From d2d60b3a97059d9f27b285644d776b555af6d329 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 21 Dec 2024 14:32:49 +0100
Subject: [PATCH 1/3] Import Debian changes 1.22.0-5+deb12u2
---
debian/changelog | 63 +++
...size-checks-and-avoid-overflows-when.patch | 37 ++
...ck-if-initializing-the-video-info-ac.patch | 44 ++
...ly-error-out-on-negotiation-failures.patch | 91 ++++
...eck-for-big-enough-WavPack-codec-pri.patch | 31 ++
...n-t-take-data-out-of-an-empty-adapte.patch | 39 ++
...x-off-by-one-when-parsing-multi-chan.patch | 21 +
...ly-unmap-GstMapInfo-in-WavPack-heade.patch | 48 ++
...t-a-copy-of-the-codec-data-into-the-.patch | 31 ++
...ip-over-laces-directly-when-postproc.patch | 40 ++
...ip-over-zero-sized-Xiph-stream-heade.patch | 31 ++
...-handle-errors-returns-from-various-.patch | 89 ++++
...size-check-for-parsing-SMI-SEQH-atom.patch | 29 ++
...teger-overflow-when-parsing-Theora-e.patch | 36 ++
...r-invalid-atom-length-when-extractin.patch | 28 ++
...zes-of-stsc-stco-stts-before-trying-.patch | 54 +++
...erate-over-all-trun-entries-if-none-.patch | 27 ++
...Fix-debug-output-during-trun-parsing.patch | 64 +++
...r-handling-when-parsing-cenc-sample-.patch | 47 ++
...ger-overflow-when-allocating-the-sam.patch | 55 +++
...th-checks-and-offsets-in-stsd-entry-.patch | 418 ++++++++++++++++++
...e-enough-data-is-available-before-re.patch | 111 +++++
...e-only-an-even-number-of-bytes-is-pr.patch | 36 ++
...e-there-are-enough-offsets-to-read-w.patch | 41 ++
debian/patches/series | 30 ++
...or-short-reads-when-parsing-headers-.patch | 163 +++++++
...Check-size-before-reading-ds64-chunk.patch | 30 ++
...hat-at-least-32-bytes-are-available-.patch | 29 ++
...hat-at-least-4-bytes-are-available-b.patch | 25 ++
...ix-clipping-of-size-to-the-file-size.patch | 36 ++
.../wavparse-Fix-parsing-of-acid-chunk.patch | 53 +++
...re-enough-data-for-the-tag-list-tag-.patch | 30 ++
32 files changed, 1907 insertions(+)
create mode 100644 debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch
create mode 100644 debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
create mode 100644 debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch
create mode 100644 debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch
create mode 100644 debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch
create mode 100644 debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
create mode 100644 debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
create mode 100644 debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch
create mode 100644 debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch
create mode 100644 debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch
create mode 100644 debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch
create mode 100644 debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
create mode 100644 debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
create mode 100644 debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch
create mode 100644 debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
create mode 100644 debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
create mode 100644 debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch
create mode 100644 debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
create mode 100644 debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
create mode 100644 debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
create mode 100644 debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch
create mode 100644 debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
create mode 100644 debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
create mode 100644 debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch
create mode 100644 debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch
create mode 100644 debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch
create mode 100644 debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch
create mode 100644 debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch
create mode 100644 debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch
create mode 100644 debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
diff --git a/debian/changelog b/debian/changelog
index 2d5c510..b5d5137 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,66 @@
+gst-plugins-good1.0 (1.22.0-5+deb12u2) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * qtdemux: Avoid integer overflow when parsing Theora extension
+ (CVE-2024-47606, GHSL-2024-166)
+ * jpegdec: Directly error out on negotiation failures (CVE-2024-47599,
+ GHSL-2024-247)
+ * gdkpixbufdec: Check if initializing the video info actually succeeded
+ (CVE-2024-47613, GHSL-2024-118)
+ * wavparse: Check for short reads when parsing headers in pull mode
+ (CVE-2024-47778, GHSL-2024-258, CVE-2024-47776, GHSL-2024-260)
+ * wavparse: Make sure enough data for the tag list tag is available before
+ parsing (CVE-2024-47778, GHSL-2024-258)
+ * wavparse: Fix parsing of acid chunk
+ * wavparse: Check that at least 4 bytes are available before parsing cue
+ chunks
+ * wavparse: Check that at least 32 bytes are available before parsing smpl
+ chunks (CVE-2024-47777, GHSL-2024-259)
+ * wavparse: Fix clipping of size to the file size (CVE-2024-47776,
+ GHSL-2024-260)
+ * wavparse: Check size before reading ds64 chunk (CVE-2024-47775,
+ GHSL-2024-261)
+ * avisubtitle: Fix size checks and avoid overflows when checking sizes
+ (CVE-2024-47774, GHSL-2024-262)
+ * matroskademux: Only unmap GstMapInfo in WavPack header extraction error
+ paths if previously mapped (CVE-2024-47540, GHSL-2024-197)
+ * matroskademux: Fix off-by-one when parsing multi-channel WavPack
+ * matroskademux: Check for big enough WavPack codec private data before
+ accessing it (CVE-2024-47602, GHSL-2024-250)
+ * matroskademux: Don't take data out of an empty adapter when processing
+ WavPack frames (CVE-2024-47601, GHSL-2024-249)
+ * matroskademux: Skip over laces directly when postprocessing the frame
+ fails (CVE-2024-47601, GHSL-2024-249)
+ * matroskademux: Skip over zero-sized Xiph stream headers (CVE-2024-47603,
+ GHSL-2024-251)
+ * matroskademux: Put a copy of the codec data into the A_MS/ACM caps
+ (CVE-2024-47834, GHSL-2024-280)
+ * qtdemux: Fix integer overflow when allocating the samples table for
+ fragmented MP4 (CVE-2024-47537, GHSL-2024-094, GHSL-2024-237,
+ GHSL-2024-241)
+ * qtdemux: Fix debug output during trun parsing
+ * qtdemux: Don't iterate over all trun entries if none of the flags are set
+ * qtdemux: Check sizes of stsc/stco/stts before trying to merge entries
+ (CVE-2024-47598, GHSL-2024-246)
+ * qtdemux: Make sure only an even number of bytes is processed when handling
+ CEA608 data (CVE-2024-47539, GHSL-2024-195)
+ * qtdemux: Make sure enough data is available before reading wave header
+ node (CVE-2024-47543, GHSL-2024-236)
+ * qtdemux: Fix length checks and offsets in stsd entry parsing
+ (CVE-2024-47545, GHSL-2024-242)
+ * qtdemux: Fix error handling when parsing cenc sample groups fails
+ (CVE-2024-47544, GHSL-2024-238, GHSL-2024-239, GHSL-2024-240)
+ * qtdemux: Make sure there are enough offsets to read when parsing samples
+ (CVE-2024-47597, GHSL-2024-245)
+ * qtdemux: Actually handle errors returns from various functions instead of
+ ignoring them (CVE-2024-47597, GHSL-2024-245)
+ * qtdemux: Check for invalid atom length when extracting Closed Caption data
+ (CVE-2024-47546, GHSL-2024-243)
+ * qtdemux: Add size check for parsing SMI / SEQH atom (CVE-2024-47596,
+ GHSL-2024-244)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 21 Dec 2024 14:32:49 +0100
+
gst-plugins-good1.0 (1.22.0-5+deb12u1) bookworm-security; urgency=medium
* GST-2023-0001
diff --git a/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch b/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch
new file mode 100644
index 0000000..e3b07a3
--- /dev/null
+++ b/debian/patches/avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch
@@ -0,0 +1,37 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 14:04:03 +0300
+Subject: avisubtitle: Fix size checks and avoid overflows when checking sizes
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/98c2175d255bd2459d7645ac6aee50be5cb57fe3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47774
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-262
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3890
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8055>
+---
+ subprojects/gst-plugins-good/gst/avi/gstavisubtitle.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/gst/avi/gstavisubtitle.c
++++ b/gst/avi/gstavisubtitle.c
+@@ -196,7 +196,7 @@ gst_avi_subtitle_parse_gab2_chunk (GstAv
+ /* read 'name' of subtitle */
+ name_length = GST_READ_UINT32_LE (map.data + 5 + 2);
+ GST_LOG_OBJECT (sub, "length of name: %u", name_length);
+- if (map.size <= 17 + name_length)
++ if (G_MAXUINT32 - 17 < name_length || map.size < 17 + name_length)
+ goto wrong_name_length;
+
+ name_utf8 =
+@@ -216,7 +216,8 @@ gst_avi_subtitle_parse_gab2_chunk (GstAv
+ file_length = GST_READ_UINT32_LE (map.data + 13 + name_length);
+ GST_LOG_OBJECT (sub, "length srt/ssa file: %u", file_length);
+
+- if (map.size < (17 + name_length + file_length))
++ if (G_MAXUINT32 - 17 - name_length < file_length
++ || map.size < 17 + name_length + file_length)
