Fix h264 and h265 parser size checks
- fix mpegts size checks and pat parsing (#1401946)
parent
168060d3a7
commit
ff18cecf91
|
@ -0,0 +1,43 @@
|
|||
From d1f953d2c2cb4148363aa026d6a85b8b68159e51 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Wed, 23 Nov 2016 10:52:05 +0200
|
||||
Subject: [PATCH 1/4] h265parse: Ensure codec_data has the required size when
|
||||
reading number of NAL arrays
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=774896
|
||||
---
|
||||
gst/videoparsers/gsth265parse.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/gst/videoparsers/gsth265parse.c b/gst/videoparsers/gsth265parse.c
|
||||
index 26e7c48..d8e32e6 100644
|
||||
--- a/gst/videoparsers/gsth265parse.c
|
||||
+++ b/gst/videoparsers/gsth265parse.c
|
||||
@@ -2018,6 +2018,7 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
|
||||
(value = gst_structure_get_value (str, "codec_data"))) {
|
||||
GstMapInfo map;
|
||||
guint8 *data;
|
||||
+ guint num_nal_arrays;
|
||||
|
||||
GST_DEBUG_OBJECT (h265parse, "have packetized h265");
|
||||
/* make note for optional split processing */
|
||||
@@ -2046,8 +2047,15 @@ gst_h265_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
|
||||
GST_DEBUG_OBJECT (h265parse, "nal length size %u",
|
||||
h265parse->nal_length_size);
|
||||
|
||||
+ num_nal_arrays = data[22];
|
||||
off = 23;
|
||||
- for (i = 0; i < data[22]; i++) {
|
||||
+
|
||||
+ for (i = 0; i < num_nal_arrays; i++) {
|
||||
+ if (off + 3 >= size) {
|
||||
+ gst_buffer_unmap (codec_data, &map);
|
||||
+ goto hvcc_too_small;
|
||||
+ }
|
||||
+
|
||||
num_nals = GST_READ_UINT16_BE (data + off + 1);
|
||||
for (j = 0; j < num_nals; j++) {
|
||||
parseres = gst_h265_parser_identify_nalu_hevc (h265parse->nalparser,
|
||||
--
|
||||
2.9.3
|
||||
|
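Review bot: The new guard `if (off + 3 >= size)` in the NAL-array loop of gst_h265_parse_set_caps also rejects an array header that ends exactly at the end of codec_data, which is the layout of a final array holding zero NAL units; the two-byte count read at `data + off + 1` only needs `off + 3 <= size`. If that strictness is intended, a comment such as `/* array header: 1 byte type + 2 bytes NAL count; NAL data must follow */` would record it, otherwise `if (off + 3 > size)` is the exact bound. The read of `data[22]` into num_nal_arrays is only safe if a check that `size` is at least 23 sits above this hunk, which is not visible here. The inner loop over num_nals continues past the hunk, so whether `off` is re-checked per NAL cannot be confirmed from this page.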
|
@ -0,0 +1,29 @@
|
|||
From cc8c2da2c3a267548f76b0d6c95b83e449dbe0f9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
|
||||
Date: Wed, 23 Nov 2016 10:51:17 +0200
|
||||
Subject: [PATCH 2/4] h264parse: Ensure codec_data has the required size when
|
||||
reading number of SPS
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=774896
|
||||
---
|
||||
gst/videoparsers/gsth264parse.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/gst/videoparsers/gsth264parse.c b/gst/videoparsers/gsth264parse.c
|
||||
index 05b6b75..a5cbe6e 100644
|
||||
--- a/gst/videoparsers/gsth264parse.c
|
||||
+++ b/gst/videoparsers/gsth264parse.c
|
||||
@@ -2534,6 +2534,10 @@ gst_h264_parse_set_caps (GstBaseParse * parse, GstCaps * caps)
|
||||
off = nalu.offset + nalu.size;
|
||||
}
|
||||
|
||||
+ if (off >= size) {
|
||||
+ gst_buffer_unmap (codec_data, &map);
|
||||
+ goto avcc_too_small;
|
||||
+ }
|
||||
num_pps = data[off];
|
||||
off++;
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
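Review bot: The patch subject says the check protects the read of the number of SPS, but the added `if (off >= size)` in gst_h264_parse_set_caps sits directly before `num_pps = data[off]`, so it guards the PPS count byte. A short comment on the guard, for example `/* one more byte is needed for the PPS count */`, would keep the code and the log from disagreeing. The PPS loop that follows `off++` is outside the hunk, so it is not visible here whether each PPS entry is bounded against `size` as well.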
|
@ -0,0 +1,48 @@
|
|||
From e9f2b507e9bf7347427feceb40090dd24e8ebeec Mon Sep 17 00:00:00 2001
|
||||
From: Edward Hervey <edward@centricular.com>
|
||||
Date: Sat, 26 Nov 2016 10:23:01 +0100
|
||||
Subject: [PATCH 3/4] mpegtssection: Fix PAT parsing
|
||||
|
||||
Use the estimated number of programs for parsing. Avoids over-reading.
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=775120
|
||||
---
|
||||
gst-libs/gst/mpegts/gstmpegtssection.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
index dc62ac3..4b55280 100644
|
||||
--- a/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
+++ b/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
@@ -414,7 +414,7 @@ static gpointer
|
||||
_parse_pat (GstMpegtsSection * section)
|
||||
{
|
||||
GPtrArray *pat;
|
||||
- guint16 i = 0, nb_programs;
|
||||
+ guint16 i, nb_programs;
|
||||
GstMpegtsPatProgram *program;
|
||||
guint8 *data, *end;
|
||||
|
||||
@@ -430,7 +430,9 @@ _parse_pat (GstMpegtsSection * section)
|
||||
g_ptr_array_new_full (nb_programs,
|
||||
(GDestroyNotify) _mpegts_pat_program_free);
|
||||
|
||||
- while (data < end - 4) {
|
||||
+ GST_LOG ("nb_programs %u", nb_programs);
|
||||
+
|
||||
+ for (i = 0; i < nb_programs; i++) {
|
||||
program = g_slice_new0 (GstMpegtsPatProgram);
|
||||
program->program_number = GST_READ_UINT16_BE (data);
|
||||
data += 2;
|
||||
@@ -439,8 +441,6 @@ _parse_pat (GstMpegtsSection * section)
|
||||
data += 2;
|
||||
|
||||
g_ptr_array_index (pat, i) = program;
|
||||
-
|
||||
- i++;
|
||||
}
|
||||
pat->len = nb_programs;
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
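Review bot: The rewritten loop in _parse_pat, `for (i = 0; i < nb_programs; i++)`, no longer compares `data` with `end`, so the four bytes read per entry stay in bounds only if nb_programs was derived correctly from the section length. That computation is above the hunk; if it subtracts the fixed header and CRC sizes from the section length, a section shorter than those fixed parts has to be rejected before the subtraction, which should be confirmed there. A comment at the loop such as `/* nb_programs is derived from the section length, so every 4-byte entry ends before the CRC */` would state the invariant the loop now depends on. `pat->len = nb_programs` after the loop relies on the same count.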
|
@ -0,0 +1,72 @@
|
|||
From 1deb7a6603abfa62450e265f2b767316fff2ffa4 Mon Sep 17 00:00:00 2001
|
||||
From: Edward Hervey <edward@centricular.com>
|
||||
Date: Sat, 26 Nov 2016 10:44:43 +0100
|
||||
Subject: [PATCH 4/4] mpegtssection: Add more section size checks
|
||||
|
||||
The smallest section ever needs to be at least 3 bytes (i.e. just the short
|
||||
header).
|
||||
Non-short headers need to be at least 11 bytes long (3 for the minimum header,
|
||||
5 for the non-short header, and 4 for the CRC).
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=775048
|
||||
---
|
||||
gst-libs/gst/mpegts/gstmpegtssection.c | 23 ++++++++++++++++++++++-
|
||||
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/gst-libs/gst/mpegts/gstmpegtssection.c b/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
index 4b55280..cdcec36 100644
|
||||
--- a/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
+++ b/gst-libs/gst/mpegts/gstmpegtssection.c
|
||||
@@ -1178,13 +1178,20 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
|
||||
GstMpegtsSection *res = NULL;
|
||||
guint8 tmp;
|
||||
guint8 table_id;
|
||||
- guint16 section_length;
|
||||
+ guint16 section_length = 0;
|
||||
+
|
||||
+ /* The smallest section ever is 3 bytes */
|
||||
+ if (G_UNLIKELY (data_size < 3))
|
||||
+ goto short_packet;
|
||||
|
||||
/* Check for length */
|
||||
section_length = GST_READ_UINT16_BE (data + 1) & 0x0FFF;
|
||||
if (G_UNLIKELY (data_size < section_length + 3))
|
||||
goto short_packet;
|
||||
|
||||
+ GST_LOG ("data_size:%" G_GSIZE_FORMAT " section_length:%u",
|
||||
+ data_size, section_length);
|
||||
+
|
||||
/* Table id is in first byte */
|
||||
table_id = *data;
|
||||
|
||||
@@ -1199,6 +1206,13 @@ gst_mpegts_section_new (guint16 pid, guint8 * data, gsize data_size)
|
||||
/* section_length (already parsed) : 12 bit */
|
||||
res->section_length = section_length + 3;
|
||||
if (!res->short_section) {
|
||||
+ /* A long packet needs to be at least 11 bytes long
|
||||
+ * _ 3 for the bytes above
|
||||
+ * _ 5 for the bytes below
|
||||
+ * _ 4 for the CRC */
|
||||
+ if (G_UNLIKELY (data_size < 11))
|
||||
+ goto bad_long_packet;
|
||||
+
|
||||
/* CRC is after section_length (-4 for the size of the CRC) */
|
||||
res->crc = GST_READ_UINT32_BE (res->data + res->section_length - 4);
|
||||
/* Skip to after section_length */
|
||||
@@ -1228,6 +1242,13 @@ short_packet:
|
||||
g_free (data);
|
||||
return NULL;
|
||||
}
|
||||
+bad_long_packet:
|
||||
+ {
|
||||
+ GST_WARNING ("PID 0x%04x long section is too short (%" G_GSIZE_FORMAT
|
||||
+ " bytes, need at least 11)", pid, data_size);
|
||||
+ gst_mpegts_section_unref (res);
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
/**
|
||||
--
|
||||
2.9.3
|
||||
|
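Review bot: The long-section guard `if (G_UNLIKELY (data_size < 11))` tests the buffer size, while the CRC read below it is positioned by the parsed length, `res->data + res->section_length - 4` with `res->section_length = section_length + 3`; a buffer of 11 bytes or more whose length field is 0 still places that read before the start of the section. Testing the parsed length, `if (G_UNLIKELY (res->section_length < 11))`, closes that case, since the earlier check already ensures `data_size >= section_length + 3`. The terms listed in the new comment, 3 + 5 + 4, add up to 12 rather than 11, so the constant, the comment and the warning text should be reconciled. The assignment of `res->data` is outside the hunk; this assumes it refers to the same buffer as `data`.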
|
@ -14,7 +14,7 @@
|
|||
|
||||
Name: gstreamer1-plugins-bad-free
|
||||
Version: 1.8.3
|
||||
Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Release: 3%{?gitcommit:.git%{shortcommit}}%{?dist}
|
||||
Summary: GStreamer streaming media framework "bad" plugins
|
||||
|
||||
License: LGPLv2+ and LGPLv2
|
||||
|
@ -31,6 +31,10 @@ URL: http://gstreamer.freedesktop.org/
|
|||
Source0: gst-plugins-bad-free-%{version}.tar.xz
|
||||
Source1: gst-p-bad-cleanup.sh
|
||||
Patch1: 0001-vmncdec-Sanity-check-width-height-before-using-it.patch
|
||||
Patch2: 0001-h265parse-Ensure-codec_data-has-the-required-size-wh.patch
|
||||
Patch3: 0002-h264parse-Ensure-codec_data-has-the-required-size-wh.patch
|
||||
Patch4: 0003-mpegtssection-Fix-PAT-parsing.patch
|
||||
Patch5: 0004-mpegtssection-Add-more-section-size-checks.patch
|
||||
|
||||
BuildRequires: gstreamer1-devel >= %{version}
|
||||
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
|
||||
|
@ -169,7 +173,10 @@ aren't tested well enough, or the code is not of good enough quality.
|
|||
%prep
|
||||
%setup -q -n gst-plugins-bad-%{version}
|
||||
%patch1 -p1
|
||||
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-silent-rules --disable-fatal-warnings \
|
||||
|
@ -476,6 +483,11 @@ chrpath --delete $RPM_BUILD_ROOT%{_libdir}/libgstbadvideo-%{majorminor}.so
|
|||
%{_libdir}/pkgconfig/gstreamer-plugins-bad-%{majorminor}.pc
|
||||
|
||||
%changelog
|
||||
* Wed Dec 07 2016 Wim Taymans <wtaymans@redhat.com> - 1.8.3-3
|
||||
- Fix h264 and h265 parser size checks
|
||||
- fix mpegts size checks and pat parsing
|
||||
(#1401946)
|
||||
|
||||
* Mon Nov 28 2016 Wim Taymans <wtaymans@redhat.com> - 1.8.3-2
|
||||
- Fix Integer overflow when allocating render buffer in vmnc decoder
|
||||
(#1395769)
|
||||
|
|