From dc4fc627ed04eb07c9203a3d02bfcfc569b3b60c2dba08d04aced64d4ae37882 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 27 May 2024 16:05:50 +0000
Subject: [PATCH] Accepting request 1177125 from home:qzhao:branches:multimedia:libs Add gst-plugins-base-CVE-2024-4453.patch: Backporting e68eccff from upstream, Prevent integer overflows and out of bounds reads when handling undefined tags. (CVE-2024-4453 ZDI-24-467 ZDI-CAN-23896 bsc#1224806)
OBS-URL: https://build.opensuse.org/request/show/1177125
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/gstreamer-plugins-base?expand=0&rev=219
---
 gst-plugins-base-CVE-2024-4453.patch | 53 ++++++++++++++++++++++++++++
 gstreamer-plugins-base.changes | 8 +++++
 gstreamer-plugins-base.spec | 4 +--
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 gst-plugins-base-CVE-2024-4453.patch
diff --git a/gst-plugins-base-CVE-2024-4453.patch b/gst-plugins-base-CVE-2024-4453.patch
new file mode 100644
index 0000000..bb0c317
--- /dev/null
+++ b/gst-plugins-base-CVE-2024-4453.patch
@@ -0,0 +1,53 @@
+commit e68eccff103ab0e91e6d77a892f57131b33902f5
+Author: Sebastian Dröge
+Date: Thu Apr 25 15:21:20 2024 +0300
+
+ exiftag: Prevent integer overflows and out of bounds reads when handling undefined tags
+
+ Fixes ZDI-CAN-23896
+ Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3483
+
+ Part-of:
+
+diff -Nura gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c
+--- gst-plugins-base-1.24.0/gst-libs/gst/tag/gstexiftag.c 2024-03-05 07:51:42.000000000 +0800
++++ gst-plugins-base-1.24.0_new/gst-libs/gst/tag/gstexiftag.c 2024-05-27 19:25:58.227183616 +0800
+@@ -1383,6 +1383,7 @@
+
+ if (count > 4) {
+ GstMapInfo info;
++ gsize alloc_size;
+
+ if (offset < reader->base_offset) {
+ GST_WARNING ("Offset is smaller (%u) than base offset (%u)", offset,
+@@ -1404,14 +1405,28 @@
+ return;
+ }
+
++ if (info.size - real_offset < count) {
++ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++ ", not adding tag %s", count, info.size, tag->gst_tag);
++ gst_buffer_unmap (reader->buffer, &info);
++ return;
++ }
++
++ if (!g_size_checked_add (&alloc_size, count, 1)) {
++ GST_WARNING ("Invalid size %u for buffer of size %" G_GSIZE_FORMAT
++ ", not adding tag %s", real_offset, info.size, tag->gst_tag);
++ gst_buffer_unmap (reader->buffer, &info);
++ return;
++ }
++
+ /* +1 because it could be a string without the \0 */
+- data = malloc (sizeof (guint8) * count + 1);
++ data = malloc (alloc_size);
+ memcpy (data, info.data + real_offset, count);
+ data[count] = 0;
+
+ gst_buffer_unmap (reader->buffer, &info);
+ } else {
+- data = malloc (sizeof (guint8) * count + 1);
++ data = malloc (count + 1);
+ memcpy (data, (guint8 *) offset_as_data, count);
+ data[count] = 0;
+ }
diff --git a/gstreamer-plugins-base.changes b/gstreamer-plugins-base.changes
index 5047cdb..a594a9e 100644
--- a/gstreamer-plugins-base.changes
+++ b/gstreamer-plugins-base.changes
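Review bot: Neither `malloc` call in the new code is checked before `memcpy` writes through `data`, and in the `count > 4` branch the size still comes from the file (bounded only by the mapped buffer after the new check), so an allocation failure becomes a write through NULL. A guard such as `if (data == NULL) { gst_buffer_unmap (reader->buffer, &info); return; }` right after `data = malloc (alloc_size);` would close that; the else branch needs only the NULL test, since `count` is at most 4 there. Separately, the second `GST_WARNING` passes `real_offset` for the "Invalid size %u" placeholder where `count` was presumably intended, which will mislead anyone triaging a rejected file from the logs. The new `info.size - real_offset < count` test is free of underflow only if the check just above the hunk guarantees `real_offset <= info.size`; that code and the rest of the function lie outside the hunk, so it is worth confirming against the 1.24.0 source.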
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed May 22 12:45:03 UTC 2024 - Cliff Zhao
+
+- Add gst-plugins-base-CVE-2024-4453.patch:
+ Backporting e68eccff from upstream, Prevent integer overflows
+ and out of bounds reads when handling undefined tags.
+ (CVE-2024-4453 ZDI-24-467 ZDI-CAN-23896 bsc#1224806)
+
 -------------------------------------------------------------------
 Tue Mar 5 06:20:51 UTC 2024 - Antonio Larrosa
 
diff --git a/gstreamer-plugins-base.spec b/gstreamer-plugins-base.spec
index 23ca61e..7f18c93 100644
--- a/gstreamer-plugins-base.spec
+++ b/gstreamer-plugins-base.spec
@@ -29,12 +29,12 @@ URL: https://gstreamer.freedesktop.org
 Source0: %{url}/src/%{_name}/%{_name}-%{version}.tar.xz
 Source1: gstreamer-plugins-base.appdata.xml
 Source2: baselibs.conf
-
 Patch1: add_wayland_dep_to_tests.patch
 Patch2: MR-221-video-anc-add-two-new-CEA-608-caption-formats.patch
 # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3303
 Patch3: gst-plugins-base-audiobasesink-gap.patch
-
+# PATCH-FIX-UPSTREAM gst-plugins-base-CVE-2024-4453.patch CVE-2024-4453 ZDI-24-467 ZDI-CAN-23896 bsc#1224806 qzhao@suse.com -- Prevent integer overflows and out of bounds reads when handling undefined tags.
+Patch4: gst-plugins-base-CVE-2024-4453.patch
 BuildRequires: Mesa-libGLESv3-devel
 BuildRequires: cdparanoia-devel
 BuildRequires: gcc-c++