!36 Fix CVE-2023-44446,CVE-2023-37329

From: @wk333 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang

Adapt-to-backwards-incompatible-change-in-GNU-Make-4.3.patch

@@ -0,0 +1,13 @@
+diff -Naur gst-plugins-bad-1.14.4/common/gst-glib-gen.mak gst-plugins-bad-1.14.4-fix/common/gst-glib-gen.mak
+--- gst-plugins-bad-1.14.4/common/gst-glib-gen.mak	2018-03-24 04:45:17.000000000 +0800
++++ gst-plugins-bad-1.14.4-fix/common/gst-glib-gen.mak	2020-08-01 18:28:15.096308635 +0800
+@@ -8,7 +8,8 @@
+ #glib_gen_decl_banner=GST_EXPORT
+ #glib_gen_decl_include=\#include <gst/foo/foo-prelude.h>
+ 
+-enum_headers=$(foreach h,$(glib_enum_headers),\n\#include \"$(h)\")
++hash:=\#
++enum_headers=$(foreach h,$(glib_enum_headers),\n$(hash)include \"$(h)\")
+ 
+ # these are all the rules generating the relevant files
+ $(glib_gen_basename)-marshal.h: $(glib_gen_basename)-marshal.list

CVE-2021-3185.patch

@@ -0,0 +1,39 @@
+From 11353b3f6e2f047cc37483d21e6a37ae558896bc Mon Sep 17 00:00:00 2001
+From: Andrew Wesie <andrew@theori.io>
+Date: Fri, 16 Oct 2020 12:29:02 +0100
+Subject: [PATCH] codecparsers: h264parser: guard against ref_pic_markings
+ overflow
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1703>
+---
+ gst-libs/gst/codecparsers/gsth264parser.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
+index 1c40b6517c..012f1d0d73 100644
+--- a/gst-libs/gst/codecparsers/gsth264parser.c
++++ b/gst-libs/gst/codecparsers/gsth264parser.c
+@@ -723,13 +723,17 @@ gst_h264_slice_parse_dec_ref_pic_marking (GstH264SliceHdr * slice,
+ 
+       dec_ref_pic_m->n_ref_pic_marking = 0;
+       while (1) {
+-        refpicmarking =
+-            &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
+-
+         READ_UE (nr, mem_mgmt_ctrl_op);
+         if (mem_mgmt_ctrl_op == 0)
+           break;
+ 
++        if (dec_ref_pic_m->n_ref_pic_marking >=
++            G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking))
++          goto error;
++
++        refpicmarking =
++            &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
++
+         refpicmarking->memory_management_control_operation = mem_mgmt_ctrl_op;
+ 
+         if (mem_mgmt_ctrl_op == 1 || mem_mgmt_ctrl_op == 3)
+-- 
+GitLab
+

CVE-2023-37329.patch

@@ -0,0 +1,63 @@
+From 7ed446dca9454dd66a0180823f57a34bc01845a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 14:23:47 +0300
+Subject: [PATCH 1/2] dvdspu: Make sure enough data is allocated for the
+ available data
+
+If the size read from the stream is smaller than the currently available
+data then the size is bogus and the data should simply be discarded.
+
+Fixes ZDI-CAN-20994
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
+---
+ gst/dvdspu/gstspu-pgs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index e609a284df9..e29f4f18826 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+     obj->rle_data_size = GST_READ_UINT24_BE (payload);
+     payload += 3;
+ 
++    if (end - payload > obj->rle_data_size)
++      return 0;
++
+     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
+         (int) (end - payload), obj->rle_data_size);
+ 
+-- 
+GitLab
+
+
+From 0dabf0eb00723a26b88e13dcb3030744e84569da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 13 Jun 2023 14:25:04 +0300
+Subject: [PATCH 2/2] dvdspu: Avoid integer overflow when checking if enough
+ data is available
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896>
+---
+ subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/dvdspu/gstspu-pgs.c b/gst/dvdspu/gstspu-pgs.c
+index e29f4f18826..49db6d13d8b 100644
+--- a/gst/dvdspu/gstspu-pgs.c
++++ b/gst/dvdspu/gstspu-pgs.c
+@@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
+     PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
+     /* Check that the data chunk is for this object version, and fits in the buffer */
+     if (obj->rle_data_ver == obj_ver &&
+-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
++        end - payload <= obj->rle_data_size &&
++        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
+ 
+       memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
+       obj->rle_data_used += end - payload;
+-- 
+GitLab
+

