Fix h264 and h265 parser size checks

- fix mpegts size checks and pat parsing
  (#1401946)

0001-h265parse-Ensure-codec_data-has-the-required-size-wh.patch

@@ -0,0 +1,43 @@
+From d1f953d2c2cb4148363aa026d6a85b8b68159e51 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 23 Nov 2016 10:52:05 +0200
+Subject: [PATCH 1/4] h265parse: Ensure codec_data has the required size when
+ reading number of NAL arrays
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth265parse.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/gst/videoparsers/gsth265parse.c b/gst/videoparsers/gsth265parse.c
+index 26e7c48..d8e32e6 100644
+--- a/gst/videoparsers/gsth265parse.c
++++ b/gst/videoparsers/gsth265parse.c
+@@ -2018,6 +2018,7 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+       (value = gst_structure_get_value (str, "codec_data"))) {
+     GstMapInfo map;
+     guint8 *data;
++    guint num_nal_arrays;
+ 
+     GST_DEBUG_OBJECT (h265parse, "have packetized h265");
+     /* make note for optional split processing */
+@@ -2046,8 +2047,15 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+     GST_DEBUG_OBJECT (h265parse, "nal length size %u",
+         h265parse->nal_length_size);
+ 
++    num_nal_arrays = data[22];
+     off = 23;
+-    for (i = 0; i < data[22]; i++) {
++
++    for (i = 0; i < num_nal_arrays; i++) {
++      if (off + 3 >= size) {
++        gst_buffer_unmap (codec_data, &map);
++        goto hvcc_too_small;
++      }
++
+       num_nals = GST_READ_UINT16_BE (data + off + 1);
+       for (j = 0; j < num_nals; j++) {
+         parseres = gst_h265_parser_identify_nalu_hevc (h265parse->nalparser,
+-- 
+2.9.3
+

0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch

@@ -0,0 +1,29 @@
+From cc8c2da2c3a267548f76b0d6c95b83e449dbe0f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 23 Nov 2016 10:51:17 +0200
+Subject: [PATCH 2/4] h264parse: Ensure codec_data has the required size when
+ reading number of SPS
+
+https://bugzilla.gnome.org/show_bug.cgi?id=774896
+---
+ gst/videoparsers/gsth264parse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
+index 05b6b75..a5cbe6e 100644
+--- a/gst/videoparsers/gsth264parse.c
++++ b/gst/videoparsers/gsth264parse.c
+@@ -2534,6 +2534,10 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
+       off = nalu.offset + nalu.size;
+     }
+ 
++    if (off >= size) {
++      gst_buffer_unmap (codec_data, &map);
++      goto avcc_too_small;
++    }
+     num_pps = data[off];
+     off++;
+ 
+-- 
+2.9.3
+

0003-mpegtssection-Fix-PAT-parsing.patch

@@ -0,0 +1,48 @@
+From e9f2b507e9bf7347427feceb40090dd24e8ebeec Mon Sep 17 00:00:00 2001
+From: Edward Hervey <edward@centricular.com>
+Date: Sat, 26 Nov 2016 10:23:01 +0100
+Subject: [PATCH 3/4] mpegtssection: Fix PAT parsing
+
+Use the estimated number of programs for parsing. Avoids over-reading.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775120
+---
+ gst-libs/gst/mpegts/gstmpegtssection.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
+index dc62ac3..4b55280 100644
+--- a/gst-libs/gst/mpegts/gstmpegtssection.c
++++ b/gst-libs/gst/mpegts/gstmpegtssection.c
+@@ -414,7 +414,7 @@ static gpointer
+ _parse_pat (GstMpegtsSection * section)
+ {
+   GPtrArray *pat;
+-  guint16 i = 0, nb_programs;
++  guint16 i, nb_programs;
+   GstMpegtsPatProgram *program;
+   guint8 *data, *end;
+ 
+@@ -430,7 +430,9 @@ _parse_pat (GstMpegtsSection * section)
+       g_ptr_array_new_full (nb_programs,
+       (GDestroyNotify) _mpegts_pat_program_free);
+ 
+-  while (data < end - 4) {
++  GST_LOG ("nb_programs %u", nb_programs);
++
++  for (i = 0; i < nb_programs; i++) {
+     program = g_slice_new0 (GstMpegtsPatProgram);
+     program->program_number = GST_READ_UINT16_BE (data);
+     data += 2;
+@@ -439,8 +441,6 @@ _parse_pat (GstMpegtsSection * section)
+     data += 2;
+ 
+     g_ptr_array_index (pat, i) = program;
+-
+-    i++;
+   }
+   pat->len = nb_programs;
+ 
+-- 
+2.9.3
+

