diff --git a/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch b/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
new file mode 100644
index 0000000..d57e22a
--- /dev/null
+++ b/SOURCES/0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
@@ -0,0 +1,29 @@
+From 38c20972b843f200af22ab9206b1aa64605a8a04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 23 Nov 2016 10:51:17 +0200
+Subject: [PATCH 1/4] h264parse: Ensure codec_data has the required size when
+ reading number of SPS
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth264parse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
+index 506cd61..36cfb69 100644
+--- a/gst/videoparsers/gsth264parse.c
++++ b/gst/videoparsers/gsth264parse.c
+@@ -1942,6 +1942,10 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+ off = nalu.offset + nalu.size;
+ }
+
++ if (off >= size) {
++ gst_buffer_unmap (codec_data, &map);
++ goto avcc_too_small;
++ }
+ num_pps = data[off];
+ off++;
+
+--
+2.9.3
+
diff --git a/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch b/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
new file mode 100644
index 0000000..5b54a66
--- /dev/null
+++ b/SOURCES/0001-vmncdec-Sanity-check-width-height-before-using-it.patch
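Review bot: The added `off >= size` check bounds only the one-byte `num_pps` read on the next line; the earlier `num_sps` read and the PPS loop that follows are outside this hunk, so whether they carry equivalent checks cannot be confirmed here, and the patch subject says "number of SPS" while the guarded read is the PPS count, which is worth reconciling before this lands. The comparison itself is right for a single byte, but a short comment on the new `if` would spare the next reader the derivation: `/* need one byte for num_pps after the SPS NALs */`. Unmapping before the `goto` implies `avcc_too_small` does not unmap `codec_data` itself; gst_h264_parse_set_caps continues past the hunk, so that label is not visible here.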
@@ -0,0 +1,50 @@
+From ed4f4a0acdfc72c822c727caf1e1a1d01f7b01fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 16 Nov 2016 20:41:39 +0200
+Subject: [PATCH] vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+---
+ gst/vmnc/vmncdec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index 6d33bdd..d46194c 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -255,7 +255,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+ gst_video_codec_state_unref (state);
+
+ g_free (dec->imagedata);
+- dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++ dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+ dec->format.bytes_per_pixel);
+ GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+
+@@ -785,6 +785,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+ GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+ return ERROR_INVALID;
+ }
++ } else if (r.width > 16384 || r.height > 16384) {
++ GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++ r.height);
++ return ERROR_INVALID;
+ }
+
+ switch (r.type) {
+--
+2.9.3
+
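Review bot: The `16384` bound in the new `else if` is a bare magic number whose real purpose — keeping the `width * height * bytes_per_pixel` product handed to `g_malloc0` in the first hunk inside `int` range — is stated only in the commit message; 16384 x 16384 is 2^28 pixels, which stays below INT_MAX only for bytes_per_pixel up to 7, so the accepted pixel formats need to be checked against that. Suggest naming it, `#define VMNC_MAX_DIMENSION 16384 /* bounds width*height*bpp so the allocation size cannot overflow */`, and using the overflow-checked GLib form for the allocation itself, `g_malloc0_n ((gsize) dec->format.width * dec->format.height, dec->format.bytes_per_pixel)`, which aborts rather than under-allocates if the guard and the arithmetic ever drift apart. A stream can still demand up to 1 GiB per frame within this limit, so memory pressure from untrusted dimensions remains a residual risk worth a comment at the check. The enclosing `if` whose `else` branch receives the check starts outside the hunk, so which rectangle types it covers is inferred only.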
diff --git a/SOURCES/0002-h265parse-Ensure-codec_data-has-the-required-size-wh.patch b/SOURCES/0002-h265parse-Ensure-codec_data-has-the-required-size-wh.patch
new file mode 100644
index 0000000..6c4e2bb
--- /dev/null
+++ b/SOURCES/0002-h265parse-Ensure-codec_data-has-the-required-size-wh.patch
@@ -0,0 +1,43 @@
+From 8d0543e3ee17619ac70c67d46b4c9deed9b77598 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Wed, 23 Nov 2016 10:52:05 +0200
+Subject: [PATCH 2/4] h265parse: Ensure codec_data has the required size when
+ reading number of NAL arrays
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth265parse.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/videoparsers/gsth265parse.c b/gst/videoparsers/gsth265parse.c
+index 9a98dcc..483f299 100644
+--- a/gst/videoparsers/gsth265parse.c
++++ b/gst/videoparsers/gsth265parse.c
+@@ -1767,6 +1767,7 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+ (value = gst_structure_get_value (str, "codec_data"))) {
+ GstMapInfo map;
+ guint8 *data;
++ guint num_nal_arrays;
+
+ GST_DEBUG_OBJECT (h265parse, "have packetized h265");
+ /* make note for optional split processing */
+@@ -1795,8 +1796,15 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+ GST_DEBUG_OBJECT (h265parse, "nal length size %u",
+ h265parse->nal_length_size);
+
++ num_nal_arrays = data[22];
+ off = 23;
+- for (i = 0; i < data[22]; i++) {
++
++ for (i = 0; i < num_nal_arrays; i++) {
++ if (off + 3 >= size) {
++ gst_buffer_unmap (codec_data, &map);
++ goto hvcc_too_small;
++ }
++
+ num_nals = GST_READ_UINT16_BE (data + off + 1);
+ for (j = 0; j < num_nals; j++) {
+ parseres = gst_h265_parser_identify_nalu_hevc (h265parse->nalparser,
+--
+2.9.3
+
diff --git a/SOURCES/0003-mpegtssection-Fix-PAT-parsing.patch b/SOURCES/0003-mpegtssection-Fix-PAT-parsing.patch
new file mode 100644
index 0000000..04094b4
--- /dev/null
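Review bot: The `off + 3 >= size` test in the new loop has no comment explaining the constant; the read two lines below, `GST_READ_UINT16_BE (data + off + 1)`, shows the per-array header is one type byte followed by a two-byte NAL count, so the guard actually demands four bytes, one more than the header, which only matters for a degenerate array with zero NALs. Suggest `/* 3-byte array header (NAL type + numNalus) plus at least one payload byte */` on the `if`, or relaxing it to `off + 3 > size` if an empty array should be accepted. If `off` is a signed int and `size` a gsize, the comparison promotes `off + 3` to unsigned, which is harmless only while `off` stays non-negative — not verifiable here. The inner `for (j ...)` loop that advances `off` through `gst_h265_parser_identify_nalu_hevc` continues outside the hunk, as does the earlier check that makes `data[22]` safe to read.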
+++ b/SOURCES/0003-mpegtssection-Fix-PAT-parsing.patch
@@ -0,0 +1,48 @@
+From 83f33f4b70657b34acd75317314eb0d63a0c35bd Mon Sep 17 00:00:00 2001
+From: Edward Hervey
+Date: Sat, 26 Nov 2016 10:23:01 +0100
+Subject: [PATCH 3/4] mpegtssection: Fix PAT parsing
+
+Use the estimated number of programs for parsing. Avoids over-reading.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775120
+---
+ gst-libs/gst/mpegts/gstmpegtssection.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
+index 527ff38..62a1f56 100644
+--- a/gst-libs/gst/mpegts/gstmpegtssection.c
++++ b/gst-libs/gst/mpegts/gstmpegtssection.c
+@@ -414,7 +414,7 @@ static gpointer
+ _parse_pat (GstMpegtsSection * section)
+ {
+ GPtrArray *pat;
+- guint16 i = 0, nb_programs;
++ guint16 i, nb_programs;
+ GstMpegtsPatProgram *program;
+ guint8 *data, *end;
+
+@@ -430,7 +430,9 @@ _parse_pat (GstMpegtsSection * section)
+ g_ptr_array_new_full (nb_programs,
+ (GDestroyNotify) _mpegts_pat_program_free);
+
+- while (data < end - 4) {
++ GST_LOG ("nb_programs %u", nb_programs);
++
++ for (i = 0; i < nb_programs; i++) {
+ program = g_slice_new0 (GstMpegtsPatProgram);
+ program->program_number = GST_READ_UINT16_BE (data);
+ data += 2;
+@@ -439,8 +441,6 @@ _parse_pat (GstMpegtsSection * section)
+ data += 2;
+
+ g_ptr_array_index (pat, i) = program;
+-
+- i++;
+ }
+ pat->len = nb_programs;
+
+--
+2.9.3
+
diff --git a/SOURCES/0004-mpegtssection-Add-more-section-size-checks.patch b/SOURCES/0004-mpegtssection-Add-more-section-size-checks.patch
new file mode 100644
index 0000000..504bfdf
--- /dev/null
+++ b/SOURCES/0004-mpegtssection-Add-more-section-size-checks.patch
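Review bot: The new `for (i = 0; i < nb_programs; i++)` loop drops the `data < end - 4` bound, so `_parse_pat` now relies entirely on `nb_programs` — computed above the hunk, out of view — being derived from the section length; if it is, the four bytes consumed per iteration are guaranteed, but nothing in the code says so, and a comment such as `/* nb_programs is derived from section_length above, so 4 * nb_programs bytes fit before end */` would record the invariant the old loop enforced dynamically. As far as this hunk shows, `end` (declared in the context line `guint8 *data, *end;`) was used only in the removed condition; if it has no other use it is now set but unused and will draw a warning, and if it is kept it could back a cheap `data + 4 * nb_programs <= end` consistency check before the loop. The `g_ptr_array_index (pat, i) = program` store writes into reserved capacity of an array whose `len` is still 0 until `pat->len = nb_programs` after the loop; that is pre-existing, but `g_ptr_array_add (pat, program)` is the idiomatic form and would not depend on GLib internals.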
@@ -0,0 +1,72 @@
+From 6db2bc00fbc69aea6c70197db959baf167709b19 Mon Sep 17 00:00:00 2001
+From: Edward Hervey
+Date: Sat, 26 Nov 2016 10:44:43 +0100
+Subject: [PATCH 4/4] mpegtssection: Add more section size checks
+
+The smallest section ever needs to be at least 3 bytes (i.e. just the short
+header).
+Non-short headers need to be at least 11 bytes long (3 for the minimum header,
+5 for the non-short header, and 4 for the CRC).
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775048
+---
+ gst-libs/gst/mpegts/gstmpegtssection.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
+index 62a1f56..d7874fd 100644
+--- a/gst-libs/gst/mpegts/gstmpegtssection.c
++++ b/gst-libs/gst/mpegts/gstmpegtssection.c
+@@ -1175,13 +1175,20 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
+ GstMpegtsSection *res = NULL;
+ guint8 tmp;
+ guint8 table_id;
+- guint16 section_length;
++ guint16 section_length = 0;
++
++ /* The smallest section ever is 3 bytes */
++ if (G_UNLIKELY (data_size < 3))
++ goto short_packet;
+
+ /* Check for length */
+ section_length = GST_READ_UINT16_BE (data + 1) & 0x0FFF;
+ if (G_UNLIKELY (data_size < section_length + 3))
+ goto short_packet;
+
++ GST_LOG ("data_size:%" G_GSIZE_FORMAT " section_length:%u",
++ data_size, section_length);
++
+ /* Table id is in first byte */
+ table_id = *data;
+
+@@ -1196,6 +1203,13 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
+ /* section_length (already parsed) : 12 bit */
+ res->section_length = section_length + 3;
+ if (!res->short_section) {
++ /* A long packet needs to be at least 11 bytes long
++ * _ 3 for the bytes above
++ * _ 5 for the bytes below
++ * _ 4 for the CRC */
++ if (G_UNLIKELY (data_size < 11))
++ goto bad_long_packet;
++
+ /* CRC is after section_length (-4 for the size of the CRC) */
+ res->crc = GST_READ_UINT32_BE (res->data +
res->section_length - 4);
+ /* Skip to after section_length */
+@@ -1225,6 +1239,13 @@ short_packet:
+ g_free (data);
+ return NULL;
+ }
++bad_long_packet:
++ {
++ GST_WARNING ("PID 0x%04x long section is too short (%" G_GSIZE_FORMAT
++ " bytes, need at least 11)", pid, data_size);
++ gst_mpegts_section_unref (res);
++ return NULL;
++ }
+ }
+
+ /**
+--
+2.9.3
+
diff --git a/SPECS/gstreamer1-plugins-bad-free.spec b/SPECS/gstreamer1-plugins-bad-free.spec
index bbd4968..86cdd85 100644
--- a/SPECS/gstreamer1-plugins-bad-free.spec
+++ b/SPECS/gstreamer1-plugins-bad-free.spec
@@ -10,7 +10,7 @@ Name: gstreamer1-plugins-bad-free Version: 1.4.5 -Release: 4%{?dist} +Release: 6%{?dist} Summary: GStreamer streaming media framework "bad" plugins License: LGPLv2+ and LGPLv2
@@ -23,6 +23,11 @@ Source1: gst-p-bad-cleanup.sh Patch0: 0001-bayer-update-ORC-files.patch Patch1: update-test-check-orc-bayer.patch Patch2: 0001-tests-fix-audiomixer-test-on-big-endian-systems.patch +Patch3: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch +Patch4: 0001-h264parse-Ensure-codec_data-has-the-required-size-wh.patch +Patch5: 0002-h265parse-Ensure-codec_data-has-the-required-size-wh.patch +Patch6: 0003-mpegtssection-Fix-PAT-parsing.patch +Patch7: 0004-mpegtssection-Add-more-section-size-checks.patch BuildRequires: gstreamer1-devel >= %{version} BuildRequires: gstreamer1-plugins-base-devel >= %{version}
@@ -153,6 +158,11 @@ aren't tested well enough, or the code is not of good enough quality. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %build
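Review bot: The new long-section guard tests the buffer size (`data_size < 11`), but the CRC read just below it indexes by `res->section_length`, the in-stream value; a section with the long-header bit set and a `section_length` of 0 in a buffer of 11 or more bytes passes the guard and then reads four bytes starting at `res->data - 1`, and values below 8 let the 5-byte header reads that follow overrun the section while staying inside the buffer. Because `data_size >= section_length + 3` is already established by the earlier check, testing the stream value is both stricter and sufficient: `if (G_UNLIKELY (res->section_length < 11))`, with the warning text adjusted to report `res->section_length`. Whether current callers ever pass a buffer longer than the section cannot be seen here, but `gst_mpegts_section_new` is public API, so the check should not assume they do not. The `bad_long_packet` path releases `res` while `short_packet` frees `data` directly, which is consistent only because ownership of `data` moves into `res` when `res->data` is set (outside the hunk); a one-line comment on the new label would make that explicit. gst_mpegts_section_new's body runs outside the hunks on both sides.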
@@ -349,6 +359,15 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/gstreamer-%{majorminor}/libgstcamerab %{_libdir}/pkgconfig/gstreamer-plugins-bad-%{majorminor}.pc %changelog +* Wed Dec 07 2016 Wim Taymans - 1.4.5-6 +- Fix h264 and h265 buffer size checks +- Fix mpegts pat parsing and add more size checks +Resolves: rhbz#1400897 + +* Tue Dec 06 2016 Wim Taymans - 1.4.5-5 +- vmncdec: Sanity-check width/height before using it +Resolves: rhbz#1400897 + * Thu May 26 2016 Wim Taymans - 1.4.5-4 - rebuild for libdvdnav update - Resolves: #1340047