+ goto wrong_total_length;
+
+ /* store this, so we can send it again after a seek; note that we shouldn't
diff --git a/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch b/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
new file mode 100644
index 0000000..8abde57
--- /dev/null
+++ b/debian/patches/gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
@@ -0,0 +1,44 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 2 Oct 2024 14:44:21 +0300
+Subject: gdkpixbufdec: Check if initializing the video info actually succeeded
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5106dc94fb9b2d8bd0db547e2c325244b7c1f32c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47613
+
+Otherwise a 0-byte buffer would be allocated, which gives NULL memory when
+mapped.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-118
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8053>
+---
+ .../gst-plugins-good/ext/gdk_pixbuf/gstgdkpixbufdec.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/ext/gdk_pixbuf/gstgdkpixbufdec.c
++++ b/ext/gdk_pixbuf/gstgdkpixbufdec.c
+@@ -322,7 +322,8 @@ gst_gdk_pixbuf_dec_flush (GstGdkPixbufDe
+
+
+ gst_video_info_init (&info);
+- gst_video_info_set_format (&info, fmt, width, height);
++ if (!gst_video_info_set_format (&info, fmt, width, height))
++ goto format_not_supported;
+ info.fps_n = filter->in_fps_n;
+ info.fps_d = filter->in_fps_d;
+ caps = gst_video_info_to_caps (&info);
+@@ -384,6 +385,12 @@ channels_not_supported:
+ ("%d channels not supported", n_channels));
+ return GST_FLOW_ERROR;
+ }
++format_not_supported:
++ {
++ GST_ELEMENT_ERROR (filter, STREAM, DECODE, (NULL),
++ ("%d channels with %dx%d not supported", n_channels, width, height));
++ return GST_FLOW_ERROR;
++ }
+ no_buffer:
+ {
+ GST_DEBUG ("Failed to create outbuffer - %s", gst_flow_get_name (ret));
diff --git a/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch b/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch
new file mode 100644
index 0000000..3cefb86
--- /dev/null
+++ b/debian/patches/jpegdec-Directly-error-out-on-negotiation-failures.patch
@@ -0,0 +1,91 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:22:19 +0300
+Subject: jpegdec: Directly error out on negotiation failures
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8b1c866e93749fd42d1908ec77a4f339343acbb2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47599
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-247
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3862
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8052>
+---
+ .../gst-plugins-good/ext/jpeg/gstjpegdec.c | 22 ++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/ext/jpeg/gstjpegdec.c
++++ b/ext/jpeg/gstjpegdec.c
+@@ -1068,13 +1068,14 @@ gst_jpeg_turbo_parse_ext_fmt_convert (Gs
+ }
+ #endif
+
+-static void
++static gboolean
+ gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height, gint clrspc,
+ gboolean interlaced)
+ {
+ GstVideoCodecState *outstate;
+ GstVideoInfo *info;
+ GstVideoFormat format;
++ gboolean res;
+
+ #ifdef JCS_EXTENSIONS
+ if (dec->format_convert) {
+@@ -1104,7 +1105,7 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec
+ height == GST_VIDEO_INFO_HEIGHT (info) &&
+ format == GST_VIDEO_INFO_FORMAT (info)) {
+ gst_video_codec_state_unref (outstate);
+- return;
++ return TRUE;
+ }
+ gst_video_codec_state_unref (outstate);
+ }
+@@ -1118,6 +1119,8 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec
+ outstate =
+ gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format,
+ width, height, dec->input_state);
++ if (!outstate)
++ return FALSE;
+
+ switch (clrspc) {
+ case JCS_RGB:
+@@ -1142,10 +1145,12 @@ gst_jpeg_dec_negotiate (GstJpegDec * dec
+
+ gst_video_codec_state_unref (outstate);
+
+- gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec));
++ res = gst_video_decoder_negotiate (GST_VIDEO_DECODER (dec));
+
+ GST_DEBUG_OBJECT (dec, "max_v_samp_factor=%d", dec->cinfo.max_v_samp_factor);
+ GST_DEBUG_OBJECT (dec, "max_h_samp_factor=%d", dec->cinfo.max_h_samp_factor);
++
++ return res;
+ }
+
+ static GstFlowReturn
+@@ -1424,8 +1429,9 @@ gst_jpeg_dec_handle_frame (GstVideoDecod
+ num_fields = 1;
+ }
+
+- gst_jpeg_dec_negotiate (dec, width, output_height,
+- dec->cinfo.jpeg_color_space, num_fields == 2);
++ if (!gst_jpeg_dec_negotiate (dec, width, output_height,
++ dec->cinfo.jpeg_color_space, num_fields == 2))
++ goto negotiation_failed;
+
+ state = gst_video_decoder_get_output_state (bdec);
+ ret = gst_video_decoder_allocate_output_frame (bdec, frame);
+@@ -1557,6 +1563,12 @@ map_failed:
+ ret = GST_FLOW_ERROR;
+ goto exit;
+ }
++negotiation_failed:
++ {
++ GST_ELEMENT_ERROR (dec, CORE, NEGOTIATION, (NULL), ("failed to negotiate"));
++ ret = GST_FLOW_NOT_NEGOTIATED;
++ goto exit;
++ }
+ decode_error:
+ {
+ gchar err_msg[JMSG_LENGTH_MAX];
diff --git a/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch b/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch
new file mode 100644
index 0000000..f0ceb1f
--- /dev/null
+++ b/debian/patches/matroskademux-Check-for-big-enough-WavPack-codec-pri.patch
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 18:25:53 +0300
+Subject: matroskademux: Check for big enough WavPack codec private data before
+ accessing it
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eec4043430d30956ad4aea02a7b67a5758d99f11
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47602
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-250
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3866
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3888,6 +3888,11 @@ gst_matroska_demux_add_wvpk_header (GstE
+ guint8 *buf_data, *data;
+ Wavpack4Header wvh;
+
++ if (!stream->codec_priv || stream->codec_priv_size < 2) {
++ GST_ERROR_OBJECT (element, "No or too small wavpack codec private data");
++ return GST_FLOW_ERROR;
++ }
++
+ wvh.ck_id[0] = 'w';
+ wvh.ck_id[1] = 'v';
+ wvh.ck_id[2] = 'p';
diff --git a/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch b/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch
new file mode 100644
index 0000000..ed84d9c
--- /dev/null
+++ b/debian/patches/matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch
@@ -0,0 +1,39 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:04:51 +0300
+Subject: matroskademux: Don't take data out of an empty adapter when
+ processing WavPack frames
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2dcb071d4995032ed9242bb863189939b211f5cc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47601
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -4036,11 +4036,16 @@ gst_matroska_demux_add_wvpk_header (GstE
+ }
+ gst_buffer_unmap (*buf, &map);
+
+- newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++ size = gst_adapter_available (adapter);
++ if (size > 0) {
++ newbuf = gst_adapter_take_buffer (adapter, size);
++ gst_buffer_copy_into (newbuf, *buf,
++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ } else {
++ newbuf = NULL;
++ }
+ g_object_unref (adapter);
+
+- gst_buffer_copy_into (newbuf, *buf,
+- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
+ gst_buffer_unref (*buf);
+ *buf = newbuf;
+
diff --git a/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch b/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
new file mode 100644
index 0000000..d80641a
--- /dev/null
+++ b/debian/patches/matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
@@ -0,0 +1,21 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:33:39 +0300
+Subject: matroskademux: Fix off-by-one when parsing multi-channel WavPack
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/816a970a042c96669da25b7a046f0ab8311a78d9
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3970,7 +3970,7 @@ gst_matroska_demux_add_wvpk_header (GstE
+ data += 4;
+ size -= 4;
+
+- while (size > 12) {
++ while (size >= 12) {
+ flags = GST_READ_UINT32_LE (data);
+ data += 4;
+ size -= 4;
diff --git a/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch b/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
new file mode 100644
index 0000000..4ff3f9c
--- /dev/null
+++ b/debian/patches/matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
@@ -0,0 +1,48 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 16:32:48 +0300
+Subject: matroskademux: Only unmap GstMapInfo in WavPack header extraction
+ error paths if previously mapped
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a16851ebf34a9f9be4285b2c0d75fe7844354efe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47540
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-197
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3863
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3885,7 +3885,6 @@ gst_matroska_demux_add_wvpk_header (GstE
+ GstMatroskaTrackAudioContext *audiocontext =
+ (GstMatroskaTrackAudioContext *) stream;
+ GstBuffer *newbuf = NULL;
+- GstMapInfo map, outmap;
+ guint8 *buf_data, *data;
+ Wavpack4Header wvh;
+
+@@ -3902,11 +3901,11 @@ gst_matroska_demux_add_wvpk_header (GstE
+
+ if (audiocontext->channels <= 2) {
+ guint32 block_samples, tmp;
++ GstMapInfo outmap;
+ gsize size = gst_buffer_get_size (*buf);
+
+ if (size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+- gst_buffer_unmap (*buf, &map);
+ return GST_FLOW_ERROR;
+ }
+
+@@ -3944,6 +3943,7 @@ gst_matroska_demux_add_wvpk_header (GstE
+ *buf = newbuf;
+ audiocontext->wvpk_block_index += block_samples;
+ } else {
++ GstMapInfo map, outmap;
