-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch50
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch95
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb2
3 files changed, 147 insertions, 0 deletions
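diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch
new file mode 100644
index 0000000000..3508f62409
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-1.patch
@@ -0,0 +1,50 @@
+From 5463f0e09768ca90aa8c58357c1f4c645db580db Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Sat, 15 Mar 2025 22:39:44 +0900
+Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check
+
+Allowed max value is MaxDpbSize - 1
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8885>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db]
+CVE: CVE-2025-3887
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 44b7237..5d5a2db 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -72,6 +72,8 @@
+ #include <string.h>
+ #include <math.h>
+
++#define MAX_DPB_SIZE 16
++
+ #ifndef GST_DISABLE_GST_DEBUG
+ #define GST_CAT_DEFAULT gst_h265_debug_category_get()
+ static GstDebugCategory *
+@@ -1861,7 +1863,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+ for (i =
+ (vps->sub_layer_ordering_info_present_flag ? 0 :
+ vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
+- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
++ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
+ READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
+ vps->max_dec_pic_buffering_minus1[i]);
+ READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
+@@ -2048,7 +2050,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+ for (i =
+ (sps->sub_layer_ordering_info_present_flag ? 0 :
+ sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
+- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
++ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
+ READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
+ sps->max_dec_pic_buffering_minus1[i]);
+ READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
+--
+2.25.1
+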
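Review bot: `MAX_DPB_SIZE` is introduced as a bare `16` with no comment tying it to the spec's MaxDpbSize ceiling, and it is private to gsth265parser.c, so any consumer that sizes a picture buffer from `max_dec_pic_buffering_minus1` has to keep its own constant in step with it. I would document it at the define, e.g. `/* Upper bound of MaxDpbSize in H.265; max_dec_pic_buffering_minus1 must not exceed MAX_DPB_SIZE - 1 */`. The SPS bound also tightens from 16 to 15, so a stream carrying 16 that parsed before is now rejected; that is the intended fix, but it is a behaviour change worth stating in the backport notes. Both `for` loops start and end outside the hunks shown.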
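diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch
new file mode 100644
index 0000000000..be663c2530
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2025-3887-2.patch
@@ -0,0 +1,95 @@
+From bcaab3609805ea10fb3d9ac0c9d947b4c3563948 Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Sat, 15 Mar 2025 23:48:52 +0900
+Subject: [PATCH] h265parser: Fix num_long_term_pics bound check
+
+As defined in the spec 7.4.7.1, calculates allowed maximum
+value of num_long_term_pics
+
+Fixes ZDI-CAN-26596
+
+Fixes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4285
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8885>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bcaab3609805ea10fb3d9ac0c9d947b4c3563948]
+CVE: CVE-2025-3887
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 40 +++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 5d5a2db..abcc05d 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -2779,6 +2779,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
+ READ_UINT8 (&nr, slice->colour_plane_id, 2);
+
+ if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) {
++ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
++
+ READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
+ (sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
+
+@@ -2795,23 +2797,55 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
+ slice->short_term_ref_pic_set_size =
+ (nal_reader_get_pos (&nr) - pos) -
+ (8 * (nal_reader_get_epb_count (&nr) - epb_pos));
++
++ ref_pic_sets = &slice->short_term_ref_pic_sets;
+ } else if (sps->num_short_term_ref_pic_sets > 1) {
+ const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets);
+ READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
+ CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
+ sps->num_short_term_ref_pic_sets - 1);
++ ref_pic_sets =
++ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
++ } else {
++ ref_pic_sets = &sps->short_term_ref_pic_set[0];
+ }
+
+ if (sps->long_term_ref_pics_present_flag) {
+ guint32 limit;
+ guint pos = nal_reader_get_pos (&nr);
+ guint epb_pos = nal_reader_get_epb_count (&nr);
++ gint max_num_long_term_pics = 0;
++ gint TwoVersionsOfCurrDecPicFlag = 0;
+
+- if (sps->num_long_term_ref_pics_sps > 0)
++ if (sps->num_long_term_ref_pics_sps > 0) {
+ READ_UE_MAX (&nr, slice->num_long_term_sps,
+ sps->num_long_term_ref_pics_sps);
+-
+- READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
++ }
++
++ /* 7.4.3.3.3 */
++ if (pps->pps_scc_extension_flag &&
++ pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag &&
++ (sps->sample_adaptive_offset_enabled_flag ||
++ !pps->deblocking_filter_disabled_flag ||
++ pps->deblocking_filter_override_enabled_flag)) {
++ TwoVersionsOfCurrDecPicFlag = 1;
++ }
++
++ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
++ max_num_long_term_pics =
++ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
++ * MaxDpbSize - 1 */
++ MAX_DPB_SIZE - 1
++ - (gint) slice->num_long_term_sps
++ - (gint) ref_pic_sets->NumNegativePics
++ - (gint) ref_pic_sets->NumPositivePics -
++ TwoVersionsOfCurrDecPicFlag;
++ if (max_num_long_term_pics < 0) {
++ GST_WARNING ("Invalid stream, too many reference pictures");
++ goto error;
++ }
++
++ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
+ limit = slice->num_long_term_sps + slice->num_long_term_pics;
+ for (i = 0; i < limit; i++) {
+ if (i < slice->num_long_term_sps) {
+--
+2.25.1
+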
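Review bot: The new `else` branch takes `&sps->short_term_ref_pic_set[0]` without checking that the SPS actually carries a set; the `else if` above it only covers `num_short_term_ref_pic_sets > 1`, so a count of 0 also lands here and `NumNegativePics`/`NumPositivePics` are read from an entry the stream never supplied (presumably zeroed, which yields the loosest possible bound). A guard at the top of that branch, `if (sps->num_short_term_ref_pic_sets == 0) goto error;`, would reject such a stream instead of trusting the default contents. The bound is also computed from the constant `MAX_DPB_SIZE - 1` rather than the stream's own `sps->max_dec_pic_buffering_minus1[]`, as the added comment notes, so `limit` can still reach 15; it is worth confirming outside this hunk that every array indexed by `i` in the loop that follows has at least that many entries. gst_h265_parser_parse_slice_hdr starts and ends outside the hunks shown.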
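diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
index 01c95ac85f..e4fa2a412f 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.22.12.bb
@@ -9,6 +9,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
  file://0001-fix-maybe-uninitialized-warnings-when-compiling-with.patch \
  file://0002-avoid-including-sys-poll.h-directly.patch \
  file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
+ file://CVE-2025-3887-1.patch \
+ file://CVE-2025-3887-2.patch \
  "
 SRC_URI[sha256sum] = "388b4c4412f42e36a38b17cc34119bc11879bd4d9fbd4ff6d03b2c7fc6b4d494"
 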