aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages
diff options
context:
space:
mode:
authorMaxim Cournoyer <maxim.cournoyer@gmail.com>2021-10-08 14:31:54 -0400
committerMaxim Cournoyer <maxim.cournoyer@gmail.com>2021-11-11 10:31:26 -0500
commitd8a0fc90b5b781c163bef64366f27fcd1d564ebd (patch)
treef030ac7f99effa91cff166d68c3c180e64501b52 /gnu/packages
parente151f94467250c87bfeb22b5ac41f20d296bd579 (diff)
downloadguix-d8a0fc90b5b781c163bef64366f27fcd1d564ebd.tar
guix-d8a0fc90b5b781c163bef64366f27fcd1d564ebd.tar.gz
Revert gstreamer update to 1.19.2.
This reverts commits from e49190cf2befec56246c2baa8697e30c7ba491ac to b2fe4c44e39f66d203d99b16aeed3bb69ccca6c8. Reason: 1.19 is an unstable (development) release rather than a stable one.
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/aidc.scm33
-rw-r--r--gnu/packages/gstreamer.scm120
-rw-r--r--gnu/packages/patches/gst-libav-64channels-stack-corruption.patch31
-rw-r--r--gnu/packages/patches/gst-plugins-bad-fix-overflow.patch263
-rw-r--r--gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch40
-rw-r--r--gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch174
-rw-r--r--gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch22
-rw-r--r--gnu/packages/patches/gst-plugins-good-fix-test.patch94
-rw-r--r--gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch119
9 files changed, 838 insertions, 58 deletions
diff --git a/gnu/packages/aidc.scm b/gnu/packages/aidc.scm
index 0c89f1d8e2..21fc1957a2 100644
--- a/gnu/packages/aidc.scm
+++ b/gnu/packages/aidc.scm
@@ -5,7 +5,6 @@
;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2019 Guillaume Le Vaillant <glv@posteo.net>
;;; Copyright © 2020 Leo Famulari <leo@famulari.name>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -47,7 +46,7 @@
(define-public zxing-cpp
(package
(name "zxing-cpp")
- (version "1.2.0")
+ (version "1.0.8")
(source
(origin
(method git-fetch)
@@ -57,14 +56,32 @@
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1gjj9c7h634rrmmgzbc7cxjqsxdq0paj6113k02ncjm1s9abk7ik"))))
+ (base32 "011sq8wcjfxbnd8sj6bf2fgkamlp8gj6q835g61c952npvwsnl71"))))
+ (native-inputs
+ `(("googletest-source" ,(package-source googletest))))
(build-system cmake-build-system)
(arguments
- ;; The test suite build system is written in a way that required external
- ;; libraries such as googletest, fmt and others are to be fetched from
- ;; the network (see: https://github.com/nu-book/zxing-cpp/issues/260).
- `(#:tests? #f
- #:configure-flags '("-DBUILD_BLACKBOX_TESTS=OFF")))
+ `(#:out-of-source? #f
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'unpack-googletest
+ ;; Copy the googletest sources to where the CMake build expects them.
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((source (assoc-ref inputs "googletest-source"))
+ (target "test/unit/googletest-src"))
+ (mkdir-p target)
+ (copy-recursively source target)
+ ;; Disable downloading via ExternalProject.
+ (substitute* "test/unit/CMakeLists.txt.in"
+ (("ExternalProject_Add\\(") "message("))
+ #t)))
+ (replace 'check
+ (lambda _
+ (with-directory-excursion "test/unit"
+ (invoke "cmake" ".")
+ (invoke "make")
+ (invoke "./ZXingUnitTest"))
+ #t)))))
(synopsis "C++ port of ZXing")
(description "ZXing-CPP is a barcode scanning library.")
(home-page "https://github.com/nu-book/zxing-cpp")
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index ed497e46ba..21368688f5 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -10,7 +10,6 @@
;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2020 Liliana Marie Prikler <liliana.prikler@gmail.com>
;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
-;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -44,7 +43,6 @@
#:use-module (gnu packages base)
#:use-module (gnu packages bash)
#:use-module (gnu packages bison)
- #:use-module (gnu packages build-tools)
#:use-module (gnu packages cdrom)
#:use-module (gnu packages curl)
#:use-module (gnu packages compression)
@@ -411,7 +409,7 @@ arrays of data.")
(define-public gstreamer-docs
(package
(name "gstreamer-docs")
- (version "1.19.2")
+ (version "1.18.2")
(source (origin
(method url-fetch)
(uri (string-append
@@ -419,7 +417,7 @@ arrays of data.")
"/gstreamer-docs-" version ".tar.xz"))
(sha256
(base32
- "1isrp3c9gm59br9vbidd1sgqdjgl1ka2p269bqxmh5dcn4f2gz6a"))))
+ "07hrgn11ll16yahyyh5684k8ms1j9npsyb8lj0skwbapin4czshm"))))
(build-system trivial-build-system)
(arguments
`(#:modules ((guix build utils))
@@ -437,7 +435,8 @@ arrays of data.")