+ guint8 *outdata = NULL;
+ gsize buf_size, size;
+ guint32 block_samples, flags, crc;
diff --git a/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch b/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch
new file mode 100644
index 0000000..43ff1c7
--- /dev/null
+++ b/debian/patches/matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 9 Oct 2024 11:52:52 -0400
+Subject: matroskademux: Put a copy of the codec data into the A_MS/ACM caps
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2c9abe111bd9122967784ef2b55c9017dc2682b8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47834
+
+The original codec data buffer is owned by matroskademux and does not
+necessarily live as long as the caps.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-280
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3894
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-demux.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -7151,8 +7151,7 @@ gst_matroska_demux_audio_caps (GstMatros
+
+ /* 18 is the waveformatex size */
+ if (size > 18) {
+- codec_data = gst_buffer_new_wrapped_full (GST_MEMORY_FLAG_READONLY,
+- data + 18, size - 18, 0, size - 18, NULL, NULL);
++ codec_data = gst_buffer_new_memdup (data + 18, size - 18);
+ }
+
+ if (riff_audio_fmt)
diff --git a/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch b/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch
new file mode 100644
index 0000000..ef0ac11
--- /dev/null
+++ b/debian/patches/matroskademux-Skip-over-laces-directly-when-postproc.patch
@@ -0,0 +1,40 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:06:03 +0300
+Subject: matroskademux: Skip over laces directly when postprocessing the frame
+ fails
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e5ffa9c9778454457665c1ee1c5bcc17ed3537ac
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47601
+
+Otherwise NULL buffers might be handled afterwards.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-249
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ .../gst-plugins-good/gst/matroska/matroska-demux.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_s
+ if (stream->postprocess_frame) {
+ GST_LOG_OBJECT (demux, "running post process");
+ ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
++ if (ret != GST_FLOW_OK) {
++ gst_clear_buffer (&sub);
++ goto next_lace;
++ }
++
++ if (sub == NULL) {
++ GST_WARNING_OBJECT (demux,
++ "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
++ " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
++ stream_num);
++ goto next_lace;
++ }
+ }
+
+ /* At this point, we have a sub-buffer pointing at data within a larger
diff --git a/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch b/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch
new file mode 100644
index 0000000..21521dc
--- /dev/null
+++ b/debian/patches/matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch
@@ -0,0 +1,31 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 30 Sep 2024 19:19:42 +0300
+Subject: matroskademux: Skip over zero-sized Xiph stream headers
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/09803e225de515c8881fd13ed464c23771a4d1a6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47603
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-251
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3867
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8058>
+---
+ subprojects/gst-plugins-good/gst/matroska/matroska-ids.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/gst/matroska/matroska-ids.c
++++ b/gst/matroska/matroska-ids.c
+@@ -189,8 +189,10 @@ gst_matroska_parse_xiph_stream_headers (
+ if (offset + length[i] > codec_data_size)
+ goto error;
+
+- hdr = gst_buffer_new_memdup (p + offset, length[i]);
+- gst_buffer_list_add (list, hdr);
++ if (length[i] > 0) {
++ hdr = gst_buffer_new_memdup (p + offset, length[i]);
++ gst_buffer_list_add (list, hdr);
++ }
+
+ offset += length[i];
+ }
diff --git a/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch b/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch
new file mode 100644
index 0000000..5343e38
--- /dev/null
+++ b/debian/patches/qtdemux-Actually-handle-errors-returns-from-various-.patch
@@ -0,0 +1,89 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 10:39:30 +0300
+Subject: qtdemux: Actually handle errors returns from various functions
+ instead of ignoring them
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/83056792a8bd179d7e4ba4b3d234ab75205e47d2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47597
+
+Ignoring them might cause the element to continue as if all is fine despite the
+internal state being inconsistent. This can lead to all kinds of follow-up
+issues, including memory safety issues.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-245
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 29 +++++++++++++++----
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -4811,10 +4811,15 @@ gst_qtdemux_loop_state_header (GstQTDemu
+ beach:
+ if (ret == GST_FLOW_EOS && (qtdemux->got_moov || qtdemux->media_caps)) {
+ /* digested all data, show what we have */
+- qtdemux_prepare_streams (qtdemux);
++ ret = qtdemux_prepare_streams (qtdemux);
++ if (ret != GST_FLOW_OK)
++ return ret;
++
+ QTDEMUX_EXPOSE_LOCK (qtdemux);
+ ret = qtdemux_expose_streams (qtdemux);
+ QTDEMUX_EXPOSE_UNLOCK (qtdemux);
++ if (ret != GST_FLOW_OK)
++ return ret;
+
+ qtdemux->state = QTDEMUX_STATE_MOVIE;
+ GST_DEBUG_OBJECT (qtdemux, "switching state to STATE_MOVIE (%d)",
+@@ -7464,13 +7469,21 @@ gst_qtdemux_process_adapter (GstQTDemux
+ gst_qtdemux_stream_concat (demux,
+ demux->old_streams, demux->active_streams);
+
+- qtdemux_parse_moov (demux, data, demux->neededbytes);
++ if (!qtdemux_parse_moov (demux, data, demux->neededbytes)) {
++ ret = GST_FLOW_ERROR;
++ break;
++ }
+ qtdemux_node_dump (demux, demux->moov_node);
+ qtdemux_parse_tree (demux);
+- qtdemux_prepare_streams (demux);
++ ret = qtdemux_prepare_streams (demux);
++ if (ret != GST_FLOW_OK)
++ break;
++
+ QTDEMUX_EXPOSE_LOCK (demux);
+- qtdemux_expose_streams (demux);
++ ret = qtdemux_expose_streams (demux);
+ QTDEMUX_EXPOSE_UNLOCK (demux);
++ if (ret != GST_FLOW_OK)
++ break;
+
+ demux->got_moov = TRUE;
+
+@@ -7561,8 +7574,10 @@ gst_qtdemux_process_adapter (GstQTDemux
+ /* in MSS we need to expose the pads after the first moof as we won't get a moov */
+ if (demux->mss_mode && !demux->exposed) {
+ QTDEMUX_EXPOSE_LOCK (demux);
+- qtdemux_expose_streams (demux);
++ ret = qtdemux_expose_streams (demux);
+ QTDEMUX_EXPOSE_UNLOCK (demux);
++ if (ret != GST_FLOW_OK)
++ goto done;
+ }
+
+ gst_qtdemux_check_send_pending_segment (demux);
+@@ -13589,8 +13604,10 @@ qtdemux_prepare_streams (GstQTDemux * qt
+
+ /* parse the initial sample for use in setting the frame rate cap */
+ while (sample_num == 0 && sample_num < stream->n_samples) {
+- if (!qtdemux_parse_samples (qtdemux, stream, sample_num))
++ if (!qtdemux_parse_samples (qtdemux, stream, sample_num)) {
++ ret = GST_FLOW_ERROR;
+ break;
++ }
+ ++sample_num;
+ }
+ }
diff --git a/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch b/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
new file mode 100644
index 0000000..555caa7
--- /dev/null
+++ b/debian/patches/qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
@@ -0,0 +1,29 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 00:31:36 +0300
+Subject: qtdemux: Add size check for parsing SMI / SEQH atom
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8603e78a07a307139fd45ee11e7623de01494bf3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47596
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-244
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3853
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -10545,8 +10545,9 @@ qtdemux_parse_svq3_stsd_data (GstQTDemux
+ GST_WARNING_OBJECT (qtdemux, "Unexpected second SEQH SMI atom "
+ " found, ignoring");
+ } else {
++ /* Note: The size does *not* include the fourcc and the size field itself */
+ seqh_size = QT_UINT32 (data + 4);
+- if (seqh_size > 0) {
++ if (seqh_size > 0 && seqh_size <= size - 8) {
+ _seqh = gst_buffer_new_and_alloc (seqh_size);
+ gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
+ }
diff --git a/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch b/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
new file mode 100644
index 0000000..dbf1c97
--- /dev/null
+++ b/debian/patches/qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
@@ -0,0 +1,36 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 22:16:06 +0300
+Subject: qtdemux: Avoid integer overflow when parsing Theora extension
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/2d7a11f5e6be5c323b2fed8158bc9df37752e495
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47606
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-166
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3851
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8044>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -8172,7 +8172,7 @@ qtdemux_parse_theora_extension (GstQTDem
+ end -= 8;
+
+ while (buf < end) {
+- gint size;
++ guint32 size;
+ guint32 type;
+
+ size = QT_UINT32 (buf);
+@@ -8180,7 +8180,7 @@ qtdemux_parse_theora_extension (GstQTDem
+
+ GST_LOG_OBJECT (qtdemux, "%p %p", buf, end);
+
+- if (buf + size > end || size <= 0)
++ if (end - buf < size || size < 8)
+ break;
+
+ buf += 8;