CVE-2023-40474.patch

@@ -0,0 +1,114 @@
+From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
+ when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
+---
+ gst/mxf/mxfup.c | 51 +++++++++++++++++----
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
+index d72ed22cb7a..0c0178c1c9e 100644
+--- a/gst/mxf/mxfup.c
++++ b/gst/mxf/mxfup.c
+@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     gpointer mapping_data, GstBuffer ** outbuf)
+ {
+   MXFUPMappingData *data = mapping_data;
++  gsize expected_in_stride = 0, out_stride = 0;
++  gsize expected_in_size = 0, out_size = 0;
+ 
+   /* SMPTE 384M 7.1 */
+   if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+     }
+   }
+ 
+-  if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) {
++  // Checked for overflows when parsing the descriptor
++  expected_in_stride = data->bpp * data->width;
++  out_stride = GST_ROUND_UP_4 (expected_in_stride);
++  expected_in_size = expected_in_stride * data->height;
++  out_size = out_stride * data->height;
++
++  if (gst_buffer_get_size (buffer) != expected_in_size) {
+     GST_ERROR ("Invalid buffer size");
+     gst_buffer_unref (buffer);
+     return GST_FLOW_ERROR;
+   }
+ 
+-  if (data->bpp != 4
+-      || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) {
++  if (data->bpp != 4 || out_stride != expected_in_stride) {
+     guint y;
+     GstBuffer *ret;
+     GstMapInfo inmap, outmap;
+     guint8 *indata, *outdata;
+ 
+-    ret =
+-        gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+-        data->height);
++    ret = gst_buffer_new_and_alloc (out_size);
+     gst_buffer_map (buffer, &inmap, GST_MAP_READ);
+     gst_buffer_map (ret, &outmap, GST_MAP_WRITE);
+     indata = inmap.data;
+@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+ 
+     for (y = 0; y < data->height; y++) {
+       memcpy (outdata, indata, data->width * data->bpp);
+-      outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+-      indata += data->width * data->bpp;
++      outdata += out_stride;
++      indata += expected_in_stride;
+     }
+ 
+     gst_buffer_unmap (buffer, &inmap);
+@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+     return NULL;
+   }
+ 
++  if (caps) {
++    MXFUPMappingData *data = *mapping_data;
++    gsize expected_in_stride = 0, out_stride = 0;
++    gsize expected_in_size = 0, out_size = 0;
++
++    // Do some checking of the parameters to see if they're valid and
++    // we can actually work with them.
++    if (data->image_start_offset > data->image_end_offset) {
++      GST_WARNING ("Invalid image start/end offset");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++
++    if (!g_size_checked_mul (&expected_in_stride, data->bpp, data->width) ||
++        (out_stride = GST_ROUND_UP_4 (expected_in_stride)) < expected_in_stride
++        || !g_size_checked_mul (&expected_in_size, expected_in_stride,
++            data->height)
++        || !g_size_checked_mul (&out_size, out_stride, data->height)) {
++      GST_ERROR ("Invalid resolution or bit depth");
++      g_free (data);
++      *mapping_data = NULL;
++      gst_clear_caps (&caps);
++
++      return NULL;
++    }
++  }
++
+   return caps;
+ }
+ 
+-- 
+GitLab
+