(invoke (string-append tar "/bin/tar") "-xvf" source
"--strip-components=3"
(string-append ,name "-" ,version
- "/devhelp/books/GStreamer")))))))
+ "/devhelp/books/GStreamer")))
+ #t))))
(native-inputs
`(("tar" ,tar)
("xz" ,xz)))
@@ -467,12 +466,13 @@ the GStreamer multimedia framework.")
(("'CK_DEFAULT_TIMEOUT', '[0-9]*'")
"'CK_DEFAULT_TIMEOUT', '600'")
(("timeout ?: .*\\)")
- "timeout: 90 * 60)"))))))
+ "timeout: 90 * 60)"))
+ #t))))
(define-public gstreamer
(package
(name "gstreamer")
- (version "1.19.2")
+ (version "1.18.4")
(source
(origin
(method url-fetch)
@@ -481,13 +481,26 @@ the GStreamer multimedia framework.")
version ".tar.xz"))
(sha256
(base32
- "03bfgsxd3njkaa5vm99hi36b4n98ywand60h3p18jlqyjfjpnnvf"))))
+ "1igv9l4hm21kp1jmlwlagzs7ly1vaxv1sbda29q8247372dwkvls"))))
(build-system meson-build-system)
(arguments
- `(#:meson ,meson-0.55
- #:phases
+ `(#:phases
(modify-phases %standard-phases
- ,@%common-gstreamer-phases)))
+ ,@%common-gstreamer-phases
+ ;; FIXME: Since switching to the meson-build-system, two tests
+ ;; started failing on i686. See
+ ;; <https://gitlab.freedesktop.org/gstreamer/gstreamer/issues/499>.
+ ,@(if (string-prefix? "i686" (or (%current-target-system)
+ (%current-system)))
+ `((add-after 'unpack 'disable-some-tests
+ (lambda _
+ (substitute* "tests/check/gst/gstsystemclock.c"
+ (("tcase_add_test \\(tc_chain, test_stress_cleanup_unschedule.*")
+ "")
+ (("tcase_add_test \\(tc_chain, test_stress_reschedule.*")
+ ""))
+ #t)))
+ '()))))
(propagated-inputs
;; In gstreamer-1.0.pc:
;; Requires: glib-2.0, gobject-2.0
@@ -532,15 +545,16 @@ This package provides the core library and elements.")
(define-public gst-plugins-base
(package
(name "gst-plugins-base")
- (version "1.19.2")
+ (version "1.18.4")
(source
(origin
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-base-fix-id3v2-invalid-read.patch"))
(sha256
(base32
- "04x5666vgg89dd9psxmnr99dszk8ykkc9dclg2ln2sq07kyh9qyd"))))
+ "08w3ivbc6n4vdds2ap6q7l8zdk9if8417nznyqidf0adm0lk5r99"))))
(build-system meson-build-system)
(propagated-inputs
`(("glib" ,glib) ;required by gstreamer-sdp-1.0.pc
@@ -583,14 +597,14 @@ This package provides the core library and elements.")
("gettext" ,gettext-minimal)
("xorg-server" ,xorg-server-for-tests)))
(arguments
- `(#:meson ,meson-0.55
- #:phases
+ `(#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
(add-before 'configure 'patch
(lambda _
(substitute* "tests/check/libs/pbutils.c"
- (("/bin/sh") (which "sh")))))
+ (("/bin/sh") (which "sh")))
+ #t))
(add-before 'check 'pre-check
(lambda _
;; Tests require a running X server.
@@ -601,7 +615,8 @@ This package provides the core library and elements.")
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
- (setenv "DBUS_FATAL_WARNINGS" "0"))))))
+ (setenv "DBUS_FATAL_WARNINGS" "0")
+ #t)))))
(home-page "https://gstreamer.freedesktop.org/")
(synopsis
"Plugins for the GStreamer multimedia library")
@@ -612,7 +627,7 @@ for the GStreamer multimedia library.")
(define-public gst-plugins-good
(package
(name "gst-plugins-good")
- (version "1.19.2")
+ (version "1.18.4")
(source
(origin
(method url-fetch)
@@ -620,12 +635,14 @@ for the GStreamer multimedia library.")
(string-append
"https://gstreamer.freedesktop.org/src/" name "/"
name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-good-fix-test.patch"
+ "gst-plugins-good-CVE-2021-3497.patch"
+ "gst-plugins-good-CVE-2021-3498.patch"))
(sha256
- (base32 "0bjfipap6wc3w28hgf817hc6jvjbblkjil42a356vg242412xsab"))))
+ (base32 "1c1rpq709cy8maaykyn1n0kckj9c6fl3mhvixkk6xmdwkcx0xrdn"))))
(build-system meson-build-system)
(arguments
- `(#:meson ,meson-0.55
- #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
+ `(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
@@ -639,7 +656,8 @@ for the GStreamer multimedia library.")
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
- (setenv "DBUS_FATAL_WARNINGS" "0"))))))
+ (setenv "DBUS_FATAL_WARNINGS" "0")
+ #t)))))
(native-inputs
`(("gettext" ,gettext-minimal)
("glib:bin" ,glib "bin")
@@ -702,14 +720,15 @@ model to base your own plug-in on, here it is.")
