Could you send a V2 with the following changes? 1. Please combine the series with the previous gstreamer patch set you sent -- this second series doesn't apply cleanly on top of those changes 2. Patch file names should reflect the CVE being fixed, e.g. CVE-2024-47537.patch
Thanks! Steve On Thu, Jan 2, 2025 at 5:33 AM Vijay Anusuri via lists.openembedded.org <vanusuri=mvista....@lists.openembedded.org> wrote: > > From: Vijay Anusuri <vanus...@mvista.com> > > Fixes for below CVEs: > CVE-2024-47537 > CVE-2024-47539 > CVE-2024-47543 > CVE-2024-47544 > CVE-2024-47545 > CVE-2024-47546 > CVE-2024-47596 > CVE-2024-47597 > CVE-2024-47598 > > Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > --- > ...o-sized-boxes-instead-of-stopping-to.patch | 124 +++++ > ...ger-overflow-when-allocating-the-sam.patch | 64 +++ > ...Fix-debug-output-during-trun-parsing.patch | 73 +++ > ...erate-over-all-trun-entries-if-none-.patch | 36 ++ > ...zes-of-stsc-stco-stts-before-trying-.patch | 63 +++ > ...e-only-an-even-number-of-bytes-is-pr.patch | 44 ++ > ...e-enough-data-is-available-before-re.patch | 120 +++++ > ...th-checks-and-offsets-in-stsd-entry-.patch | 449 ++++++++++++++++++ > ...r-handling-when-parsing-cenc-sample-.patch | 56 +++ > ...e-there-are-enough-offsets-to-read-w.patch | 49 ++ > ...-handle-errors-returns-from-various-.patch | 97 ++++ > ...r-invalid-atom-length-when-extractin.patch | 36 ++ > ...size-check-for-parsing-SMI-SEQH-atom.patch | 37 ++ > .../gstreamer1.0-plugins-good_1.20.7.bb | 13 + > 14 files changed, 1261 insertions(+) > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch > create mode 100644 > meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch > > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch > new file mode 100644 > index 0000000000..8af25e73fd > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch > @@ -0,0 +1,124 @@ > +From d4bab55077c6a77bd80cb12a8b0d28020ef412a9 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Tue, 24 Sep 2024 09:50:34 +0300 > +Subject: [PATCH] qtdemux: Skip zero-sized boxes instead of stopping to look > at > + further boxes > + > +A zero-sized box is not really a problem and can be skipped to look at any > +possibly following ones. > + > +BMD ATEM devices specifically write a zero-sized bmdc box in the sample > +description, followed by the avcC box in case of h264. Previously the avcC > box > +would simply not be read at all and the file would be unplayable. > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7564> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d4bab55077c6a77bd80cb12a8b0d28020ef412a9] > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + .../gst-plugins-good/gst/isomp4/qtdemux.c | 54 ++++++++++++------- > + 1 file changed, 36 insertions(+), 18 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 32df6eeb85c1..5e5c21758058 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -12226,9 +12226,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 0x8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ avc_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (avc_data + 0x4)) { > + case FOURCC_avcC: > +@@ -12343,9 +12346,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 0x8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ hevc_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (hevc_data + 0x4)) { > + case FOURCC_hvcC: > +@@ -12767,9 +12773,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ vc1_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (vc1_data + 0x4)) { > + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): > +@@ -12809,9 +12818,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 0x8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ av1_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (av1_data + 0x4)) { > + case FOURCC_av1C: > +@@ -12919,9 +12931,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 0x8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ vpcc_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (vpcc_data + 0x4)) { > + case FOURCC_vpcC: > +@@ -13421,9 +13436,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + else > + size = len - 8; > + > +- if (size < 1) > +- /* No real data, so break out */ > +- break; > ++ /* No real data, so skip */ > ++ if (size < 1) { > ++ len -= 8; > ++ wfex_data += 8; > ++ continue; > ++ } > + > + switch (QT_FOURCC (wfex_data + 4)) { > + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch > new file mode 100644 > index 0000000000..ded7e1b1c5 > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch > @@ -0,0 +1,64 @@ > +From c3a2af94c652513ac1b1858295688ac88c5cc737 Mon Sep 17 00:00:00 2001 > +From: Antonio Morales <antonio-mora...