2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
new file mode 100644
index 0000000000..03a5d938b5
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
@@ -0,0 +1,49 @@
+From 9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 8 May 2025 09:14:15 +0300
+Subject: [PATCH] subparse: Check for valid UTF-8 before cleaning up lines and
+ check for regex replace errors
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4418
+Fixes CVE-2025-47807
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9132>
+CVE: CVE-2025-47807
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gst/subparse/gstsubparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
+index 81a7f65..5e8769c 100644
+--- a/gst/subparse/gstsubparse.c
+++ b/gst/subparse/gstsubparse.c
+@@ -666,6 +666,12 @@ subrip_unescape_formatting (gchar * txt, gconstpointer allowed_tags_ptr,
+   res = g_regex_replace (tag_regex, txt, strlen (txt), 0,
+       replace_pattern, 0, NULL);
+ 
+  /* Replacing can fail. Return an empty string in that case. */
+  if (!res) {
+    strcpy (txt, "");
+    return;
+  }
+
+   /* res will always be shorter than the input or identical, so this
+    * copy is OK */
+   strcpy (txt, res);
+@@ -1046,6 +1052,10 @@ parse_subrip (ParserState * state, const gchar * line)
+         g_string_append_c (state->buf, '\n');
+       g_string_append (state->buf, line);
+       if (strlen (line) == 0) {
+        if (!g_utf8_validate (state->buf->str, state->buf->len, NULL)) {
+          g_string_truncate (state->buf, 0);
+          return NULL;
+        }
+         ret = g_markup_escape_text (state->buf->str, state->buf->len);
+         g_string_truncate (state->buf, 0);
+         state->state = 0;
+-- 
+2.50.1
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
index 05d58e83b0..6bffd2a872 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
           file://CVE-2024-47835.patch \
           file://CVE-2025-47806.patch \
           file://CVE-2025-47808.patch \
+           file://CVE-2025-47807.patch \
           "
 SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch new file mode 100644 index 0000000000..03a5d938b5 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
@@ -0,0 +1,49 @@
		1	From 9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
		3	Date: Thu, 8 May 2025 09:14:15 +0300
		4	Subject: [PATCH] subparse: Check for valid UTF-8 before cleaning up lines and
		5	check for regex replace errors
		6
		7	Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4418
		8	Fixes CVE-2025-47807
		9
		10	Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9132>
		11
		12	CVE: CVE-2025-47807
		13	Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2]
		14	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		15	---
		16	gst/subparse/gstsubparse.c \| 10 ++++++++++
		17	1 file changed, 10 insertions(+)
		18
		19	diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c
		20	index 81a7f65..5e8769c 100644
		21	--- a/gst/subparse/gstsubparse.c
		22	+++ b/gst/subparse/gstsubparse.c
		23	@@ -666,6 +666,12 @@ subrip_unescape_formatting (gchar * txt, gconstpointer allowed_tags_ptr,
		24	res = g_regex_replace (tag_regex, txt, strlen (txt), 0,
		25	replace_pattern, 0, NULL);
		26
		27	+ /* Replacing can fail. Return an empty string in that case. */
		28	+ if (!res) {
		29	+ strcpy (txt, "");
		30	+ return;
		31	+ }
		32	+
		33	/* res will always be shorter than the input or identical, so this
		34	* copy is OK */
		35	strcpy (txt, res);
		36	@@ -1046,6 +1052,10 @@ parse_subrip (ParserState * state, const gchar * line)
		37	g_string_append_c (state->buf, '\n');
		38	g_string_append (state->buf, line);
		39	if (strlen (line) == 0) {
		40	+ if (!g_utf8_validate (state->buf->str, state->buf->len, NULL)) {
		41	+ g_string_truncate (state->buf, 0);
		42	+ return NULL;
		43	+ }
		44	ret = g_markup_escape_text (state->buf->str, state->buf->len);
		45	g_string_truncate (state->buf, 0);
		46	state->state = 0;
		47	--
		48	2.50.1
		49


diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb index 05d58e83b0..6bffd2a872 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.7.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba
22	file://CVE-2024-47835.patch \	22	file://CVE-2024-47835.patch \
23	file://CVE-2025-47806.patch \	23	file://CVE-2025-47806.patch \
24	file://CVE-2025-47808.patch \	24	file://CVE-2025-47808.patch \
		25	file://CVE-2025-47807.patch \
25	"	26	"
26	SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"	27	SRC_URI[sha256sum] = "fde6696a91875095d82c1012b5777c28ba926047ffce08508e12c1d2c66f0057"
27		28