From patchwork Fri Sep 22 12:19:09 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Polampalli,
 Archana" <archana.polampalli@windriver.com>
X-Patchwork-Id: 30988
Return-Path: <archana.polampalli@windriver.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7DA16CE79A8
	for <webhook@archiver.kernel.org>; Fri, 22 Sep 2023 12:19:32 +0000 (UTC)
Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com
 [205.220.166.238])
 by mx.groups.io with SMTP id smtpd.web11.20187.1695385169718785729
 for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:29 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=QSVtCV38;
 spf=permerror,
 err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}:
 invalid domain name (domain: windriver.com, ip: 205.220.166.238,
 mailfrom: prvs=7629d4b6b2=archana.polampalli@windriver.com)
Received: from pps.filterd (m0250810.ppops.net [127.0.0.1])
	by mx0a-0064b401.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
 38MApKDM018346
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:29 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com;
	 h=from:to:subject:date:message-id:mime-version
	:content-transfer-encoding:content-type; s=PPS06212021; bh=9XlyX
	X8LVn+yZ5ROBXE4NuQY6sXukJAHNYvsP0a8SdA=; b=QSVtCV38Ity7L7lrwzuDe
	T/1IrraGu/YkxKrFWRBTVA+BDsi/EGjSiR+oWVFV0QIuA35UOe4P3C73bkvJvV9L
	o9etdoMwwQ/c0mT+m4mWYXZScBe0zfQK1SbGPslwZBoh3Luw1Loa6hbQJamBKtwR
	BtfsI2exudwuqL7kXJ+EzWrRe9/Js7UCOhjrYEeybO127oHlJz3HQDaOu6xXGSWs
	Ni1jFfQQdopjC65DdQmhklJ2y/2kWn3YbzkO/hT2zhYg5gl5We/3420IZx8rro55
	RKxHUArCKaNhISuqJ1PMff/05Qp5L6lv7DClNFKmFuKCdpEKlPkzUMFu9C29NQGC
	A==
Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com
 [147.11.82.252])
	by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3t8tr5rsax-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:29 -0700 (PDT)
Received: from blr-linux-engg1.wrs.com (147.11.136.210) by
 ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 22 Sep 2023 05:19:26 -0700
From: Archana Polampalli <archana.polampalli@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [oe-core][kirkstone][PATCH 1/3] gstreamer1.0-plugins-bad: fix
 CVE-2023-40474
Date: Fri, 22 Sep 2023 12:19:09 +0000
Message-ID: <20230922121911.2430838-1-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.35.5
MIME-Version: 1.0
X-Originating-IP: [147.11.136.210]
X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To
 ala-exchng01.corp.ad.wrs.com (147.11.82.252)
X-Proofpoint-ORIG-GUID: uLaeAEEYeTRSB2fbHEkHKr02V8yaSR6w
X-Proofpoint-GUID: uLaeAEEYeTRSB2fbHEkHKr02V8yaSR6w
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-09-22_10,2023-09-21_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=2
 impostorscore=0 adultscore=0
 spamscore=2 lowpriorityscore=0 malwarescore=0 bulkscore=0 mlxlogscore=160
 clxscore=1015 suspectscore=0 priorityscore=1501 phishscore=0 mlxscore=2
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2309180000
 definitions=main-2309220104
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 22 Sep 2023 12:19:32 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/188097

gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when handling
malformed files with uncompressed video in GStreamer versions before 1.22.6

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../CVE-2023-40474.patch                      | 118 ++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
new file mode 100644
index 0000000000..dd5886863d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
@@ -0,0 +1,118 @@
+From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
+ when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0]
+CVE: CVE-2023-40474
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
+index d72ed22cb7..0c0178c1c9 100644
+--- a/gst/mxf/mxfup.c
++++ b/gst/mxf/mxfup.c
+@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     gpointer mapping_data, GstBuffer ** outbuf)
+ {
+   MXFUPMappingData *data = mapping_data;
++  gsize expected_in_stride = 0, out_stride = 0;
++  gsize expected_in_size = 0, out_size = 0;
+
+   /* SMPTE 384M 7.1 */
+   if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     }
+   }
+
+-  if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++  // Checked for overflows when parsing the descriptor
++  expected_in_stride = data->bpp * data->width;
++  out_stride = GST_ROUND_UP_4 (expected_in_stride);
++  expected_in_size = expected_in_stride * data->height;
++  out_size = out_stride * data->height;
++
++  if (gst_buffer_get_size (buffer) != expected_in_size) {
+     GST_ERROR ("Invalid buffer size");
+     gst_buffer_unref (buffer);
+     return GST_FLOW_ERROR;
+   }
+
+-  if (data->bpp != 4
+-      || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++  if (data->bpp != 4 || out_stride != expected_in_stride) {
+     guint y;
+     GstBuffer *ret;
+     GstMapInfo inmap, outmap;
+     guint8 *indata, *outdata;
+
+-    ret =
+-        gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+-        data->height);
++    ret = gst_buffer_new_and_alloc (out_size);
+     gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+     gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+     indata = inmap.data;
+@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+
+     for (y = 0; y < data->height; y++) {
+       memcpy (outdata, indata, data->width * data->bpp);
+-      outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+-      indata += data->width * data->bpp;
++      outdata += out_stride;
++      indata += expected_in_stride;
+     }
+
+     gst_buffer_unmap (buffer, &inmap);
+@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+     return NULL;
+   }
+
++  if (caps) {
++    MXFUPMappingData *data = *mapping_data;
++    gsize expected_in_stride = 0, out_stride = 0;
++    gsize expected_in_size = 0, out_size = 0;
++
++    // Do some checking of the parameters to see if they're valid and
++    // we can actually work with them.
++    if (data->image_start_offset > data->image_end_offset) {
++      GST_WARNING ("Invalid image start/end offset");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++
++    if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++        (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++        || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++            data->height)
++        || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++      GST_ERROR ("Invalid resolution or bit depth");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++  }
++
+   return caps;
+ }
+
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 86b5301d8e..52acb30d74 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://0002-avoid-including-sys-poll.h-directly.patch \
            file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \
            file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
+           file://CVE-2023-40474.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 

