From: Archana Polampalli <[email protected]>

Signed-off-by: Archana Polampalli <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
---
 .../CVE-2024-0444.patch                       | 42 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
new file mode 100644
index 0000000000..6265f4293e
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
@@ -0,0 +1,42 @@
+From 394d5066f8a7b728df02fe9084e955b2f7d7f6fe Mon Sep 17 00:00:00 2001
+From: Seungha Yang <[email protected]>
+Date: Wed, 10 Jan 2024 03:33:59 +0900
+Subject: [PATCH] av1parser: Fix potential stack overflow during tile list
+ parsing
+
+The tile_count_minus_1 must be less than or equal to 511 as specified
+in spec "6.11.1 General tile list OBU semantics"
+
+Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873
+
+Part-of: 
<https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971>
+
+CVE: CVE-2024-0444
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728]
+
+Signed-off-by: Archana Polampalli <[email protected]>
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c 
b/gst-libs/gst/codecparsers/gstav1parser.c
+index 68f8a76..bab404e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
++++ b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -4352,6 +4352,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * 
parser,
+   tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
++  if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
++    GST_WARNING ("Invalid tile_count_minus_1 %d",
++        tile_list->tile_count_minus_1);
++    retval = GST_AV1_PARSER_BITSTREAM_ERROR;
++    goto error;
++  }
++
+   for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
+     if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
+       retval = GST_AV1_PARSER_NO_MORE_DATA;
+--
+2.40.0
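Review bot: The added bound check on `tile_list->tile_count_minus_1` has no comment saying which buffer it protects, so a reader of the hunk cannot tell why `GST_AV1_MAX_TILE_COUNT` is the right limit. The loop that follows presumably indexes a fixed-size entry array in the tile list structure sized by that constant (the declaration is outside the hunk), and this check is what stops a 16-bit count taken from the bitstream from driving the loop past it. I would add `/* entry[] is sized GST_AV1_MAX_TILE_COUNT; reject larger counts from the bitstream before the loop indexes it (AV1 spec 6.11.1) */` above the `if`, after confirming the array size against the header in the 1.20.7 tree this backport targets. The function body starts and ends outside the hunk, so what the `error` label does with a partially filled `tile_list` cannot be checked from here.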
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 504cfce1fd..219ebe4fa7 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -14,6 +14,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://CVE-2023-40475.patch \
            file://CVE-2023-40476.patch \
            file://CVE-2023-44429.patch \
+           file://CVE-2024-0444.patch \
            "
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.34.1