(define-public gst-plugins-bad
(package
(name "gst-plugins-bad")
- (version "1.19.2")
+ (version "1.18.4")
(source (origin
(method url-fetch)
(uri (string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-bad-fix-overflow.patch"))
(sha256
(base32
- "0y895s0jpfdpdqh2n55ki6gzvji5228v7z541if2xjgjka5gk0jk"))
+ "0py8k4pbalm9mxkpjbjxis0gp7g74wg5g4yax5q8rccmany0ds3l"))
(modules '((guix build utils)))
(snippet
'(begin
@@ -718,7 +737,6 @@ model to base your own plug-in on, here it is.")
(build-system meson-build-system)
(arguments
`(#:configure-flags '("-Dsctp-internal-usrsctp=disabled")
- #:meson ,meson-0.55
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
@@ -756,7 +774,8 @@ model to base your own plug-in on, here it is.")
;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/932
((".*elements/curlhttpsrc\\.c.*") "")
;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/issues/1412
- ((".*elements/dtls\\.c.*") "")))))
+ ((".*elements/dtls\\.c.*") ""))
+ #t)))
(add-before 'check 'pre-check
(lambda _
;; Tests require a running X server.
@@ -767,7 +786,8 @@ model to base your own plug-in on, here it is.")
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
- (setenv "DBUS_FATAL_WARNINGS" "0"))))))
+ (setenv "DBUS_FATAL_WARNINGS" "0")
+ #t)))))
(propagated-inputs
`(("gstreamer" ,gstreamer)
("gst-plugins-base" ,gst-plugins-base)))
@@ -890,19 +910,19 @@ par compared to the rest.")
(define-public gst-plugins-ugly
(package
(name "gst-plugins-ugly")
- (version "1.19.2")
+ (version "1.18.4")
(source
(origin
(method url-fetch)
(uri
(string-append "https://gstreamer.freedesktop.org/src/"
name "/" name "-" version ".tar.xz"))
+ (patches (search-patches "gst-plugins-ugly-fix-out-of-bound-reads.patch"))
(sha256
- (base32 "1pwz68qg40018ai655fdrjn5clmn0gp2b7dik0jzwx0fzbwzr87j"))))
+ (base32 "0g6i4db1883q3j0l2gdv46fcqwiiaw63n6mhvsfcms1i1p7g1391"))))
(build-system meson-build-system)
(arguments
- `(#:meson ,meson-0.55
- #:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
+ `(#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases
(modify-phases %standard-phases
,@%common-gstreamer-phases
@@ -916,7 +936,8 @@ par compared to the rest.")
;; Tests look for $XDG_RUNTIME_DIR.
(setenv "XDG_RUNTIME_DIR" (getcwd))
;; For missing '/etc/machine-id'.
- (setenv "DBUS_FATAL_WARNINGS" "0"))))))
+ (setenv "DBUS_FATAL_WARNINGS" "0")
+ #t)))))
(native-inputs
`(("gettext" ,gettext-minimal)
("glib:bin" ,glib "bin")
@@ -949,17 +970,18 @@ think twice about shipping them.")
(define-public gst-libav
(package
(name "gst-libav")
- (version "1.19.2")
- (source (origin
- (method url-fetch)
- (uri(string-append
- "https://gstreamer.freedesktop.org/src/" name "/"
- name "-" version ".tar.xz"))
- (sha256
- (base32 "0rv4vxrqvlc8lm1afcg934k961gysx94xshmb5jv4xpwjkl8akzw"))))
+ (version "1.18.4")
+ (source
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append
+ "https://gstreamer.freedesktop.org/src/" name "/"
+ name "-" version ".tar.xz"))
+ (patches (search-patches "gst-libav-64channels-stack-corruption.patch"))
+ (sha256
+ (base32 "15n3x3vhshqa3icw93g4vqmqd46122anzqvfxwn6q8famlxlcjil"))))
(build-system meson-build-system)
- (arguments
- `(#:meson ,meson-0.55))
(native-inputs
`(("perl" ,perl)
("pkg-config" ,pkg-config)
@@ -979,7 +1001,7 @@ decoders, muxers, and demuxers provided by FFmpeg.")
(define-public gst-editing-services
(package
(name "gst-editing-services")
- (version "1.19.2")
+ (version "1.18.4")
(source (origin
(method url-fetch)
(uri (string-append
@@ -987,12 +1009,11 @@ decoders, muxers, and demuxers provided by FFmpeg.")
"gst-editing-services-" version ".tar.xz"))
(sha256
(base32
- "007rd6vn9ly6djzgb8hilgj8rgdy2530w72vps0d0631fxckxh4g"))))
+ "010xg960qsh5dwmf0y9l1q13h0cymmrgapzla2zsw66ylxqbi1s6"))))
(build-system meson-build-system)
(arguments
;; FIXME: 16/22 failing tests.