@github.com> > +Date: Thu, 26 Sep 2024 18:39:37 +0300 > +Subject: [PATCH] qtdemux: Fix integer overflow when allocating the samples > + table for fragmented MP4 > + > +This can lead to out of bounds writes and NULL pointer dereferences. > + > +Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > +CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------ > + 1 file changed, 6 insertions(+), 6 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index de8fae8b02ee..2fb5b2b014db 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -3364,6 +3364,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + gint i; > + guint8 *data; > + guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = > 0; > ++ guint new_n_samples; > + QtDemuxSample *sample; > + gboolean ismv = FALSE; > + gint64 initial_offset; > +@@ -3475,14 +3476,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + goto fail; > + data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun); > + > +- if (stream->n_samples + samples_count >= > +- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample)) > ++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, > samples_count) || > ++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof > (QtDemuxSample)) > + goto index_too_big; > + > + GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)", > +- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample), > +- (stream->n_samples + samples_count) * > +- sizeof (QtDemuxSample) / (1024.0 * 1024.0)); > ++ new_n_samples, (guint) sizeof (QtDemuxSample), > ++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0)); > + > + /* create a new array of samples if it's the first sample parsed */ > + if (stream->n_samples == 0) { > +@@ -3491,7 +3491,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + /* or try to reallocate it with space enough to insert the new samples > */ > + } else > + stream->samples = g_try_renew (QtDemuxSample, stream->samples, > +- stream->n_samples + samples_count); > ++ new_n_samples); > + if (stream->samples == NULL) > + goto out_of_memory; > + > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch > new file mode 100644 > index 0000000000..8c17c548df > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-qtdemux-Fix-debug-output-during-trun-parsing.patch > @@ -0,0 +1,73 @@ > +From 812f175c580a2e702581859fd481c8f51d633508 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Thu, 26 Sep 2024 18:40:56 +0300 > +Subject: [PATCH] qtdemux: Fix debug output during trun parsing > + > +Various integers are unsigned so print them as such. Also print the actual > +allocation size if allocation fails, not only parts of it. > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/812f175c580a2e702581859fd481c8f51d633508] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + gst/isomp4/qtdemux.c | 17 +++++++++-------- > + 1 file changed, 9 insertions(+), 8 deletions(-) > + > +diff --git a/gst/isomp4/qtdemux.c b/gst/isomp4/qtdemux.c > +index e012ce1..0111912 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -3228,8 +3228,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + gint64 initial_offset; > + gint32 min_ct = 0; > + > +- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; " > +- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT > ", " > ++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; " > ++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT > ", " > + "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration, > + d_sample_size, d_sample_flags, *base_offset, decode_ts); > + > +@@ -3257,7 +3257,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + /* note this is really signed */ > + if (!gst_byte_reader_get_int32_be (trun, &data_offset)) > + goto fail; > +- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset); > ++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset); > + /* default base offset = first byte of moof */ > + if (*base_offset == -1) { > + GST_LOG_OBJECT (qtdemux, "base_offset at moof"); > +@@ -3279,7 +3279,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux, > GstByteReader * trun, > + > + GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT, > + *running_offset); > +- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d", > ++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u", > + data_offset, flags, samples_count); > + > + if (flags & TR_FIRST_SAMPLE_FLAGS) { > +@@ -3499,14 +3499,15 @@ fail: > + } > + out_of_memory: > + { > +- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples", > +- stream->n_samples); > ++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples", > ++ stream->n_samples, samples_count); > + return FALSE; > + } > + index_too_big: > + { > +- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would > " > +- "be larger than %uMB (broken file?)", stream->n_samples, > ++ GST_WARNING_OBJECT (qtdemux, > ++ "not allocating index of %u + %u samples, would " > ++ "be larger than %uMB (broken file?)", stream->n_samples, > samples_count, > + QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20); > + return FALSE; > + } > +-- > +2.25.1 > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch > new file mode 100644 > index 0000000000..217387a4cd > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch > @@ -0,0 +1,36 @@ > +From eb7f9331c2294bc28a549b79c9f931c3e6c6bc44 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Thu, 26 Sep 2024 18:41:39 +0300 > +Subject: [PATCH] qtdemux: Don't iterate over all trun entries if none of the > + flags are set > + > +Nothing would be printed anyway. > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eb7f9331c2294bc28a549b79c9f931c3e6c6bc44] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c > +index 22da35e9e7ad..297b580ef038 100644 > +--- a/gst/isomp4/qtdemux_dump.c > ++++ b/gst/isomp4/qtdemux_dump.c > +@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux, GstByteReader > * data, int depth) > + GST_LOG ("%*s