commit gstreamer-plugins-base for openSUSE:Factory

[Source-Sync]

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gstreamer-plugins-base for 
openSUSE:Factory checked in at 2024-05-30 15:32:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gstreamer-plugins-base (Old)
 and      /work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gstreamer-plugins-base"

Thu May 30 15:32:24 2024 rev:104 rq:1177463 version:1.24.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/gstreamer-plugins-base/gstreamer-plugins-base.changes
    2024-05-28 17:27:14.988564987 +0200
+++ 
/work/SRC/openSUSE:Factory/.gstreamer-plugins-base.new.24587/gstreamer-plugins-base.changes
 2024-05-30 15:32:28.916297052 +0200
@@ -4 +4 @@
-- Add gst-plugins-base-CVE-2024-4453.patch:
+- Add gstreamer-plugins-base-CVE-2024-4453.patch:

Old:
----
  gst-plugins-base-CVE-2024-4453.patch

New:
----
  gstreamer-plugins-base-CVE-2024-4453.patch

BETA DEBUG BEGIN:
  Old: WARN: gst-plugins-base-CVE-2024-4453.patch not found in changes
 
BETA DEBUG END:

BETA DEBUG BEGIN:
  New:
- Add gstreamer-plugins-base-CVE-2024-4453.patch:
  Backporting e68eccff from upstream, Prevent integer overflows
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gstreamer-plugins-base.spec ++++++
--- /var/tmp/diff_new_pack.jszr2t/_old  2024-05-30 15:32:29.932334044 +0200
+++ /var/tmp/diff_new_pack.jszr2t/_new  2024-05-30 15:32:29.936334189 +0200
@@ -33,8 +33,8 @@
 Patch2:         MR-221-video-anc-add-two-new-CEA-608-caption-formats.patch
 # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3303
 Patch3:         gst-plugins-base-audiobasesink-gap.patch
-# PATCH-FIX-UPSTREAM gst-plugins-base-CVE-2024-4453.patch CVE-2024-4453 
ZDI-24-467 ZDI-CAN-23896 bsc#1224806 qz...@suse.com -- Prevent integer 
overflows and out of bounds reads when handling undefined tags.
-Patch4:         gst-plugins-base-CVE-2024-4453.patch
+# PATCH-FIX-UPSTREAM gstreamer-plugins-base-CVE-2024-4453.patch CVE-2024-4453 
ZDI-24-467 ZDI-CAN-23896 bsc#1224806 qz...@suse.com -- Prevent integer 
overflows and out of bounds reads when handling undefined tags.
+Patch4:         gstreamer-plugins-base-CVE-2024-4453.patch
 BuildRequires:  Mesa-libGLESv3-devel
 BuildRequires:  cdparanoia-devel
 BuildRequires:  gcc-c++

++++++ gstreamer-plugins-base-CVE-2024-4453.patch ++++++
commit e68eccff103ab0e91e6d77a892f57131b33902f5
Author: Sebastian Dröge <sebast...@centricular.com>
Date:   Thu Apr 25 15:21:20 2024 +0300

    exiftag: Prevent integer overflows and out of bounds reads when handling 
undefined tags
    
    Fixes ZDI-CAN-23896
    Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
    
    Part-of: 
<https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/6766>

diff -Nura gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c 
gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c
--- gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c       2024-03-05 
07:51:42.000000000 +0800
+++ gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c   2024-05-27 
19:25:58.227183616 +0800
@@ -1383,6 +1383,7 @@
 
   if (count > 4) {
     GstMapInfo info;
+    gsize alloc_size;
 
     if (offset < reader->base_offset) {
       GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
@@ -1404,14 +1405,28 @@
       return;
     }
 
+    if (info.size - real_offset < count) {
+      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+          ", not adding tag %s", count, info.size, tag->gst_tag);
+      gst_buffer_unmap (reader->buffer, &info);
+      return;
+    }
+
+    if (!g_size_checked_add (&alloc_size, count, 1)) {
+      GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
+          ", not adding tag %s", real_offset, info.size, tag->gst_tag);
+      gst_buffer_unmap (reader->buffer, &info);
+      return;
+    }
+
     /* +1 because it could be a string without the \0 */
-    data = malloc (sizeof (guint8) * count + 1);
+    data = malloc (alloc_size);
     memcpy (data, info.data + real_offset, count);
     data[count] = 0;
 
     gst_buffer_unmap (reader->buffer, &info);
   } else {
-    data = malloc (sizeof (guint8) * count + 1);
+    data = malloc (count + 1);
     memcpy (data, (guint8 *) offset_as_data, count);
     data[count] = 0;
   }