- `(#:meson ,meson-0.55
- #:tests? #f
+ `(#:tests? #f
#:glib-or-gtk? #t ; To wrap binaries and/or compile schemas
#:phases (modify-phases %standard-phases
,@%common-gstreamer-phases)))
@@ -1052,7 +1073,7 @@ given, also pass them to the build system instead of the ones used by PKG."
(define-public python-gst
(package
(name "python-gst")
- (version "1.19.2")
+ (version "1.18.2")
(source (origin
(method url-fetch)
(uri (string-append
@@ -1060,11 +1081,10 @@ given, also pass them to the build system instead of the ones used by PKG."
"gst-python-" version ".tar.xz"))
(sha256
(base32
- "1y5wkp0nzqks8q5dbqi0491yv2yia4jz3bwh7sa2v8whkg46v3c7"))))
+ "171qxzndii7ynn9ag3a12h9vyydxzwy1j4ip3cb8hgim1dv0z7g1"))))
(build-system meson-build-system)
(arguments
- `(#:meson ,meson-0.55
- #:modules ((guix build meson-build-system)
+ `(#:modules ((guix build meson-build-system)
(guix build utils)
((guix build python-build-system) #:prefix python:))
#:imported-modules (,@%meson-build-system-modules
diff --git a/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch
new file mode 100644
index 0000000000..cc174e618d
--- /dev/null
+++ b/gnu/packages/patches/gst-libav-64channels-stack-corruption.patch
@@ -0,0 +1,31 @@
+Fix a stack corruption when handling files with more than 64 audio
+channels:
+
+https://gstreamer.freedesktop.org/security/sa-2021-0005.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-libav/-/commit/dcea8baa14a5fc3b796d876baaf2f238546ba2b1
+
+diff --git a/ext/libav/gstavcodecmap.c b/ext/libav/gstavcodecmap.c
+index b5be4bb7a5f2712f78383da9319754a8849e3307..be22f22cf5c7c7b22b13e44b10999adaacbcca2b 100644
+--- a/ext/libav/gstavcodecmap.c
++++ b/ext/libav/gstavcodecmap.c
+@@ -102,7 +102,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
+ guint nchannels = 0;
+ gboolean none_layout = FALSE;
+
+- if (channel_layout == 0) {
++ if (channel_layout == 0 || channels > 64) {
+ nchannels = channels;
+ none_layout = TRUE;
+ } else {
+@@ -163,7 +163,7 @@ gst_ffmpeg_channel_layout_to_gst (guint64 channel_layout, gint channels,
+ } else {
+ guint i;
+
+- for (i = 0; i < nchannels; i++)
++ for (i = 0; i < nchannels && i < 64; i++)
+ pos[i] = GST_AUDIO_CHANNEL_POSITION_NONE;
+ }
+ }
diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
new file mode 100644
index 0000000000..95ab13db51
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
@@ -0,0 +1,263 @@
+Fix an overflow when calculating something for AVC/HEVC videos:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d
+From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 23 Mar 2021 19:19:14 +0200
+Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length
+ calculations
+
+Offset and size are stored as 32 bit guint and might overflow when
+adding the nal_length_size, so let's avoid that.
+
+For the size this would happen if the AVC/HEVC NAL unit size happens to
+be stored in 4 bytes and is 4294967292 or higher, which is likely
+corrupted data anyway.
+
+For the offset this is something for the caller of these functions to
+take care of but is unlikely to happen as it would require parsing on a
+>4GB buffer.
+
+Allowing these overflows causes all kinds of follow-up bugs in the
+h2645parse elements, ranging from infinite loops and memory leaks to
+potential memory corruptions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107>
+---
+ gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++-
+ gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++-
+ tests/check/libs/h264parser.c | 60 +++++++++++++++++++++++
+ tests/check/libs/h265parser.c | 60 +++++++++++++++++++++++
+ 4 files changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
+index 012f1d0d7..68aa25068 100644
+--- a/gst-libs/gst/codecparsers/gsth264parser.c
++++ b/gst-libs/gst/codecparsers/gsth264parser.c
+@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+
+ memset (nalu, 0, sizeof (*nalu));
+
++ /* Would overflow guint below otherwise: the callers needs to ensure that
++ * this never happens */
++ if (offset > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("offset + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H264_PARSER_BROKEN_DATA;
++ }
++
+ if (size < offset + nal_length_size) {
+ GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+ ", offset %u", size, offset);
+@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+ nalu->sc_offset = offset;
+ nalu->offset = offset + nal_length_size;
+
+- if (size < nalu->size + nal_length_size) {
++ if (nalu->size > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("NALU size + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H264_PARSER_BROKEN_DATA;
++ }
++
++ if (size < (gsize) nalu->size + nal_length_size) {
+ nalu->size = 0;
+
+ return GST_H264_PARSER_NO_NAL_END;
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 26e68b276..dc7f27aa9 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+
+ memset (nalu, 0, sizeof (*nalu));
+