first-sample-flags: %u", depth, "", > first_sample_flags); > + } > + > ++ /* Nothing to print below */ > ++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS | > ++ TR_COMPOSITION_TIME_OFFSETS)) == 0) > ++ return TRUE; > ++ > + for (i = 0; i < samples_count; i++) { > + if (flags & TR_SAMPLE_DURATION) { > + if (!gst_byte_reader_get_uint32_be (data, &sample_duration)) > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch > new file mode 100644 > index 0000000000..8b5bddbf5b > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch > @@ -0,0 +1,63 @@ > +From 1def2965d8da8cc74ab0036d7f8d59e81e676cad Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 15:50:54 +0300 > +Subject: [PATCH] qtdemux: Check sizes of stsc/stco/stts before trying to > merge > + entries > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-246 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1def2965d8da8cc74ab0036d7f8d59e81e676cad] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + .../gst-plugins-good/gst/isomp4/qtdemux.c | 22 +++++++++++++++++++ > + 1 file changed, 22 insertions(+) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 0996292d0789..c14d939ee3c9 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -10033,6 +10033,21 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, > QtDemuxStream * stream) > + return; > + } > + > ++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) { > ++ GST_DEBUG_OBJECT (qtdemux, "Too small stts"); > ++ return; > ++ } > ++ > ++ if (stream->stco.size < 8) { > ++ GST_DEBUG_OBJECT (qtdemux, "Too small stco"); > ++ return; > ++ } > ++ > ++ if (stream->n_samples_per_chunk == 0) { > ++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk"); > ++ return; > ++ } > ++ > + /* Parse the stts to get the sample duration and number of samples */ > + gst_byte_reader_skip_unchecked (&stream->stts, 4); > + stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts); > +@@ -10044,6 +10059,13 @@ qtdemux_merge_sample_table (GstQTDemux * qtdemux, > QtDemuxStream * stream) > + GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", > stts_duration, > + num_chunks); > + > ++ if (gst_byte_reader_get_remaining (&stream->stsc) < > ++ stream->n_samples_per_chunk * 3 * 4 + > ++ (stream->n_samples_per_chunk - 1) * 4) { > ++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc"); > ++ return; > ++ } > ++ > + /* Now parse stsc, convert chunks into single samples and generate a > + * new stsc, stts and stsz from this information */ > + gst_byte_writer_init (&stsc); > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch > new file mode 100644 > index 0000000000..02d9cb278c > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch > @@ -0,0 +1,44 @@ > +From 314945426c7105ad90f44a188037bc43bb3b0300 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Thu, 26 Sep 2024 09:20:28 +0300 > +Subject: [PATCH] qtdemux: Make sure only an even number of bytes is processed > + when handling CEA608 data > + > +An odd number of bytes would lead to out of bound reads and writes, and > doesn't > +make any sense as CEA608 comes in byte pairs. > + > +Strip off any leftover bytes and assume everything before that is valid. > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-195 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++ > + 1 file changed, 5 insertions(+) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index c14d939ee3c9..b9f466991adf 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -6145,6 +6145,11 @@ convert_to_s334_1a (const guint8 * ccpair, guint8 > ccpair_size, guint field, > + guint8 *storage; > + gsize i; > + > ++ /* Strip off any leftover odd bytes and assume everything before is valid > */ > ++ if (ccpair_size % 2 != 0) { > ++ ccpair_size -= 1; > ++ } > ++ > + /* We are converting from pairs to triplets */ > + *res = ccpair_size / 2 * 3; > + storage = g_malloc (*res); > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch > new file mode 100644 > index 0000000000..5ff18baa7e > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch > @@ -0,0 +1,120 @@ > +From 8ef08a7a41da987aa630082df355ea651aa09132 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Thu, 26 Sep 2024 14:17:02 +0300 > +Subject: [PATCH] qtdemux: Make sure enough data is available before reading > + wave header node > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-236 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8ef08a7a41da987aa630082df355ea651aa09132] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + .../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++--------- > + 1 file changed, 45 insertions(+), 39 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index b9f466991adf..55ba59152c7a 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -13697,47 +13697,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + } else { > + guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16); > + const guint8 *data = stsd_entry_data + offset + 16; > +- GNode *wavenode; > +- GNode *waveheadernode; > +- > +- wavenode = g_node_new ((guint8 *) data); > +- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { > +- const guint8 *waveheader; > +- guint32 headerlen; > +- > +- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, > fourcc); > +- if (waveheadernode) { > +- waveheader = (const guint8 *) waveheadernode->data; > +- headerlen = QT_UINT32 (waveheader); > +- > +- if (headerlen > 8) { > +- gst_riff_strf_auds *header = NULL; > +- GstBuffer *headerbuf; > +- GstBuffer *extra; > +- > +- waveheader += 8; > +- headerlen -= 8; > +- > +- headerbuf = gst_buffer_new_and_alloc (headerlen); > +- gst_buffer_fill (headerbuf, 0, waveheader, headerlen); > +- > +- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), > +- headerbuf, &header, &extra)) { > +- gst_caps_unref (entry->caps); > +- /* FIXME: Need to do something with the channel reorder > map */ > +- entry->caps = > +- gst_riff_create_audio_caps (header->format, NULL, > header, > +- extra, NULL, NULL, NULL); > +- > +- if (extra) > +- gst_buffer_unref (extra); > +- g_free (header); > ++ > ++ if (len < datalen || len - datalen < offset + 16) { > ++ GST_WARNING_OBJECT (qtdemux, "Not enough data for > waveheadernode"); > ++ } else { > ++ GNode *wavenode; > ++ GNode *waveheadernode; > ++ > ++ wavenode = g_node_new ((guint8 *) data); > ++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) { > ++ const guint8 *waveheader; > ++ guint32 headerlen; > ++ > ++ waveheadernode = > ++ qtdemux_tree_get_child_by_type (wavenode, fourcc); > ++ if (waveheadernode) { > ++ waveheader = (const guint8 *) waveheadernode->data; > ++ headerlen = QT_UINT32 (waveheader); > ++ > ++ if (headerlen > 8) { > ++ gst_riff_strf_auds *header = NULL; > ++ GstBuffer *headerbuf; > ++ GstBuffer *extra; > ++ > ++ waveheader += 8; > ++ headerlen -= 8; > ++ > ++ headerbuf = gst_buffer_new_and_alloc (headerlen); > ++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen); > ++ > ++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux), > ++ headerbuf, &header, &extra)) { > ++ gst_caps_unref (entry->caps); > ++ /* FIXME: Need to do something with the channel reorder > map */ > ++ entry->caps = > ++ gst_riff_create_audio_caps (header->format, NULL, > ++ header, extra, NULL, NULL, NULL); > ++ > ++ if (extra) > ++ gst_buffer_unref (extra); > ++ g_free (header); > ++ } > + } > +- } > +- } else > +- GST_DEBUG ("Didn't find waveheadernode for this codec"); > ++ } else > ++ GST_DEBUG ("Didn't find waveheadernode for this codec"); > ++ } > ++ g_node_destroy (wavenode); > + } > +- g_node_destroy (wavenode); > + } > + } else if (esds) { > + gst_qtdemux_handle_esds (qtdemux, stream, entry, esds, > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch > new file mode 100644 > index 0000000000..41cf4c7d00 > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch > @@ -0,0 +1,449 @@ > +From fe9d5d37234aca04fef7248184177168905a7a69 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 00:12:57 +0300 > +Subject: [PATCH] qtdemux: Fix length checks and offsets in stsd entry parsing > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-242 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe9d5d37234aca04fef7248184177168905a7a69] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + .../gst-plugins-good/gst/isomp4/qtdemux.c | 218 +++++++----------- > + 1 file changed, 79 insertions(+), 139 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 55ba59152c7a..fb157552eb75 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -12237,43 +12237,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + case FOURCC_avc1: > + case FOURCC_avc3: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= 0x56 ? 0 : len - 0x56; > + const guint8 *avc_data = stsd_entry_data + 0x56; > + > + /* find avcC */ > +- while (len >= 0x8) { > +- guint size; > +- > +- if (QT_UINT32 (avc_data) <= 0x8) > +- size = 0; > +- else if (QT_UINT32 (avc_data) <= len) > +- size = QT_UINT32 (avc_data) - 0x8; > +- else > +- size = len - 0x8; > ++ while (len >= 8) { > ++ guint32 size = QT_UINT32 (avc_data); > + > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- avc_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > +- switch (QT_FOURCC (avc_data + 0x4)) { > ++ switch (QT_FOURCC (avc_data + 4)) { > + case FOURCC_avcC: > + { > + /* parse, if found */ > + GstBuffer *buf; > + > ++ if (size < 8 + 1) > ++ break; > ++ > + GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in > stsd"); > + > + /* First 4 bytes are the length of the atom, the next 4 > bytes > + * are the fourcc, the next 1 byte is the version, and the > + * subsequent bytes are profile_tier_level structure like > data. */ > + gst_codec_utils_h264_caps_set_level_and_profile > (entry->caps, > +- avc_data + 8 + 1, size - 1); > +- buf = gst_buffer_new_and_alloc (size); > +- gst_buffer_fill (buf, 0, avc_data + 0x8, size); > ++ avc_data + 8 + 1, size - 8 - 1); > ++ buf = gst_buffer_new_and_alloc (size - 8); > ++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8); > + gst_caps_set_simple (entry->caps, > + "codec_data", GST_TYPE_BUFFER, buf, NULL); > + gst_buffer_unref (buf); > +@@ -12284,6 +12276,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + { > + GstBuffer *buf; > + > ++ if (size < 8 + 40 + 1) > ++ break; > ++ > + GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in > stsd"); > + > + /* First 4 bytes are the length of the atom, the next 4 > bytes > +@@ -12291,17 +12286,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + * next 1 byte is the version, and the > + * subsequent bytes are sequence parameter set like data. > */ > + > +- size -= 40; /* we'll be skipping BITMAPINFOHEADER */ > +- if (size > 1) { > +- gst_codec_utils_h264_caps_set_level_and_profile > +- (entry->caps, avc_data + 8 + 40 + 1, size - 1); > ++ gst_codec_utils_h264_caps_set_level_and_profile > ++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - > 1); > + > +- buf = gst_buffer_new_and_alloc (size); > +- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size); > +- gst_caps_set_simple (entry->caps, > +- "codec_data", GST_TYPE_BUFFER, buf, NULL); > +- gst_buffer_unref (buf); > +- } > ++ buf = gst_buffer_new_and_alloc (size - 8 - 40); > ++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - > 40); > ++ gst_caps_set_simple (entry->caps, > ++ "codec_data", GST_TYPE_BUFFER, buf, NULL); > ++ gst_buffer_unref (buf); > + break; > + } > + case FOURCC_btrt: > +@@ -12309,11 +12301,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + guint avg_bitrate, max_bitrate; > + > + /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each > */ > +- if (size < 12) > ++ if (size < 8 + 12) > + break; > + > +- max_bitrate = QT_UINT32 (avc_data + 0xc); > +- avg_bitrate = QT_UINT32 (avc_data + 0x10); > ++ max_bitrate = QT_UINT32 (avc_data + 8 + 4); > ++ avg_bitrate = QT_UINT32 (avc_data + 8 + 8); > + > + if (!max_bitrate && !avg_bitrate) > + break; > +@@ -12345,8 +12337,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + break; > + } > + > +- len -= size + 8; > +- avc_data += size + 8; > ++ len -= size; > ++ avc_data += size; > + } > + > + break; > +@@ -12357,44 +12349,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + case FOURCC_dvh1: > + case FOURCC_dvhe: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= 0x56 ? 0 : len - 0x56; > + const guint8 *hevc_data = stsd_entry_data + 0x56; > + > + /* find hevc */ > +- while (len >= 0x8) { > +- guint size; > +- > +- if (QT_UINT32 (hevc_data) <= 0x8) > +- size = 0; > +- else if (QT_UINT32 (hevc_data) <= len) > +- size = QT_UINT32 (hevc_data) - 0x8; > +- else > +- size = len - 0x8; > ++ while (len >= 8) { > ++ guint32 size = QT_UINT32 (hevc_data); > + > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- hevc_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > +- switch (QT_FOURCC (hevc_data + 0x4)) { > ++ switch (QT_FOURCC (hevc_data + 4)) { > + case FOURCC_hvcC: > + { > + /* parse, if found */ > + GstBuffer *buf; > + > ++ if (size < 8 + 1) > ++ break; > ++ > + GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in > stsd"); > + > + /* First 4 bytes are the length of the atom, the next 4 > bytes > + * are the fourcc, the next 1 byte is the version, and the > + * subsequent bytes are sequence parameter set like data. > */ > + gst_codec_utils_h265_caps_set_level_tier_and_profile > +- (entry->caps, hevc_data + 8 + 1, size - 1); > ++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1); > + > +- buf = gst_buffer_new_and_alloc (size); > +- gst_buffer_fill (buf, 0, hevc_data + 0x8, size); > ++ buf = gst_buffer_new_and_alloc (size - 8); > ++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8); > + gst_caps_set_simple (entry->caps, > + "codec_data", GST_TYPE_BUFFER, buf, NULL); > + gst_buffer_unref (buf); > +@@ -12403,8 +12387,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + default: > + break; > + } > +- len -= size + 8; > +- hevc_data += size + 8; > ++ len -= size; > ++ hevc_data += size; > + } > + break; > + } > +@@ -12784,36 +12768,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + } > + case FOURCC_vc_1: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= 0x56 ? 0 : len - 0x56; > + const guint8 *vc1_data = stsd_entry_data + 0x56; > + > + /* find dvc1 */ > + while (len >= 8) { > +- guint size; > +- > +- if (QT_UINT32 (vc1_data) <= 8) > +- size = 0; > +- else if (QT_UINT32 (vc1_data) <= len) > +- size = QT_UINT32 (vc1_data) - 8; > +- else > +- size = len - 8; > ++ guint32 size = QT_UINT32 (vc1_data); > + > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- vc1_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > +- switch (QT_FOURCC (vc1_data + 0x4)) { > ++ switch (QT_FOURCC (vc1_data + 4)) { > + case GST_MAKE_FOURCC ('d', 'v', 'c', '1'): > + { > + GstBuffer *buf; > + > + GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in > stsd"); > +- buf = gst_buffer_new_and_alloc (size); > +- gst_buffer_fill (buf, 0, vc1_data + 8, size); > ++ buf = gst_buffer_new_and_alloc (size - 8); > ++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8); > + gst_caps_set_simple (entry->caps, > + "codec_data", GST_TYPE_BUFFER, buf, NULL); > + gst_buffer_unref (buf); > +@@ -12822,36 +12795,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + default: > + break; > + } > +- len -= size + 8; > +- vc1_data += size + 8; > ++ len -= size; > ++ vc1_data += size; > + } > + break; > + } > + case FOURCC_av01: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= 0x56 ? 