From: Hitendra Prajapati Date: Thu, 14 Aug 2025 04:40:00 +0000 (+0530) Subject: gstreamer1.0-plugins-base: fix CVE-2025-47806 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbe8dd2aa6160530b84d3a174f3f8fc14f9fbab5;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git gstreamer1.0-plugins-base: fix CVE-2025-47806 Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch new file mode 100644 index 0000000000..632a5fb38e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch @@ -0,0 +1,50 @@ +From da4380c4df0e00f8d0bad569927bfc7ea35ec37d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 8 May 2025 12:46:40 +0300 +Subject: [PATCH] subparse: Make sure that subrip time string is not too long + before zero-padding + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419 +Fixes CVE-2025-47806 + +Part-of: + +CVE: CVE-2025-47806 +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d] +Signed-off-by: Hitendra Prajapati +--- + gst/subparse/gstsubparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/gst/subparse/gstsubparse.c b/gst/subparse/gstsubparse.c +index 4ea4ec6..035068d 100644 +--- a/gst/subparse/gstsubparse.c ++++ b/gst/subparse/gstsubparse.c +@@ -850,7 +850,7 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t) + g_strdelimit (s, " ", '0'); + g_strdelimit (s, ".", ','); + +- /* make sure we have exactly three digits after he comma */ ++ /* make sure we have exactly three digits after the comma */ + p = strchr (s, ','); + if (p == NULL) { + /* If there isn't a ',' the timestamp is broken */ +@@ -859,6 +859,15 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t) + return FALSE; + } + ++ /* Check if the comma is too far into the string to avoid ++ * stack overflow when zero-padding the sub-second part. ++ * ++ * Allow for 3 digits of hours just in case. */ ++ if ((p - s) > sizeof ("hhh:mm:ss,")) { ++ GST_WARNING ("failed to parse subrip timestamp string '%s'", s); ++ return FALSE; ++ } ++ + ++p; + len = strlen (p); + if (len > 3) { +-- +2.50.1 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb index 44ecdc0b55..bfc6bb65ef 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.22.12.bb @@ -20,6 +20,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0011-discoverer-Don-t-print-channel-layout-for-more-than-.patch \ file://0012-subparse-Check-for-NULL-return-of-strchr-when-parsin.patch \ file://CVE-2025-47808.patch \ + file://CVE-2025-47806.patch \ " SRC_URI[sha256sum] = "73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1"