPLv2+ and LGPLv2 Group: Applications/Multimedia @@ -35,6 +35,8 @@ Patch4: 0004-camerabin-Set-src_filter-and-zoom_src_filter-caps-wh.patch Patch5: 0005-geometrictransform-crash-fix1.patch Patch6: 0006-geometrictransform-crash-fix2.patch Patch7: 0001-Delete-unbuilt-plugins-from-the-docs.patch +Patch8: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch +Patch9: 0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch Requires: %{gstreamer} >= %{gst_minver} BuildRequires: %{gstreamer}-devel >= %{gst_minver} @@ -168,6 +170,8 @@ aren't tested well enough, or the code is not of good enough quality. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure @@ -179,7 +183,7 @@ sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure --enable-debug --disable-static --enable-gtk-doc --enable-experimental \ --disable-divx --disable-dts --disable-faac --disable-faad --disable-nas \ --disable-mimic --disable-libmms --disable-mpeg2enc --disable-mplex \ - --disable-neon --disable-openal --disable-rtmp --disable-xvid + --disable-neon --disable-openal --disable-rtmp --disable-xvid --disable-nsf make %{?_smp_mflags} @@ -255,7 +259,6 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/gstreamer-%{majorminor}/libgstmpegvideoparse.so %{_libdir}/gstreamer-%{majorminor}/libgstmve.so %{_libdir}/gstreamer-%{majorminor}/libgstmxf.so -%{_libdir}/gstreamer-%{majorminor}/libgstnsf.so %{_libdir}/gstreamer-%{majorminor}/libgstnuvdemux.so %{_libdir}/gstreamer-%{majorminor}/libgstpatchdetect.so %{_libdir}/gstreamer-%{majorminor}/libgstpcapparse.so @@ -365,6 +368,15 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %changelog +* Wed Dec 07 2016 Wim Taymans - 0.10.23-22 +- h264parse: Ensure codec_data has the required size when reading number of SPS +Resolves: rhbz#1400838 + +* Tue Dec 06 2016 Wim Taymans - 0.10.23-21 +- Remove insecure NSF plugin +- vmncdec: Sanity-check width/height before using it +Resolves: rhbz#1400838 + * Fri Jan 24 2014 Daniel Mach - 0.10.23-20 - Mass rebuild 2014-01-24