summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKang Kai <kai.kang@windriver.com>2015-05-22 15:52:24 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2015-05-28 10:35:13 +0200
commitc7807315c194cef61bd015659a24115adb8d91e4 (patch)
treecfdd1927a3eeac57d92a0b5753d9c92635496f60
parentfa01c2614a4e58937cd73d0f5d8b17df935bc5b5 (diff)
downloadmeta-openembedded-c7807315c194cef61bd015659a24115adb8d91e4.tar.gz
gst-ffmpeg: fix CVE issues
Backport patches to fix following CVE issues: * CVE-2011-4352 * CVE-2014-7933 * CVE-2014-8542 * CVE-2014-8543 * CVE-2014-8544 * CVE-2014-8545 * CVE-2014-8546 * CVE-2014-8547 * CVE-2014-9318 * CVE-2014-9603 Patch for CVE-2014-9603 in upstream is applied for version 2.x. Becuase source code changes, just partly backport part of the commit which is applicable to version 0.10.13. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch64
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch38
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch38
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch35
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch56
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch36
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch35
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch59
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch37
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch41
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb10
11 files changed, 449 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch
new file mode 100644
index 000000000..90f3fd031
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch
@@ -0,0 +1,64 @@
1From 8b94df0f2047e9728cb872adc9e64557b7a5152f Mon Sep 17 00:00:00 2001
2From: Reinhard Tartler <siretart@tauware.de>
3Date: Sun, 4 Dec 2011 10:10:33 +0100
4Subject: [PATCH] vp3dec: Check coefficient index in vp3_dequant()
5
6Based on a patch by Michael Niedermayer <michaelni@gmx.at>
7
8Fixes NGS00145, CVE-2011-4352
9
10Found-by: Phillip Langlois
11Signed-off-by: Reinhard Tartler <siretart@tauware.de>
12
13
14Upstream-Status: Backport
15
16http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b94df0f2047e9728cb872adc9e64557b7a5152f
17
18Signed-off-by: Kai Kang <kai.kang@windriver.com>
19---
20 libavcodec/vp3.c | 14 ++++++++++++--
21 1 file changed, 12 insertions(+), 2 deletions(-)
22
23diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
24index 51ab048..f44d084 100644
25--- a/gst-libs/ext/libav/libavcodec/vp3.c
26+++ b/gst-libs/ext/libav/libavcodec/vp3.c
27@@ -1363,6 +1363,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
28 case 1: // zero run
29 s->dct_tokens[plane][i]++;
30 i += (token >> 2) & 0x7f;
31+ if (i > 63) {
32+ av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n");
33+ return i;
34+ }
35 block[perm[i]] = (token >> 9) * dequantizer[perm[i]];
36 i++;
37 break;
38@@ -1566,7 +1570,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
39 /* invert DCT and place (or add) in final output */
40
41 if (s->all_fragments[i].coding_method == MODE_INTRA) {
42- vp3_dequant(s, s->all_fragments + i, plane, 0, block);
43+ int index;
44+ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
45+ if (index > 63)
46+ continue;
47 if(s->avctx->idct_algo!=FF_IDCT_VP3)
48 block[0] += 128<<3;
49 s->dsp.idct_put(
50@@ -1574,7 +1581,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
51 stride,
52 block);
53 } else {
54- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
55+ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
56+ if (index > 63)
57+ continue;
58+ if (index > 0) {
59 s->dsp.idct_add(
60 output_plane + first_pixel,
61 stride,
62--
632.1.1
64
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch
new file mode 100644
index 000000000..3c537c77a
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch
@@ -0,0 +1,38 @@
1From 2266b8bc3370856d874334ba62b337ce4f1eb255 Mon Sep 17 00:00:00 2001
2From: Kai Kang <kai.kang@windriver.com>
3Date: Wed, 13 May 2015 16:46:06 +0800
4Subject: [PATCH 2/2] gst-ffmpeg: fix CVE-2014-7933
5
6Upstream-Status: Backport
7
8http://git.videolan.org/?p=ffmpeg.git;a=commit;h=33301f00
9
10Signed-off-by: Kai Kang <kai.kang@windriver.com>
11---
12 gst-libs/ext/libav/libavformat/matroskadec.c | 3 ++-
13 1 file changed, 2 insertions(+), 1 deletion(-)
14
15diff --git a/gst-libs/ext/libav/libavformat/matroskadec.c b/gst-libs/ext/libav/libavformat/matroskadec.c
16index 59dce4f..e5f5fc1 100644
17--- a/gst-libs/ext/libav/libavformat/matroskadec.c
18+++ b/gst-libs/ext/libav/libavformat/matroskadec.c
19@@ -1916,7 +1916,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index,
20 int64_t timestamp, int flags)
21 {
22 MatroskaDemuxContext *matroska = s->priv_data;
23- MatroskaTrack *tracks = matroska->tracks.elem;
24+ MatroskaTrack *tracks = NULL;
25 AVStream *st = s->streams[stream_index];
26 int i, index, index_sub, index_min;
27
28@@ -1939,6 +1939,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index,
29 return 0;
30
31 index_min = index;
32+ tracks = matroska->tracks.elem;
33 for (i=0; i < matroska->tracks.nb_elem; i++) {
34 tracks[i].audio.pkt_cnt = 0;
35 tracks[i].audio.sub_packet_cnt = 0;
36--
371.9.1
38
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch
new file mode 100644
index 000000000..ca47c814c
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch
@@ -0,0 +1,38 @@
1From 105654e376a736d243aef4a1d121abebce912e6b Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 04:30:58 +0200
4Subject: [PATCH] avcodec/utils: Add case for jv to
5 avcodec_align_dimensions2()
6
7(Upstream commit 105654e376a736d243aef4a1d121abebce912e6b)
8
9Fixes out of array accesses
10Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv
11
12Upstream-Status: Backport
13
14Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
15Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16Signed-off-by: Yue Tao <yue.tao@windriver.com>