diff --git a/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch b/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch
new file mode 100644
index 0000000..c699f27
--- /dev/null
+++ b/debian/patches/qtdemux-Check-for-invalid-atom-length-when-extractin.patch
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 19:16:19 +0300
+Subject: qtdemux: Check for invalid atom length when extracting Closed Caption
+ data
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f31dbbc1bcc00096ab863ee6aaecad493c71c333
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47546
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-243
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -5780,7 +5780,7 @@ extract_cc_from_data (QtDemuxStream * st
+ goto invalid_cdat;
+ atom_length = QT_UINT32 (data);
+ fourcc = QT_FOURCC (data + 4);
+- if (G_UNLIKELY (atom_length > size || atom_length == 8))
++ if (G_UNLIKELY (atom_length > size || atom_length <= 8))
+ goto invalid_cdat;
+
+ GST_DEBUG_OBJECT (stream->pad, "here");
diff --git a/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch b/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
new file mode 100644
index 0000000..23a67d6
--- /dev/null
+++ b/debian/patches/qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
@@ -0,0 +1,54 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 15:50:54 +0300
+Subject: qtdemux: Check sizes of stsc/stco/stts before trying to merge entries
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1def2965d8da8cc74ab0036d7f8d59e81e676cad
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47598
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-246
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3854
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 22 +++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -9392,6 +9392,21 @@ qtdemux_merge_sample_table (GstQTDemux *
+ return;
+ }
+
++ if (gst_byte_reader_get_remaining (&stream->stts) < 8) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stts");
++ return;
++ }
++
++ if (stream->stco.size < 8) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stco");
++ return;
++ }
++
++ if (stream->n_samples_per_chunk == 0) {
++ GST_DEBUG_OBJECT (qtdemux, "No samples per chunk");
++ return;
++ }
++
+ /* Parse the stts to get the sample duration and number of samples */
+ gst_byte_reader_skip_unchecked (&stream->stts, 4);
+ stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts);
+@@ -9403,6 +9418,13 @@ qtdemux_merge_sample_table (GstQTDemux *
+ GST_DEBUG_OBJECT (qtdemux, "sample_duration %d, num_chunks %u", stts_duration,
+ num_chunks);
+
++ if (gst_byte_reader_get_remaining (&stream->stsc) <
++ stream->n_samples_per_chunk * 3 * 4 +
++ (stream->n_samples_per_chunk - 1) * 4) {
++ GST_DEBUG_OBJECT (qtdemux, "Too small stsc");
++ return;
++ }
++
+ /* Now parse stsc, convert chunks into single samples and generate a
+ * new stsc, stts and stsz from this information */
+ gst_byte_writer_init (&stsc);
diff --git a/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch b/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
new file mode 100644
index 0000000..1ff18b0
--- /dev/null
+++ b/debian/patches/qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
@@ -0,0 +1,27 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 18:41:39 +0300
+Subject: qtdemux: Don't iterate over all trun entries if none of the flags are
+ set
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/eb7f9331c2294bc28a549b79c9f931c3e6c6bc44
+
+Nothing would be printed anyway.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux_dump.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/gst/isomp4/qtdemux_dump.c
++++ b/gst/isomp4/qtdemux_dump.c
+@@ -836,6 +836,11 @@ qtdemux_dump_trun (GstQTDemux * qtdemux,
+ GST_LOG ("%*s first-sample-flags: %u", depth, "", first_sample_flags);
+ }
+
++ /* Nothing to print below */
++ if ((flags & (TR_SAMPLE_DURATION | TR_SAMPLE_SIZE | TR_SAMPLE_FLAGS |
++ TR_COMPOSITION_TIME_OFFSETS)) == 0)
++ return TRUE;
++
+ for (i = 0; i < samples_count; i++) {
+ if (flags & TR_SAMPLE_DURATION) {
+ if (!gst_byte_reader_get_uint32_be (data, &sample_duration))
diff --git a/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch b/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch
new file mode 100644
index 0000000..7f6783e
--- /dev/null
+++ b/debian/patches/qtdemux-Fix-debug-output-during-trun-parsing.patch
@@ -0,0 +1,64 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 18:40:56 +0300
+Subject: qtdemux: Fix debug output during trun parsing
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/812f175c580a2e702581859fd481c8f51d633508
+
+Various integers are unsigned so print them as such. Also print the actual
+allocation size if allocation fails, not only parts of it.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3338,8 +3338,8 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+ gint64 initial_offset;
+ gint32 min_ct = 0;
+
+- GST_LOG_OBJECT (qtdemux, "parsing trun track-id %d; "
+- "default dur %d, size %d, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
++ GST_LOG_OBJECT (qtdemux, "parsing trun track-id %u; "
++ "default dur %u, size %u, flags 0x%x, base offset %" G_GINT64_FORMAT ", "
+ "decode ts %" G_GINT64_FORMAT, stream->track_id, d_sample_duration,
+ d_sample_size, d_sample_flags, *base_offset, decode_ts);
+
+@@ -3367,7 +3367,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+ /* note this is really signed */
+ if (!gst_byte_reader_get_int32_be (trun, &data_offset))
+ goto fail;
+- GST_LOG_OBJECT (qtdemux, "trun data offset %d", data_offset);
++ GST_LOG_OBJECT (qtdemux, "trun data offset %u", data_offset);
+ /* default base offset = first byte of moof */
+ if (*base_offset == -1) {
+ GST_LOG_OBJECT (qtdemux, "base_offset at moof");
+@@ -3389,7 +3389,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+
+ GST_LOG_OBJECT (qtdemux, "running offset now %" G_GINT64_FORMAT,
+ *running_offset);
+- GST_LOG_OBJECT (qtdemux, "trun offset %d, flags 0x%x, entries %d",
++ GST_LOG_OBJECT (qtdemux, "trun offset %u, flags 0x%x, entries %u",
+ data_offset, flags, samples_count);
+
+ if (flags & TR_FIRST_SAMPLE_FLAGS) {
+@@ -3598,14 +3598,15 @@ fail:
+ }
+ out_of_memory:
+ {
+- GST_WARNING_OBJECT (qtdemux, "failed to allocate %d samples",
+- stream->n_samples);
++ GST_WARNING_OBJECT (qtdemux, "failed to allocate %u + %u samples",
++ stream->n_samples, samples_count);
+ return FALSE;
+ }
+ index_too_big:
+ {
+- GST_WARNING_OBJECT (qtdemux, "not allocating index of %d samples, would "
+- "be larger than %uMB (broken file?)", stream->n_samples,
++ GST_WARNING_OBJECT (qtdemux,
++ "not allocating index of %u + %u samples, would "
++ "be larger than %uMB (broken file?)", stream->n_samples, samples_count,
+ QTDEMUX_MAX_SAMPLE_INDEX_SIZE >> 20);
+ return FALSE;
+ }
diff --git a/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch b/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
new file mode 100644
index 0000000..e32e87a
--- /dev/null
+++ b/debian/patches/qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
@@ -0,0 +1,47 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 09:47:50 +0300
+Subject: qtdemux: Fix error handling when parsing cenc sample groups fails
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8e884e4e31649a9fc19095d6501a1143b074aba8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47544
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-238, GHSL-2024-239, GHSL-2024-240
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3846
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 25 ++++++++++++++-----
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -11316,12 +11316,15 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ if (stream->subtype != FOURCC_soun) {
+ GST_ERROR_OBJECT (qtdemux,
+ "Unexpeced stsd type 'aavd' outside 'soun' track");
++ goto corrupt_file;
+ } else {
+ /* encrypted audio with sound sample description v0 */
+ GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
+ stream->protected = TRUE;
+- if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc))
++ if (!qtdemux_parse_protection_aavd (qtdemux, stream, enc, &fourcc)) {
+ GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
++ goto corrupt_file;
++ }
+ }
+ }
+
+@@ -11330,8 +11333,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ * with the same type */
+ GNode *enc = qtdemux_tree_get_child_by_type (stsd, fourcc);
+ stream->protected = TRUE;
+- if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc))
++ if (!qtdemux_parse_protection_scheme_info (qtdemux, stream, enc, &fourcc)) {
+ GST_ERROR_OBJECT (qtdemux, "Failed to parse protection scheme info");
++ goto corrupt_file;
++ }
+ }
+
+ if (stream->subtype == FOURCC_vide) {
diff --git a/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch b/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
new file mode 100644
index 0000000..a69ce10
--- /dev/null
+++ b/debian/patches/qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
@@ -0,0 +1,55 @@
+From: Antonio Morales <antonio-morales@github.com>
+Date: Thu, 26 Sep 2024 18:39:37 +0300
+Subject: qtdemux: Fix integer overflow when allocating the samples table for
+ fragmented MP4
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c3a2af94c652513ac1b1858295688ac88c5cc737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47537
+
+This can lead to out of bounds writes and NULL pointer dereferences.
