
[kirkstone,1/3] gstreamer1.0-plugins-bad: fix CVE-2023-40474

Message ID 20230922121911.2430838-1-archana.polampalli@windriver.com

Commit Message

Polampalli, Archana Sept. 22, 2023, 12:19 p.m. UTC
gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when handling
malformed files with uncompressed video in GStreamer versions before 1.22.6

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../CVE-2023-40474.patch                      | 118 ++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
new file mode 100644
index 0000000000..dd5886863d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
@@ -0,0 +1,118 @@ 
+From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
+ when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0]
+CVE: CVE-2023-40474
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
+index d72ed22cb7..0c0178c1c9 100644
+--- a/gst/mxf/mxfup.c
++++ b/gst/mxf/mxfup.c
+@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     gpointer mapping_data, GstBuffer ** outbuf)
+ {
+   MXFUPMappingData *data = mapping_data;
++  gsize expected_in_stride = 0, out_stride = 0;
++  gsize expected_in_size = 0, out_size = 0;
+
+   /* SMPTE 384M 7.1 */
+   if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     }
+   }
+
+-  if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++  // Checked for overflows when parsing the descriptor
++  expected_in_stride = data->bpp * data->width;
++  out_stride = GST_ROUND_UP_4 (expected_in_stride);
++  expected_in_size = expected_in_stride * data->height;
++  out_size = out_stride * data->height;
++
++  if (gst_buffer_get_size (buffer) != expected_in_size) {
+     GST_ERROR ("Invalid buffer size");
+     gst_buffer_unref (buffer);
+     return GST_FLOW_ERROR;
+   }
+
+-  if (data->bpp != 4
+-      || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++  if (data->bpp != 4 || out_stride != expected_in_stride) {
+     guint y;
+     GstBuffer *ret;
+     GstMapInfo inmap, outmap;
+     guint8 *indata, *outdata;
+
+-    ret =
+-        gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+-        data->height);
++    ret = gst_buffer_new_and_alloc (out_size);
+     gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+     gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+     indata = inmap.data;
+@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+
+     for (y = 0; y < data->height; y++) {
+       memcpy (outdata, indata, data->width * data->bpp);
+-      outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+-      indata += data->width * data->bpp;
++      outdata += out_stride;
++      indata += expected_in_stride;
+     }
+
+     gst_buffer_unmap (buffer, &inmap);
+@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+     return NULL;
+   }
+
++  if (caps) {
++    MXFUPMappingData *data = *mapping_data;
++    gsize expected_in_stride = 0, out_stride = 0;
++    gsize expected_in_size = 0, out_size = 0;
++
++    // Do some checking of the parameters to see if they're valid and
++    // we can actually work with them.
++    if (data->image_start_offset > data->image_end_offset) {
++      GST_WARNING ("Invalid image start/end offset");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++
++    if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++        (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++        || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++            data->height)
++        || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++      GST_ERROR ("Invalid resolution or bit depth");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++  }
++
+   return caps;
+ }
+
+--
+2.40.0
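Review bot: The memcpy length in the row loop of mxf_up_handle_essence_element is still `data->width * data->bpp` while the pointer advances use the checked gsize values `out_stride` and `expected_in_stride`; if the width and bpp fields are narrower than gsize (their declarations are outside this hunk) that product is evaluated in the field type and can wrap where g_size_checked_mul did not, so the copy length would silently disagree with the stride the loop advances by. Use the already-computed value: `memcpy (outdata, indata, expected_in_stride);`. The "Checked for overflows when parsing the descriptor" comment also depends on mxf_up_create_caps being the only producer of mapping_data, which is not visible here; a matching comment at the new `if (caps)` block, such as `/* mxf_up_handle_essence_element multiplies bpp, width and height unchecked and relies on these rejections. */`, would make that coupling explicit. Both functions extend beyond the hunk.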
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 86b5301d8e..52acb30d74 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -10,6 +10,7 @@  SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://0002-avoid-including-sys-poll.h-directly.patch \
            file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \
            file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
+           file://CVE-2023-40474.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"