vmncdec: Sanity-check width/height before using it

- h264parse: Ensure codec_data has the required size when reading number of SPS
  (#1401945)

0001-vmncdec-Sanity-check-width-height-before-using-it.patch

@@ -0,0 +1,50 @@
+From 26f4b2c203d6d0ef0c8204a48dba504870c2cfdf Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Tue, 6 Dec 2016 10:24:03 +0100
+Subject: [PATCH 1/2] vmncdec: Sanity-check width/height before using it
+
+We will allocate a screen area of width*height*bpp bytes, however this
+calculation can easily overflow if too high width or height are given
+inside the stream. Nonetheless we would just assume that enough memory
+was allocated, try to fill it and overwrite as much memory as wanted.
+
+Also allocate the screen area filled with zeroes to ensure that we start
+with full-black and not any random (or not so random) data.
+
+https://scarybeastsecurity.blogspot.gr/2016/11/0day-poc-risky-design-decisions-in.html
+
+Ideally we should just remove this plugin in favour of the one in
+gst-libav, which generally seems to be of better code quality.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774533
+---
+ gst/vmnc/vmncdec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
+index 08085b5..c83e315 100644
+--- a/gst/vmnc/vmncdec.c
++++ b/gst/vmnc/vmncdec.c
+@@ -370,7 +370,7 @@ vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
+ 
+   if (dec->imagedata)
+     g_free (dec->imagedata);
+-  dec->imagedata = g_malloc (dec->format.width * dec->format.height *
++  dec->imagedata = g_malloc0 (dec->format.width * dec->format.height *
+       dec->format.bytes_per_pixel);
+   GST_DEBUG_OBJECT (dec, "Allocated image data at %p", dec->imagedata);
+ 
+@@ -901,6 +901,10 @@ vmnc_handle_packet (GstVMncDec * dec, const guint8 * data, int len,
+             GST_WARNING_OBJECT (dec, "Rectangle out of range, type %d", r.type);
+             return ERROR_INVALID;
+           }
++        } else if (r.width > 16384 || r.height > 16384) {
++          GST_WARNING_OBJECT (dec, "Width or height too high: %ux%u", r.width,
++              r.height);
++          return ERROR_INVALID;
+         }
+ 
+         switch (r.type) {
+-- 
+2.9.3
+

0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch

@@ -0,0 +1,28 @@
+From 3003cbe1624cc6daa416caba9c1dce0180f3837c Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 7 Dec 2016 09:37:10 +0100
+Subject: [PATCH 2/2] h264parse: Ensure codec_data has the required size when
+ reading number of SPS
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth264parse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
+index cf81657..4c14f2b 100644
+--- a/gst/videoparsers/gsth264parse.c
++++ b/gst/videoparsers/gsth264parse.c
+@@ -1605,6 +1605,9 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+       off = nalu.offset + nalu.size;
+     }
+ 
++    if (off >= size) {
++      goto avcc_too_small;
++    }
+     num_pps = data[off];
+     off++;
+ 
+-- 
+2.9.3
+

gstreamer-plugins-bad-free.spec

@@ -14,7 +14,7 @@
 Summary: GStreamer streaming media framework "bad" plug-ins
 Name: gstreamer-plugins-bad-free
 Version: 0.10.23
-Release: 32%{?dist}
+Release: 34%{?dist}
 # The freeze and nfs plugins are LGPLv2 (only)
 License: LGPLv2+ and LGPLv2
 Group: Applications/Multimedia
@@ -38,6 +38,9 @@ Patch7: 0001-Delete-unbuilt-plugins-from-the-docs.patch
 Patch8: 0001-modplug-Specify-directory-when-including-stdafx.h.patch
 # No longer needed, actually break build if we have them now.
 Patch9: gst-plugins-bad-0.10.23-drop-vpx-compat-defines.patch
+Patch10: put-api-version-in-html-book-name.patch
+Patch11: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch
+Patch12: 0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
 
 Requires: %{gstreamer} >= %{gst_minver}
 BuildRequires: %{gstreamer}-devel >= %{gst_minver}
@@ -171,6 +174,9 @@ aren't tested well enough, or the code is not of good enough quality.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
 sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure
 
 
@@ -182,7 +188,7 @@ sed -i 's/opencv <= 2.3.1/opencv <= 2.4.3/g' configure
     --enable-debug --disable-static --enable-gtk-doc --enable-experimental \
     --disable-divx --disable-dts --disable-faac --disable-faad --disable-nas \
     --disable-mimic --disable-libmms --disable-mpeg2enc --disable-mplex \
-    --disable-neon --disable-openal --disable-rtmp --disable-xvid
+    --disable-neon --disable-openal --disable-rtmp --disable-xvid --disable-nsf
 make %{?_smp_mflags}
 