CVE-2023-40475.patch

@@ -0,0 +1,45 @@
+From 72742dee30cce7bf909639f82de119871566ce39 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5362>
+---
+ gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
+index 03854d93039..0ad0d2d283e 100644
+--- a/gst/mxf/mxfd10.c
++++ b/gst/mxf/mxfd10.c
+@@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, GstBuffer * buffer,
+   gst_buffer_map (buffer, &map, GST_MAP_READ);
+ 
+   /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+-  if ((map.size - 4) % 32 != 0) {
++  if (map.size < 4 || (map.size - 4) % 32 != 0) {
+     gst_buffer_unmap (buffer, &map);
+     GST_ERROR ("Invalid D10 sound essence buffer size");
+     return GST_FLOW_ERROR;
+@@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, GstTagList ** tags,
+     GstAudioFormat audio_format;
+ 
+     if (s->channel_count == 0 ||
++        s->channel_count > 8 ||
+         s->quantization_bits == 0 ||
+         s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+       GST_ERROR ("Invalid descriptor");
+-- 
+GitLab
+

CVE-2023-40476.patch

@@ -0,0 +1,41 @@
+From ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 16fce00..2e8ef18 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1490,6 +1490,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+ 
+   READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+   READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+ 
+   /* skip reserved_0xffff_16bits */
+@@ -1669,6 +1670,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+   sps->vps = vps;
+ 
+   READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+ 
+   if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
+-- 
+2.30.0
+