+
+Fixes GHSL-2024-094, GHSL-2024-237, GHSL-2024-241
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3839
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -3332,6 +3332,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+ gint i;
+ guint8 *data;
+ guint entry_size, dur_offset, size_offset, flags_offset = 0, ct_offset = 0;
++ guint new_n_samples;
+ QtDemuxSample *sample;
+ gboolean ismv = FALSE;
+ gint64 initial_offset;
+@@ -3432,14 +3433,13 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+ goto fail;
+ data = (guint8 *) gst_byte_reader_peek_data_unchecked (trun);
+
+- if (stream->n_samples + samples_count >=
+- QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
++ if (!g_uint_checked_add (&new_n_samples, stream->n_samples, samples_count) ||
++ new_n_samples >= QTDEMUX_MAX_SAMPLE_INDEX_SIZE / sizeof (QtDemuxSample))
+ goto index_too_big;
+
+ GST_DEBUG_OBJECT (qtdemux, "allocating n_samples %u * %u (%.2f MB)",
+- stream->n_samples + samples_count, (guint) sizeof (QtDemuxSample),
+- (stream->n_samples + samples_count) *
+- sizeof (QtDemuxSample) / (1024.0 * 1024.0));
++ new_n_samples, (guint) sizeof (QtDemuxSample),
++ (new_n_samples) * sizeof (QtDemuxSample) / (1024.0 * 1024.0));
+
+ /* create a new array of samples if it's the first sample parsed */
+ if (stream->n_samples == 0) {
+@@ -3448,7 +3448,7 @@ qtdemux_parse_trun (GstQTDemux * qtdemux
+ /* or try to reallocate it with space enough to insert the new samples */
+ } else
+ stream->samples = g_try_renew (QtDemuxSample, stream->samples,
+- stream->n_samples + samples_count);
++ new_n_samples);
+ if (stream->samples == NULL)
+ goto out_of_memory;
+
diff --git a/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch b/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
new file mode 100644
index 0000000..24ba91c
--- /dev/null
+++ b/debian/patches/qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
@@ -0,0 +1,418 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 00:12:57 +0300
+Subject: qtdemux: Fix length checks and offsets in stsd entry parsing
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fe9d5d37234aca04fef7248184177168905a7a69
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47545
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-242
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3845
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 218 +++++++-----------
+ 1 file changed, 79 insertions(+), 139 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -11595,40 +11595,35 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ case FOURCC_avc1:
+ case FOURCC_avc3:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= 0x56 ? 0 : len - 0x56;
+ const guint8 *avc_data = stsd_entry_data + 0x56;
+
+ /* find avcC */
+- while (len >= 0x8) {
+- guint size;
+-
+- if (QT_UINT32 (avc_data) <= 0x8)
+- size = 0;
+- else if (QT_UINT32 (avc_data) <= len)
+- size = QT_UINT32 (avc_data) - 0x8;
+- else
+- size = len - 0x8;
++ while (len >= 8) {
++ guint32 size = QT_UINT32 (avc_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+- switch (QT_FOURCC (avc_data + 0x4)) {
++ switch (QT_FOURCC (avc_data + 4)) {
+ case FOURCC_avcC:
+ {
+ /* parse, if found */
+ GstBuffer *buf;
+
++ if (size < 8 + 1)
++ break;
++
+ GST_DEBUG_OBJECT (qtdemux, "found avcC codec_data in stsd");
+
+ /* First 4 bytes are the length of the atom, the next 4 bytes
+ * are the fourcc, the next 1 byte is the version, and the
+ * subsequent bytes are profile_tier_level structure like data. */
+ gst_codec_utils_h264_caps_set_level_and_profile (entry->caps,
+- avc_data + 8 + 1, size - 1);
+- buf = gst_buffer_new_and_alloc (size);
+- gst_buffer_fill (buf, 0, avc_data + 0x8, size);
++ avc_data + 8 + 1, size - 8 - 1);
++ buf = gst_buffer_new_and_alloc (size - 8);
++ gst_buffer_fill (buf, 0, avc_data + 8, size - 8);
+ gst_caps_set_simple (entry->caps,
+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
+ gst_buffer_unref (buf);
+@@ -11639,6 +11634,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ {
+ GstBuffer *buf;
+
++ if (size < 8 + 40 + 1)
++ break;
++
+ GST_DEBUG_OBJECT (qtdemux, "found strf codec_data in stsd");
+
+ /* First 4 bytes are the length of the atom, the next 4 bytes
+@@ -11646,17 +11644,14 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ * next 1 byte is the version, and the
+ * subsequent bytes are sequence parameter set like data. */
+
+- size -= 40; /* we'll be skipping BITMAPINFOHEADER */
+- if (size > 1) {
+- gst_codec_utils_h264_caps_set_level_and_profile
+- (entry->caps, avc_data + 8 + 40 + 1, size - 1);
++ gst_codec_utils_h264_caps_set_level_and_profile
++ (entry->caps, avc_data + 8 + 40 + 1, size - 8 - 40 - 1);
+
+- buf = gst_buffer_new_and_alloc (size);
+- gst_buffer_fill (buf, 0, avc_data + 8 + 40, size);
+- gst_caps_set_simple (entry->caps,
+- "codec_data", GST_TYPE_BUFFER, buf, NULL);
+- gst_buffer_unref (buf);
+- }
++ buf = gst_buffer_new_and_alloc (size - 8 - 40);
++ gst_buffer_fill (buf, 0, avc_data + 8 + 40, size - 8 - 40);
++ gst_caps_set_simple (entry->caps,
++ "codec_data", GST_TYPE_BUFFER, buf, NULL);
++ gst_buffer_unref (buf);
+ break;
+ }
+ case FOURCC_btrt:
+@@ -11664,11 +11659,11 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ guint avg_bitrate, max_bitrate;
+
+ /* bufferSizeDB, maxBitrate and avgBitrate - 4 bytes each */
+- if (size < 12)
++ if (size < 8 + 12)
+ break;
+
+- max_bitrate = QT_UINT32 (avc_data + 0xc);
+- avg_bitrate = QT_UINT32 (avc_data + 0x10);
++ max_bitrate = QT_UINT32 (avc_data + 8 + 4);
++ avg_bitrate = QT_UINT32 (avc_data + 8 + 8);
+
+ if (!max_bitrate && !avg_bitrate)
+ break;
+@@ -11700,8 +11695,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ break;
+ }
+
+- len -= size + 8;
+- avc_data += size + 8;
++ len -= size;
++ avc_data += size;
+ }
+
+ break;
+@@ -11712,41 +11707,36 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ case FOURCC_dvh1:
+ case FOURCC_dvhe:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= 0x56 ? 0 : len - 0x56;
+ const guint8 *hevc_data = stsd_entry_data + 0x56;
+
+ /* find hevc */
+- while (len >= 0x8) {
+- guint size;
+-
+- if (QT_UINT32 (hevc_data) <= 0x8)
+- size = 0;
+- else if (QT_UINT32 (hevc_data) <= len)
+- size = QT_UINT32 (hevc_data) - 0x8;
+- else
+- size = len - 0x8;
++ while (len >= 8) {
++ guint32 size = QT_UINT32 (hevc_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+- switch (QT_FOURCC (hevc_data + 0x4)) {
++ switch (QT_FOURCC (hevc_data + 4)) {
+ case FOURCC_hvcC:
+ {
+ /* parse, if found */
+ GstBuffer *buf;
+
++ if (size < 8 + 1)
++ break;
++
+ GST_DEBUG_OBJECT (qtdemux, "found hvcC codec_data in stsd");
+
+ /* First 4 bytes are the length of the atom, the next 4 bytes
+ * are the fourcc, the next 1 byte is the version, and the
+ * subsequent bytes are sequence parameter set like data. */
+ gst_codec_utils_h265_caps_set_level_tier_and_profile
+- (entry->caps, hevc_data + 8 + 1, size - 1);
++ (entry->caps, hevc_data + 8 + 1, size - 8 - 1);
+
+- buf = gst_buffer_new_and_alloc (size);
+- gst_buffer_fill (buf, 0, hevc_data + 0x8, size);
++ buf = gst_buffer_new_and_alloc (size - 8);
++ gst_buffer_fill (buf, 0, hevc_data + 8, size - 8);
+ gst_caps_set_simple (entry->caps,
+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
+ gst_buffer_unref (buf);
+@@ -11755,8 +11745,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ default:
+ break;
+ }
+- len -= size + 8;
+- hevc_data += size + 8;
++ len -= size;
++ hevc_data += size;
+ }
+ break;
+ }
+@@ -12136,33 +12126,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ }
+ case FOURCC_vc_1:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= 0x56 ? 0 : len - 0x56;
+ const guint8 *vc1_data = stsd_entry_data + 0x56;
+
+ /* find dvc1 */
+ while (len >= 8) {
+- guint size;
+-
+- if (QT_UINT32 (vc1_data) <= 8)
+- size = 0;
+- else if (QT_UINT32 (vc1_data) <= len)
+- size = QT_UINT32 (vc1_data) - 8;
+- else
+- size = len - 8;
++ guint32 size = QT_UINT32 (vc1_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+- switch (QT_FOURCC (vc1_data + 0x4)) {
++ switch (QT_FOURCC (vc1_data + 4)) {
+ case GST_MAKE_FOURCC ('d', 'v', 'c', '1'):
+ {
+ GstBuffer *buf;
+
+ GST_DEBUG_OBJECT (qtdemux, "found dvc1 codec_data in stsd");
+- buf = gst_buffer_new_and_alloc (size);
+- gst_buffer_fill (buf, 0, vc1_data + 8, size);
++ buf = gst_buffer_new_and_alloc (size - 8);
++ gst_buffer_fill (buf, 0, vc1_data + 8, size - 8);
+ gst_caps_set_simple (entry->caps,
+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
+ gst_buffer_unref (buf);
+@@ -12171,33 +12153,25 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ default:
+ break;
+ }
+- len -= size + 8;
+- vc1_data += size + 8;
++ len -= size;
++ vc1_data += size;
+ }
+ break;
+ }
