File gstreamer-plugins-bad-CVE-2023-40475.patch of Package gstreamer-plugins-bad.32822

commit 72742dee30cce7bf909639f82de119871566ce39 (HEAD -> 3_2023.8.10_CVE-2023-40475_72742dee30cce7bf909639f82de119871566ce39)
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Thu Aug 10 15:47:03 2023 +0300

    mxfdemux: Check number of channels for AES3 audio

    Only up to 8 channels are allowed and using a higher number would cause
    integer overflows when copying the data, and lead to out of bound
    writes.

    Also check that each buffer is at least 4 bytes long to avoid another
    overflow.

    Fixes ZDI-CAN-21661, CVE-2023-40475

    Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897

    Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>

diff -Nura gst-plugins-bad-1.16.3/gst/mxf/mxfd10.c gst-plugins-bad-1.16.3_new/gst/mxf/mxfd10.c
--- gst-plugins-bad-1.16.3/gst/mxf/mxfd10.c	2019-04-19 17:16:36.000000000 +0800
+++ gst-plugins-bad-1.16.3_new/gst/mxf/mxfd10.c	2023-12-14 20:29:16.612945114 +0800
@@ -119,7 +119,7 @@
   gst_buffer_map (buffer, &map, GST_MAP_READ);
 
   /* Now transform raw AES3 into raw audio, see SMPTE 331M */
-  if ((map.size - 4) % 32 != 0) {
+  if (map.size < 4 || (map.size - 4) % 32 != 0) {
     gst_buffer_unmap (buffer, &map);
     GST_ERROR ("Invalid D10 sound essence buffer size");
     return GST_FLOW_ERROR;
@@ -219,6 +219,7 @@
     GstAudioFormat audio_format;
 
     if (s->channel_count == 0 ||
+        s->channel_count > 8 ||
         s->quantization_bits == 0 ||
         s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
       GST_ERROR ("Invalid descriptor");