++ /* Would overflow guint below otherwise: the callers needs to ensure that
++ * this never happens */
++ if (offset > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("offset + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H265_PARSER_BROKEN_DATA;
++ }
++
+ if (size < offset + nal_length_size) {
+ GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+ ", offset %u", size, offset);
+@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+ nalu->sc_offset = offset;
+ nalu->offset = offset + nal_length_size;
+
+- if (size < nalu->size + nal_length_size) {
++ if (nalu->size > G_MAXUINT32 - nal_length_size) {
++ GST_WARNING ("NALU size + nal_length_size overflow");
++ nalu->size = 0;
++ return GST_H265_PARSER_BROKEN_DATA;
++ }
++
++ if (size < (gsize) nalu->size + nal_length_size) {
+ nalu->size = 0;
+
+ return GST_H265_PARSER_NO_NAL_END;
+diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c
+index c7c46d9a2..d322dd8db 100644
+--- a/tests/check/libs/h264parser.c
++++ b/tests/check/libs/h264parser.c
+@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes)
+
+ GST_END_TEST;
+
++GST_START_TEST (test_h264_parse_identify_nalu_avc)
++{
++ GstH264ParserResult res;
++ GstH264NalUnit nalu;
++ GstH264NalParser *const parser = gst_h264_nal_parser_new ();
++ /* Skip 3 bytes for the start code */
++ const gsize nal_size = sizeof (slice_dpa) - 3;
++ const gsize buf_size = 4 + nal_size;
++ guint8 *buf = g_new (guint8, buf_size);
++
++ memcpy (buf + 4, slice_dpa + 3, nal_size);
++
++ GST_WRITE_UINT16_BE (buf + 2, nal_size);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, nal_size);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++ res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++ g_free (buf);
++ gst_h264_nal_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ static guint8 nalu_sps_with_vui[] = {
+ 0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28,
+ 0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03,
+@@ -666,6 +725,7 @@ h264parser_suite (void)
+ tcase_add_test (tc_chain, test_h264_parse_slice_dpa);
+ tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice);
+ tcase_add_test (tc_chain, test_h264_parse_slice_5bytes);
++ tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc);
+ tcase_add_test (tc_chain, test_h264_parse_invalid_sei);
+ tcase_add_test (tc_chain, test_h264_create_sei);
+
+diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c
+index 0a0e4db97..5b6a215ec 100644
+--- a/tests/check/libs/h265parser.c
++++ b/tests/check/libs/h265parser.c
+@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes)
+
+ GST_END_TEST;
+
++GST_START_TEST (test_h265_parse_identify_nalu_hevc)
++{
++ GstH265ParserResult res;
++ GstH265NalUnit nalu;
++ GstH265Parser *parser = gst_h265_parser_new ();
++ /* Skip 4 bytes for the start code */
++ const gsize nal_size = sizeof (slice_eos_slice_eob) - 4;
++ const gsize buf_size = 4 + nal_size;
++ guint8 *buf = g_new (guint8, buf_size);
++
++ memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size);
++
++ GST_WRITE_UINT16_BE (buf + 2, nal_size);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, nal_size);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_OK);
++ assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++ assert_equals_int (nalu.offset, 4);
++ assert_equals_int (nalu.size, nal_size);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++ GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++ res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++ assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++ g_free (buf);
++ gst_h265_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ GST_START_TEST (test_h265_base_profiles)
+ {
+ GstH265ProfileTierLevel ptl;
+@@ -1101,6 +1160,7 @@ h265parser_suite (void)
+ tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob);
+ tcase_add_test (tc_chain, test_h265_parse_pic_timing);
+ tcase_add_test (tc_chain, test_h265_parse_slice_6bytes);
++ tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc);
+ tcase_add_test (tc_chain, test_h265_base_profiles);
+ tcase_add_test (tc_chain, test_h265_base_profiles_compat);
+ tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match);
+--
+2.31.1
+
diff --git a/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
new file mode 100644
index 0000000000..b2dfef0118
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-base-fix-id3v2-invalid-read.patch
@@ -0,0 +1,40 @@
+Fix an "invalid read during ID3v2 tag parsing".
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-57E7C1
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/f4a1428a6997658625d529b9db60fde812fbf1ee
+
+From f4a1428a6997658625d529b9db60fde812fbf1ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Wed, 3 Mar 2021 01:08:25 +0000
+Subject: [PATCH] tag: id3v2: fix frame size check and potential invalid reads
+
+Check the right variable when checking if there's
+enough data left to read the frame size.