+ case FOURCC_av01:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= 0x56 ? 0 : len - 0x56;
+ const guint8 *av1_data = stsd_entry_data + 0x56;
+
+ /* find av1C */
+- while (len >= 0x8) {
+- guint size;
+-
+- if (QT_UINT32 (av1_data) <= 0x8)
+- size = 0;
+- else if (QT_UINT32 (av1_data) <= len)
+- size = QT_UINT32 (av1_data) - 0x8;
+- else
+- size = len - 0x8;
++ while (len >= 8) {
++ guint32 size = QT_UINT32 (av1_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+- switch (QT_FOURCC (av1_data + 0x4)) {
++ switch (QT_FOURCC (av1_data + 4)) {
+ case FOURCC_av1C:
+ {
+ /* parse, if found */
+@@ -12208,7 +12182,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ "found av1C codec_data in stsd of size %d", size);
+
+ /* not enough data, just ignore and hope for the best */
+- if (size < 5)
++ if (size < 8 + 5)
+ break;
+
+ /* Content is:
+@@ -12234,10 +12208,10 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ "presentation-delay", G_TYPE_INT,
+ (gint) (pres_delay_field & 0x0F) + 1, NULL);
+ }
+- if (size > 5) {
+- buf = gst_buffer_new_and_alloc (size - 5);
++ if (size > 8 + 5) {
++ buf = gst_buffer_new_and_alloc (size - 8 - 5);
+ GST_BUFFER_FLAG_SET (buf, GST_BUFFER_FLAG_HEADER);
+- gst_buffer_fill (buf, 0, av1_data + 13, size - 5);
++ gst_buffer_fill (buf, 0, av1_data + 13, size - 8 - 5);
+ gst_caps_set_simple (entry->caps,
+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
+ gst_buffer_unref (buf);
+@@ -12248,8 +12222,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ break;
+ }
+
+- len -= size + 8;
+- av1_data += size + 8;
++ len -= size;
++ av1_data += size;
+ }
+
+ break;
+@@ -12260,26 +12234,18 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ * vp08, vp09, and vp10 fourcc. */
+ case FOURCC_vp09:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= 0x56 ? 0 : len - 0x56;
+ const guint8 *vpcc_data = stsd_entry_data + 0x56;
+
+ /* find vpcC */
+- while (len >= 0x8) {
+- guint size;
+-
+- if (QT_UINT32 (vpcc_data) <= 0x8)
+- size = 0;
+- else if (QT_UINT32 (vpcc_data) <= len)
+- size = QT_UINT32 (vpcc_data) - 0x8;
+- else
+- size = len - 0x8;
++ while (len >= 8) {
++ guint32 size = QT_UINT32 (vpcc_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+- switch (QT_FOURCC (vpcc_data + 0x4)) {
++ switch (QT_FOURCC (vpcc_data + 4)) {
+ case FOURCC_vpcC:
+ {
+ const gchar *profile_str = NULL;
+@@ -12295,7 +12261,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+
+ /* the meaning of "size" is length of the atom body, excluding
+ * atom length and fourcc fields */
+- if (size < 12)
++ if (size < 8 + 12)
+ break;
+
+ /* Content is:
+@@ -12401,8 +12367,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ break;
+ }
+
+- len -= size + 8;
+- vpcc_data += size + 8;
++ len -= size;
++ vpcc_data += size;
+ }
+
+ break;
+@@ -12733,7 +12699,7 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ }
+ case FOURCC_wma_:
+ {
+- guint len = QT_UINT32 (stsd_entry_data);
++ guint32 len = QT_UINT32 (stsd_entry_data);
+ len = len <= offset ? 0 : len - offset;
+ const guint8 *wfex_data = stsd_entry_data + offset;
+ const gchar *codec_name = NULL;
+@@ -12758,17 +12724,9 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+
+ /* find wfex */
+ while (len >= 8) {
+- guint size;
+-
+- if (QT_UINT32 (wfex_data) <= 0x8)
+- size = 0;
+- else if (QT_UINT32 (wfex_data) <= len)
+- size = QT_UINT32 (wfex_data) - 8;
+- else
+- size = len - 8;
++ guint32 size = QT_UINT32 (wfex_data);
+
+- if (size < 1)
+- /* No real data, so break out */
++ if (size < 8 || size > len)
+ break;
+
+ switch (QT_FOURCC (wfex_data + 4)) {
+@@ -12814,12 +12772,12 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ "width", G_TYPE_INT, wfex.wBitsPerSample,
+ "depth", G_TYPE_INT, wfex.wBitsPerSample, NULL);
+
+- if (size > wfex.cbSize) {
++ if (size > 8 + wfex.cbSize) {
+ GstBuffer *buf;
+
+- buf = gst_buffer_new_and_alloc (size - wfex.cbSize);
++ buf = gst_buffer_new_and_alloc (size - 8 - wfex.cbSize);
+ gst_buffer_fill (buf, 0, wfex_data + 8 + wfex.cbSize,
+- size - wfex.cbSize);
++ size - 8 - wfex.cbSize);
+ gst_caps_set_simple (entry->caps,
+ "codec_data", GST_TYPE_BUFFER, buf, NULL);
+ gst_buffer_unref (buf);
+@@ -12836,8 +12794,8 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ default:
+ break;
+ }
+- len -= size + 8;
+- wfex_data += size + 8;
++ len -= size;
++ wfex_data += size;
+ }
+ break;
+ }
diff --git a/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch b/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch
new file mode 100644
index 0000000..1e7681c
--- /dev/null
+++ b/debian/patches/qtdemux-Make-sure-enough-data-is-available-before-re.patch
@@ -0,0 +1,111 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 14:17:02 +0300
+Subject: qtdemux: Make sure enough data is available before reading wave
+ header node
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8ef08a7a41da987aa630082df355ea651aa09132
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47543
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-236
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3843
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ .../gst-plugins-good/gst/isomp4/qtdemux.c | 84 ++++++++++---------
+ 1 file changed, 45 insertions(+), 39 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -12935,47 +12935,53 @@ qtdemux_parse_trak (GstQTDemux * qtdemux
+ } else {
+ guint32 datalen = QT_UINT32 (stsd_entry_data + offset + 16);
+ const guint8 *data = stsd_entry_data + offset + 16;
+- GNode *wavenode;
+- GNode *waveheadernode;
+
+- wavenode = g_node_new ((guint8 *) data);
+- if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
+- const guint8 *waveheader;
+- guint32 headerlen;
+-
+- waveheadernode = qtdemux_tree_get_child_by_type (wavenode, fourcc);
+- if (waveheadernode) {
+- waveheader = (const guint8 *) waveheadernode->data;
+- headerlen = QT_UINT32 (waveheader);
+-
+- if (headerlen > 8) {
+- gst_riff_strf_auds *header = NULL;
+- GstBuffer *headerbuf;
+- GstBuffer *extra;
+-
+- waveheader += 8;
+- headerlen -= 8;
+-
+- headerbuf = gst_buffer_new_and_alloc (headerlen);
+- gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
+-
+- if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
+- headerbuf, &header, &extra)) {
+- gst_caps_unref (entry->caps);
+- /* FIXME: Need to do something with the channel reorder map */
+- entry->caps =
+- gst_riff_create_audio_caps (header->format, NULL, header,
+- extra, NULL, NULL, NULL);
+-
+- if (extra)
+- gst_buffer_unref (extra);
+- g_free (header);
++ if (len < datalen || len - datalen < offset + 16) {
++ GST_WARNING_OBJECT (qtdemux, "Not enough data for waveheadernode");
++ } else {
++ GNode *wavenode;
++ GNode *waveheadernode;
++
++ wavenode = g_node_new ((guint8 *) data);
++ if (qtdemux_parse_node (qtdemux, wavenode, data, datalen)) {
++ const guint8 *waveheader;
++ guint32 headerlen;
++
++ waveheadernode =
++ qtdemux_tree_get_child_by_type (wavenode, fourcc);
++ if (waveheadernode) {
++ waveheader = (const guint8 *) waveheadernode->data;
++ headerlen = QT_UINT32 (waveheader);
++
++ if (headerlen > 8) {
++ gst_riff_strf_auds *header = NULL;
++ GstBuffer *headerbuf;
++ GstBuffer *extra;
++
++ waveheader += 8;
++ headerlen -= 8;
++
++ headerbuf = gst_buffer_new_and_alloc (headerlen);
++ gst_buffer_fill (headerbuf, 0, waveheader, headerlen);
++
++ if (gst_riff_parse_strf_auds (GST_ELEMENT_CAST (qtdemux),
++ headerbuf, &header, &extra)) {
++ gst_caps_unref (entry->caps);
++ /* FIXME: Need to do something with the channel reorder map */
++ entry->caps =
++ gst_riff_create_audio_caps (header->format, NULL,
++ header, extra, NULL, NULL, NULL);
++
++ if (extra)
++ gst_buffer_unref (extra);
++ g_free (header);
++ }
+ }
+- }
+- } else
+- GST_DEBUG ("Didn't find waveheadernode for this codec");
++ } else
++ GST_DEBUG ("Didn't find waveheadernode for this codec");
++ }
++ g_node_destroy (wavenode);
+ }
+- g_node_destroy (wavenode);
+ }
+ } else if (esds) {
+ gst_qtdemux_handle_esds (qtdemux, stream, entry, esds,
diff --git a/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch b/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
new file mode 100644
index 0000000..f32b5c1
--- /dev/null
+++ b/debian/patches/qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
@@ -0,0 +1,36 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 26 Sep 2024 09:20:28 +0300
+Subject: qtdemux: Make sure only an even number of bytes is processed when
+ handling CEA608 data
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/314945426c7105ad90f44a188037bc43bb3b0300
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47539
+
+An odd number of bytes would lead to out of bound reads and writes, and doesn't
+make any sense as CEA608 comes in byte pairs.