CVE-2023-44446.patch

@@ -0,0 +1,305 @@
+From 2c92454ec06ce2c17aceceb14b1db006410791a7 Mon Sep 17 00:00:00 2001
+From: peijiankang <peijiankang@kylinos.cn>
+Date: Mon, 20 Nov 2023 16:25:54 +0800
+Subject: [PATCH] CVE-2023-44446
+
+---
+ gst/mxf/mxfdemux.c | 112 +++++++++++++++++++--------------------------
+ gst/mxf/mxfdemux.h |   2 +-
+ 2 files changed, 49 insertions(+), 65 deletions(-)
+
+diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
+index f6e5ac0..6dd0acb 100644
+--- a/gst/mxf/mxfdemux.c
++++ b/gst/mxf/mxfdemux.c
+@@ -154,10 +154,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * partition)
+ }
+ 
+ static void
+-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
+ {
+-  guint i;
++  if (t->offsets)
++    g_array_free (t->offsets, TRUE);
++
++  g_free (t->mapping_data);
++
++  if (t->tags)
++    gst_tag_list_unref (t->tags);
++
++  if (t->caps)
++    gst_caps_unref (t->caps);
++
++  g_free (t);
++}
+ 
++static void
++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++{
+   GST_DEBUG_OBJECT (demux, "Resetting MXF state");
+ 
+   g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
+@@ -166,23 +181,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+   demux->partitions = NULL;
+ 
+   demux->current_partition = NULL;
+-
+-  for (i = 0; i < demux->essence_tracks->len; i++) {
+-    GstMXFDemuxEssenceTrack *t =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+-
+-    if (t->offsets)
+-      g_array_free (t->offsets, TRUE);
+-
+-    g_free (t->mapping_data);
+-
+-    if (t->tags)
+-      gst_tag_list_unref (t->tags);
+-
+-    if (t->caps)
+-      gst_caps_unref (t->caps);
+-  }
+-  g_array_set_size (demux->essence_tracks, 0);
++  g_ptr_array_set_size (demux->essence_tracks, 0);
+ }
+ 
+ static void
+@@ -200,7 +199,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
+ 
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+     GstMXFDemuxEssenceTrack *track =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++        g_ptr_array_index (demux->essence_tracks, i);
+ 
+     track->source_package = NULL;
+     track->source_track = NULL;
+@@ -713,8 +712,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+       for (k = 0; k < demux->essence_tracks->len; k++) {
+         GstMXFDemuxEssenceTrack *tmp =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-            k);
++            g_ptr_array_index (demux->essence_tracks, k);
+ 
+         if (tmp->track_number == track->parent.track_number &&
+             tmp->body_sid == edata->body_sid) {
+@@ -732,24 +730,23 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+       }
+ 
+       if (!etrack) {
+-        GstMXFDemuxEssenceTrack tmp;
++        GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
+ 
+-        memset (&tmp, 0, sizeof (tmp));
+-        tmp.body_sid = edata->body_sid;
+-        tmp.index_sid = edata->index_sid;
+-        tmp.track_number = track->parent.track_number;
+-        tmp.track_id = track->parent.track_id;
+-        memcpy (&tmp.source_package_uid, &package->parent.package_uid, 32);
++        tmp->body_sid = edata->body_sid;
++        tmp->index_sid = edata->index_sid;
++        tmp->track_number = track->parent.track_number;
++        tmp->track_id = track->parent.track_id;
++        memcpy (&tmp->source_package_uid, &package->parent.package_uid, 32);
+ 
+         if (demux->current_partition->partition.body_sid == edata->body_sid &&
+             demux->current_partition->partition.body_offset == 0)
+-          tmp.position = 0;
++          tmp->position = 0;
+         else
+-          tmp.position = -1;
++          tmp->position = -1;
+ 
+-        g_array_append_val (demux->essence_tracks, tmp);
++        g_ptr_array_add (demux->essence_tracks, tmp);
+         etrack =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
++            g_ptr_array_index (demux->essence_tracks,
+             demux->essence_tracks->len - 1);
+         new = TRUE;
+       }
+@@ -876,13 +873,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+     next:
+       if (new) {
+-        g_free (etrack->mapping_data);
+-        if (etrack->tags)
+-          gst_tag_list_unref (etrack->tags);
+-        if (etrack->caps)
+-          gst_caps_unref (etrack->caps);
+-
+-        g_array_remove_index (demux->essence_tracks,
++        g_ptr_array_remove_index (demux->essence_tracks,
+             demux->essence_tracks->len - 1);
+       }
+     }
+@@ -895,7 +886,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+ 
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+     GstMXFDemuxEssenceTrack *etrack =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++        g_ptr_array_index (demux->essence_tracks, i);
+ 
+     if (!etrack->source_package || !etrack->source_track || !etrack->caps) {
+       GST_ERROR_OBJECT (demux, "Failed to update essence track %u", i);
+@@ -1117,7 +1108,7 @@ gst_mxf_demux_update_tracks (GstMXFDemux * demux)
+ 
+     for (k = 0; k < demux->essence_tracks->len; k++) {
+       GstMXFDemuxEssenceTrack *tmp =
+-          &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++          g_ptr_array_index (demux->essence_tracks, k);
+ 
+       if (tmp->source_package == source_package &&
+           tmp->source_track == source_track) {
+@@ -1598,8 +1589,7 @@ gst_mxf_demux_pad_set_component (GstMXFDemux * demux, GstMXFDemuxPad * pad,
+   pad->current_essence_track = NULL;
+ 
+   for (k = 0; k < demux->essence_tracks->len; k++) {
+-    GstMXFDemuxEssenceTrack *tmp =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, k);
++    GstMXFDemuxEssenceTrack *tmp = g_ptr_array_index (demux->essence_tracks, k);
+ 
