Fix CVE-2023-37327

CVE-2023-37327.patch

@@ -0,0 +1,54 @@
+From dbbfc917fe616ff3343a03fc8e9533d39777ce6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 13:20:16 +0300
+Subject: [PATCH 1/2] flacparse: Avoid integer overflow in available data check
+ for image tags
+
+If the image length as stored in the file is some bogus integer then
+adding it to the current byte readers position can overflow and wrongly
+have the check for enough available data succeed.
+
+This then later can cause NULL pointer dereferences or out of bounds
+reads/writes when actually reading the image data.
+
+Fixes ZDI-CAN-20775
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2661
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894>
+---
+ .../gst/audioparsers/gstflacparse.c        | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/gst/audioparsers/gstflacparse.c b/gst/audioparsers/gstflacparse.c
+index a53b7ebc776..8ee450c65ac 100644
+--- a/gst/audioparsers/gstflacparse.c
++++ b/gst/audioparsers/gstflacparse.c
+@@ -1111,6 +1111,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+   GstMapInfo map;
+   guint32 img_len = 0, img_type = 0;
+   guint32 img_mimetype_len = 0, img_description_len = 0;
++  const guint8 *img_data;
+ 
+   gst_buffer_map (buffer, &map, GST_MAP_READ);
+   gst_byte_reader_init (&reader, map.data, map.size);
+@@ -1137,7 +1138,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+   if (!gst_byte_reader_get_uint32_be (&reader, &img_len))
+     goto error;
+ 
+-  if (gst_byte_reader_get_pos (&reader) + img_len > map.size)
++  if (!gst_byte_reader_get_data (&reader, img_len, &img_data))
+     goto error;
+ 
+   GST_INFO_OBJECT (flacparse, "Got image of %d bytes", img_len);
+@@ -1146,8 +1147,7 @@ gst_flac_parse_handle_picture (GstFlacParse * flacparse, GstBuffer * buffer)
+     if (flacparse->tags == NULL)
+       flacparse->tags = gst_tag_list_new_empty ();
+ 
+-    gst_tag_list_add_id3_image (flacparse->tags,
+-        map.data + gst_byte_reader_get_pos (&reader), img_len, img_type);
++    gst_tag_list_add_id3_image (flacparse->tags, img_data, img_len, img_type);
+   }
+ 
+   gst_buffer_unmap (buffer, &map);
+-- 
+GitLab

gstreamer1-plugins-good.spec

@@ -3,7 +3,7 @@
 
 Name:		    gstreamer1-plugins-good		
 Version:	    1.16.2
-Release:	    5
+Release:	    6
 Summary:	    GStreamer plugins with good code and licensing
 License:	    LGPLv2+	
 URL:		    http://gstreamer.freedesktop.org/
@@ -20,6 +20,8 @@ Patch6003:          CVE-2022-1921.patch
 Patch0004:          CVE-2022-2122.patch
 #https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
 Patch0005:          CVE-2022-1922_CVE-2022-1923_CVE-2022-1924_CVE-2022-1925.patch
+#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4894.patch
+Patch0006:          CVE-2023-37327.patch
 
 BuildRequires:	gcc gcc-c++ gstreamer1-devel gstreamer1-plugins-base-devel flac-devel
 BuildRequires:  gdk-pixbuf2-devel libjpeg-devel libpng-devel libshout-devel orc-devel
@@ -104,6 +106,9 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %doc %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.16.2-6
+- Fix CVE-2023-37327
+
 * Mon Jun 27 2022 yaoxin <yaoxin30@h-partners.com> - 1.16.2-5
 - Fix CVE-2022-2122 CVE-2022-1920-to-CVE-2022-1925