0 : len - 0x56; > + const guint8 *av1_data = stsd_entry_data + 0x56; > + > + /* find av1C */ > +- while (len >= 0x8) { > +- guint size; > +- > +- if (QT_UINT32 (av1_data) <= 0x8) > +- size = 0; > +- else if (QT_UINT32 (av1_data) <= len) > +- size = QT_UINT32 (av1_data) - 0x8; > +- else > +- size = len - 0x8; > ++ while (len >= 8) { > ++ guint32 size = QT_UINT32 (av1_data); > + > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- av1_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > +- switch (QT_FOURCC (av1_data + 0x4)) { > ++ switch (QT_FOURCC (av1_data + 4)) { > + case FOURCC_av1C: > + { > + /* parse, if found */ > +@@ -12861,7 +12823,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + "found av1C codec_data in stsd of size %d", size); > + > + /* not enough data, just ignore and hope for the best */ > +- if (size < 4) > ++ if (size < 8 + 4) > + break; > + > + /* Content is: > +@@ -12910,9 +12872,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + (gint) (pres_delay_field & 0x0F) + 1, NULL); > + } > + > +- buf = gst_buffer_new_and_alloc (size); > ++ buf = gst_buffer_new_and_alloc (size - 8); > + GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER); > +- gst_buffer_fill (buf, 0, av1_data + 8, size); > ++ gst_buffer_fill (buf, 0, av1_data + 8, size - 8); > + gst_caps_set_simple (entry->caps, > + "codec_data", GST_TYPE_BUFFER, buf, NULL); > + gst_buffer_unref (buf); > +@@ -12930,8 +12892,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + break; > + } > + > +- len -= size + 8; > +- av1_data += size + 8; > ++ len -= size; > ++ av1_data += size; > + } > + > + break; > +@@ -12942,29 +12904,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + * vp08, vp09, and vp10 fourcc. */ > + case FOURCC_vp09: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= 0x56 ? 0 : len - 0x56; > + const guint8 *vpcc_data = stsd_entry_data + 0x56; > + > + /* find vpcC */ > +- while (len >= 0x8) { > +- guint size; > +- > +- if (QT_UINT32 (vpcc_data) <= 0x8) > +- size = 0; > +- else if (QT_UINT32 (vpcc_data) <= len) > +- size = QT_UINT32 (vpcc_data) - 0x8; > +- else > +- size = len - 0x8; > ++ while (len >= 8) { > ++ guint32 size = QT_UINT32 (vpcc_data); > + > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- vpcc_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > +- switch (QT_FOURCC (vpcc_data + 0x4)) { > ++ switch (QT_FOURCC (vpcc_data + 4)) { > + case FOURCC_vpcC: > + { > + const gchar *profile_str = NULL; > +@@ -12980,7 +12931,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + > + /* the meaning of "size" is length of the atom body, > excluding > + * atom length and fourcc fields */ > +- if (size < 12) > ++ if (size < 8 + 12) > + break; > + > + /* Content is: > +@@ -13086,8 +13037,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + break; > + } > + > +- len -= size + 8; > +- vpcc_data += size + 8; > ++ len -= size; > ++ vpcc_data += size; > + } > + > + break; > +@@ -13428,7 +13379,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + } > + case FOURCC_wma_: > + { > +- guint len = QT_UINT32 (stsd_entry_data); > ++ guint32 len = QT_UINT32 (stsd_entry_data); > + len = len <= offset ? 0 : len - offset; > + const guint8 *wfex_data = stsd_entry_data + offset; > + const gchar *codec_name = NULL; > +@@ -13453,21 +13404,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + > + /* find wfex */ > + while (len >= 8) { > +- guint size; > ++ guint32 size = QT_UINT32 (wfex_data); > + > +- if (QT_UINT32 (wfex_data) <= 0x8) > +- size = 0; > +- else if (QT_UINT32 (wfex_data) <= len) > +- size = QT_UINT32 (wfex_data) - 8; > +- else > +- size = len - 8; > +- > +- /* No real data, so skip */ > +- if (size < 1) { > +- len -= 8; > +- wfex_data += 8; > +- continue; > +- } > ++ if (size < 8 || size > len) > ++ break; > + > + switch (QT_FOURCC (wfex_data + 4)) { > + case GST_MAKE_FOURCC ('w', 'f', 'e', 'x'): > +@@ -13512,12 +13452,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + "width", G_TYPE_INT, wfex.wBitsPerSample, > + "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL); > + > +- if (size > wfex.cbSize) { > ++ if (size > 8 + wfex.cbSize) { > + GstBuffer *buf; > + > +- buf = gst_buffer_new_and_alloc (size - wfex.cbSize); > ++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize); > + gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize, > +- size - wfex.cbSize); > ++ size - 8 - wfex.cbSize); > + gst_caps_set_simple (entry->caps, > + "codec_data", GST_TYPE_BUFFER, buf, NULL); > + gst_buffer_unref (buf); > +@@ -13534,8 +13474,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + default: > + break; > + } > +- len -= size + 8; > +- wfex_data += size + 8; > ++ len -= size; > ++ wfex_data += size; > + } > + break; > + } > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch > new file mode 100644 > index 0000000000..a84575199e > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch > @@ -0,0 +1,56 @@ > +From da3b4e903ae990193988a873368bdd1865350521 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 09:47:50 +0300 > +Subject: [PATCH] qtdemux: Fix error handling when parsing cenc sample groups > + fails > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da3b4e903ae990193988a873368bdd1865350521] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 9 +++++++-- > + 1 file changed, 7 insertions(+), 2 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 94ce75b2d42d..e7a79be45b29 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -11404,12 +11404,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + if (stream->subtype != FOURCC_soun) { > + GST_ERROR_OBJECT (qtdemux, > + "Unexpeced stsd type 'aavd' outside 'soun' track"); > ++ goto corrupt_file; > + } else { > + /* encrypted audio with sound sample description v0 */ > + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); > + stream->protected = TRUE; > +- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) > ++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) > { > + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme > info"); > ++ goto corrupt_file; > ++ } > + } > + } > + > +@@ -11418,8 +11421,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * > trak) > + * with the same type */ > + GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc); > + stream->protected = TRUE; > +- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, > &fourcc)) > ++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, > &fourcc)) { > + GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme > info"); > ++ goto corrupt_file; > ++ } > + } > + > + if (stream->subtype == FOURCC_vide) { > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch > new file mode 100644 > index 0000000000..af0d1ed633 > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch > @@ -0,0 +1,49 @@ > +From 20503e5dd90e21ef170488b2a8b8529ae8a4cab9 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 10:38:50 +0300 > +Subject: [PATCH] qtdemux: Make sure there are enough offsets to read when > + parsing samples > + > +While this specific case is also caught when initializing co_chunk, the error > +is ignored in various places and calling into the function would lead to out > of > +bounds reads if the error message doesn't cause the pipeline to be shut down > +fast enough. > + > +To avoid this, no matter what, make sure enough offsets are available when > +parsing them. While this is potentially slower, the same is already done in > the > +non-chunks_are_samples case. > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-245 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20503e5dd90e21ef170488b2a8b8529ae8a4cab9] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index e7a79be45b29..5277952c5ea5 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -10070,9 +10070,9 @@ qtdemux_parse_samples (GstQTDemux * qtdemux, > QtDemuxStream * stream, guint32 n) > + goto done; > + } > + > +- cur->offset = > +- qt_atom_parser_get_offset_unchecked (&stream->co_chunk, > +- stream->co_size); > ++ if (!qt_atom_parser_get_offset (&stream->co_chunk, > ++ stream->co_size, &cur->offset)) > ++ goto corrupt_file; > + > + GST_LOG_OBJECT (qtdemux, "Created entry %d with offset " > + "%" G_GUINT64_FORMAT, j, cur->offset); > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch > new file mode 100644 > index 0000000000..c864deb635 > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0011-qtdemux-Actually-handle-errors-returns-from-various-.patch > @@ -0,0 +1,97 @@ > +From ed254790331a3fba2f68255a8f072552d622aac1 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 10:39:30 +0300 > +Subject: [PATCH] qtdemux: Actually handle errors returns from various > + functions instead of ignoring them > + > +Ignoring them might cause the element to continue as if all is fine despite > the > +internal state being inconsistent. This can lead to all kinds of follow-up > +issues, including memory safety issues. > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-245 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed254790331a3fba2f68255a8f072552d622aac1] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + .../gst-plugins-good/gst/isomp4/qtdemux.c | 29 +++++++++++++++---- > + 1 file changed, 23 insertions(+), 6 deletions(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 5277952c5ea5..1de70f184f50 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -4853,10 +4853,15 @@ gst_qtdemux_loop_state_header (GstQTDemux * qtdemux) > + beach: > + if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) { > + /* digested all data, show what we have */ > +- qtdemux_prepare_streams (qtdemux); > ++ ret = qtdemux_prepare_streams (qtdemux); > ++ if (ret != GST_FLOW_OK) > ++ return ret; > ++ > + QTDEMUX_EXPOSE_LOCK (qtdemux); > + ret = qtdemux_expose_streams (qtdemux); > + QTDEMUX_EXPOSE_UNLOCK (qtdemux); > ++ if (ret != GST_FLOW_OK) > ++ return ret; > + > + qtdemux->state = QTDEMUX_STATE_MOVIE; > + GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)", > +@@ -7552,13 +7557,21 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, > gboolean force) > + gst_qtdemux_stream_concat (demux, > + demux->old_streams, demux->active_streams); > + > +- qtdemux_parse_moov (demux, data, demux->neededbytes); > ++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) { > ++ ret = GST_FLOW_ERROR; > ++ break; > ++ } > + qtdemux_node_dump (demux, demux->moov_node); > + qtdemux_parse_tree (demux); > +- qtdemux_prepare_streams (demux); > ++ ret = qtdemux_prepare_streams (demux); > ++ if (ret != GST_FLOW_OK) > ++ break; > ++ > + QTDEMUX_EXPOSE_LOCK (demux); > +- qtdemux_expose_streams (demux); > ++ ret = qtdemux_expose_streams (demux); > + QTDEMUX_EXPOSE_UNLOCK (demux); > ++ if (ret != GST_FLOW_OK) > ++ break; > + > + demux->got_moov = TRUE; > + > +@@ -7649,8 +7662,10 @@ gst_qtdemux_process_adapter (GstQTDemux * demux, > gboolean force) > + /* in MSS we need to expose the pads after the first moof as we > won't get a moov */ > + if (demux->variant == VARIANT_MSS_FRAGMENTED && > !demux->exposed) { > + QTDEMUX_EXPOSE_LOCK (demux); > +- qtdemux_expose_streams (demux); > ++ ret = qtdemux_expose_streams (demux); > + QTDEMUX_EXPOSE_UNLOCK (demux); > ++ if (ret != GST_FLOW_OK) > ++ goto done; > + } > + > + gst_qtdemux_check_send_pending_segment (demux); > +@@ -13764,8 +13779,10 @@ qtdemux_prepare_streams (GstQTDemux * qtdemux) > + > + /* parse the initial sample for use in setting the frame rate cap */ > + while (sample_num == 0 && sample_num < stream->n_samples) { > +- if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) > ++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) { > ++ ret = GST_FLOW_ERROR; > + break; > ++ } > + ++sample_num; > + } > + } > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch > new file mode 100644 > index 0000000000..7096a75a71 > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch > @@ -0,0 +1,36 @@ > +From 3153fda823cb91b1031dae69738c6c5d526fb6e1 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Thu, 26 Sep 2024 19:16:19 +0300 > +Subject: [PATCH] qtdemux: Check for invalid atom length when extracting > Closed > + Caption data > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-243 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3153fda823cb91b1031dae69738c6c5d526fb6e1] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 1de70f184f50..8850d09321e8 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -5827,7 +5827,7 @@ extract_cc_from_data (QtDemuxStream * stream, const > guint8 * data, gsize size, > + goto invalid_cdat; > + atom_length = QT_UINT32 (data); > + fourcc = QT_FOURCC (data + 4); > +- if (G_UNLIKELY (atom_length > size || atom_length == 8)) > ++ if (G_UNLIKELY (atom_length > size || atom_length <= 8)) > + goto invalid_cdat; > + > + GST_DEBUG_OBJECT (stream->pad, "here"); > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch > > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch > new file mode 100644 > index 0000000000..b379c2f88c > --- /dev/null > +++ > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch > @@ -0,0 +1,37 @@ > +From 3ce1b812a9531611288af286b5dc6631a11e3f4a Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> > +Date: Fri, 27 Sep 2024 00:31:36 +0300 > +Subject: [PATCH] qtdemux: Add size check for parsing SMI / SEQH atom > + > +Thanks to Antonio Morales for finding and reporting the issue. > + > +Fixes GHSL-2024-244 > +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853 > + > +Part-of: > <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8109> > + > +Upstream-Status: Backport > [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3ce1b812a9531611288af286b5dc6631a11e3f4a] > +CVE: CVE-2024-47537 CVE-2024-47539 CVE-2024-47543 CVE-2024-47544 > CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 > +Signed-off-by: Vijay Anusuri <vanus...@mvista.com> > +--- > + subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > b/subprojects/gst-plugins-good/gst/isomp4/qtdemux.c > +index 8850d09321e8..dc70287a8a9b 100644 > +--- a/gst/isomp4/qtdemux.c > ++++ b/gst/isomp4/qtdemux.c > +@@ -10633,8 +10633,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux * qtdemux, > + GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI > atom " > + " found, ignoring"); > + } else { > ++ /* Note: The size does *not* include the fourcc and the > size field itself */ > + seqh_size = QT_UINT32 (data + 4); > +- if (seqh_size > 0) { > ++ if (seqh_size > 0 && seqh_size <= size - 8) { > + _seqh = gst_buffer_new_and_alloc (seqh_size); > + gst_buffer_fill (_seqh, 0, data + 8, seqh_size); > + } > +-- > +GitLab > + > diff --git > a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb > b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb > index dfb0c0f342..5427cdb75d 100644 > --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb > +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.7.bb > @@ -6,6 +6,19 @@ BUGTRACKER = > "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues > > SRC_URI = > "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz > \ > > file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ > + > file://0001-qtdemux-Skip-zero-sized-boxes-instead-of-stopping-to.patch \ > + > file://0002-qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch \ > + file://0003-qtdemux-Fix-debug-output-during-trun-parsing.patch \ > + > file://0004-qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch \ > + > file://0005-qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch \ > + > file://0006-qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch \ > + > file://0007-qtdemux-Make-sure-enough-data-is-available-before-re.patch \ > + > file://0008-qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch \ > + > file://0009-qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch \ > + > file://0010-qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch \ > + > file://0011-qtdemux-Actually-handle-errors-returns-from-various-.patch \ > + > file://0012-qtdemux-Check-for-invalid-atom-length-when-extractin.patch \ > + > file://0013-qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch \ > " > > SRC_URI[sha256sum] = > "599f093cc833a1e346939ab6e78a3f8046855b6da13520aae80dd385434f4ab2" > -- > 2.25.1 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#209310): https://lists.openembedded.org/g/openembedded-core/message/209310 Mute This Topic: https://lists.openembedded.org/mt/110388307/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
