gstreamer1.0-plugins-bad: fix CVE-2023-50186

Upstream-Status: Backport
[a46737a731]

(From OE-Core rev: ce2d6ba5d69867471919fe698467e243d5f0e73c)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch

@@ -0,0 +1,70 @@
+From a46737a73155fe1c19fa5115df40da35426f9fb5 Mon Sep 17 00:00:00 2001
+From: Seungha Yang <seungha@centricular.com>
+Date: Thu, 23 Nov 2023 20:24:42 +0900
+Subject: [PATCH] av1parser: Fix array sizes in scalability structure
+
+Since the AV1 specification is not explicitly mentioning about
+the array size bounds, array sizes in scalability structure
+should be defined as possible maximum sizes that can have.
+
+Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
+public header which is API break but the define is misleading
+and this patch is introducing ABI break already
+
+ZDI-CAN-22300
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
+CVE: CVE-2023-50186
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
+ gst/videoparsers/gstav1parse.c           |  2 +-
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.h b/gst-libs/gst/codecparsers/gstav1parser.h
+index 31f5945..ef6ce9e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.h
++++ b/gst-libs/gst/codecparsers/gstav1parser.h
+@@ -71,9 +71,8 @@ G_BEGIN_DECLS
+ #define GST_AV1_MAX_TILE_COUNT                 512
+ #define GST_AV1_MAX_OPERATING_POINTS    \
+   (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
+-#define GST_AV1_MAX_SPATIAL_LAYERS             2  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE        8  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  8  /* correct? */
++#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE        255
++#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  7
+ #define GST_AV1_MAX_NUM_Y_POINTS               16
+ #define GST_AV1_MAX_NUM_CB_POINTS              16
+ #define GST_AV1_MAX_NUM_CR_POINTS              16
+@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
+   gboolean spatial_layer_dimensions_present_flag;
+   gboolean spatial_layer_description_present_flag;
+   gboolean temporal_group_description_present_flag;
+-  guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
++  guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++  guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++  guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+   guint8 temporal_group_size;
+ 
+   guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
+diff --git a/gst/videoparsers/gstav1parse.c b/gst/videoparsers/gstav1parse.c
+index f127856..ef1bc74 100644
+--- a/gst/videoparsers/gstav1parse.c
++++ b/gst/videoparsers/gstav1parse.c
+@@ -1229,7 +1229,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
+   }
+ 
+   val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
+-  for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
++  for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
+     if (val & (1 << i))
+       self->highest_spatial_id = i;
+   }
+-- 
+2.25.1
+

meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb

@@ -16,6 +16,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://CVE-2023-44429.patch \
            file://CVE-2024-0444.patch \
            file://CVE-2023-44446.patch \
+           file://CVE-2023-50186.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"