From effbbfd771487cc06c79d5a7e447a849884cc6cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Mon, 30 Sep 2024 19:06:03 +0300
Subject: [PATCH 5/7] matroskademux: Skip over laces directly when
 postprocessing the frame fails

Otherwise NULL buffers might be handled afterwards.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-249
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8108>

CVE: CVE-2024-47540
CVE: CVE-2024-47601
CVE: CVE-2024-47602
CVE: CVE-2024-47603
CVE: CVE-2024-47834
Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/effbbfd771487cc06c79d5a7e447a849884cc6cf]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../gst-plugins-good/gst/matroska/matroska-demux.c   | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 98ed51e86a..e0a4405dce 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -4982,6 +4982,18 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
       if (stream->postprocess_frame) {
         GST_LOG_OBJECT (demux, "running post process");
         ret = stream->postprocess_frame (GST_ELEMENT (demux), stream, &sub);
+        if (ret != GST_FLOW_OK) {
+          gst_clear_buffer (&sub);
+          goto next_lace;
+        }
+
+        if (sub == NULL) {
+          GST_WARNING_OBJECT (demux,
+              "Postprocessing buffer with timestamp %" GST_TIME_FORMAT
+              " for stream %d failed", GST_TIME_ARGS (buffer_timestamp),
+              stream_num);
+          goto next_lace;
+        }
       }
 
       /* At this point, we have a sub-buffer pointing at data within a larger
-- 
2.30.2