+
+Strip off any leftover bytes and assume everything before that is valid.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-195
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3841
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -5737,6 +5737,11 @@ convert_to_s334_1a (const guint8 * ccpai
+ guint8 *storage;
+ gsize i;
+
++ /* Strip off any leftover odd bytes and assume everything before is valid */
++ if (ccpair_size % 2 != 0) {
++ ccpair_size -= 1;
++ }
++
+ /* We are converting from pairs to triplets */
+ *res = ccpair_size / 2 * 3;
+ storage = g_malloc (*res);
diff --git a/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch b/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
new file mode 100644
index 0000000..e8d7aab
--- /dev/null
+++ b/debian/patches/qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
@@ -0,0 +1,41 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 27 Sep 2024 10:38:50 +0300
+Subject: qtdemux: Make sure there are enough offsets to read when parsing
+ samples
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7f8f280555201f51898727919831259e68271868
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47597
+
+While this specific case is also caught when initializing co_chunk, the error
+is ignored in various places and calling into the function would lead to out of
+bounds reads if the error message doesn't cause the pipeline to be shut down
+fast enough.
+
+To avoid this, no matter what, make sure enough offsets are available when
+parsing them. While this is potentially slower, the same is already done in the
+non-chunks_are_samples case.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-245
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3847
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8060>
+---
+ subprojects/gst-plugins-good/gst/isomp4/qtdemux.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/gst/isomp4/qtdemux.c
++++ b/gst/isomp4/qtdemux.c
+@@ -9982,9 +9982,9 @@ qtdemux_parse_samples (GstQTDemux * qtde
+ goto done;
+ }
+
+- cur->offset =
+- qt_atom_parser_get_offset_unchecked (&stream->co_chunk,
+- stream->co_size);
++ if (!qt_atom_parser_get_offset (&stream->co_chunk,
++ stream->co_size, &cur->offset))
++ goto corrupt_file;
+
+ GST_LOG_OBJECT (qtdemux, "Created entry %d with offset "
+ "%" G_GUINT64_FORMAT, j, cur->offset);
diff --git a/debian/patches/series b/debian/patches/series
index 3ba2e11..81eef24 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,32 @@
Skip-failing-tests.patch
GST-2023-0001.patch
+qtdemux-Avoid-integer-overflow-when-parsing-Theora-e.patch
+jpegdec-Directly-error-out-on-negotiation-failures.patch
+gdkpixbufdec-Check-if-initializing-the-video-info-ac.patch
+wavparse-Check-for-short-reads-when-parsing-headers-.patch
+wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
+wavparse-Fix-parsing-of-acid-chunk.patch
+wavparse-Check-that-at-least-4-bytes-are-available-b.patch
+wavparse-Check-that-at-least-32-bytes-are-available-.patch
+wavparse-Fix-clipping-of-size-to-the-file-size.patch
+wavparse-Check-size-before-reading-ds64-chunk.patch
+avisubtitle-Fix-size-checks-and-avoid-overflows-when.patch
+matroskademux-Only-unmap-GstMapInfo-in-WavPack-heade.patch
+matroskademux-Fix-off-by-one-when-parsing-multi-chan.patch
+matroskademux-Check-for-big-enough-WavPack-codec-pri.patch
+matroskademux-Don-t-take-data-out-of-an-empty-adapte.patch
+matroskademux-Skip-over-laces-directly-when-postproc.patch
+matroskademux-Skip-over-zero-sized-Xiph-stream-heade.patch
+matroskademux-Put-a-copy-of-the-codec-data-into-the-.patch
+qtdemux-Fix-integer-overflow-when-allocating-the-sam.patch
+qtdemux-Fix-debug-output-during-trun-parsing.patch
+qtdemux-Don-t-iterate-over-all-trun-entries-if-none-.patch
+qtdemux-Check-sizes-of-stsc-stco-stts-before-trying-.patch
+qtdemux-Make-sure-only-an-even-number-of-bytes-is-pr.patch
+qtdemux-Make-sure-enough-data-is-available-before-re.patch
+qtdemux-Fix-length-checks-and-offsets-in-stsd-entry-.patch
+qtdemux-Fix-error-handling-when-parsing-cenc-sample-.patch
+qtdemux-Make-sure-there-are-enough-offsets-to-read-w.patch
+qtdemux-Actually-handle-errors-returns-from-various-.patch
+qtdemux-Check-for-invalid-atom-length-when-extractin.patch
+qtdemux-Add-size-check-for-parsing-SMI-SEQH-atom.patch
diff --git a/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch b/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch
new file mode 100644
index 0000000..33f13b2
--- /dev/null
+++ b/debian/patches/wavparse-Check-for-short-reads-when-parsing-headers-.patch
@@ -0,0 +1,163 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:00:57 +0300
+Subject: wavparse: Check for short reads when parsing headers in pull mode
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c627f3a28bc792580f9a9ebcbb309b2256e4a895
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47776
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47778
+
+And also return the actual flow return to the caller instead of always returning
+GST_FLOW_ERROR.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-258, GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ .../gst/wavparse/gstwavparse.c | 63 ++++++++++++++-----
+ 1 file changed, 46 insertions(+), 17 deletions(-)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -1097,6 +1097,24 @@ parse_ds64 (GstWavParse * wav, GstBuffer
+ }
+
+ static GstFlowReturn
++gst_wavparse_pull_range_exact (GstWavParse * wav, guint64 offset, guint size,
++ GstBuffer ** buffer)
++{
++ GstFlowReturn res;
++
++ res = gst_pad_pull_range (wav->sinkpad, offset, size, buffer);
++ if (res != GST_FLOW_OK)
++ return res;
++
++ if (gst_buffer_get_size (*buffer) < size) {
++ gst_clear_buffer (buffer);
++ return GST_FLOW_EOS;
++ }
++
++ return res;
++}
++
++static GstFlowReturn
+ gst_wavparse_stream_headers (GstWavParse * wav)
+ {
+ GstFlowReturn res = GST_FLOW_OK;
+@@ -1291,9 +1309,9 @@ gst_wavparse_stream_headers (GstWavParse
+
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset, 8,
++ gst_wavparse_pull_range_exact (wav, wav->offset, 8,
+ &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+ tag = GST_READ_UINT32_LE (map.data);
+ size = GST_READ_UINT32_LE (map.data + 4);
+@@ -1396,9 +1414,9 @@ gst_wavparse_stream_headers (GstWavParse
+ gst_buffer_unref (buf);
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
++ gst_wavparse_pull_range_exact (wav, wav->offset + 8,
+ data_size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_extract (buf, 0, &wav->fact, 4);
+ wav->fact = GUINT32_FROM_LE (wav->fact);
+ gst_buffer_unref (buf);
+@@ -1443,9 +1461,9 @@ gst_wavparse_stream_headers (GstWavParse
+ gst_buffer_unref (buf);
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset + 8,
+- size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ gst_wavparse_pull_range_exact (wav, wav->offset + 8, size,
++ &buf)) != GST_FLOW_OK)
++ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+ acid = (const gst_riff_acid *) map.data;
+ tempo = acid->tempo;
+@@ -1483,9 +1501,9 @@ gst_wavparse_stream_headers (GstWavParse
+ gst_buffer_unref (buf);
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset, 12,
++ gst_wavparse_pull_range_exact (wav, wav->offset, 12,
+ &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_extract (buf, 8, <ag, 4);
+ ltag = GUINT32_FROM_LE (ltag);
+ }
+@@ -1512,9 +1530,9 @@ gst_wavparse_stream_headers (GstWavParse
+ buf = NULL;
+ if (data_size > 0) {
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset,
++ gst_wavparse_pull_range_exact (wav, wav->offset,
+ data_size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ }
+ }
+ if (data_size > 0) {
+@@ -1552,9 +1570,9 @@ gst_wavparse_stream_headers (GstWavParse
+ buf = NULL;
+ wav->offset += 12;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset,
++ gst_wavparse_pull_range_exact (wav, wav->offset,
+ data_size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+ gst_wavparse_adtl_chunk (wav, (const guint8 *) map.data,
+ data_size);
+@@ -1597,9 +1615,9 @@ gst_wavparse_stream_headers (GstWavParse
+ gst_buffer_unref (buf);
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset,
++ gst_wavparse_pull_range_exact (wav, wav->offset,
+ data_size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+ if (!gst_wavparse_cue_chunk (wav, (const guint8 *) map.data,
+ data_size)) {
+@@ -1641,9 +1659,9 @@ gst_wavparse_stream_headers (GstWavParse
+ gst_buffer_unref (buf);
+ buf = NULL;
+ if ((res =
+- gst_pad_pull_range (wav->sinkpad, wav->offset,
++ gst_wavparse_pull_range_exact (wav, wav->offset,
+ data_size, &buf)) != GST_FLOW_OK)
+- goto header_read_error;
++ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+ if (!gst_wavparse_smpl_chunk (wav, (const guint8 *) map.data,
+ data_size)) {
+@@ -1795,6 +1813,17 @@ header_read_error:
+ ("Couldn't read in header %d (%s)", res, gst_flow_get_name (res)));
+ goto fail;
+ }
++header_pull_error:
++ {
++ if (res == GST_FLOW_EOS) {
++ GST_WARNING_OBJECT (wav, "Couldn't pull header %d (%s)", res,
++ gst_flow_get_name (res));
++ } else {
++ GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL),
++ ("Couldn't pull header %d (%s)", res, gst_flow_get_name (res)));
++ }
