From: Archana Polampalli <archana.polampa...@windriver.com> gst-plugins-bad: h265parser: Fix possible overflow using max_sub_layers_minus1
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../CVE-2023-40476.patch | 44 +++++++++++++++++++ .../gstreamer1.0-plugins-bad_1.20.7.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch new file mode 100644 index 0000000000..7810e98024 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch @@ -0,0 +1,44 @@ +From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne <nicolas.dufre...@collabora.com> +Date: Wed, 9 Aug 2023 12:49:19 -0400 +Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1 + +This fixes a possible overflow that can be triggered by an invalid value of +max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits, +but the allowed range is 0 to 6 only. + +Fixes ZDI-CAN-21768, CVE-2023-40476 + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895 + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9] +CVE: CVE-2023-40476 + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> + +--- + gst-libs/gst/codecparsers/gsth265parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c +index a4e7549..3db1c38 100644 +--- a/gst-libs/gst/codecparsers/gsth265parser.c ++++ b/gst-libs/gst/codecparsers/gsth265parser.c +@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) + + READ_UINT8 (&nr, vps->max_layers_minus1, 6); + READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1); + + /* skip reserved_0xffff_16bits */ +@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, + sps->vps = vps; + + READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3); ++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6); + READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1); + + if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr, diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb index d5f1e794cd..fbaabda3f9 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb @@ -12,6 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://CVE-2023-40474.patch \ file://CVE-2023-40475.patch \ + file://CVE-2023-40476.patch \ " SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#188355): https://lists.openembedded.org/g/openembedded-core/message/188355 Mute This Topic: https://lists.openembedded.org/mt/101631318/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-