Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
gstreamer-plugins-bad.32023
gstreamer-plugins-bad-CVE-2023-44446.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gstreamer-plugins-bad-CVE-2023-44446.patch of Package gstreamer-plugins-bad.32023
commit 274551d450e443a8c71baa95e3f8d5dad212737f (HEAD, 05_2023.10.20_CVE-2023-44446_274551d450e443a8c71baa95e3f8d5dad212737f) Author: Sebastian Dröge <sebastian@centricular.com> Date: Fri Oct 20 00:09:57 2023 +0300 mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed allocation Previously they were stored inline inside a GArray, but as references to the tracks were stored in various other places although the array could still be updated (and reallocated!), this could lead to dangling references in various places. Instead now store them in a GPtrArray in their own allocation so each track's memory position stays fixed. Fixes ZDI-CAN-22299 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5635> diff -Nura gst-plugins-bad-1.22.0/gst/mxf/mxfdemux.c gst-plugins-bad-1.22.0_new/gst/mxf/mxfdemux.c --- gst-plugins-bad-1.22.0/gst/mxf/mxfdemux.c 2023-01-24 03:29:34.000000000 +0800 +++ gst-plugins-bad-1.22.0_new/gst/mxf/mxfdemux.c 2023-12-17 18:00:24.858647426 +0800 @@ -170,10 +170,25 @@ } static void -gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) +gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t) { - guint i; + if (t->offsets) + g_array_free (t->offsets, TRUE); + + g_free (t->mapping_data); + + if (t->tags) + gst_tag_list_unref (t->tags); + + if (t->caps) + gst_caps_unref (t->caps); + + g_free (t); +} +static void +gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux) +{ GST_DEBUG_OBJECT (demux, "Resetting MXF state"); g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free, @@ -182,23 +197,7 @@ demux->partitions = NULL; demux->current_partition = NULL; - - for (i = 0; i < demux->essence_tracks->len; i++) { - GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); - - if (t->offsets) - g_array_free (t->offsets, TRUE); - - g_free (t->mapping_data); - - if (t->tags) - gst_tag_list_unref (t->tags); - - if (t->caps) - gst_caps_unref (t->caps); - } - g_array_set_size (demux->essence_tracks, 0); + g_ptr_array_set_size (demux->essence_tracks, 0); } static void @@ -216,7 +215,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *track = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + g_ptr_array_index (demux->essence_tracks, i); track->source_package = NULL; track->delta_id = -1; @@ -419,7 +418,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *cand = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + g_ptr_array_index (demux->essence_tracks, i); if (cand->body_sid != partition->partition.body_sid) continue; @@ -866,8 +865,7 @@ for (k = 0; k < demux->essence_tracks->len; k++) { GstMXFDemuxEssenceTrack *tmp = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, - k); + g_ptr_array_index (demux->essence_tracks, k); if (tmp->track_number == track->parent.track_number && tmp->body_sid == edata->body_sid) { @@ -885,24 +883,23 @@ } if (!etrack) { - GstMXFDemuxEssenceTrack tmp; + GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1); - memset (&tmp, 0, sizeof (tmp)); - tmp.body_sid = edata->body_sid; - tmp.index_sid = edata->index_sid; - tmp.track_number = track->parent.track_number; - tmp.track_id = track->parent.track_id; - memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32); + tmp->body_sid = edata->body_sid; + tmp->index_sid = edata->index_sid; + tmp->track_number = track->parent.track_number; + tmp->track_id = track->parent.track_id; + memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32); if (demux->current_partition->partition.body_sid == edata->body_sid && demux->current_partition->partition.body_offset == 0) - tmp.position = 0; + tmp->position = 0; else - tmp.position = -1; + tmp->position = -1; - g_array_append_val (demux->essence_tracks, tmp); + g_ptr_array_add (demux->essence_tracks, tmp); etrack = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, + g_ptr_array_index (demux->essence_tracks, demux->essence_tracks->len - 1); new = TRUE; } @@ -1050,13 +1047,7 @@ next: if (new) { - g_free (etrack->mapping_data); - if (etrack->tags) - gst_tag_list_unref (etrack->tags); - if (etrack->caps) - gst_caps_unref (etrack->caps); - - g_array_remove_index (demux->essence_tracks, + g_ptr_array_remove_index (demux->essence_tracks, demux->essence_tracks->len - 1); } } @@ -1069,7 +1060,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *etrack = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + g_ptr_array_index (demux->essence_tracks, i); if (!etrack->source_package || !etrack->source_track || !etrack->caps) { GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i); @@ -1438,7 +1429,7 @@ for (k = 0; k < demux->essence_tracks->len; k++) { GstMXFDemuxEssenceTrack *tmp = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); + g_ptr_array_index (demux->essence_tracks, k); if (tmp->source_package == source_package && tmp->source_track == source_track) { @@ -1927,8 +1918,7 @@ pad->current_essence_track = NULL; for (k = 0; k < demux->essence_tracks->len; k++) { - GstMXFDemuxEssenceTrack *tmp = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k); + GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k); if (tmp->source_package == source_package && tmp->source_track == source_track) { @@ -2712,7 +2702,7 @@ if (!etrack) { for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *tmp = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + g_ptr_array_index (demux->essence_tracks, i); if (tmp->body_sid == demux->current_partition->partition.body_sid && (tmp->track_number == track_number || tmp->track_number == 0)) { @@ -3916,8 +3906,7 @@ gst_mxf_demux_set_partition_for_offset (demux, demux->offset); for (i = 0; i < demux->essence_tracks->len; i++) { - GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); if (index_start_position != -1 && t == etrack) t->position = index_start_position; @@ -3941,8 +3930,7 @@ /* Handle EOS */ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, - i); + g_ptr_array_index (demux->essence_tracks, i); if (t->position > 0) t->duration = t->position; @@ -4180,8 +4168,7 @@ guint i; for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *etrack = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, - i); + g_ptr_array_index (demux->essence_tracks, i); if (etrack->body_sid != partition->partition.body_sid) continue; @@ -4652,9 +4639,8 @@ /* Get the corresponding essence track for the given source package and stream id */ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *track = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); - GST_LOG_OBJECT (pad, - "Looking at essence track body_sid:%d index_sid:%d", + g_ptr_array_index (demux->essence_tracks, i); + GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d", track->body_sid, track->index_sid); if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id && mxf_umid_is_equal (&clip->source_package_id, @@ -4903,8 +4889,7 @@ } for (i = 0; i < demux->essence_tracks->len; i++) { - GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); t->position = -1; } @@ -5342,8 +5327,7 @@ } for (i = 0; i < demux->essence_tracks->len; i++) { - GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i); t->position = -1; } @@ -5642,7 +5626,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i); + g_ptr_array_index (demux->essence_tracks, i); if (t->position > 0) t->duration = t->position; @@ -5683,8 +5667,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *etrack = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, - i); + g_ptr_array_index (demux->essence_tracks, i); etrack->position = -1; } ret = TRUE; @@ -5708,8 +5691,7 @@ for (i = 0; i < demux->essence_tracks->len; i++) { GstMXFDemuxEssenceTrack *t = - &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, - i); + g_ptr_array_index (demux->essence_tracks, i); t->position = -1; } demux->current_partition = NULL; @@ -5982,7 +5964,7 @@ g_ptr_array_free (demux->src, TRUE); demux->src = NULL; - g_array_free (demux->essence_tracks, TRUE); + g_ptr_array_free (demux->essence_tracks, TRUE); demux->essence_tracks = NULL; g_hash_table_destroy (demux->metadata); @@ -6059,8 +6041,8 @@ g_rw_lock_init (&demux->metadata_lock); demux->src = g_ptr_array_new (); - demux->essence_tracks = - g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack)); + demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify) + gst_mxf_demux_essence_track_free); gst_segment_init (&demux->segment, GST_FORMAT_TIME); diff -Nura gst-plugins-bad-1.22.0/gst/mxf/mxfdemux.h gst-plugins-bad-1.22.0_new/gst/mxf/mxfdemux.h --- gst-plugins-bad-1.22.0/gst/mxf/mxfdemux.h 2023-01-24 03:29:34.000000000 +0800 +++ gst-plugins-bad-1.22.0_new/gst/mxf/mxfdemux.h 2023-12-17 15:50:49.080358137 +0800 @@ -266,7 +266,7 @@ GList *partitions; GstMXFDemuxPartition *current_partition; - GArray *essence_tracks; + GPtrArray *essence_tracks; GList *pending_index_table_segments; GList *index_tables; /* one per BodySID / IndexSID */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor