Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 200MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: tbd
https://gstreamer.freedesktop.org/security/sa-2022-0003.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2611>
Various variables were of smaller types than needed and there were no
checks for any overflows when doing additions on the sizes. This is all
checked now.
In addition the size of the decompressed data is limited to 120MB now as
any larger sizes are likely pathological and we can avoid out of memory
situations in many cases like this.
Also fix a bug where the available output size on the next iteration in
the zlib/bz2 decompression code was provided too large and could
potentially lead to out of bound writes.
Thanks to Adam Doupe for analyzing and reporting the issue.
CVE: CVE-2022-1922, CVE-2022-1923, CVE-2022-1924, CVE-2022-1925
https://gstreamer.freedesktop.org/security/sa-2022-0002.html
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1225
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2611>
The mq we get out of the weak ref might be NULL if we're
shutting down, which could cause assertion failures or
crashes.
It might also cause miscompilations where the compiler just
optimises away the NULL check because it jumps to a code path
that then dereferences the pointer which clearly isn't going
to work. Seems like something like this happens with gcc 11.
Fixes#1262
Co-authored-by: Doug Nazar <nazard@nazar.ca>
Co-authored-by: Sebastian Dröge <sebastian@centricular.com>
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2600>
Fixes:
../plugins/elements/gstmultiqueue.c: In function ‘gst_multi_queue_loop’:
../plugins/elements/gstmultiqueue.c:2394:19: warning: ‘is_query’ may be used uninitialized in this function [-Wmaybe-uninitialized]
2394 | if (object && !is_query)
| ^~~~~~~~~
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2596>
gtk_gl_area_get_error() doesn't return a copy of the error, but just the
error. If initialising OpenGL fails, then GtkGstGLWidget will consume
the error, and cause GTK to try and display freed memory.
==50914== Invalid read of size 8
==50914== at 0x4C4CB8A: gtk_gl_area_draw_error_screen (gtkglarea.c:663)
==50914== by 0x4C4CB8A: gtk_gl_area_draw (gtkglarea.c:687)
==50914== by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914== by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914== by 0x4D4B6BF: gtk_stack_render (gtkstack.c:2207)
==50914== by 0x4BB4B03: gtk_css_custom_gadget_draw (gtkcsscustomgadget.c:159)
==50914== by 0x4BBA4C4: gtk_css_gadget_draw (gtkcssgadget.c:885)
==50914== by 0x4D4D780: gtk_stack_draw (gtkstack.c:2119)
==50914== by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914== by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914== by 0x4BAF0C3: gtk_container_draw (gtkcontainer.c:3674)
==50914== by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914== by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914== Address 0x187a0818 is 8 bytes inside a block of size 16 free'd
==50914== at 0x48480E4: free (vg_replace_malloc.c:872)
==50914== by 0x49A5B8C: g_free (gmem.c:218)
==50914== by 0x49C1013: g_slice_free1 (gslice.c:1183)
==50914== by 0x4990DE4: g_error_free (gerror.c:870)
==50914== by 0x4990FE9: g_clear_error (gerror.c:1052)
==50914== by 0x1A489780: _get_gl_context (gtkgstglwidget.c:540)
==50914== by 0x1A4863CB: gst_gtk_invoke_func (gstgtkutils.c:39)
==50914== by 0x49A3834: g_main_context_invoke_full (gmain.c:6137)
==50914== by 0x1A486450: gst_gtk_invoke_on_main (gstgtkutils.c:59)
==50914== by 0x1A48A29E: gtk_gst_gl_widget_init_winsys (gtkgstglwidget.c:632)
==50914== by 0x1A4887E7: gst_gtk_gl_sink_start (gstgtkglsink.c:267)
==50914== by 0x6579810: gst_base_sink_change_state (gstbasesink.c:5662)
==50914== Block was alloc'd at
==50914== at 0x484586F: malloc (vg_replace_malloc.c:381)
==50914== by 0x49A9278: g_malloc (gmem.c:125)
==50914== by 0x49C1BA5: g_slice_alloc (gslice.c:1072)
==50914== by 0x49C3BCC: g_slice_alloc0 (gslice.c:1098)
==50914== by 0x499096B: g_error_allocate (gerror.c:708)
==50914== by 0x4990AF1: UnknownInlinedFun (gerror.c:722)
==50914== by 0x4990AF1: g_error_copy (gerror.c:892)
==50914== by 0x4C4B9F9: gtk_gl_area_set_error (gtkglarea.c:1036)
==50914== by 0x4C4BAF7: gtk_gl_area_real_create_context (gtkglarea.c:346)
==50914== by 0x4B21B28: _gtk_marshal_OBJECT__VOIDv (gtkmarshalers.c:2730)
==50914== by 0x4920B78: UnknownInlinedFun (gclosure.c:893)
==50914== by 0x4920B78: g_signal_emit_valist (gsignal.c:3406)
==50914== by 0x4920CB2: g_signal_emit (gsignal.c:3553)
==50914== by 0x4C4B927: gtk_gl_area_realize (gtkglarea.c:308)
Reproduced by running:
MESA_GL_VERSION_OVERRIDE=2.7 totem
See https://gitlab.gnome.org/GNOME/totem/-/issues/522
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2567>
If our downstream caps didn't intersect, we attempted to convert between
raw and ADTS stream formats, if possible. If the caps still did not
intersect, we then used the modified `src_caps` but left the
`output_header_type` unmodified.
This caused a mismatch between caps and actual stream format.
Avoid this by first copying the `src_caps` to `convcaps` for the
additional intersection tests, replacing `src_caps` if we succeed.
While we're here, clean up the code a bit and remove the `codec_data`
field from outgoing ADTS caps.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2563>
the licence in gstreamer/subprojects/gstreamer/gst/gstplugin.c
currently is defined to be one of:
LGPL GPL QPL GPL/QPL MPL BSD MIT/X11 0BSD Proprietary
The open source project for the kinesis plugin is using an
Apache 2.0 license. Because "Apache 2.0" is not one of the
supported licenses it automatically falls back to Proprietary.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2524>
https://bugzilla.gnome.org/show_bug.cgi?id=741398 changed
rtpptdemux in 2014 to not post a GST_ELEMENT_ERROR on the
bus when dropping an invalid (non-RTP) packet, but still
returned GST_FLOW_ERROR upstream - so the pipeline still
stops, but now without a useful bus error.
Return GST_FLOW_OK instead, so the pipeline keeps
running. Some old telephony equipment can send invalid
packets before the real RTP traffic starts.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2523>
Intel DXVA driver crashes sometimes (from GPU thread) if
ID3D11VideoDecoder is released while there are outstanding view objects.
To make sure the object life cycle, holds an ID3D11VideoDecoder refcount
in GstD3D11Memory object.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2513>
get_colorspace() checks input caps transfer when mapping V4L2_XFER_FUNC_709
back to V4L2_COLORSPACE_BT2020 and GST_VIDEO_TRANSFER_BT2020_12. After
receiving source change event, decoder will G_FMT and S_FMT again. So need
to reset transfer when acquiring format to avoid using the old transfer.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2505>
When collection is updated, decodebin3 exposes pad first and then
streams-selected message is posted.
The condition can cause a situation where playbin3 links non-existing
combiner/playsink pads (since streams-selected is not posted yet) with
new decodebin output pad. This commit will re-check selected/active
streams condition on pad-added and reconfigure output if needed.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2495>
Given the amount of complains about artifacts when negotiating dmabuf
given incompatible drm-formats, and that there's no enough bandwidth
for a proper and quick fix in gstreamer-vaapi, this patch disables,
from decoders and postprocessor, the DMABuf caps feature.
For those who needs DMABuf can use the va elements in -bad, increasing
their ranking for autoplugging by using the environment variable
GST_PLUGIN_FEATURE_RANK=vah264dec:MAX, for example.
This can be considered a first step to the deprecation of
gstreamer-vaapi in favor of the va plugin in -bad.
Fixes: #1137
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2459>
In case of per features registration such as the
customizable gstreamer-full library, each
element should check that the soup library can be loaded to
facilitate the element registration.
Initialize the debug category properly
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2491>
d3d11screencapture can miss a cursor shape to draw or draw an outdated cursor shape.
- AcquireNextFrame only provides cursor shape when there is one update
- current d3d11screencapture skips cursor shape when mouse is not drawn
So, if a gstreamer application uses d3d11screencapture with cursor initially not drawn
"show-cursor"=false and then switches this property to true, the cursor will not be
actually drawn until AcquireNextFrame provides a new cursor shape.
This commit makes d3d11screencapture always update the cursor shape information, even
if the mouse is not drawn. d3d11screencapture will always have the latest cursor shape
when requested to draw it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2488>
zlib is required, and if it isn't found it is checked several ways and
then forced via subproject(). This code was added in commit
b93e37592a, to account for systems where
zlib doesn't have pkg-config files installed.
But Meson already does dependency fallback, and also, since 0.54.0, does
the in-between checks for find_library('z') and has_header('zlib.h') via
the "system" type dependency. Simplify dependency lookup by marking it
as required, which also makes sure that the console log doesn't
confusingly list "not found".
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2486>
While current and future LoongArch machines that are supposed to run
GStreamer all support unaligned accesses, there might be future
lower-end cores (e.g. the embedded product line) without such support,
and we may not want to penalize these use cases.
So, mark LoongArch as not supporting unaligned accesses for now, and
hope the compilers do a good job optimizing them. We can always flip
switch later.
Suggested-by: CHEN Tao <redeast_cn@outlook.com>
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2450>
It is valid to have the padding set to 1 on the first packet and it
happens very often from TWCC packets coming from libwebrtc. This means
that we were totally ignoring many TWCC packets.
Fix test that checked that a first packet with padding was not valid and
instead test a single twcc packet with padding to check precisely what
this patch was about.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2447>
- Consistently unref the chained buffer at the end of the chain
function, if we're not handing it off to `gst_pad_push`. This avoids a
few buffer leaks in the error paths in `_chain` and `_push_history`.
- When mapping the video frame fails, return a flow error instead of
crashing.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2444>
Background:
Whenever a caps event is received by appsink, the caps are stored in the
same internal queue as buffers. Only when enough buffers have been
popped from the queue to reach the caps, `priv->sample` gets its caps
updated to match, so that they are correct for the following buffers.
Note that as far as upstream elements are concerned, the caps of appsink
are updated immediately when the CAPS event is sent. Samples pulled from
appsink retain the old caps until a later buffer -- one that was sent by
upstream elements after the new caps -- is pulled.
The race condition:
When a flush is received, appsink clears the entire internal queue. The
caps of `priv->sample` are not updated as part of this process, and
instead remain as those of the sample that was last pulled by the user.
This leaves open a race condition where:
1. Upstream sends a new caps event, and possibly some buffers for the
new caps.
2. Upstream sends a flush (possibly from a different thread).
3. Upstream sends a new buffer for the new caps. Since as far as
upstream is concerned, appsink caps are the new caps already, no new
CAPS event is sent.
4. The appsink user pulls a sample, having not pulled before enough
samples to reach the buffers sent in step 1.
Bug: the pulled sample has the old caps instead of the new caps.
Fixing the race condition:
To avoid this problem, when a buffer is received after a flush,
`priv->sample`'s caps should be updated with the current caps before the
buffer is added to the internal queue.
Interestingly, before this patch, appsink already had code for this, in
gst_app_sink_render_common():
/* queue holding caps event might have been FLUSHed,
* but caps state still present in pad caps */
if (G_UNLIKELY (!priv->last_caps &&
gst_pad_has_current_caps (GST_BASE_SINK_PAD (psink)))) {
priv->last_caps = gst_pad_get_current_caps (GST_BASE_SINK_PAD (psink));
gst_sample_set_caps (priv->sample, priv->last_caps);
GST_DEBUG_OBJECT (appsink, "activating pad caps %" GST_PTR_FORMAT,
priv->last_caps);
}
This code assumes `priv->last_caps` is reset when a flush is received,
which makes sense, but unfortunately, there was no code in the flush
code path resetting it.
This patch adds such code, therefore fixing the race condition. A unit
test demonstrating the bug and testing its behavior with the fix has
also been added.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2442>
If for some reason the encoder produces frames with a pts higher than
the input one, we were dropping all the video encoder frames and ended
up crashing when trying to access the pts of a NULL pointer returned by
gst_video_encoder_get_oldest_frame().
I hit this scenario by feeding a decreasing timestamp to vp8enc which
seem to confuse the encoder.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2436>