File 0001-rmdemux-Use-GST_LOG_OBJECT-instead-of-GST_LOG.patch of Package gstreamer-plugins-ugly.30116
From 763d2bb43c18000771ff3b68b28b756a0035c914 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 09:59:04 +0300
Subject: [PATCH 1/5] rmdemux: Use GST_LOG_OBJECT instead of GST_LOG
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 1873cc10287..473aebe075d 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2148,8 +2148,8 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
g_assert (stream->height == height);
- GST_LOG ("packet_size = %u, leaf_size = %u, height= %u", packet_size,
- stream->leaf_size, height);
+ GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
+ packet_size, stream->leaf_size, height);
outbuf = gst_buffer_new_and_alloc (height * packet_size);
gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
--
GitLab
From b268b27cd8ff0dda1fda71890cd414f4cb2096db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 09:59:20 +0300
Subject: [PATCH 2/5] rmdemux: Check for integer overflows when calculating the
size of SIPR audio buffers
Fixes ZDI-CAN-21443
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2782
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 473aebe075d..eaee9acdd12 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2144,6 +2144,7 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
GstMapInfo outmap;
guint packet_size = stream->packet_size;
guint height = stream->subpackets->len;
+ guint size;
guint p;
g_assert (stream->height == height);
@@ -2151,7 +2152,12 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
packet_size, stream->leaf_size, height);
- outbuf = gst_buffer_new_and_alloc (height * packet_size);
+ if (!g_uint_checked_mul (&size, height, packet_size)) {
+ GST_ERROR_OBJECT (rmdemux, "overflowing SIPR audio packet size");
+ return GST_FLOW_ERROR;
+ }
+
+ outbuf = gst_buffer_new_and_alloc (size);
gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
for (p = 0; p < height; ++p) {
--
GitLab
From aca056b01de482b5f10eeb966b3409dc40324c03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 10:00:19 +0300
Subject: [PATCH 3/5] rmdemux: Check that enough SIPR audio data is available
when copying
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index eaee9acdd12..902092b24b3 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2168,7 +2168,13 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
GST_BUFFER_PTS (outbuf) = GST_BUFFER_PTS (b);
}
- gst_buffer_extract (b, 0, outmap.data + packet_size * p, packet_size);
+ if (gst_buffer_extract (b, 0, outmap.data + packet_size * p,
+ packet_size) != packet_size) {
+ GST_ERROR_OBJECT (rmdemux, "not enough SIPR audio data available");
+ gst_buffer_unmap (outbuf, &outmap);
+ gst_buffer_unref (outbuf);
+ return GST_FLOW_ERROR;
+ }
}
gst_buffer_unmap (outbuf, &outmap);
--
GitLab
From d8d83ad435fa97ce00721a539ccab2ef6cf5cfa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 10:08:03 +0300
Subject: [PATCH 4/5] rmdemux: Use GST_LOG_OBJECT instead of GST_LOG
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index 902092b24b3..a0e38ef1d69 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2011,8 +2011,8 @@ gst_rmdemux_descramble_audio (GstRMDemux * rmdemux, GstRMDemuxStream * stream)
g_assert (stream->height == height);
- GST_LOG ("packet_size = %u, leaf_size = %u, height= %u", packet_size,
- leaf_size, height);
+ GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
+ packet_size, leaf_size, height);
outbuf = gst_buffer_new_and_alloc (height * packet_size);
gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
--
GitLab
From 67e38cf47b7683586c24de18d8253029042dc72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 10:08:21 +0300
Subject: [PATCH 5/5] rmdemux: Check for integer overflow when calculation
audio packet size
Fixes ZDI-CAN-21444
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2782
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
index a0e38ef1d69..981932675b3 100644
--- a/gst/realmedia/rmdemux.c
+++ b/gst/realmedia/rmdemux.c
@@ -2007,6 +2007,7 @@ gst_rmdemux_descramble_audio (GstRMDemux * rmdemux, GstRMDemuxStream * stream)
guint packet_size = stream->packet_size;
guint height = stream->subpackets->len;
guint leaf_size = stream->leaf_size;
+ guint size;
guint p, x;
g_assert (stream->height == height);
@@ -2014,7 +2015,12 @@ gst_rmdemux_descramble_audio (GstRMDemux * rmdemux, GstRMDemuxStream * stream)
GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
packet_size, leaf_size, height);
- outbuf = gst_buffer_new_and_alloc (height * packet_size);
+ if (!g_uint_checked_mul (&size, height, packet_size)) {
+ GST_ERROR_OBJECT (rmdemux, "overflowing audio packet size");
+ return GST_FLOW_ERROR;
+ }
+
+ outbuf = gst_buffer_new_and_alloc (size);
gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
for (p = 0; p < height; ++p) {
--
GitLab