From 526d0eef0d850c8f2fa1bf0aef15a836797f1a67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 4 Oct 2024 13:27:27 +0300
Subject: [PATCH 6/7] wavparse: Fix clipping of size to the file size
The chunk size read from the header does not include the 8-byte tag and length fields, so an additional 8 bytes must be subtracted here. Those 8 bytes are always available at this point, because otherwise the parsing of the tag and length immediately above would already have failed.
Thanks to Antonio Morales for finding and reporting the issue.
Fixes GHSL-2024-260
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042>
---
diff -urp gst-plugins-good-1.24.7.orig/gst/wavparse/gstwavparse.c gst-plugins-good-1.24.7/gst/wavparse/gstwavparse.c
--- gst-plugins-good-1.24.7.orig/gst/wavparse/gstwavparse.c 2024-12-16 04:03:16.713842664 -0500
+++ gst-plugins-good-1.24.7/gst/wavparse/gstwavparse.c 2024-12-16 04:05:47.078317286 -0500
@@ -1316,10 +1316,11 @@ gst_wavparse_stream_headers (GstWavParse
}
/* Clip to upstream size if known */
- if (upstream_size > 0 && size + wav->offset > upstream_size) {
+ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
g_assert (upstream_size >= wav->offset);
- size = upstream_size - wav->offset;
+ g_assert (upstream_size - wav->offset >= 8);
+ size = upstream_size - wav->offset - 8;
}
/* wav is a st00pid format, we don't know for sure where data starts.
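Review bot: The new condition evaluates `size + 8` before the sum is widened by `wav->offset`, so if `size` is a 32-bit unsigned chunk length (its declaration is outside the hunk; presumably guint32 read from the RIFF chunk header) a header value of 0xFFFFFFF8 or above wraps to a small number, the clip is skipped, and `size` keeps its oversized value for the code that follows. Forcing the arithmetic into 64 bits first removes that case: `if (upstream_size > 0 && (guint64) size + 8 + wav->offset > upstream_size) {`. The two g_assert calls disappear under G_DISABLE_ASSERT, so the subtraction on the last changed line relies entirely on the commit message's argument that tag and length parsing already consumed 8 bytes at `wav->offset`; if that invariant is not obvious from the surrounding code, a comment such as `/* tag + length (8 bytes) were just parsed at wav->offset, so this cannot underflow */` would document it. The enclosing function gst_wavparse_stream_headers starts and ends outside this hunk.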