 
@@ -258,7 +264,6 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/gstreamer-%{majorminor}/libgstmpegvideoparse.so
 %{_libdir}/gstreamer-%{majorminor}/libgstmve.so
 %{_libdir}/gstreamer-%{majorminor}/libgstmxf.so
-%{_libdir}/gstreamer-%{majorminor}/libgstnsf.so
 %{_libdir}/gstreamer-%{majorminor}/libgstnuvdemux.so
 %{_libdir}/gstreamer-%{majorminor}/libgstpatchdetect.so
 %{_libdir}/gstreamer-%{majorminor}/libgstpcapparse.so
@@ -366,6 +371,15 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 
 
 %changelog
+* Wed Dec 07 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-34
+- vmncdec: Sanity-check width/height before using it
+- h264parse: Ensure codec_data has the required size when reading number of SPS
+  (#1401945)
+
+* Wed Nov 30 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-33
+- Remove insecure nsf plugin (#1395126)
+- Put api version in doc modules to fix doc build
+
 * Thu Feb 25 2016 Wim Taymans <wtaymans@redhat.com> - 0.10.23-32
 - rebuild for soundtouch (#1311323)
 
@@ -389,7 +403,7 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 - rebuild for libvpx 1.4.0
 - fix build against libvpx 1.4.0
 
-* Mon Aug 26 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.10.23-24
+* Tue Aug 26 2014 Peter Robinson <pbrobinson@fedoraproject.org> 0.10.23-24
 - Drop celt as it's long dead, should be using opus now
 
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10.23-23
@@ -461,7 +475,7 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 * Tue May 29 2012 Adel Gadllah <adel.gadllah@gmail.com> 0.10.23-4
 - Backport upstream patch to fix vp8enc (GNOME #676653, #676245)
 
-* Tue Mar 05 2012 Benjamin Otte <otte@redhat.com> 0.10.23-3
+* Mon Mar 05 2012 Benjamin Otte <otte@redhat.com> 0.10.23-3
 - Reorganize spec file to optionally build without extras package
 
 * Wed Feb 29 2012 Benjamin Otte <otte@redhat.com> 0.10.23-2
@@ -532,7 +546,7 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 * Fri Aug 06 2010 Benjamin Otte <otte@redhat.com> 0.10.19-6
 - Disable NAS now that it's obsolete
 
-* Thu Jul 04 2010 Benjamin Otte <otte@redhat.com> 0.10.19-5
+* Sun Jul 04 2010 Benjamin Otte <otte@redhat.com> 0.10.19-5
 - Disable celt now that an update broke it
 
 * Thu Jun 17 2010 Benjamin Otte <otte@redhat.com> 0.10.19-4
@@ -547,11 +561,11 @@ rm $RPM_BUILD_ROOT%{_libdir}/*.la
 * Mon May 31 2010 Benjamin Otte <otte@redhat.com> 0.10.19-1
 - Update to 0.10.19
 
-* Fri May 15 2010 Benjamin Otte <otte@redhat.com> 0.10.18.3-1
+* Sat May 15 2010 Benjamin Otte <otte@redhat.com> 0.10.18.3-1
 - Update pre-release
 - Add vp8 elements
 
-* Fri May 15 2010 Benjamin Otte <otte@redhat.com> 0.10.18.2-1
+* Sat May 15 2010 Benjamin Otte <otte@redhat.com> 0.10.18.2-1
 - Update to pre-release
 