0004-mpegtssection-Add-more-section-size-checks.patch

@@ -0,0 +1,72 @@
+From 1deb7a6603abfa62450e265f2b767316fff2ffa4 Mon Sep 17 00:00:00 2001
+From: Edward Hervey <edward@centricular.com>
+Date: Sat, 26 Nov 2016 10:44:43 +0100
+Subject: [PATCH 4/4] mpegtssection: Add more section size checks
+
+The smallest section ever needs to be at least 3 bytes (i.e. just the short
+header).
+Non-short headers need to be at least 11 bytes long (3 for the minimum header,
+5 for the non-short header, and 4 for the CRC).
+
+https://bugzilla.gnome.org/show_bug.cgi?id=775048
+---
+ gst-libs/gst/mpegts/gstmpegtssection.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
+index 4b55280..cdcec36 100644
+--- a/gst-libs/gst/mpegts/gstmpegtssection.c
++++ b/gst-libs/gst/mpegts/gstmpegtssection.c
+@@ -1178,13 +1178,20 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
+   GstMpegtsSection *res = NULL;
+   guint8 tmp;
+   guint8 table_id;
+-  guint16 section_length;
++  guint16 section_length = 0;
++
++  /* The smallest section ever is 3 bytes */
++  if (G_UNLIKELY (data_size < 3))
++    goto short_packet;
+ 
+   /* Check for length */
+   section_length = GST_READ_UINT16_BE (data + 1) & 0x0FFF;
+   if (G_UNLIKELY (data_size < section_length + 3))
+     goto short_packet;
+ 
++  GST_LOG ("data_size:%" G_GSIZE_FORMAT " section_length:%u",
++      data_size, section_length);
++
+   /* Table id is in first byte */
+   table_id = *data;
+ 
+@@ -1199,6 +1206,13 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
+   /* section_length (already parsed) : 12 bit */
+   res->section_length = section_length + 3;
+   if (!res->short_section) {
++    /* A long packet needs to be at least 11 bytes long
++     * _ 3 for the bytes above
++     * _ 5 for the bytes below
++     * _ 4 for the CRC */
++    if (G_UNLIKELY (data_size < 11))
++      goto bad_long_packet;
++
+     /* CRC is after section_length (-4 for the size of the CRC) */
+     res->crc = GST_READ_UINT32_BE (res->data + res->section_length - 4);
+     /* Skip to after section_length */
+@@ -1228,6 +1242,13 @@ short_packet:
+     g_free (data);
+     return NULL;
+   }
++bad_long_packet:
++  {
++    GST_WARNING ("PID 0x%04x long section is too short (%" G_GSIZE_FORMAT
++        " bytes, need at least 11)", pid, data_size);
++    gst_mpegts_section_unref (res);
++    return NULL;
++  }
+ }
+ 
+ /**
+-- 
+2.9.3
+

gstreamer1-plugins-bad-free.spec

@@ -14,7 +14,7 @@
 
 Name:           gstreamer1-plugins-bad-free
 Version:        1.8.3
-Release:        2%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release:        3%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary:        GStreamer streaming media framework "bad" plugins
 
 License:        LGPLv2+ and LGPLv2
@@ -31,6 +31,10 @@ URL:            http://gstreamer.freedesktop.org/
 Source0:        gst-plugins-bad-free-%{version}.tar.xz
 Source1:        gst-p-bad-cleanup.sh
 Patch1:         0001-vmncdec-Sanity-check-width-height-before-using-it.patch
+Patch2:         0001-h265parse-Ensure-codec_data-has-the-required-size-wh.patch
+Patch3:         0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
+Patch4:         0003-mpegtssection-Fix-PAT-parsing.patch
+Patch5:         0004-mpegtssection-Add-more-section-size-checks.patch
 
 BuildRequires:  gstreamer1-devel >= %{version}
 BuildRequires:  gstreamer1-plugins-base-devel >= %{version}
@@ -169,7 +173,10 @@ aren't tested well enough, or the code is not of good enough quality.
 %prep
 %setup -q -n gst-plugins-bad-%{version}
 %patch1 -p1
-
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 %configure --disable-silent-rules --disable-fatal-warnings \
@@ -476,6 +483,11 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/libgstbadvideo-%{majorminor}.so
 %{_libdir}/pkgconfig/gstreamer-plugins-bad-%{majorminor}.pc
 
 %changelog
+* Wed Dec 07 2016 Wim Taymans <wtaymans@redhat.com> - 1.8.3-3
+- Fix h264 and h265 parser size checks
+- fix mpegts size checks and pat parsing
+  (#1401946)
+
 * Mon Nov 28 2016 Wim Taymans <wtaymans@redhat.com> - 1.8.3-2
 - Fix Integer overflow when allocating render buffer in vmnc decoder
   (#1395769)