Package: gst-plugins-good1.0 / 1.4.4-2+deb8u3

Metadata

Package | Version | Patches format
gst-plugins-good1.0 | 1.4.4-2+deb8u3 | 3.0 (quilt)

Patch series

Patch | File delta | Description
flxdec add some write bounds checking.patch

gst/flx/gstflxdec.c | 116 91 + 25 - 0 !
1 file changed, 91 insertions(+), 25 deletions(-)

 [patch] flxdec: add some write bounds checking

Without checking the bounds of the frame we are writing into, we can
write off the end of the destination buffer.

https://scarybeastsecurity.blogspot.dk/2016/11/0day-exploit-advancing-exploitation.html

https://bugzilla.gnome.org/show_bug.cgi?id=774834

flxdec fix some warnings comparing unsigned 0.patch

gst/flx/gstflxdec.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] flxdec: fix some warnings comparing unsigned < 0

bf43f44fcfada5ec4a3ce60cb374340486fe9fac was comparing an unsigned
expression to be < 0 which was always false.

gstflxdec.c: In function ‘flx_decode_brun’:
gstflxdec.c:322:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
         if ((glong) row - count < 0) {
                                 ^
gstflxdec.c:332:33: warning: comparison of unsigned expression < 0 is always false [-Wtype-limits]
         if ((glong) row - count < 0) {
                                 ^

https://bugzilla.gnome.org/show_bug.cgi?id=774834

flxdec Don t unref parent in the chain function.patch

gst/flx/gstflxdec.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 [patch] flxdec: don't unref() parent in the chain function

We don't own the reference here, it is owned by the caller and given to
us for the scope of this function. Leftover mistake from 0.10 porting.

https://bugzilla.gnome.org/show_bug.cgi?id=774897

flxdec rewrite logic based on GstByteReader Writer.patch

gst/flx/flx_color.c | 1 0 + 1 - 0 !
gst/flx/flx_fmt.h | 72 0 + 72 - 0 !
gst/flx/gstflxdec.c | 640 453 + 187 - 0 !
gst/flx/gstflxdec.h | 4 3 + 1 - 0 !
4 files changed, 456 insertions(+), 261 deletions(-)

 [patch] flxdec: rewrite logic based on gstbytereader/writer

Solves overreading/writing the given arrays and will error out if the
stream asks to do that.

Also does more error checking that the stream is valid and won't
overrun any allocated arrays.  Also mitigate integer overflow errors
calculating allocation sizes.

https://bugzilla.gnome.org/show_bug.cgi?id=774859
[Sebastian Dröge: backport for 1.4.4]

0001 aacparse Make sure we have enough data in the codec_.patch

gst/audioparsers/gstaacparse.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch] aacparse: make sure we have enough data in the codec_data to
 be able to parse it

Also error out cleanly if mapping the buffer failed.

https://bugzilla.gnome.org/show_bug.cgi?id=775450

0002 avidemux Fix various out of bounds reads when parsin.patch

gst/avi/gstavidemux.c | 12 8 + 4 - 0 !
1 file changed, 8 insertions(+), 4 deletions(-)

 [patch] avidemux: fix various out of bounds reads when parsing ncdt
 tags

https://bugzilla.gnome.org/show_bug.cgi?id=777500

0003 avidemux Stop reading a ncdt sub tag if it goes behi.patch

gst/avi/gstavidemux.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] avidemux: stop reading a ncdt sub-tag if it goes behind the
 surrounding tag

https://bugzilla.gnome.org/show_bug.cgi?id=777532

0004 qtdemux Fix out of bounds read in tag parsing code.patch

gst/isomp4/qtdemux.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] qtdemux: fix out of bounds read in tag parsing code

We can't simply assume that the length of the tag value as given
inside the stream is correct but should also check against the amount of
data we have actually available.

https://bugzilla.gnome.org/show_bug.cgi?id=775451

0005 qtdemux Increment current stts index whenever we fin.patch

gst/isomp4/qtdemux.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] qtdemux: increment current stts index whenever we finished
 one stts entry

Otherwise we could read more chunks than there are available, doing an
out of bounds read and potentially crash.

https://bugzilla.gnome.org/show_bug.cgi?id=777469