1. 02 Feb, 2022 2 commits
  2. 01 Feb, 2022 2 commits
      tagdemux: Fix crash when presented with malformed files · 11675e48
      Jeremy Cline authored and Tim-Philipp Müller committed
      There's a race condition in gsttagdemux.c between typefinding and the
      end-of-stream event. If TYPE_FIND_MAX_SIZE is exceeded,
      demux->priv->collect is set to NULL and an error is returned. However,
      the end-of-stream event causes one last attempt at typefinding to occur.
      
      This leads to gst_tag_demux_trim_buffer() being called with the NULL
      demux->priv->collect buffer which it attempts to dereference, resulting
      in a segfault.
      
      The malicious MP3 can be created by:
      
      printf "\x49\x44\x33\x04\x00\x00\x00\x00\x00\x00%s", \
          "$(dd if=/dev/urandom bs=1K count=200)" > malicious.mp3
      
      This creates a valid ID3 header which gets us as far as typefinding. The
      crash can then be reproduced with the following pipeline:
      
      gst-launch-1.0 -e filesrc location=malicious.mp3 ! queue ! decodebin ! audioconvert ! vorbisenc ! oggmux ! filesink location=malicious.ogg
      
      Fixes #959
      
      Part-of: <https://gitlab.freedes...
      gstvideoencoder: make sure the buffer is writable before modifying metadata · 8d6c1cad
      Jordan Petridіs authored and Tim-Philipp Müller committed
      Similar to ae8d0cf3
      
      Part-of: <!1294>
  3. 28 Jan, 2022 1 commit
  4. 20 Jan, 2022 2 commits
  5. 18 Jan, 2022 2 commits
      oggdemux: fix a race in push mode when performing the duration seek · cd06dcc0
      Matthew Waters authored and Tim-Philipp Müller committed
      There may be two or more threads involved here however the important
      interaction is the use of the ogg->seek_event_drop_till value that was only
      set in the push-mode seek-event thread and could race with upstream
      sending e.g. an EOS (or data).
      
      Scenario is this:
      1. oggdemux performs a seek to near the end of the file to try and find
         the duration. ogg->push_state is set to PUSH_DURATION.
      2. Seek is picked up by the dedicated seek event thread and sets
         ogg->seek_event_drop_till to the seek event's seqnum.
      3. Most operations are blocked or dropped waiting on the duration to
         be determined and processing continues until a duration is found.
      4. Two branching options for how this ultimately plays out
      4a. The source is too fast and we receive an EOS event which is dropped
          because ogg->push_state == PUSH_DURATION.  In this case everything
          works.
      4b. We hit our 'almost at the end' check in
          gst_ogg_pad_handle_push_mode_state() and ...
      uridecodebin: Fix critical warnings · 96d4190f
      Seungha Yang authored and Tim-Philipp Müller committed
      Don't pass a non-GstObject object there.
      
      Part-of: <!1290>
  6. 17 Jan, 2022 1 commit
      audio-converter: Fix resampling when there's nothing to output · 47117324
      Nirbheek Chauhan authored and Tim-Philipp Müller committed
      Sometimes we can't output anything because we don't have enough
      incoming frames. In that case, the resampler was trying to call
      do_quantize() and do_resample() in a loop forever because there would
      never be samples to output (so chain->samples would always be NULL).
      
      Fix this by not calling chain->make_func() in a loop -- seems
      completely unnecessary since calling it over and over won't change
      anything if the make_func() can't output samples.
      
      Also add some checks for the input and / or output being NULL when
      doing conversion or quantization. This will happen when we have
      nothing to output.
      
      We can't bail early, because we need resampler->samples_avail to be
      updated in gst_audio_resampler_resample(), so we must call that and
      no-op everything along the way.
      
      Part-of: <!1289>
  7. 20 Nov, 2021 3 commits
  8. 31 Oct, 2021 3 commits
  9. 29 Oct, 2021 2 commits
  10. 08 Sep, 2021 2 commits
  11. 06 Sep, 2021 1 commit
      rtspconnection: Consistently translate GIOError to GstRTSPResult · e0166ef7
      Nirbheek Chauhan authored and Tim-Philipp Müller committed
      The users of this API need to be able to differentiate between EINTR
      and ERROR. For example, in rtspsrc, gst_rtsp_conninfo_connect()
      behaves differently when gst_rtsp_connection_connect_with_response_usec()
      returns an ERROR or EINTR. The former is an element error while the
      latter is simply a GST_ERROR since it was a user cancellation of the
      connection attempt.
      
      Due to this, rtspsrc was incorrectly emitting element errors while
      going to NULL, which would or would not reach the application in
      a racy manner.
      
      Part-of: <!1271>
  12. 05 Aug, 2021 1 commit
  13. 16 Jul, 2021 1 commit
      audioaggregator: Resync on the next buffer when dropping a buffer on discont resyncing · 93733ba1
      Sebastian Dröge authored and Tim-Philipp Müller committed
      If a buffer is dropped during resyncing on a discont because either its
      end offset is already before the current output offset of the
      aggregator or because it fully overlaps with the part of the current
      output buffer that was already filled, then don't just assume that the
      next buffer is going to start at exactly the expected offset. It might
      still require some more dropping of samples.
      
      This caused the input to be mixed with an offset to its actual position
      in the output stream, causing additional latency and wrong
      synchronization between the different input streams.
      
      Instead consider each buffer after a discont as a discont until the
      aggregator actually resynced and starts mixing samples from the input
      again.
      
      Also update the start output offset of a new input buffer if samples
      have to be dropped at the beginning. Otherwise it might be mixed too
      early into the output and overwrite part of the output buffer that
      already took samples from this input into account.
      
      Fixes #912
      which is a regression introduced by !1180
      
      Part-of: <!1228>
  14. 07 Jul, 2021 2 commits
  15. 28 Jun, 2021 1 commit
  16. 24 Jun, 2021 1 commit
  17. 22 Jun, 2021 1 commit
  18. 02 Jun, 2021 3 commits
  19. 01 Jun, 2021 2 commits
  20. 20 May, 2021 1 commit
      compositor: Fix NV12 blend operation · 0f86fca8
      Nicolas Dufresne authored
      The full src_height/width was being used instead of the remaining
      width/height for the current band. As a side effect, that value would
      get erroneously reset and would cause overrun.
      
      Fixes #887
      
      Part-of: <!1163>
  21. 03 May, 2021 2 commits
  22. 30 Apr, 2021 1 commit
  23. 27 Apr, 2021 1 commit
  24. 21 Apr, 2021 2 commits