From patchwork Fri Sep 22 12:19:10 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Polampalli,
 Archana" <archana.polampalli@windriver.com>
X-Patchwork-Id: 30989
Return-Path: <archana.polampalli@windriver.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7AEB5E70719
	for <webhook@archiver.kernel.org>; Fri, 22 Sep 2023 12:19:32 +0000 (UTC)
Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com
 [205.220.166.238])
 by mx.groups.io with SMTP id smtpd.web11.20189.1695385171255540793
 for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:31 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=joz3ZSuL;
 spf=permerror,
 err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}:
 invalid domain name (domain: windriver.com, ip: 205.220.166.238,
 mailfrom: prvs=7629d4b6b2=archana.polampalli@windriver.com)
Received: from pps.filterd (m0250809.ppops.net [127.0.0.1])
	by mx0a-0064b401.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id
 38MBrpmT022120
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com;
	 h=from:to:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding:content-type; s=
	PPS06212021; bh=Uj9GfHiY4V4KiFvi0TwQEK53PPrXbcMmwJBI/GQpMv4=; b=
	joz3ZSuLv1/vdFHRNdowJ2C7DM8W9A6eVl7JjgakoqN+OxSYscna6GLEbcGrXdsI
	Hz5cUUsVf2v3P++XUEeTlr5/1nPw/3q84iqTSiePaBJS3kJ3HoZDEY4Zbgn+e5Ns
	V4UphZ/vvItJEgZRqeS9yawFXkYZutJZ5XHILs/5yNmXPqbf/ylMtCYP7L4YIatD
	+Dp/MOYxXIJ3d/12I4w1TLsIMF//pEAfoJIc6Lpr3wS/NaPIjG7RLYlkq312CnuU
	PE+imOPBNJkX5lBSe2XliQF0dWT9b7MX8jaPPZd6MYlW5+rWBBZlwHsmvoMFRKLR
	Qs1F5rYd4yuuVzKz+iLd7Q==
Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com
 [147.11.82.252])
	by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3t8tr1rs6m-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:30 -0700 (PDT)
Received: from blr-linux-engg1.wrs.com (147.11.136.210) by
 ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 22 Sep 2023 05:19:28 -0700
From: Archana Polampalli <archana.polampalli@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [oe-core][kirkstone][PATCH 2/3] gstreamer1.0-plugins-bad: fix
 CVE-2023-40475
Date: Fri, 22 Sep 2023 12:19:10 +0000
Message-ID: <20230922121911.2430838-2-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.35.5
In-Reply-To: <20230922121911.2430838-1-archana.polampalli@windriver.com>
References: <20230922121911.2430838-1-archana.polampalli@windriver.com>
MIME-Version: 1.0
X-Originating-IP: [147.11.136.210]
X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To
 ala-exchng01.corp.ad.wrs.com (147.11.82.252)
X-Proofpoint-ORIG-GUID: EP3aSg8L_4rGijRa6A0GUT2YYGg6qS4r
X-Proofpoint-GUID: EP3aSg8L_4rGijRa6A0GUT2YYGg6qS4r
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-09-22_10,2023-09-21_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 priorityscore=1501
 lowpriorityscore=0 malwarescore=0 adultscore=0 bulkscore=0 mlxlogscore=241
 clxscore=1015 spamscore=0 impostorscore=0 phishscore=0 suspectscore=0
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2309180000 definitions=main-2309220104
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 22 Sep 2023 12:19:32 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/188098

gst-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with AES3 audio

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../CVE-2023-40475.patch                      | 49 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch
new file mode 100644
index 0000000000..ab9ac7afaa
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch
@@ -0,0 +1,49 @@
+From 72742dee30cce7bf909639f82de119871566ce39 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39]
+CVE: CVE-2023-40475
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
+index 03854d9303..0ad0d2d283 100644
+--- a/gst/mxf/mxfd10.c
++++ b/gst/mxf/mxfd10.c
+@@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+   gst_buffer_map (buffer, &map, GST_MAP_READ);
+
+   /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+-  if ((map.size - 4) % 32 != 0) {
++  if (map.size < 4 || (map.size - 4) % 32 != 0) {
+     gst_buffer_unmap (buffer, &map);
+     GST_ERROR ("Invalid D10 sound essence buffer size");
+     return GST_FLOW_ERROR;
+@@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+     GstAudioFormat audio_format;
+
+     if (s->channel_count == 0 ||
++        s->channel_count > 8 ||
+         s->quantization_bits == 0 ||
+         s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+       GST_ERROR ("Invalid descriptor");
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 52acb30d74..d5f1e794cd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \
            file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
            file://CVE-2023-40474.patch \
+           file://CVE-2023-40475.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 