+
+Closes https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1065>
+---
+ gst-libs/gst/tag/id3v2frames.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/tag/id3v2frames.c b/gst-libs/gst/tag/id3v2frames.c
+index 8e9f78254..f39659bf7 100644
+--- a/gst-libs/gst/tag/id3v2frames.c
++++ b/gst-libs/gst/tag/id3v2frames.c
+@@ -109,7 +109,7 @@ id3v2_parse_frame (ID3TagsWorking * work)
+
+ if (work->frame_flags & (ID3V2_FRAME_FORMAT_COMPRESSION |
+ ID3V2_FRAME_FORMAT_DATA_LENGTH_INDICATOR)) {
+- if (work->hdr.frame_data_size <= 4)
++ if (frame_data_size <= 4)
+ return FALSE;
+ if (ID3V2_VER_MAJOR (work->hdr.version) == 3) {
+ work->parse_size = GST_READ_UINT32_BE (frame_data);
+--
+2.31.1
+
diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
new file mode 100644
index 0000000000..c8c3ee6cf1
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3497.patch
@@ -0,0 +1,174 @@
+Fix CVE-2021-3497:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3497
+https://gstreamer.freedesktop.org/security/sa-2021-0002.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 467815986c8c3d86fd8906a0d539b34f67d6693e..0e47ee7b5e25ac3331f30439710ae755235f2a22 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -3851,6 +3851,12 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ guint32 block_samples, tmp;
+ gsize size = gst_buffer_get_size (*buf);
+
++ if (size < 4) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ return GST_FLOW_ERROR;
++ }
++
+ gst_buffer_extract (*buf, 0, &tmp, sizeof (guint32));
+ block_samples = GUINT32_FROM_LE (tmp);
+ /* we need to reconstruct the header of the wavpack block */
+@@ -3858,10 +3864,10 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ /* -20 because ck_size is the size of the wavpack block -8
+ * and lace_size is the size of the wavpack block + 12
+ * (the three guint32 of the header that already are in the buffer) */
+- wvh.ck_size = size + sizeof (Wavpack4Header) - 20;
++ wvh.ck_size = size + WAVPACK4_HEADER_SIZE - 20;
+
+ /* block_samples, flags and crc are already in the buffer */
+- newbuf = gst_buffer_new_allocate (NULL, sizeof (Wavpack4Header) - 12, NULL);
++ newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE - 12, NULL);
+
+ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+ data = outmap.data;
+@@ -3886,9 +3892,11 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ audiocontext->wvpk_block_index += block_samples;
+ } else {
+ guint8 *outdata = NULL;
+- guint outpos = 0;
+- gsize buf_size, size, out_size = 0;
++ gsize buf_size, size;
+ guint32 block_samples, flags, crc, blocksize;
++ GstAdapter *adapter;
++
++ adapter = gst_adapter_new ();
+
+ gst_buffer_map (*buf, &map, GST_MAP_READ);
+ buf_data = map.data;
+@@ -3897,6 +3905,7 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ if (buf_size < 4) {
+ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
+ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
+ return GST_FLOW_ERROR;
+ }
+
+@@ -3918,59 +3927,57 @@ gst_matroska_demux_add_wvpk_header (GstElement * element,
+ data += 4;
+ size -= 4;
+
+- if (blocksize == 0 || size < blocksize)
+- break;
+-
+- g_assert ((newbuf == NULL) == (outdata == NULL));
++ if (blocksize == 0 || size < blocksize) {
++ GST_ERROR_OBJECT (element, "Too small wavpack buffer");
++ gst_buffer_unmap (*buf, &map);
++ g_object_unref (adapter);
++ return GST_FLOW_ERROR;
++ }
+
+- if (newbuf == NULL) {
+- out_size = sizeof (Wavpack4Header) + blocksize;
+- newbuf = gst_buffer_new_allocate (NULL, out_size, NULL);
++ g_assert (newbuf == NULL);
+
+- gst_buffer_copy_into (newbuf, *buf,
+- GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ newbuf =
++ gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize,
++ NULL);
++ gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
++ outdata = outmap.data;
++
++ outdata[0] = 'w';
++ outdata[1] = 'v';
++ outdata[2] = 'p';
++ outdata[3] = 'k';
++ outdata += 4;
++
++ GST_WRITE_UINT32_LE (outdata, blocksize + WAVPACK4_HEADER_SIZE - 8);
++ GST_WRITE_UINT16_LE (outdata + 4, wvh.version);
++ GST_WRITE_UINT8 (outdata + 6, wvh.track_no);
++ GST_WRITE_UINT8 (outdata + 7, wvh.index_no);
++ GST_WRITE_UINT32_LE (outdata + 8, wvh.total_samples);
++ GST_WRITE_UINT32_LE (outdata + 12, wvh.block_index);
++ GST_WRITE_UINT32_LE (outdata + 16, block_samples);
++ GST_WRITE_UINT32_LE (outdata + 20, flags);
++ GST_WRITE_UINT32_LE (outdata + 24, crc);
++ outdata += 28;
++
++ memcpy (outdata, data, blocksize);
+
+- outpos = 0;
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- } else {
+- gst_buffer_unmap (newbuf, &outmap);
+- out_size += sizeof (Wavpack4Header) + blocksize;