 * Thu Apr 15 2010 Benjamin Otte <otte@redhat.com> 0.10.18-2

put-api-version-in-html-book-name.patch

@@ -0,0 +1,112 @@
+diff -ur gst-plugins-bad-0.10.23/common/gtk-doc.mak gst-plugins-bad-0.10.23.new/common/gtk-doc.mak
+--- gst-plugins-bad-0.10.23/common/gtk-doc.mak	2011-12-30 19:32:24.000000000 +0100
++++ gst-plugins-bad-0.10.23.new/common/gtk-doc.mak	2016-11-30 12:17:45.944345829 +0100
+@@ -130,10 +130,7 @@
+ 	if test "$(?)" = "0"; then \
+ 	  mkhtml_options=--path="$(abs_srcdir)"; \
+ 	fi; \
+-	cd html && gtkdoc-mkhtml $$mkhtml_options $(MKHTML_OPTIONS) $(DOC_MODULE) ../$(DOC_MAIN_SGML_FILE)
+-	@mv html/index.sgml html/index.sgml.bak
+-	@$(SED) "s/ href=\"$(DOC_MODULE)\// href=\"$(DOC_MODULE)-@GST_MAJORMINOR@\//g" html/index.sgml.bak >html/index.sgml
+-	@rm -f html/index.sgml.bak
++	cd html && gtkdoc-mkhtml $$mkhtml_options $(MKHTML_OPTIONS) $(DOC_MODULE)-@GST_MAJORMINOR@ ../$(DOC_MAIN_SGML_FILE)
+ 	@rm -rf html/xml
+ 	@rm -f version.entities
+ 	@test "x$(HTML_IMAGES)" = "x" ||  ( cd $(srcdir) && cp $(HTML_IMAGES) $(abs_builddir)/html )
+@@ -189,9 +186,9 @@
+ 	    echo '-- Installing '$$i ; \
+ 	    $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
+ 	  done; \
+-	  echo '-- Installing $(builddir)/html/$(DOC_MODULE).devhelp2' ; \
+-	  if test -e $(builddir)/html/$(DOC_MODULE).devhelp2; then \
+-	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE).devhelp2 \
++	  echo '-- Installing $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2' ; \
++	  if test -e $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; then \
++	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2 \
+ 	            $(DESTDIR)$(TARGET_DIR)/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; \
+ 	  fi; \
+ 	  (which gtkdoc-rebase >/dev/null && \
+diff -ur gst-plugins-bad-0.10.23/common/gtk-doc-plugins.mak gst-plugins-bad-0.10.23.new/common/gtk-doc-plugins.mak
+--- gst-plugins-bad-0.10.23/common/gtk-doc-plugins.mak	2011-12-30 19:32:24.000000000 +0100
++++ gst-plugins-bad-0.10.23.new/common/gtk-doc-plugins.mak	2016-11-30 12:19:04.598520343 +0100
+@@ -223,10 +223,7 @@
+ 	    mkhtml_options="$$mkhtml_options --verbose"; \
+ 	  fi; \
+ 	fi; \
+-	cd html && gtkdoc-mkhtml $$mkhtml_options $(DOC_MODULE) $(DOC_MAIN_SGML_FILE)
+-	@mv html/index.sgml html/index.sgml.bak
+-	@$(SED) "s/ href=\"$(DOC_MODULE)\// href=\"$(DOC_MODULE)-@GST_MAJORMINOR@\//g" html/index.sgml.bak >html/index.sgml
+-	@rm -f html/index.sgml.bak
++	cd html && gtkdoc-mkhtml $$mkhtml_options $(DOC_MODULE)-@GST_MAJORMINOR@ $(DOC_MAIN_SGML_FILE)
+ 	@rm -f html/$(DOC_MAIN_SGML_FILE)
+ 	@rm -rf html/xml
+ 	@rm -f html/version.entities
+@@ -290,9 +287,9 @@
+ 	      $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
+ 	    done; \
+ 	  fi; \
+-	  echo '-- Installing $(builddir)/html/$(DOC_MODULE).devhelp2' ; \
+-	  if test -e $(builddir)/html/$(DOC_MODULE).devhelp2; then \
+-	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE).devhelp2 \
++	  echo '-- Installing $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2' ; \
++	  if test -e $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; then \
++	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2 \
+ 	            $(DESTDIR)$(TARGET_DIR)/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; \
+ 	  fi; \
+ 	  (which gtkdoc-rebase >/dev/null && \
+diff -ru gst-plugins-bad-0.10.23/docs/libs/Makefile.in gst-plugins-bad-0.10.23.new/docs/libs/Makefile.in
+--- gst-plugins-bad-0.10.23/docs/libs/Makefile.in	2012-02-28 20:13:59.000000000 +0100