++ goto exit;
++ }
+ }
+
+ /*
diff --git a/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch b/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch
new file mode 100644
index 0000000..7a3f85d
--- /dev/null
+++ b/debian/patches/wavparse-Check-size-before-reading-ds64-chunk.patch
@@ -0,0 +1,30 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:51:00 +0300
+Subject: wavparse: Check size before reading ds64 chunk
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ba8476d3448eeaf016345ae0697b8447c0f62636
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47775
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-261
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3889
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -1087,6 +1087,11 @@ parse_ds64 (GstWavParse * wav, GstBuffer
+ guint32 sampleCountLow, sampleCountHigh;
+
+ gst_buffer_map (buf, &map, GST_MAP_READ);
++ if (map.size < 6 * 4) {
++ GST_WARNING_OBJECT (wav, "Too small ds64 chunk (%" G_GSIZE_FORMAT ")",
++ map.size);
++ return FALSE;
++ }
+ dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
+ dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
+ sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
diff --git a/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch b/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch
new file mode 100644
index 0000000..a55cf59
--- /dev/null
+++ b/debian/patches/wavparse-Check-that-at-least-32-bytes-are-available-.patch
@@ -0,0 +1,29 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:22:02 +0300
+Subject: wavparse: Check that at least 32 bytes are available before parsing
+ smpl chunks
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3d2a5841d777dd95afdea30ad134f96c876f84ab
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47777
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-259
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3887
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -893,6 +893,9 @@ gst_wavparse_smpl_chunk (GstWavParse * w
+ {
+ guint32 note_number;
+
++ if (size < 32)
++ return FALSE;
++
+ /*
+ manufacturer_id = GST_READ_UINT32_LE (data);
+ product_id = GST_READ_UINT32_LE (data + 4);
diff --git a/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch b/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch
new file mode 100644
index 0000000..e1218e7
--- /dev/null
+++ b/debian/patches/wavparse-Check-that-at-least-4-bytes-are-available-b.patch
@@ -0,0 +1,25 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:21:44 +0300
+Subject: wavparse: Check that at least 4 bytes are available before parsing
+ cue chunks
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8f04506d7e68a653c8d7c5e2fb0a19ef93c6ea35
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -789,6 +789,11 @@ gst_wavparse_cue_chunk (GstWavParse * wa
+ return TRUE;
+ }
+
++ if (size < 4) {
++ GST_WARNING_OBJECT (wav, "broken file %d", size);
++ return FALSE;
++ }
++
+ ncues = GST_READ_UINT32_LE (data);
+
+ if (size < 4 + ncues * 24) {
diff --git a/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch b/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch
new file mode 100644
index 0000000..8695858
--- /dev/null
+++ b/debian/patches/wavparse-Fix-clipping-of-size-to-the-file-size.patch
@@ -0,0 +1,36 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:27:27 +0300
+Subject: wavparse: Fix clipping of size to the file size
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/34cfd6b82c3ae6772b9b43b3f6243f85cea35c38
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47776
+
+The size does not include the 8 bytes tag and length, so an additional 8 bytes
+must be removed here. 8 bytes are always available at this point because
+otherwise the parsing of the tag and length right above would've failed.
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-260
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -1337,10 +1337,11 @@ gst_wavparse_stream_headers (GstWavParse
+ }
+
+ /* Clip to upstream size if known */
+- if (upstream_size > 0 && size + wav->offset > upstream_size) {
++ if (upstream_size > 0 && size + 8 + wav->offset > upstream_size) {
+ GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
+ g_assert (upstream_size >= wav->offset);
+- size = upstream_size - wav->offset;
++ g_assert (upstream_size - wav->offset >= 8);
++ size = upstream_size - wav->offset - 8;
+ }
+
+ /* wav is a st00pid format, we don't know for sure where data starts.
diff --git a/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch b/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch
new file mode 100644
index 0000000..9f8a574
--- /dev/null
+++ b/debian/patches/wavparse-Fix-parsing-of-acid-chunk.patch
@@ -0,0 +1,53 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:15:27 +0300
+Subject: wavparse: Fix parsing of acid chunk
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8911020ae3da65b224dd1c87de3437a532e9efa4
+
+Simply casting the bytes to a struct can lead to crashes because of unaligned
+reads, and is also missing the endianness swapping that is necessary on big
+endian architectures.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ .../gst-plugins-good/gst/wavparse/gstwavparse.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -1433,8 +1433,7 @@ gst_wavparse_stream_headers (GstWavParse
+ break;
+ }
+ case GST_RIFF_TAG_acid:{
+- const gst_riff_acid *acid = NULL;
+- const guint data_size = sizeof (gst_riff_acid);
++ const guint data_size = 24;
+ gfloat tempo;
+
+ GST_INFO_OBJECT (wav, "Have acid chunk");
+@@ -1448,13 +1447,13 @@ gst_wavparse_stream_headers (GstWavParse
+ break;
+ }
+ if (wav->streaming) {
++ const guint8 *data;
+ if (!gst_wavparse_peek_chunk (wav, &tag, &size)) {
+ goto exit;
+ }
+ gst_adapter_flush (wav->adapter, 8);
+- acid = (const gst_riff_acid *) gst_adapter_map (wav->adapter,
+- data_size);
+- tempo = acid->tempo;
++ data = gst_adapter_map (wav->adapter, data_size);
++ tempo = GST_READ_FLOAT_LE (data + 20);
+ gst_adapter_unmap (wav->adapter);
+ } else {
+ GstMapInfo map;
+@@ -1465,8 +1464,7 @@ gst_wavparse_stream_headers (GstWavParse
+ &buf)) != GST_FLOW_OK)
+ goto header_pull_error;
+ gst_buffer_map (buf, &map, GST_MAP_READ);
+- acid = (const gst_riff_acid *) map.data;
+- tempo = acid->tempo;
++ tempo = GST_READ_FLOAT_LE (map.data + 20);
+ gst_buffer_unmap (buf, &map);
+ }
+ /* send data as tags */
diff --git a/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch b/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
new file mode 100644
index 0000000..e596cae
--- /dev/null
+++ b/debian/patches/wavparse-Make-sure-enough-data-for-the-tag-list-tag-.patch
@@ -0,0 +1,30 @@
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Fri, 4 Oct 2024 13:09:43 +0300
+Subject: wavparse: Make sure enough data for the tag list tag is available
+ before parsing
+Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f5fa594695e5a9b347e88719b487d9779f80926a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-47778
+
+Thanks to Antonio Morales for finding and reporting the issue.
+
+Fixes GHSL-2024-258
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8054>
+---
+ subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/gst/wavparse/gstwavparse.c
++++ b/gst/wavparse/gstwavparse.c
+@@ -1488,6 +1488,10 @@ gst_wavparse_stream_headers (GstWavParse
+ case GST_RIFF_TAG_LIST:{
+ guint32 ltag;
+
++ /* Need at least the ltag */
++ if (size < 4)
++ goto exit;
++
+ if (wav->streaming) {
+ const guint8 *data = NULL;
+
--
GitLab
From a8d2444282fff6bb94c43395589b8d5368a9de3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dylan=20A=C3=AFssi?= <devel@lists.apertis.org>
Date: Mon, 6 Jan 2025 08:55:00 +0000
Subject: [PATCH 2/3] Release gst-plugins-good1.0 version
1.22.0-5+deb12u2+apertis1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
---
debian/changelog | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 5477474..6483e8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+gst-plugins-good1.0 (1.22.0-5+deb12u2+apertis1) apertis; urgency=medium
+
+ * Sync from debian/bookworm-security.
+ * Remaining Apertis specific changes:
+ - Disable JACK support.
+ - Disable mp3 related plugins.
+ - Check dh_auto_test results only for amd64 since it fails for arm64 on OBS
+
+ -- Apertis CI <devel@lists.apertis.org> Mon, 06 Jan 2025 08:55:00 +0000
+
gst-plugins-good1.0 (1.22.0-5+deb12u2) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
--
GitLab
From 2a845fe99df9024a347b72bb26aed01421945add Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dylan=20A=C3=AFssi?= <dylan.aissi@collabora.com>
Date: Mon, 6 Jan 2025 09:18:11 +0000
Subject: [PATCH 3/3] Refresh the automatically detected licensing information
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>
---
debian/apertis/copyright | 1 -
1 file changed, 1 deletion(-)
diff --git a/debian/apertis/copyright b/debian/apertis/copyright
index e94b8c8..b94f366 100644
--- a/debian/apertis/copyright
+++ b/debian/apertis/copyright
@@ -2857,4 +2857,3 @@ License: LGPL-2+
Files: tests/interactive/ximagesrc-test.c
Copyright: <2006> Zaheer Abbas Merali <zaheerabbas at merali dot org>
License: LGPL-2+
-
--
GitLab