+     if (tmp->source_package == source_package &&
+         tmp->source_track == source_track) {
+@@ -1731,7 +1721,7 @@ gst_mxf_demux_handle_generic_container_essence_element (GstMXFDemux * demux,
+ 
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+     GstMXFDemuxEssenceTrack *tmp =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++        g_ptr_array_index (demux->essence_tracks, i);
+ 
+     if (tmp->body_sid == demux->current_partition->partition.body_sid &&
+         (tmp->track_number == track_number || tmp->track_number == 0)) {
+@@ -2656,7 +2646,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
+ 
+       for (i = 0; i < demux->essence_tracks->len; i++) {
+         GstMXFDemuxEssenceTrack *etrack =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++            g_ptr_array_index (demux->essence_tracks, i);
+ 
+         if (etrack->body_sid != demux->current_partition->partition.body_sid)
+           continue;
+@@ -2719,7 +2709,7 @@ gst_mxf_demux_handle_klv_packet (GstMXFDemux * demux, const MXFUL * key,
+       guint i;
+       for (i = 0; i < demux->essence_tracks->len; i++) {
+         GstMXFDemuxEssenceTrack *etrack =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++            g_ptr_array_index (demux->essence_tracks, i);
+ 
+         if (etrack->body_sid != demux->current_partition->partition.body_sid)
+           continue;
+@@ -2913,8 +2903,7 @@ from_index:
+     gst_mxf_demux_set_partition_for_offset (demux, demux->offset);
+ 
+     for (i = 0; i < demux->essence_tracks->len; i++) {
+-      GstMXFDemuxEssenceTrack *t =
+-          &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++      GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+ 
+       if (index_start_position != -1 && t == etrack)
+         t->position = index_start_position;
+@@ -2937,8 +2926,7 @@ from_index:
+       if (ret == GST_FLOW_EOS) {
+         for (i = 0; i < demux->essence_tracks->len; i++) {
+           GstMXFDemuxEssenceTrack *t =
+-              &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-              i);
++              g_ptr_array_index (demux->essence_tracks, i);
+ 
+           if (t->position > 0)
+             t->duration = t->position;
+@@ -3020,7 +3008,7 @@ gst_mxf_demux_pull_and_handle_klv_packet (GstMXFDemux * demux)
+ 
+     for (i = 0; i < demux->essence_tracks->len; i++) {
+       GstMXFDemuxEssenceTrack *t =
+-          &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++          g_ptr_array_index (demux->essence_tracks, i);
+ 
+       if (t->position > 0)
+         t->duration = t->position;
+@@ -3627,8 +3615,7 @@ gst_mxf_demux_seek_push (GstMXFDemux * demux, GstEvent * event)
+   }
+ 
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+-    GstMXFDemuxEssenceTrack *t =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++    GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+     t->position = -1;
+   }
+ 
+@@ -4001,8 +3988,7 @@ gst_mxf_demux_seek_pull (GstMXFDemux * demux, GstEvent * event)
+   }
+ 
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+-    GstMXFDemuxEssenceTrack *t =
+-        &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++    GstMXFDemuxEssenceTrack *t = g_ptr_array_index (demux->essence_tracks, i);
+     t->position = -1;
+   }
+ 
+@@ -4284,7 +4270,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+       for (i = 0; i < demux->essence_tracks->len; i++) {
+         GstMXFDemuxEssenceTrack *t =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++            g_ptr_array_index (demux->essence_tracks, i);
+ 
+         if (t->position > 0)
+           t->duration = t->position;
+@@ -4325,8 +4311,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+           for (i = 0; i < demux->essence_tracks->len; i++) {
+             GstMXFDemuxEssenceTrack *etrack =
+-                &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-                i);
++                g_ptr_array_index (demux->essence_tracks, i);
+             etrack->position = -1;
+           }
+           ret = TRUE;
+@@ -4350,8 +4335,7 @@ gst_mxf_demux_sink_event (GstPad * pad, GstObject * parent, GstEvent * event)
+ 
+       for (i = 0; i < demux->essence_tracks->len; i++) {
+         GstMXFDemuxEssenceTrack *t =
+-            &g_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-            i);
++            g_ptr_array_index (demux->essence_tracks, i);
+         t->position = -1;
+       }
+       demux->current_partition = NULL;
+@@ -4624,7 +4608,7 @@ gst_mxf_demux_finalize (GObject * object)
+ 
+   g_ptr_array_free (demux->src, TRUE);
+   demux->src = NULL;
+-  g_array_free (demux->essence_tracks, TRUE);
++  g_ptr_array_free (demux->essence_tracks, TRUE);
+   demux->essence_tracks = NULL;
+ 
+   g_hash_table_destroy (demux->metadata);
+@@ -4701,8 +4685,8 @@ gst_mxf_demux_init (GstMXFDemux * demux)
+   g_rw_lock_init (&demux->metadata_lock);
+ 
+   demux->src = g_ptr_array_new ();
+-  demux->essence_tracks =
+-      g_array_new (FALSE, FALSE, sizeof (GstMXFDemuxEssenceTrack));
++  demux->essence_tracks = g_ptr_array_new_with_free_func ((GDestroyNotify)
++      gst_mxf_demux_essence_track_free);
+ 
+   gst_segment_init (&demux->segment, GST_FORMAT_TIME);
+ 
+diff --git a/gst/mxf/mxfdemux.h b/gst/mxf/mxfdemux.h
+index aac3e67..a452980 100644
+--- a/gst/mxf/mxfdemux.h
++++ b/gst/mxf/mxfdemux.h
+@@ -182,7 +182,7 @@ struct _GstMXFDemux
+   GList *partitions;
+   GstMXFDemuxPartition *current_partition;
+ 
+-  GArray *essence_tracks;
++  GPtrArray *essence_tracks;
+ 
+   GList *pending_index_table_segments;
+   GList *index_tables; /* one per BodySID / IndexSID */
+-- 
+2.41.0
+