++++ gst-plugins-bad-0.10.23.new/docs/libs/Makefile.in	2016-11-30 12:35:40.609390956 +0100
+@@ -942,10 +942,7 @@
+ @ENABLE_GTK_DOC_TRUE@	if test "$(?)" = "0"; then \
+ @ENABLE_GTK_DOC_TRUE@	  mkhtml_options=--path="$(abs_srcdir)"; \
+ @ENABLE_GTK_DOC_TRUE@	fi; \
+-@ENABLE_GTK_DOC_TRUE@	cd html && gtkdoc-mkhtml $$mkhtml_options $(MKHTML_OPTIONS) $(DOC_MODULE) ../$(DOC_MAIN_SGML_FILE)
+-@ENABLE_GTK_DOC_TRUE@	@mv html/index.sgml html/index.sgml.bak
+-@ENABLE_GTK_DOC_TRUE@	@$(SED) "s/ href=\"$(DOC_MODULE)\// href=\"$(DOC_MODULE)-@GST_MAJORMINOR@\//g" html/index.sgml.bak >html/index.sgml
+-@ENABLE_GTK_DOC_TRUE@	@rm -f html/index.sgml.bak
++@ENABLE_GTK_DOC_TRUE@	cd html && gtkdoc-mkhtml $$mkhtml_options $(MKHTML_OPTIONS) $(DOC_MODULE)-@GST_MAJORMINOR@ ../$(DOC_MAIN_SGML_FILE)
+ @ENABLE_GTK_DOC_TRUE@	@rm -rf html/xml
+ @ENABLE_GTK_DOC_TRUE@	@rm -f version.entities
+ @ENABLE_GTK_DOC_TRUE@	@test "x$(HTML_IMAGES)" = "x" ||  ( cd $(srcdir) && cp $(HTML_IMAGES) $(abs_builddir)/html )
+@@ -999,9 +996,9 @@
+ 	    echo '-- Installing '$$i ; \
+ 	    $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
+ 	  done; \
+-	  echo '-- Installing $(builddir)/html/$(DOC_MODULE).devhelp2' ; \
+-	  if test -e $(builddir)/html/$(DOC_MODULE).devhelp2; then \
+-	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE).devhelp2 \
++	  echo '-- Installing $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2' ; \
++	  if test -e $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; then \
++	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2 \
+ 	            $(DESTDIR)$(TARGET_DIR)/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; \
+ 	  fi; \
+ 	  (which gtkdoc-rebase >/dev/null && \
+diff -ru gst-plugins-bad-0.10.23/docs/plugins/Makefile.in gst-plugins-bad-0.10.23.new/docs/plugins/Makefile.in
+--- gst-plugins-bad-0.10.23/docs/plugins/Makefile.in	2012-02-28 20:13:59.000000000 +0100
++++ gst-plugins-bad-0.10.23.new/docs/plugins/Makefile.in	2016-11-30 12:36:27.440303335 +0100
+@@ -1379,10 +1379,7 @@
+ @ENABLE_GTK_DOC_TRUE@	    mkhtml_options="$$mkhtml_options --verbose"; \
+ @ENABLE_GTK_DOC_TRUE@	  fi; \
+ @ENABLE_GTK_DOC_TRUE@	fi; \
+-@ENABLE_GTK_DOC_TRUE@	cd html && gtkdoc-mkhtml $$mkhtml_options $(DOC_MODULE) $(DOC_MAIN_SGML_FILE)
+-@ENABLE_GTK_DOC_TRUE@	@mv html/index.sgml html/index.sgml.bak
+-@ENABLE_GTK_DOC_TRUE@	@$(SED) "s/ href=\"$(DOC_MODULE)\// href=\"$(DOC_MODULE)-@GST_MAJORMINOR@\//g" html/index.sgml.bak >html/index.sgml
+-@ENABLE_GTK_DOC_TRUE@	@rm -f html/index.sgml.bak
++@ENABLE_GTK_DOC_TRUE@	cd html && gtkdoc-mkhtml $$mkhtml_options $(DOC_MODULE)-@GST_MAJORMINOR@ $(DOC_MAIN_SGML_FILE)
+ @ENABLE_GTK_DOC_TRUE@	@rm -f html/$(DOC_MAIN_SGML_FILE)
+ @ENABLE_GTK_DOC_TRUE@	@rm -rf html/xml
+ @ENABLE_GTK_DOC_TRUE@	@rm -f html/version.entities
+@@ -1442,9 +1439,9 @@
+ 	      $(INSTALL_DATA) $$i $(DESTDIR)$(TARGET_DIR); \
+ 	    done; \
+ 	  fi; \
+-	  echo '-- Installing $(builddir)/html/$(DOC_MODULE).devhelp2' ; \
+-	  if test -e $(builddir)/html/$(DOC_MODULE).devhelp2; then \
+-	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE).devhelp2 \
++	  echo '-- Installing $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2' ; \
++	  if test -e $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; then \
++	            $(INSTALL_DATA) $(builddir)/html/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2 \
+ 	            $(DESTDIR)$(TARGET_DIR)/$(DOC_MODULE)-@GST_MAJORMINOR@.devhelp2; \
+ 	  fi; \
+ 	  (which gtkdoc-rebase >/dev/null && \