+- gst_buffer_set_size (newbuf, out_size);
+- gst_buffer_map (newbuf, &outmap, GST_MAP_WRITE);
+- outdata = outmap.data;
+- }
++ gst_buffer_unmap (newbuf, &outmap);
++ gst_adapter_push (adapter, newbuf);
++ newbuf = NULL;
+
+- outdata[outpos] = 'w';
+- outdata[outpos + 1] = 'v';
+- outdata[outpos + 2] = 'p';
+- outdata[outpos + 3] = 'k';
+- outpos += 4;
+-
+- GST_WRITE_UINT32_LE (outdata + outpos,
+- blocksize + sizeof (Wavpack4Header) - 8);
+- GST_WRITE_UINT16_LE (outdata + outpos + 4, wvh.version);
+- GST_WRITE_UINT8 (outdata + outpos + 6, wvh.track_no);
+- GST_WRITE_UINT8 (outdata + outpos + 7, wvh.index_no);
+- GST_WRITE_UINT32_LE (outdata + outpos + 8, wvh.total_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 12, wvh.block_index);
+- GST_WRITE_UINT32_LE (outdata + outpos + 16, block_samples);
+- GST_WRITE_UINT32_LE (outdata + outpos + 20, flags);
+- GST_WRITE_UINT32_LE (outdata + outpos + 24, crc);
+- outpos += 28;
+-
+- memmove (outdata + outpos, data, blocksize);
+- outpos += blocksize;
+ data += blocksize;
+ size -= blocksize;
+ }
+ gst_buffer_unmap (*buf, &map);
+- gst_buffer_unref (*buf);
+
+- if (newbuf)
+- gst_buffer_unmap (newbuf, &outmap);
++ newbuf = gst_adapter_take_buffer (adapter, gst_adapter_available (adapter));
++ g_object_unref (adapter);
+
++ gst_buffer_copy_into (newbuf, *buf,
++ GST_BUFFER_COPY_TIMESTAMPS | GST_BUFFER_COPY_FLAGS, 0, -1);
++ gst_buffer_unref (*buf);
+ *buf = newbuf;
++
+ audiocontext->wvpk_block_index += block_samples;
+ }
+
+diff --git a/gst/matroska/matroska-ids.h b/gst/matroska/matroska-ids.h
+index 429213f778063ba0063944ab64ad60373bbce5ee..8d4a685a910ec13100a3c3d156b2412d28ec0522 100644
+--- a/gst/matroska/matroska-ids.h
++++ b/gst/matroska/matroska-ids.h
+@@ -688,6 +688,8 @@ typedef struct _Wavpack4Header {
+ guint32 crc; /* crc for actual decoded data */
+ } Wavpack4Header;
+
++#define WAVPACK4_HEADER_SIZE (32)
++
+ typedef enum {
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_FRAME = (1<<0),
+ GST_MATROSKA_TRACK_ENCODING_SCOPE_CODEC_DATA = (1<<1),
diff --git a/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch
new file mode 100644
index 0000000000..50eb42f126
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-CVE-2021-3498.patch
@@ -0,0 +1,22 @@
+Fix CVE-2021-3498:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3498
+https://gstreamer.freedesktop.org/security/sa-2021-0003.html
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/02174790726dd20a5c73ce2002189bf240ad4fe0?merge_request_iid=903
+
+diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
+index 4d0234743b8cf243b4521e56ef9027ba23b1b5d0..467815986c8c3d86fd8906a0d539b34f67d6693e 100644
+--- a/gst/matroska/matroska-demux.c
++++ b/gst/matroska/matroska-demux.c
+@@ -692,6 +692,8 @@ gst_matroska_demux_parse_stream (GstMatroskaDemux * demux, GstEbmlRead * ebml,
+
+ DEBUG_ELEMENT_START (demux, ebml, "TrackEntry");
+
++ *dest_context = NULL;
++
+ /* start with the master */
+ if ((ret = gst_ebml_read_master (ebml, &id)) != GST_FLOW_OK) {
+ DEBUG_ELEMENT_STOP (demux, ebml, "TrackEntry", ret);
diff --git a/gnu/packages/patches/gst-plugins-good-fix-test.patch b/gnu/packages/patches/gst-plugins-good-fix-test.patch
new file mode 100644
index 0000000000..38ec0ba802
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-fix-test.patch
@@ -0,0 +1,94 @@
+Fix a broken test:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
+
+Patches copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/f5310ce346180a717f091f2f09bcbb3ddfb15436
+
+From 2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Thu, 12 Nov 2020 23:38:21 +0000
+Subject: [PATCH 1/2] tests: qtdemux: fix crash on 32-bit architectures
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
+---
+ tests/check/elements/qtdemux.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
+index 5271c6576..0c748278b 100644
+--- a/tests/check/elements/qtdemux.c
++++ b/tests/check/elements/qtdemux.c
+@@ -797,9 +797,10 @@ GST_START_TEST (test_qtdemux_pad_names)
+ "protection-system", G_TYPE_STRING,
+ "9a04f079-9840-4286-ab92-e65be0885f95", NULL);
+ caps =
+- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
+- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
+- GST_TYPE_CAPS, mediacaps, NULL);
++ gst_caps_new_simple ("video/quicktime",
++ "variant", G_TYPE_STRING, "mss-fragmented",
++ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+
+ /* Send segment event* */
+ event = gst_event_new_caps (caps);
+@@ -852,9 +853,10 @@ GST_START_TEST (test_qtdemux_pad_names)
+ "protection-system", G_TYPE_STRING,
+ "9a04f079-9840-4286-ab92-e65be0885f95", NULL);
+ caps =
+- gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
+- "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
+- GST_TYPE_CAPS, mediacaps, NULL);
++ gst_caps_new_simple ("video/quicktime",
++ "variant", G_TYPE_STRING, "mss-fragmented",
++ "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+
+ /* Send segment event* */
+ event = gst_event_new_caps (caps);
+--
+2.30.0
+
+
+From f5310ce346180a717f091f2f09bcbb3ddfb15436 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Thu, 12 Nov 2020 23:39:21 +0000
+Subject: [PATCH 2/2] tests: qtdemux: fix typo in caps field
+
+timesacle -> timescale
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
+---
+ tests/check/elements/qtdemux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
+index 0c748278b..4a14c45c0 100644
+--- a/tests/check/elements/qtdemux.c
++++ b/tests/check/elements/qtdemux.c
+@@ -799,7 +799,7 @@ GST_START_TEST (test_qtdemux_pad_names)
+ caps =
+ gst_caps_new_simple ("video/quicktime",
+ "variant", G_TYPE_STRING, "mss-fragmented",
+- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+
+ /* Send segment event* */
+@@ -855,7 +855,7 @@ GST_START_TEST (test_qtdemux_pad_names)
+ caps =
+ gst_caps_new_simple ("video/quicktime",
+ "variant", G_TYPE_STRING, "mss-fragmented",
+- "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++ "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+ "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+
+ /* Send segment event* */
+--
+2.30.0
+
diff --git a/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
new file mode 100644
index 0000000000..3c6a96f45d
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-ugly-fix-out-of-bound-reads.patch
@@ -0,0 +1,119 @@
+Fix out of bounds reads when parsing audio and video packets:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-4DAA44
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
+From 3aba7d1e625554b2407bc77b3d09b4928b937d5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Wed, 3 Mar 2021 11:05:14 +0200
+Subject: [PATCH] rmdemux: Make sure we have enough data available when parsing
+ audio/video packets
+
+Otherwise there will be out-of-bounds reads and potential crashes.
+
+Thanks to Natalie Silvanovich for reporting.
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/merge_requests/74>
+---
+ gst/realmedia/rmdemux.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/gst/realmedia/rmdemux.c b/gst/realmedia/rmdemux.c
+index 6cc659a1..68b0736b 100644
+--- a/gst/realmedia/rmdemux.c
++++ b/gst/realmedia/rmdemux.c
+@@ -2223,6 +2223,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+
+ gst_buffer_map (in, &map, GST_MAP_READ);
+
++ if (map.size < offset)
++ goto not_enough_data;
++
+ data = map.data + offset;
+ size = map.size - offset;
+
+@@ -2289,6 +2292,9 @@ gst_rmdemux_parse_video_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ }
+ GST_DEBUG_OBJECT (rmdemux, "fragment size %d", fragment_size);
+
++ if (map.size < (data - map.data) + fragment_size)
++ goto not_enough_data;
++
+ /* get the fragment */
+ fragment =
+ gst_buffer_copy_region (in, GST_BUFFER_COPY_ALL, data - map.data,
+@@ -2437,6 +2443,9 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ GstFlowReturn ret;
+ GstBuffer *buffer;
+
++ if (gst_buffer_get_size (in) < offset)
++ goto not_enough_data;
++
+ buffer = gst_buffer_copy_region (in, GST_BUFFER_COPY_MEMORY, offset, -1);
+
+ if (rmdemux->first_ts != -1 && timestamp > rmdemux->first_ts)
+@@ -2467,9 +2476,19 @@ gst_rmdemux_parse_audio_packet (GstRMDemux * rmdemux, GstRMDemuxStream * stream,
+ ret = gst_pad_push (stream->pad, buffer);
+ }
+
++done:
+ gst_buffer_unref (in);
+
+ return ret;
++
++ /* ERRORS */
++not_enough_data:
++ {
++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++ (NULL));
++ ret = GST_FLOW_OK;
++ goto done;
++ }
+ }
+
+ static GstFlowReturn
+@@ -2490,6 +2509,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+ data = map.data;
+ size = map.size;
+
++ if (size < 4 + 6 + 1 + 2)
++ goto not_enough_data;
++
+ /* stream number */
+ id = RMDEMUX_GUINT16_GET (data);
+
+@@ -2525,6 +2547,9 @@ gst_rmdemux_parse_packet (GstRMDemux * rmdemux, GstBuffer * in, guint16 version)
+
+ /* version 1 has an extra byte */
+ if (version == 1) {
++ if (size < 1)
++ goto not_enough_data;
++
+ data += 1;
+ size -= 1;
+ }
+@@ -2596,6 +2621,16 @@ unknown_stream:
+ gst_buffer_unref (in);
+ return GST_FLOW_OK;
+ }
++
++ /* ERRORS */
++not_enough_data:
++ {
++ GST_ELEMENT_WARNING (rmdemux, STREAM, DECODE, ("Skipping bad packet."),
++ (NULL));
++ gst_buffer_unmap (in, &map);
++ gst_buffer_unref (in);
++ return GST_FLOW_OK;
++ }
+ }
+
+ gboolean
+--
+2.31.1
+