From: Caolán McNamara Date: Fri, 3 Nov 2023 14:20:07 +0000 (+0000) Subject: CVE-2023-6185 escape url passed to gstreamer X-Git-Tag: archive/raspbian/1%6.1.5-3+rpi1+deb10u11^2~17 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ffa853fda9df85860c28790346541d9e3b09c585;p=libreoffice.git CVE-2023-6185 escape url passed to gstreamer Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158895 Tested-by: Jenkins CollaboraOffice Reviewed-by: Miklos Vajna (cherry picked from commit 2ee1167da1952b133280db2ae26eed6bf0303bc2) (cherry picked from commit a77d9c151f043f070512488d84f0b839f4ed4553) (cherry picked from commit 2b896a0ba8818804b89735bd7c8991fa8eb3d7b5) (cherry picked from commit 0f14350fe70907d4466bcef15bfe05865b37babd) (cherry picked from commit 9b7df77e3491add0919d8de993df0f40d7c58a70) (cherry picked from commit 714e464631533901314f3189ce293dca47bec20e) (cherry picked from commit cc41f40d696cec7c3ecec147b899d45d09f4629c) (cherry picked from commit b3299fe7ae71b0ed781284a49cb03e34af15fcc0) Change-Id: I3c93ee34800cc8563370f75ef3ef6f8a9220e6ec origin: https://github.com/LibreOffice/core/commit/ba2cefc4cb8f8ed3c89cd195bb8d2eb4417b1b61.patch bug: https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185/ bug-freexian-security: https://deb.freexian.com/extended-lts/tracker/CVE-2023-6185 Gbp-Pq: Name 0081-CVE-2023-6185-escape-url-passed-to-gstreamer.patch
---
diff --git a/avmedia/source/gstreamer/gstframegrabber.cxx b/avmedia/source/gstreamer/gstframegrabber.cxx
index def1018baee..fddfad173eb 100644
--- a/avmedia/source/gstreamer/gstframegrabber.cxx
+++ b/avmedia/source/gstreamer/gstframegrabber.cxx
@@ -56,18 +56,17 @@ void FrameGrabber::disposePipeline()
 FrameGrabber::FrameGrabber( const OUString &rURL ) :
 FrameGrabber_BASE()
 {
- gchar *pPipelineStr;
- pPipelineStr = g_strdup_printf(
+ const char pPipelineStr[] =
 #ifdef AVMEDIA_GST_0_10
- "uridecodebin uri=%s ! ffmpegcolorspace ! videoscale ! appsink "
+ "uridecodebin name=source ! ffmpegcolorspace ! videoscale ! appsink "
 "name=sink caps=\"video/x-raw-rgb,format=RGB,pixel-aspect-ratio=1/1,"
 "bpp=(int)24,depth=(int)24,endianness=(int)4321,"
- "red_mask=(int)0xff0000, green_mask=(int)0x00ff00, blue_mask=(int)0x0000ff\"",
+ "red_mask=(int)0xff0000, green_mask=(int)0x00ff00, blue_mask=(int)0x0000ff\""
 #else
- "uridecodebin uri=%s ! videoconvert ! videoscale ! appsink "
- "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\"",
+ "uridecodebin name=source ! videoconvert ! videoscale ! appsink "
+ "name=sink caps=\"video/x-raw,format=RGB,pixel-aspect-ratio=1/1\""
 #endif
- OUStringToOString( rURL, RTL_TEXTENCODING_UTF8 ).getStr() );
+ ;
 GError *pError = nullptr;
 mpPipeline = gst_parse_launch( pPipelineStr, &pError );
@@ -78,6 +77,12 @@ FrameGrabber::FrameGrabber( const OUString &rURL ) :
 }
 if( mpPipeline ) {
+
+ if (GstElement *pUriDecode = gst_bin_get_by_name(GST_BIN(mpPipeline), "source"))
+ g_object_set(pUriDecode, "uri", OUStringToOString(rURL, RTL_TEXTENCODING_UTF8).getStr(), nullptr);
+ else
+ g_warning("Missing 'source' element in gstreamer pipeline");
+
 // pre-roll
 switch( gst_element_set_state( mpPipeline, GST_STATE_PAUSED ) ) {
 case GST_STATE_CHANGE_FAILURE:
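Review bot: Nothing in the new code records why the URL is kept out of the launch description, so a later cleanup could put the `uri=%s` form back. A comment above `const char pPipelineStr[] =` would pin it down, for example `// rURL must never be formatted into this string: gst_parse_launch() parses it as pipeline syntax. The uri is set as a property on "source" after parsing.` The element name `source` is now a contract between this literal and the `gst_bin_get_by_name()` lookup in the next hunk, so a single named constant for it would keep the two from drifting apart. The constructor body continues outside the hunk.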
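Review bot: The reference returned by `gst_bin_get_by_name()` is never released in the added block; that call hands back a new reference to the element, so `pUriDecode` leaks one ref each time the constructor runs. Bracing the `if` and adding `gst_object_unref(pUriDecode);` right after the `g_object_set(...)` call would fix it. Separately, the `else` branch only logs and then falls through to the pre-roll `switch` with no uri set; it looks safer to tear the pipeline down there (the file has `disposePipeline()`), though the `switch` body continues outside the hunk, so the existing `GST_STATE_CHANGE_FAILURE` handling may already cover that case.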