gstreamer1-plugins-bad-free.spec

@@ -2,21 +2,34 @@
 %bcond_with extras
 
 Name:           gstreamer1-plugins-bad-free
-Version:        1.14.4
-Release:        7
+Version:        1.16.2
+Release:        4
 Summary:        Not well tested plugins for GStreamer framework
 License:        LGPLv2+ and LGPLv2
 URL:            http://gstreamer.freedesktop.org/
 Source0:        https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-%{version}.tar.xz
 
-BuildRequires:  gstreamer1-devel >= %{version} gdb
+Patch0001:      Adapt-to-backwards-incompatible-change-in-GNU-Make-4.3.patch
+Patch0002:      CVE-2021-3185.patch
+# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0
+Patch0003:      CVE-2023-40474.patch
+# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39
+Patch0004:      CVE-2023-40475.patch
+# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9
+Patch0005:      CVE-2023-40476.patch
+#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353
+Patch0006:      CVE-2023-44446.patch
+#https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4896.patch
+Patch0007:      CVE-2023-37329.patch
+
+BuildRequires:  gstreamer1-devel >= %{version} gdb autoconf
 BuildRequires:  gstreamer1-plugins-base-devel >= %{version}
 BuildRequires:  check gettext-devel libXt-devel gtk-doc
 BuildRequires:  gobject-introspection-devel >= 1.31.1
 BuildRequires:  bzip2-devel exempi-devel gsm-devel 
 BuildRequires:  lcms2-devel libexif-devel libiptcdata-devel
 BuildRequires:  libnice-devel librsvg2-devel libsndfile-devel
-BuildRequires:  mesa-libGL-devel mesa-libGLES-devel mesa-libGLU-devel
+BuildRequires:  mesa-libGL-devel libglvnd-devel mesa-libGLU-devel
 BuildRequires:  openssl-devel orc-devel libwayland-client-devel 
 BuildRequires:  opus-devel nettle-devel libgcrypt-devel
 BuildRequires:  gnutls-devel pkgconfig(gudev-1.0) pkgconfig(libusb-1.0)
@@ -75,9 +88,10 @@ Requires:       gstreamer1-plugins-base-devel
 This package provides the development files for GStreamer not-well-tested plugins.
 
