diff -Nru gst-plugins-bad1.0-1.20.3/debian/changelog gst-plugins-bad1.0-1.20.3/debian/changelog
--- gst-plugins-bad1.0-1.20.3/debian/changelog 2022-06-29 13:50:26.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/changelog 2023-11-28 16:40:39.000000000 +0000
@@ -1,3 +1,35 @@
+gst-plugins-bad1.0 (1.20.3-0ubuntu1.1) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: heap overwrite in PGS subtitle overlay decoder
+ - debian/patches/CVE-2023-37329-1.patch: make sure enough data is
+ allocated for the available data in gst/dvdspu/gstspu-pgs.c.
+ - debian/patches/CVE-2023-37329-2.patch: avoid integer overflow when
+ checking if enough data is available in gst/dvdspu/gstspu-pgs.c.
+ - CVE-2023-37329
+ * SECURITY UPDATE: integer overflow in MXF file handling
+ - debian/patches/CVE-2023-40474.patch: fix integer overflow causing out
+ of bounds writes when handling invalid uncompressed video in
+ gst/mxf/mxfup.c.
+ - CVE-2023-40474
+ * SECURITY UPDATE: integer overflow in MXF file handling
+ - debian/patches/CVE-2023-40475.patch: check number of channels for
+ AES3 audio in gst/mxf/mxfd10.c.
+ - CVE-2023-40475
+ * SECURITY UPDATE: integer overflow in H.265 video parser
+ - debian/patches/CVE-2023-40476.patch: fix possible overflow using
+ max_sub_layers_minus1 in gst-libs/gst/codecparsers/gsth265parser.c.
+ - CVE-2023-40476
+ * SECURITY UPDATE: AV1 codec parser buffer overflow
+ - debian/patches/CVE-2023-44429.patch: clip max tile rows and cols
+ values in gst-libs/gst/codecparsers/gstav1parser.c.
+ - CVE-2023-44429
+ * SECURITY UPDATE: MXF demuxer use-after-free
+ - debian/patches/CVE-2023-44446.patch: store GstMXFDemuxEssenceTrack in
+ their own fixed allocation in gst/mxf/mxfdemux.*.
+ - CVE-2023-44446
+
+ -- Marc Deslauriers Tue, 28 Nov 2023 11:40:39 -0500
+
 gst-plugins-bad1.0 (1.20.3-0ubuntu1) jammy; urgency=medium
 
 * New upstream release (LP: #1980239)
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-1.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-1.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-1.patch 2023-11-28 16:39:19.000000000 +0000
@@ -0,0 +1,34 @@
+From 60226124ec367c2549e4bf1e6174dfb8eca5a63d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 14:23:47 +0300
+Subject: [PATCH] dvdspu: Make sure enough data is allocated for the available
+ data
+
+If the size read from the stream is smaller than the currently available
+data then the size is bogus and the data should simply be discarded.
+
+Fixes ZDI-CAN-20994
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index 6108de07c2e..391bb630f5d 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+ obj->rle_data_size = GST_READ_UINT24_BE (payload);
+ payload += 3;
+
++ if (end - payload > obj->rle_data_size)
++ return 0;
++
+ PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
+ (int) (end - payload), obj->rle_data_size);
+
+--
+GitLab
+
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-2.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-2.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-37329-2.patch 2023-11-28 16:39:23.000000000 +0000
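Review bot: In parse_set_object_data (gst/dvdspu/gstspu-pgs.c) the new `return 0;` leaves `obj->rle_data_size` already overwritten with the value that was just judged bogus, because the assignment comes before the check. If the RLE buffer is only (re)allocated further down, which is an assumption since the function body continues outside this hunk, the stored size and the real allocation can disagree on this path while later chunks are bounded by `rle_data_size`. I would read the value into a local and commit it to `obj` only once it has passed validation, or clear the state on rejection with `obj->rle_data_size = obj->rle_data_used = 0;` before the `return 0;`.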
@@ -0,0 +1,28 @@
+From 5f3cf0a7d7ae7ab883d0611e85c06354f1e94907 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 14:25:04 +0300
+Subject: [PATCH] dvdspu: Avoid integer overflow when checking if enough data
+ is available
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index 391bb630f5d..df0b8e2cbe6 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+ PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
+ /* Check that the data chunk is for this object version, and fits in the buffer */
+ if (obj->rle_data_ver == obj_ver &&
+- obj->rle_data_used + end - payload <= obj->rle_data_size) {
++ end - payload <= obj->rle_data_size &&
++ obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
+
+ memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
+ obj->rle_data_used += end - payload;
+--
+GitLab
+
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40474.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40474.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40474.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40474.patch 2023-11-28 16:39:30.000000000 +0000
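Review bot: The rewritten condition in parse_set_object_data (gst/dvdspu/gstspu-pgs.c) evaluates `end - payload` as a signed pointer difference in four places: twice in the check, once in the `memcpy` and once in the `+=`. Each time it is compared with or subtracted from the size fields, whose types are declared outside this hunk. Hoisting it into one unsigned local, `gsize chunk_len = end - payload;`, and testing `chunk_len <= obj->rle_data_size && obj->rle_data_used <= obj->rle_data_size - chunk_len` would make the no-wraparound argument readable and guarantee the bound and the copy length are the same value. The existing comment could also say why the subtraction form is used, namely that the sum `rle_data_used + chunk_len` is the expression that could wrap.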
@@ -0,0 +1,114 @@
+From f73fc41f2ca6a0cd4e883aee64bf8e1c15ff68ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
+ when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
+index d8b6664dab6..ba86255f205 100644
+--- a/gst/mxf/mxfup.c
++++ b/gst/mxf/mxfup.c
+@@ -134,6 +134,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ gpointer mapping_data, GstBuffer ** outbuf)
+ {
+ MXFUPMappingData *data = mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
+
+ /* SMPTE 384M 7.1 */
+ if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -162,22 +164,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ }
+ }
+
+- if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++ // Checked for overflows when parsing the descriptor
++ expected_in_stride = data->bpp * data->width;
++ out_stride = GST_ROUND_UP_4 (expected_in_stride);
++ expected_in_size = expected_in_stride * data->height;
++ out_size = out_stride * data->height;
++
++ if (gst_buffer_get_size (buffer) != expected_in_size) {
+ GST_ERROR ("Invalid buffer size");
+ gst_buffer_unref (buffer);
+ return GST_FLOW_ERROR;
+ }
+
+- if (data->bpp != 4
+- || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++ if (data->bpp != 4 || out_stride != expected_in_stride) {
+ guint y;
+ GstBuffer *ret;
+ GstMapInfo inmap, outmap;
+ guint8 *indata, *outdata;
+
+- ret =
+- gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+- data->height);
++ ret = gst_buffer_new_and_alloc (out_size);
+ gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+ gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+ indata = inmap.data;
+@@ -185,8 +190,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+
+ for (y = 0; y < data->height; y++) {
+ memcpy (outdata, indata, data->width * data->bpp);
+- outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+- indata += data->width * data->bpp;
++ outdata += out_stride;
++ indata += expected_in_stride;
+ }
+
+ gst_buffer_unmap (buffer, &inmap);
+@@ -394,6 +399,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+ return NULL;
+ }
+
++ if (caps) {
++ MXFUPMappingData *data = *mapping_data;
++ gsize expected_in_stride = 0, out_stride = 0;
++ gsize expected_in_size = 0, out_size = 0;
++
++ // Do some checking of the parameters to see if they're valid and
++ // we can actually work with them.
++ if (data->image_start_offset > data->image_end_offset) {
++ GST_WARNING ("Invalid image start/end offset");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++
++ if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++ (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++ || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++ data->height)
++ || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++ GST_ERROR ("Invalid resolution or bit depth");
++ g_free (data);
++ *mapping_data = NULL;
++ gst_clear_caps (&caps);
++
++ return NULL;
++ }
++ }
++
+ return caps;
+ }
+
+--
+GitLab
+
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40475.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40475.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40475.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40475.patch 2023-11-28 16:39:34.000000000 +0000
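Review bot: In mxf_up_handle_essence_element (gst/mxf/mxfup.c) the comment `// Checked for overflows when parsing the descriptor` only holds if the multiplication there is carried out in the same width as the `g_size_checked_mul` calls added to mxf_up_create_caps. `expected_in_stride = data->bpp * data->width;` multiplies in the operands' own type before widening to `gsize`; the field types are declared outside this diff, but if they are 32-bit the product can wrap on 64-bit builds for values the descriptor check accepted. Writing `expected_in_stride = (gsize) data->bpp * data->width;` and passing `expected_in_stride` as the length in the unchanged `memcpy (outdata, indata, data->width * data->bpp);` would keep every size derived from the one validated value. Both functions extend beyond the hunks shown.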
@@ -0,0 +1,45 @@
+From 1edd1c38dcc5d27e7c5649d999ee8278872a16d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of:
+---
+ subprojects/gst-plugins-bad/gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
+index 66c071372ab..060d5a02dea 100644
+--- a/gst/mxf/mxfd10.c
++++ b/gst/mxf/mxfd10.c
+@@ -119,7 +119,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ gst_buffer_map (buffer, &map, GST_MAP_READ);
+
+ /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+- if ((map.size - 4) % 32 != 0) {
++ if (map.size < 4 || (map.size - 4) % 32 != 0) {
+ gst_buffer_unmap (buffer, &map);
+ GST_ERROR ("Invalid D10 sound essence buffer size");
+ return GST_FLOW_ERROR;
+@@ -219,6 +219,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+ GstAudioFormat audio_format;
+
+ if (s->channel_count == 0 ||
++ s->channel_count > 8 ||
+ s->quantization_bits == 0 ||
+ s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+ GST_ERROR ("Invalid descriptor");
+--
+GitLab
+
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40476.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40476.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40476.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-40476.patch 2023-11-28 16:39:48.000000000 +0000
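Review bot: The new bound in mxf_d10_create_caps (gst/mxf/mxfd10.c), `s->channel_count > 8 ||`, is a bare literal whose reason appears only in the commit message, while the code that depends on it is presumably the copy in mxf_d10_sound_handle_essence_element. A comment at the check such as `/* AES3 (SMPTE 331M): at most 8 channels; the essence handler relies on this bound */`, or a named constant used by both functions, would keep a later edit from loosening one side only. The same applies to the added `map.size < 4` guard, where the literals 4 and 32 are unexplained. Both functions continue outside the hunks shown.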
@@ -0,0 +1,36 @@
+From fddda166222a067d0e511950a0a8cfb9f5a521b7 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of:
+---
+ .../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nal
+
+ READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+ READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+
+ /* skip reserved_0xffff_16bits */
+@@ -1848,6 +1849,7 @@ gst_h265_parse_sps (GstH265Parser * pars
+ sps->vps = vps;
+
+ READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+ READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+
+ if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44429.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44429.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44429.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44429.patch 2023-11-28 16:40:22.000000000 +0000
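Review bot: The two `CHECK_ALLOWED (…->max_sub_layers_minus1, 0, 6);` lines in gst-libs/gst/codecparsers/gsth265parser.c guard the VPS and SPS readers, but the code that consumes the value is not protected on its own. In gst_h265_parse_sps the following call to `gst_h265_parse_profile_tier_level (…)` is cut off by the hunk; if it receives this value as a count, an equivalent range check at its entry would also cover any other caller. A short comment at each check, for example `/* 3-bit field, but only 0..6 is allowed */`, would record why a value that fits the field is still rejected.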
@@ -0,0 +1,27 @@
+From b76a801f57353b893c344025cac56413140fca6d Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard
+Date: Wed, 4 Oct 2023 11:14:38 +0200
+Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
+
+Clip tile rows and cols to 64 as describe in AV1 specification.
+
+Fixes ZDI-CAN-22226 / CVE-2023-44429
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
+
+Part-of:
+---
+ .../gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
++++ b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -2219,6 +2219,8 @@ gst_av1_parse_tile_info (GstAV1Parser *
+ ((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
+ sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
+ 31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
++ sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
++ sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
+ sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
+ sb_size = sb_shift + 2;
+ max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44446.patch gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44446.patch
--- gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44446.patch 1970-01-01 00:00:00.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/CVE-2023-44446.patch 2023-11-28 16:40:29.000000000 +0000
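Review bot: In gst_av1_parse_tile_info (gst-libs/gst/codecparsers/gstav1parser.c) the clamp is applied to `sb_cols` and `sb_rows`, which the preceding lines compute as superblock counts from `mi_cols`/`mi_rows`, whereas `GST_AV1_MAX_TILE_COLS` and `GST_AV1_MAX_TILE_ROWS` read as limits on the number of tiles. If that is what the constants mean, a frame spanning more superblocks than the limit is silently parsed with truncated geometry instead of being rejected. It may be safer to leave the superblock counts intact and bound the tile index where the tile start arrays are filled, returning a bitstream error when the limit is exceeded; that code lies outside this hunk. At minimum, a comment stating which quantity the specification limits would help the next reader.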
@@ -0,0 +1,316 @@
+From 7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Fri, 20 Oct 2023 00:09:57 +0300
+Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
+ allocation
+
+Previously they were stored inline inside a GArray, but as references to
+the tracks were stored in various other places although the array could
+still be updated (and reallocated!), this could lead to dangling
+references in various places.
+
+Instead now store them in a GPtrArray in their own allocation so each
+track's memory position stays fixed.
+
+Fixes ZDI-CAN-22299
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
+
+Part-of:
+---
+ .../gst-plugins-bad/gst/mxf/mxfdemux.c | 116 ++++++++----------
+ .../gst-plugins-bad/gst/mxf/mxfdemux.h | 2 +-
+ 2 files changed, 50 insertions(+), 68 deletions(-)
+
+--- a/gst/mxf/mxfdemux.c
++++ b/gst/mxf/mxfdemux.c
+@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemu
+ }
+
+ static void
+-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
+ {
+- guint i;
++ if (t->offsets)
++ g_array_free (t->offsets, TRUE);
++
++ g_free (t->mapping_data);
++
++ if (t->tags)
++ gst_tag_list_unref (t->tags);
++
++ if (t->caps)
++ gst_caps_unref (t->caps);
++
++ g_free (t);
++}
+
++static void
++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++{
+ GST_DEBUG_OBJECT (demux, "Resetting MXF state");
+
+ g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
+@@ -182,23 +197,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDem
+ demux->partitions = NULL;
+
+ demux->current_partition = NULL;
+-
+- for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+-
+- if (t->offsets)
+- g_array_free (t->offsets, TRUE);
+-
+- g_free (t->mapping_data);
+-
+- if (t->tags)
+- gst_tag_list_unref (t->tags);
+-
+- if (t->caps)
+- gst_caps_unref (t->caps);
+- }
+- g_array_set_size (demux->essence_tracks, 0);
++ g_ptr_array_set_size (demux->essence_tracks, 0);
+ }
+
+ static void
+@@ -216,7 +215,7 @@ gst_mxf_demux_reset_linked_metadata (Gst
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ track->source_package = NULL;
+ track->delta_id = -1;
+@@ -419,7 +418,7 @@ gst_mxf_demux_partition_postcheck (GstMX
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *cand =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (cand->body_sid != partition->partition.body_sid)
+ continue;
+@@ -866,8 +865,7 @@ gst_mxf_demux_update_essence_tracks (Gst
+
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- k);
++ g_ptr_array_index (demux->essence_tracks, k);
+
+ if (tmp->track_number == track->parent.track_number &&
+ tmp->body_sid == edata->body_sid) {
+@@ -885,24 +883,23 @@ gst_mxf_demux_update_essence_tracks (Gst
+ }
+
+ if (!etrack) {
+- GstMXFDemuxEssenceTrack tmp;
++ GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
+
+- memset (&tmp, 0, sizeof (tmp));
+- tmp.body_sid = edata->body_sid;
+- tmp.index_sid = edata->index_sid;
+- tmp.track_number = track->parent.track_number;
+- tmp.track_id = track->parent.track_id;
+- memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
++ tmp->body_sid = edata->body_sid;
++ tmp->index_sid = edata->index_sid;
++ tmp->track_number = track->parent.track_number;
++ tmp->track_id = track->parent.track_id;
++ memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
+
+ if (demux->current_partition->partition.body_sid == edata->body_sid &&
+ demux->current_partition->partition.body_offset == 0)
+- tmp.position = 0;
++ tmp->position = 0;
+ else
+- tmp.position = -1;
++ tmp->position = -1;
+
+- g_array_append_val (demux->essence_tracks, tmp);
++ g_ptr_array_add (demux->essence_tracks, tmp);
+ etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
++ g_ptr_array_index (demux->essence_tracks,
+ demux->essence_tracks->len - 1);
+ new = TRUE;
+ }
+@@ -1050,13 +1047,7 @@ gst_mxf_demux_update_essence_tracks (Gst
+
+ next:
+ if (new) {
+- g_free (etrack->mapping_data);
+- if (etrack->tags)
+- gst_tag_list_unref (etrack->tags);
+- if (etrack->caps)
+- gst_caps_unref (etrack->caps);
+-
+- g_array_remove_index (demux->essence_tracks,
++ g_ptr_array_remove_index (demux->essence_tracks,
+ demux->essence_tracks->len - 1);
+ }
+ }
+@@ -1069,7 +1060,7 @@ gst_mxf_demux_update_essence_tracks (Gst
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
+ GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
+@@ -1438,7 +1429,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux
+
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++ g_ptr_array_index (demux->essence_tracks, k);
+
+ if (tmp->source_package == source_package &&
+ tmp->source_track == source_track) {
+@@ -1927,8 +1918,7 @@ gst_mxf_demux_pad_set_component (GstMXFD
+ pad->current_essence_track = NULL;
+
+ for (k = 0; k < demux->essence_tracks->len; k++) {
+- GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++ GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
+
+ if (tmp->source_package == source_package &&
+ tmp->source_track == source_track) {
+@@ -2712,7 +2702,7 @@ gst_mxf_demux_handle_generic_container_e
+ if (!etrack) {
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *tmp =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (tmp->body_sid == demux->current_partition->partition.body_sid &&
+ (tmp->track_number == track_number || tmp->track_number == 0)) {
+@@ -3933,8 +3923,7 @@ from_track_offset:
+ gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+
+ if (index_start_position != -1 && t == etrack)
+ t->position = index_start_position;
+@@ -3958,8 +3947,7 @@ from_track_offset:
+ /* Handle EOS */
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (t->position > 0)
+ t->duration = t->position;
+@@ -4197,8 +4185,7 @@ gst_mxf_demux_pull_and_handle_klv_packet
+ guint i;
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (etrack->body_sid != partition->partition.body_sid)
+ continue;
+@@ -4669,9 +4656,8 @@ gst_mxf_demux_pad_to_track_and_position
+ /* Get the corresponding essence track for the given source package and stream id */
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+- GST_LOG_OBJECT (pad,
+- "Looking at essence track body_sid:%d index_sid:%d",
++ g_ptr_array_index (demux->essence_tracks, i);
++ GST_LOG_OBJECT (pad, "Looking at essence track body_sid:%d index_sid:%d",
+ track->body_sid, track->index_sid);
+ if (clip->source_track_id == 0 || (track->track_id == clip->source_track_id
+ && mxf_umid_is_equal (&clip->source_package_id,
+@@ -4920,8 +4906,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * d
+ }
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+
+@@ -5359,8 +5344,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * d
+ }
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+- GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+
+@@ -5659,7 +5643,7 @@ gst_mxf_demux_sink_event (GstPad * pad,
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++ g_ptr_array_index (demux->essence_tracks, i);
+
+ if (t->position > 0)
+ t->duration = t->position;
+@@ -5700,8 +5684,7 @@ gst_mxf_demux_sink_event (GstPad * pad,
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *etrack =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ etrack->position = -1;
+ }
+ ret = TRUE;
+@@ -5725,8 +5708,7 @@ gst_mxf_demux_sink_event (GstPad * pad,
+
+ for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *t =
+- &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+- i);
++ g_ptr_array_index (demux->essence_tracks, i);
+ t->position = -1;
+ }
+ demux->current_partition = NULL;
+@@ -5999,7 +5981,7 @@ gst_mxf_demux_finalize (GObject * object
+
+ g_ptr_array_free (demux->src, TRUE);
+ demux->src = NULL;
+- g_array_free (demux->essence_tracks, TRUE);
++ g_ptr_array_free (demux->essence_tracks, TRUE);
+ demux->essence_tracks = NULL;
+
+ g_hash_table_destroy (demux->metadata);
+@@ -6076,8 +6058,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
+ g_rw_lock_init (&demux->metadata_lock);
+
+ demux->src = g_ptr_array_new ();
+- demux->essence_tracks =
+- g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
++ demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
++ gst_mxf_demux_essence_track_free);
+
+ gst_segment_init (&demux->segment, GST_FORMAT_TIME);
+
+--- a/gst/mxf/mxfdemux.h
++++ b/gst/mxf/mxfdemux.h
+@@ -266,7 +266,7 @@ struct _GstMXFDemux
+ GList *partitions;
+ GstMXFDemuxPartition *current_partition;
+
+- GArray *essence_tracks;
++ GPtrArray *essence_tracks;
+
+ GList *pending_index_table_segments;
+ GList *index_tables; /* one per BodySID / IndexSID */
diff -Nru gst-plugins-bad1.0-1.20.3/debian/patches/series gst-plugins-bad1.0-1.20.3/debian/patches/series
--- gst-plugins-bad1.0-1.20.3/debian/patches/series 2022-06-29 13:50:26.000000000 +0000
+++ gst-plugins-bad1.0-1.20.3/debian/patches/series 2023-11-28 16:40:26.000000000 +0000
@@ -1,3 +1,10 @@
 02_opencv-data-path.patch
 pcfile-requires-plugins-good
 Skip-failing-tests.patch
+CVE-2023-37329-1.patch
+CVE-2023-37329-2.patch
+CVE-2023-40474.patch
+CVE-2023-40475.patch
+CVE-2023-40476.patch
+CVE-2023-44429.patch
+CVE-2023-44446.patch
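Review bot: Giving each GstMXFDemuxEssenceTrack its own allocation in gst/mxf/mxfdemux.c keeps pointers valid while the array grows, but the free func now also releases a track whenever its entry is removed: `g_ptr_array_set_size (demux->essence_tracks, 0);` in gst_mxf_demux_reset_mxf_state and `g_ptr_array_remove_index (…)` under `next:`. Holders such as `pad->current_essence_track`, visible in gst_mxf_demux_pad_set_component, would still dangle after those calls unless they are cleared elsewhere, which these hunks do not show. I would state the ownership rule in a comment on gst_mxf_demux_essence_track_free and on the `GPtrArray *essence_tracks;` field, and confirm that every removal path resets outstanding pointers first. Minor: after `g_ptr_array_add (demux->essence_tracks, tmp);` the index lookup can simply be `etrack = tmp;`.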