https://bugs.gentoo.org/974286
https://gstreamer.freedesktop.org/security/sa-2026-0021.html
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11247

From 83becc83eac477ecb97171f8278b0047dd7b6d5f Mon Sep 17 00:00:00 2001
From: Cameron O'Neal <tzusec@gmail.com>
Date: Wed, 1 Apr 2026 13:42:51 +0300
Subject: [PATCH 1/2] wavparse: Fix integer overflow when checking available
 buffer size for reading cues

See https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5009

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11247>
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -796,6 +796,7 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
   guint32 i, ncues;
   GList *cues = NULL;
   GstWavParseCue *cue;
+  guint32 expected_size;
 
   if (wav->cues) {
     GST_WARNING_OBJECT (wav, "found another cue's");
@@ -808,14 +809,15 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
   }
 
   ncues = GST_READ_UINT32_LE (data);
+  size -= 4;
+  data += 4;
 
-  if (size < 4 + ncues * 24) {
+  if (!g_uint_checked_mul (&expected_size, ncues, 24) || size < expected_size) {
     GST_WARNING_OBJECT (wav, "broken file %d %d", size, ncues);
     return FALSE;
   }
 
   /* parse data */
-  data += 4;
   for (i = 0; i < ncues; i++) {
     cue = g_new0 (GstWavParseCue, 1);
     cue->id = GST_READ_UINT32_LE (data);
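Review bot: The added `size -= 4;` is an unsigned subtraction that wraps to a very large value if `size` is below 4, and a wrapped `size` would pass the `size < expected_size` comparison that follows. The hunk shows only the closing brace of the preceding block, so an earlier `size < 4` guard presumably exists; please confirm it and pin the dependency with a comment such as `/* size >= 4 was checked above, so this cannot wrap */`. Separately, the warning inside the check now prints the already-reduced `size`, and both arguments are `guint32` values formatted with `%d`. `GST_WARNING_OBJECT (wav, "broken file %u %u", size, ncues);` would log them as unsigned, which matters for exactly the large `ncues` values this check rejects. The body of gst_wavparse_cue_chunk starts before and continues after this hunk.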
-- 
GitLab


From 44f04fb2871a173027adcfdbafb72d31fddfec7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Wed, 1 Apr 2026 13:44:52 +0300
Subject: [PATCH 2/2] wavparse: Use prepend+reverse instead of append when
 building the cues list

append has quadratic behaviour and this can matter if there are a lot of cues.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11247>
--- a/gst/wavparse/gstwavparse.c
+++ b/gst/wavparse/gstwavparse.c
@@ -826,11 +826,11 @@ gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
     cue->chunk_start = GST_READ_UINT32_LE (data + 12);
     cue->block_start = GST_READ_UINT32_LE (data + 16);
     cue->sample_offset = GST_READ_UINT32_LE (data + 20);
-    cues = g_list_append (cues, cue);
+    cues = g_list_prepend (cues, cue);
     data += 24;
   }
 
-  wav->cues = cues;
+  wav->cues = g_list_reverse (cues);
 
   return TRUE;
 }
-- 
GitLab