 %prep
-%autosetup -n gst-plugins-bad-%{version}
+%autosetup -n gst-plugins-bad-%{version} -p1
 
 %build
+autoreconf --force --install
 %configure --disable-silent-rules --disable-fatal-warnings \
     --with-package-name="openEuler GStreamer-plugins-bad package" \
     --with-package-origin="https://openeuler.org/en/building/download.html" \
@@ -160,7 +174,6 @@ EOF
 %{_libdir}/gstreamer-%{majorminor}/libgstbayer.so
 %{_libdir}/gstreamer-%{majorminor}/libgstcamerabin.so
 %{_libdir}/gstreamer-%{majorminor}/libgstcoloreffects.so
-%{_libdir}/gstreamer-%{majorminor}/libgstcompositor.so
 %{_libdir}/gstreamer-%{majorminor}/libgstdashdemux.so
 %{_libdir}/gstreamer-%{majorminor}/libgstfaceoverlay.so
 %if %{with extras}
@@ -200,7 +213,6 @@ EOF
 %{_libdir}/gstreamer-%{majorminor}/libgstsmooth.so
 %{_libdir}/gstreamer-%{majorminor}/libgstsmoothstreaming.so
 %{_libdir}/gstreamer-%{majorminor}/libgstspeed.so
-%{_libdir}/gstreamer-%{majorminor}/libgststereo.so
 %{_libdir}/gstreamer-%{majorminor}/libgstsubenc.so
 %{_libdir}/gstreamer-%{majorminor}/libgsttimecode.so
 %{_libdir}/gstreamer-%{majorminor}/libgstuvch264.so
@@ -209,7 +221,6 @@ EOF
 %{_libdir}/gstreamer-%{majorminor}/libgstyadif.so
 %{_libdir}/gstreamer-%{majorminor}/libgsty4mdec.so
 %{_libdir}/gstreamer-%{majorminor}/libgstdvb.so
-%{_libdir}/gstreamer-%{majorminor}/libgstvcdsrc.so
 %{_libdir}/gstreamer-%{majorminor}/libgstbluez.so
 %{_libdir}/gstreamer-%{majorminor}/libgstbz2.so
 %{_libdir}/gstreamer-%{majorminor}/libgstcolormanagement.so
@@ -217,7 +228,6 @@ EOF
 %{_libdir}/gstreamer-%{majorminor}/libgsthls.so
 %{_libdir}/gstreamer-%{majorminor}/libgstgsm.so
 %{_libdir}/gstreamer-%{majorminor}/libgstkms.so
-%{_libdir}/gstreamer-%{majorminor}/libgstopenglmixers.so
 %{_libdir}/gstreamer-%{majorminor}/libgstopusparse.so
 %{_libdir}/gstreamer-%{majorminor}/libgstsndfile.so
 %{_libdir}/gstreamer-%{majorminor}/libgstttmlsubs.so
@@ -229,9 +239,7 @@ EOF
 %{_libdir}/gstreamer-%{majorminor}/libgstdvbsuboverlay.so
 %{_libdir}/gstreamer-%{majorminor}/libgstdvdspu.so
 %{_libdir}/gstreamer-%{majorminor}/libgstsiren.so
-%if ! %{with extras}
-%exclude %{_libdir}/gstreamer-%{majorminor}/libgstcurl.so
-%endif
+%{_libdir}/gstreamer-%{majorminor}/libgstclosedcaption.so
 
 
 %if %{with extras}
@@ -265,6 +273,21 @@ EOF
 %{_includedir}/gstreamer-%{majorminor}/gst/*
 
 %changelog
+* Fri Dec 15 2023 wangkai <13474090681@163.com> - 1.16.2-4
+- Fix CVE-2023-44446,CVE-2023-37329
+
+* Sat Oct 07 2023 yaoxin <yao_xin001@hoperun.com> - 1.16.2-3
+- Fix CVE-2023-40474,CVE-2023-40475 and CVE-2023-40476
+
+* Mon Feb 08 2021 openEuler Buildteam <buildteam@openeuler.org> - 1.16.2-2
+- fix CVE-2021-3185
+
+* Wed Aug 19 2020 jinzhimin <jinzhimin2@huawei.com> - 1.16.2-1
+- update to 1.16.2
+
+* Tue Aug 18 2020 lingsheng <lingsheng@huawei.com> - 1.14.4-8
+- Fix build fail with make 4.3
+
 * Tue May 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.14.4-7
 - rebuild for libwebp-1.1.0