Package: gst-plugins-good1.0 / 1.14.4-1+deb10u1


Package: gst-plugins-good1.0
Version: 1.14.4-1+deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 matroskademux Initialize track context out parameter to NULL.patch

gst/matroska/matroska-demux.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] matroskademux: initialize track context out parameter to NULL before parsing

Various error return paths don't set it to NULL and callers are only
checking if the pointer is NULL. As it's allocated on the stack this
usually contains random stack memory, and more often than not the memory
of a previously parsed track.

This then causes all kinds of memory corruptions further down the line.

Thanks to Natalie Silvanovich for reporting.


0002 matroskademux Fix extraction of multichannel WavPack.patch

gst/matroska/matroska-demux.c | 99 53 + 46 - 0 !
gst/matroska/matroska-ids.h | 2 2 + 0 - 0 !
2 files changed, 55 insertions(+), 46 deletions(-)

 [patch] matroskademux: fix extraction of multichannel WavPack

The old code had a couple of issues that all lead to potential memory
safety bugs.

  - Use a constant for the Wavpack4Header size instead of using sizeof.
    It's written out into the data and not from the struct and who knows
    what special alignment/padding requirements some C compilers have.
  - gst_buffer_set_size() does not realloc the buffer when setting a
    bigger size than allocated, it only allows growing up to the maximum
    allocated size. Instead use a GstAdapter to collect all the blocks
    and take out everything at once in the end.
  - Check that enough data is actually available in the input and
    otherwise handle it as an error in all cases instead of silently
    ignoring it.

Among other things this fixes out of bounds writes because the code
assumed gst_buffer_set_size() can grow the buffer and simply wrote after
the end of the buffer.

Thanks to Natalie Silvanovich for reporting.
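
The failure mode described in the 0001 commit message, as an added C example that is not code from the patch or from GStreamer: an out parameter left unwritten on an error path, with a caller that checks only the pointer. `Track`, `parse_track` and `count_stale_registrations` are hypothetical names, and the reused slot starts as NULL only so the demo has defined behaviour (in the case the message describes it is uninitialized stack memory).

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the demuxer's per-track context. */
typedef struct { int number; } Track;

/* Parser with an out parameter. With init_out == 0 it has the unpatched
 * shape: the error path returns without writing *out. */
static int parse_track(const unsigned char *data, size_t len,
                       Track **out, int init_out)
{
    if (init_out)
        *out = NULL;              /* the fix: clear before parsing */
    if (len == 0)
        return -1;                /* error path: *out is not written here */
    Track *t = malloc(sizeof *t);
    if (t == NULL)
        return -1;
    t->number = data[0];
    *out = t;
    return 0;
}

/* Caller that looks only at the pointer, never at the return code.
 * Returns how many times an already registered track pointer is
 * registered again; each such entry would later be freed twice. */
static int count_stale_registrations(int init_out)
{
    /* Constructed input: one valid entry, then a truncated (empty) one. */
    static const unsigned char entry[] = { 7 };
    const size_t lens[] = { sizeof entry, 0 };
    Track *seen[2] = { NULL, NULL };
    size_t nseen = 0;
    int stale = 0;
    Track *ctx = NULL;            /* one stack slot reused for every entry */

    for (size_t i = 0; i < 2; i++) {
        (void)parse_track(entry, lens[i], &ctx, init_out);
        if (ctx == NULL)
            continue;             /* the only check the caller makes */
        int dup = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == ctx) dup = 1;
        if (dup) stale++; else seen[nseen++] = ctx;
    }
    for (size_t j = 0; j < nseen; j++)
        free(seen[j]);            /* each unique track freed exactly once */
    return stale;
}
```

Without the initialization the truncated entry is registered with the previous track's pointer; with it, the entry is skipped.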