From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Thu, 26 Sep 2024 09:20:28 +0300
Subject: qtdemux: Make sure only an even number of bytes is processed when
 handling CEA608 data
Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47539

An odd number of bytes would lead to out of bound reads and writes, and doesn't
make any sense as CEA608 comes in byte pairs.

Strip off any leftover bytes and assume everything before that is valid.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-195
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
---
 subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/gst/isomp4/qtdemux.c
+++ b/gst/isomp4/qtdemux.c
@@ -5737,6 +5737,11 @@ convert_to_s334_1a (const guint8 * ccpai
   guint8 *storage;
   gsize i;
 
+  /* Strip off any leftover odd bytes and assume everything before is valid */
+  if (ccpair_size % 2 != 0) {
+    ccpair_size -= 1;
+  }
+
   /* We are converting from pairs to triplets */
   *res = ccpair_size / 2 * 3;
   storage = g_malloc (*res);