From patchwork Fri Sep 22 12:19:11 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Polampalli,
 Archana" <archana.polampalli@windriver.com>
X-Patchwork-Id: 30990
Return-Path: <archana.polampalli@windriver.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 78D00E71098
	for <webhook@archiver.kernel.org>; Fri, 22 Sep 2023 12:19:42 +0000 (UTC)
Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com
 [205.220.166.238])
 by mx.groups.io with SMTP id smtpd.web11.20191.1695385172780264028
 for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:32 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=qiQJXfnx;
 spf=permerror,
 err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}:
 invalid domain name (domain: windriver.com, ip: 205.220.166.238,
 mailfrom: prvs=7629d4b6b2=archana.polampalli@windriver.com)
Received: from pps.filterd (m0250809.ppops.net [127.0.0.1])
	by mx0a-0064b401.pphosted.com (8.17.1.22/8.17.1.22) with ESMTP id
 38M8dkoW020212
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:32 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com;
	 h=from:to:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding:content-type; s=
	PPS06212021; bh=zXmo8F3EJH2AF9+lstV1fhhNKKhJpQYwC5in68/WJ8Y=; b=
	qiQJXfnxxUidPK7//KVhvoA+D3lJW7cD5JxdxJVMIAIXuRwEtJOGFHsq3ChdjX6g
	MvygElgJOf6KxVtxOJIB0c8k+Ap6UbCatoc19l3C2+8gsMNOKE4o2HDp9n4uGIlg
	WEyW7zTpko1VFT5/hmu6sRyWUmHd5a3YkwtTkwHuSYZd/RjFHM5elHip0vgL9bLK
	7Wpt5bfaamobQZ9Ze6FDxyv+wEEBbaaZbKUUOp50ZAOyPWPLGFZmnu9gXmZJFo55
	GblgExvmN3EwB+BJ1ukpzpdeKLpdP5jwIlWo5PdeOr1c8QXHGgqMqFLfFyWetMb/
	IuZaTq25GHUEI0J4iUrvPQ==
Received: from ala-exchng01.corp.ad.wrs.com (ala-exchng01.wrs.com
 [147.11.82.252])
	by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 3t8tr1rs6n-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <openembedded-core@lists.openembedded.org>;
 Fri, 22 Sep 2023 05:19:32 -0700 (PDT)
Received: from blr-linux-engg1.wrs.com (147.11.136.210) by
 ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.32; Fri, 22 Sep 2023 05:19:30 -0700
From: Archana Polampalli <archana.polampalli@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [oe-core][kirkstone][PATCH 3/3] gstreamer1.0-plugins-bad: fix
 CVE-2023-40476
Date: Fri, 22 Sep 2023 12:19:11 +0000
Message-ID: <20230922121911.2430838-3-archana.polampalli@windriver.com>
X-Mailer: git-send-email 2.35.5
In-Reply-To: <20230922121911.2430838-1-archana.polampalli@windriver.com>
References: <20230922121911.2430838-1-archana.polampalli@windriver.com>
MIME-Version: 1.0
X-Originating-IP: [147.11.136.210]
X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (147.11.82.252) To
 ala-exchng01.corp.ad.wrs.com (147.11.82.252)
X-Proofpoint-ORIG-GUID: jWAuM2ZdVgCMiE4390iwWJH6aPVqQpj7
X-Proofpoint-GUID: jWAuM2ZdVgCMiE4390iwWJH6aPVqQpj7
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-09-22_10,2023-09-21_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 priorityscore=1501
 lowpriorityscore=0 malwarescore=0 adultscore=0 bulkscore=0 mlxlogscore=905
 clxscore=1015 spamscore=0 impostorscore=0 phishscore=0 suspectscore=0
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2309180000 definitions=main-2309220104
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Fri, 22 Sep 2023 12:19:42 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/188099

gst-plugins-bad: h265parser: Fix possible overflow using max_sub_layers_minus1

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../CVE-2023-40476.patch                      | 44 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
new file mode 100644
index 0000000000..7810e98024
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
@@ -0,0 +1,44 @@
+From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9]
+CVE: CVE-2023-40476
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index a4e7549..3db1c38 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+
+   READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+   READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+
+   /* skip reserved_0xffff_16bits */
+@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+   sps->vps = vps;
+
+   READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+
+   if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index d5f1e794cd..fbaabda3f9 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
            file://CVE-2023-40474.patch \
            file://CVE-2023-40475.patch \
+           file://CVE-2023-40476.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"