File CVE-2024-47596.patch of Package gstreamer-plugins-good.39306

From 519d86d9f36d80eb64148cd2d330b28a28be2755 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 27 Sep 2024 00:31:36 +0300
Subject: [PATCH 12/12] qtdemux: Add size check for parsing SMI / SEQH atom

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-244
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059>
---
diff -urp gst-plugins-good-1.24.7.orig/gst/isomp4/qtdemux.c gst-plugins-good-1.24.7/gst/isomp4/qtdemux.c
--- gst-plugins-good-1.24.7.orig/gst/isomp4/qtdemux.c	2024-12-16 03:33:17.813258770 -0500
+++ gst-plugins-good-1.24.7/gst/isomp4/qtdemux.c	2024-12-16 03:37:08.558417381 -0500
@@ -11144,8 +11144,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux
                 GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom "
                     " found, ignoring");
               } else {
+                /* Note: The size does *not* include the fourcc and the size field itself */
                 seqh_size = QT_UINT32 (data + 4);
-                if (seqh_size > 0) {
+                if (seqh_size > 0 && seqh_size <= size - 8) {
                   _seqh = gst_buffer_new_and_alloc (seqh_size);
                   gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
                 }