diff --git a/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch b/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
new file mode 100644
index 0000000..b0e0f22
--- /dev/null
+++ b/SOURCES/0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
@@ -0,0 +1,312 @@ +From 57bf1de1d515866398292907398355bba53fcf31 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Wed, 13 Dec 2023 16:11:33 +0100 +Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed + allocation + +Previously they were stored inline inside a GArray, but as references to +the tracks were stored in various other places although the array could +still be updated (and reallocated!), this could lead to dangling +references in various places. + +Instead now store them in a GPtrArray in their own allocation so each +track's memory position stays fixed. + +Fixes ZDI-CAN-22299 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055 + +Part-of: +--- + gst/mxf/mxfdemux.c | 105 ++++++++++++++++++++------------------------- + gst/mxf/mxfdemux.h | 2 +- + 2 files changed, 48 insertions(+), 59 deletions(-) + +diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c +index 13ab13b60..5428873ee 100644 +--- a/gst/mxf/mxfdemux.c ++++ b/gst/mxf/mxfdemux.c +@@ -144,10 +144,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition) + } + + static void +-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) ++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t) + { +- guint i; ++ if (t->offsets) ++ g_array_free (t->offsets, TRUE); ++ ++ g_free (t->mapping_data); ++ ++ if (t->tags) ++ gst_tag_list_unref (t->tags); ++ ++ if (t->caps) ++ gst_caps_unref (t->caps); ++ ++ g_free (t); ++} + ++static void ++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) ++{ + GST_DEBUG_OBJECT (demux, "Resetting MXF state"); + + g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free, +@@ -157,22 +172,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) + + demux->current_partition = NULL; + +- for (i = 0; i < demux->essence_tracks->len; i++) { +- GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); +- +- if (t->offsets) +- g_array_free (t->offsets, TRUE); +- +- g_free 
(t->mapping_data); +- +- if (t->tags) +- gst_tag_list_free (t->tags); +- +- if (t->caps) +- gst_caps_unref (t->caps); +- } +- g_array_set_size (demux->essence_tracks, 0); ++ g_ptr_array_set_size (demux->essence_tracks, 0); + } + + static void +@@ -190,7 +190,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *track = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + track->source_package = NULL; + track->source_track = NULL; +@@ -698,8 +698,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + for (k = 0; k < demux->essence_tracks->len; k++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- k); ++ g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->track_number == track->parent.track_number && + tmp->body_sid == edata->body_sid) { +@@ -717,23 +716,22 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + } + + if (!etrack) { +- GstMXFDemuxEssenceTrack tmp; ++ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1); + +- memset (&tmp, 0, sizeof (tmp)); +- tmp.body_sid = edata->body_sid; +- tmp.track_number = track->parent.track_number; +- tmp.track_id = track->parent.track_id; +- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32); ++ tmp->body_sid = edata->body_sid; ++ tmp->track_number = track->parent.track_number; ++ tmp->track_id = track->parent.track_id; ++ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32); + + if (demux->current_partition->partition.body_sid == edata->body_sid && + demux->current_partition->partition.body_offset == 0) +- tmp.position = 0; ++ tmp->position = 0; + else +- tmp.position = -1; ++ tmp->position = -1; + +- g_array_append_val (demux->essence_tracks, tmp); ++ g_ptr_array_add (demux->essence_tracks, tmp); + etrack = +- &g_array_index 
(demux->essence_tracks, GstMXFDemuxEssenceTrack, ++ g_ptr_array_index (demux->essence_tracks, + demux->essence_tracks->len - 1); + new = TRUE; + } +@@ -843,13 +841,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + next: + if (new) { +- g_free (etrack->mapping_data); +- if (etrack->tags) +- gst_tag_list_free (etrack->tags); +- if (etrack->caps) +- gst_caps_unref (etrack->caps); +- +- g_array_remove_index (demux->essence_tracks, ++ g_ptr_array_remove_index (demux->essence_tracks, + demux->essence_tracks->len - 1); + } + } +@@ -862,7 +854,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (!etrack->source_package || !etrack->source_track || !etrack->caps) { + GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i); +@@ -1018,7 +1010,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux) + + for (k = 0; k < demux->essence_tracks->len; k++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); ++ g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->source_package == source_package && + tmp->source_track == source_track) { +@@ -1456,7 +1448,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad, + + for (k = 0; k < demux->essence_tracks->len; k++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); ++ g_ptr_array_index (demux->essence_tracks, k); + + if (tmp->source_package == source_package && + tmp->source_track == source_track) { +@@ -1576,7 +1568,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux, + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *tmp = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, 
i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (tmp->body_sid == demux->current_partition->partition.body_sid && + (tmp->track_number == track_number || tmp->track_number == 0)) { +@@ -2288,7 +2280,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key, + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (etrack->body_sid != demux->current_partition->partition.body_sid) + continue; +@@ -2343,7 +2335,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key, + guint i; + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (etrack->body_sid != demux->current_partition->partition.body_sid) + continue; +@@ -2466,7 +2458,7 @@ from_index: + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + t->position = (demux->offset == demux->run_in) ? 
0 : -1; + } +@@ -2486,8 +2478,7 @@ from_index: + if (ret == GST_FLOW_UNEXPECTED) { + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -2569,7 +2560,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -3149,7 +3140,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + +@@ -3347,7 +3338,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + +@@ -3623,7 +3614,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); ++ g_ptr_array_index (demux->essence_tracks, i); + + if (t->position > 0) + t->duration = t->position; +@@ -3664,8 +3655,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *etrack = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + etrack->position = -1; + } + ret 
= TRUE; +@@ -3685,8 +3675,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstEvent * event) + + for (i = 0; i < demux->essence_tracks->len; i++) { + GstMXFDemuxEssenceTrack *t = +- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, +- i); ++ g_ptr_array_index (demux->essence_tracks, i); + t->position = -1; + } + demux->current_partition = NULL; +@@ -3947,7 +3936,7 @@ gst_mxf_demux_finalize (GObject * object) + + g_ptr_array_free (demux->src, TRUE); + demux->src = NULL; +- g_array_free (demux->essence_tracks, TRUE); ++ g_ptr_array_free (demux->essence_tracks, TRUE); + demux->essence_tracks = NULL; + + g_hash_table_destroy (demux->metadata); +@@ -4031,8 +4020,8 @@ gst_mxf_demux_init (GstMXFDemux * demux, GstMXFDemuxClass * g_class) + g_static_rw_lock_init (&demux->metadata_lock); + + demux->src = g_ptr_array_new (); +- demux->essence_tracks = +- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack)); ++ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify) ++ gst_mxf_demux_essence_track_free); + + gst_segment_init (&demux->segment, GST_FORMAT_TIME); + +diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h +index e8b90261e..b88b3da58 100644 +--- a/gst/mxf/mxfdemux.h ++++ b/gst/mxf/mxfdemux.h +@@ -148,7 +148,7 @@ struct _GstMXFDemux + GList *partitions; + GstMXFDemuxPartition *current_partition; + +- GArray *essence_tracks; ++ GPtrArray *essence_tracks; + GList *pending_index_table_segments; + + GArray *random_index_pack; +-- +2.43.0 + diff --git a/SPECS/gstreamer-plugins-bad-free.spec b/SPECS/gstreamer-plugins-bad-free.spec index a734ea0..adbb3e4 100644 --- a/SPECS/gstreamer-plugins-bad-free.spec +++ b/SPECS/gstreamer-plugins-bad-free.spec @@ -14,7 +14,7 @@ Summary: GStreamer streaming media framework "bad" plug-ins Name: gstreamer-plugins-bad-free Version: 0.10.23 -Release: 23%{?dist} +Release: 24%{?dist} # The freeze and nfs plugins are LGPLv2 (only) License: LGPLv2+ and LGPLv2 Group: Applications/Multimedia 
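Review bot: The new `gst_mxf_demux_essence_track_free` releases tags with `gst_tag_list_unref (t->tags)`, while the lines it replaces in `gst_mxf_demux_reset_mxf_state` and the cleanup removed under `next:` both use `gst_tag_list_free`, which is the 0.10 API this 0.10.23 spec builds against; unless this tree declares `gst_tag_list_unref`, that call is only an implicit declaration that compiles with a warning and then leaves the plugin with an unresolved symbol at load time, or a crash when it is first called for a track carrying tags. Use `gst_tag_list_free (t->tags);` to match the surrounding code, or confirm the symbol exists in the installed gstreamer-0.10 headers before shipping. Separately, since the array now owns its elements through the destroy func, `g_ptr_array_remove_index` at `next:` frees the track that `etrack` still points to, so nothing between the `g_ptr_array_add` and `next:` may have stored that pointer elsewhere (those lines are outside the hunk); a one-line comment there, `/* destroy func frees the track; etrack dangles after this */`, would make the invariant the CVE fix relies on explicit. Note that `gst_mxf_demux_update_essence_tracks` and the other touched functions start and end outside the hunk fragments shown.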
@@ -37,6 +37,7 @@ Patch6: 0006-geometrictransform-crash-fix2.patch Patch7: 0001-Delete-unbuilt-plugins-from-the-docs.patch Patch8: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch Patch9: 0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch +Patch10: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch Requires: %{gstreamer} >= %{gst_minver} BuildRequires: %{gstreamer}-devel >= %{gst_minver} @@ -172,6 +173,7 @@ aren't tested well enough, or the code is not of good enough quality. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure @@ -180,7 +182,7 @@ sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure --with-package-name="Fedora gstreamer-plugins-bad package" \ --with-package-origin="http://download.fedora.redhat.com/fedora" \ %{!?with_extras:--disable-fbdev --disable-decklink --disable-linsys} \ - --enable-debug --disable-static --enable-gtk-doc --enable-experimental \ + --enable-debug --disable-static --disable-gtk-doc --enable-experimental \ --disable-divx --disable-dts --disable-faac --disable-faad --disable-nas \ --disable-mimic --disable-libmms --disable-mpeg2enc --disable-mplex \ --disable-neon --disable-openal --disable-rtmp --disable-xvid --disable-nsf @@ -363,11 +365,16 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/pkgconfig/gstreamer-plugins-bad-%{majorminor}.pc %files devel-docs -%doc %{_datadir}/gtk-doc/html/gst-plugins-bad-plugins-%{majorminor} +#doc %{_datadir}/gtk-doc/html/gst-plugins-bad-plugins-%{majorminor} %doc %{_datadir}/gtk-doc/html/gst-plugins-bad-libs-%{majorminor} %changelog +* Wed Dec 13 2023 Wim Taymans - 0.10.23-24 +- Patch CVE-2023-44446: MXF demuxer use-after-free +- Disable gtk-doc to fix the build +- Resolves: RHEL-16792 + * Tue Mar 07 2017 Wim Taymans - 0.10.23-23 - Rebuild with hardened flags Resolves: #1420764