17---
18 libavcodec/utils.c | 4 ++++
19 1 file changed, 4 insertions(+)
20
21diff --git a/libavcodec/utils.c b/libavcodec/utils.c
22index d4f5532..c2c5579 100644
23--- a/gst-libs/ext/libav/libavcodec/utils.c
24+++ b/gst-libs/ext/libav/libavcodec/utils.c
25@@ -173,6 +173,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l
26 w_align=4;
27 h_align=4;
28 }
29+ if (s->codec_id == CODEC_ID_JV){
30+ w_align = 8;
31+ h_align = 8;
32+ }
33 break;
34 case PIX_FMT_BGR24:
35 if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){
36--
371.7.9.5
38
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch
new file mode 100644
index 000000000..b65e55fc1
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch
@@ -0,0 +1,35 @@
1From 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 14:45:04 +0200
4Subject: [PATCH] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks
5
6(Upstream commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e)
7
8Fixes out of array access
9Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm
10
11Upstream-Status: Backport
12
13Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
14Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
15Signed-off-by: Yue Tao <yue.tao@windriver.com>
16---
17 libavcodec/mmvideo.c | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
21index 026d463..9ff6393 100644
22--- a/gst-libs/ext/libav/libavcodec/mmvideo.c
23+++ b/gst-libs/ext/libav/libavcodec/mmvideo.c
24@@ -104,7 +104,7 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const
25
26 if (color) {
27 memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length);
28- if (half_vert)
29+ if (half_vert && y + half_vert < s->avctx->height)
30 memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length);
31 }
32 x+= run_length;
33--
341.7.9.5
35
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch
new file mode 100644
index 000000000..a124e3a12
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch
@@ -0,0 +1,56 @@
1From e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 16:08:32 +0200
4Subject: [PATCH] avcodec/tiff: more completely check bpp/bppcount
5
6(Upstream commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5)
7
8Fixes pixel format selection
9Fixes out of array accesses
10Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif
11
12Upstream-Status: Backport
13
14Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
15Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16Signed-off-by: Yue Tao <yue.tao@windriver.com>
17---
18 libavcodec/tiff.c | 13 ++++++++++---
19 1 file changed, 10 insertions(+), 3 deletions(-)
20
21diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
22index 6e2096f..0870e31 100644
23--- a/gst-libs/ext/libav/libavcodec/tiff.c
24+++ b/gst-libs/ext/libav/libavcodec/tiff.c
25@@ -324,11 +324,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
26 s->height = value;
27 break;
28 case TIFF_BPP:
29- s->bppcount = count;
30- if(count > 4){
31- av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", s->bpp, count);
32+ if(count > 4U){
33+ av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count);
34 return -1;
35 }
36+ s->bppcount = count;
37 if(count == 1) s->bpp = value;
38 else{
39 switch(type){
40@@ -344,6 +344,13 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
41 s->bpp = -1;
42 }
43 }
44+ if (s->bpp > 64U) {
45+ av_log(s->avctx, AV_LOG_ERROR,
46+ "This format is not supported (bpp=%d, %d components)\n",
47+ s->bpp, count);
48+ s->bpp = 0;
49+ return AVERROR_INVALIDDATA;
50+ }
51 break;
52 case TIFF_SAMPLES_PER_PIXEL:
53 if (count != 1) {
54--
551.7.9.5
56
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch
new file mode 100644
index 000000000..29d5f776a
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch
@@ -0,0 +1,36 @@
1From 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 17:35:58 +0200
4Subject: [PATCH] avcodec/pngdec: Check bits per pixel before setting
5 monoblack pixel format
6
7(Upstream commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6)
8
9Fixes out of array accesses
10Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png
11
12Upstream-Status: Backport
13
14Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
15Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16Signed-off-by: Yue Tao <yue.tao@windriver.com>
17---
18 libavcodec/pngdec.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-)
20
21diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
22index da91aab..f3603b3 100644
23--- a/gst-libs/ext/libav/libavcodec/pngdec.c
24+++ b/gst-libs/ext/libav/libavcodec/pngdec.c
25@@ -481,7 +481,7 @@ static int decode_frame(AVCodecContext *avctx,
26 } else if (s->bit_depth == 16 &&
27 s->color_type == PNG_COLOR_TYPE_RGB) {
28 avctx->pix_fmt = PIX_FMT_RGB48BE;
29- } else if (s->bit_depth == 1 &&
30+ } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 &&
31 s->color_type == PNG_COLOR_TYPE_GRAY) {
32 avctx->pix_fmt = PIX_FMT_MONOBLACK;
33 } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
34--
351.7.9.5
36
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch
new file mode 100644
index 000000000..d55d9ebe6
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch
@@ -0,0 +1,35 @@
1From e7e5114c506957f40aafd794e06de1a7e341e9d5 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 19:33:01 +0200
4Subject: [PATCH] avcodec/cinepak: fix integer underflow
5
6(Upstream commit e7e5114c506957f40aafd794e06de1a7e341e9d5)
7
8Fixes out of array access
9Fixes: asan_heap-oob_4da0ba_6_asan_heap-oob_4da0ba_241_cvid_crash.avi
10
11Upstream-status: Backport
12
13Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
14Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
15Signed-off-by: Yue Tao <yue.tao@windriver.com>
16---
17 libavcodec/cinepak.c | 2 +-
18 1 file changed, 1 insertion(+), 1 deletion(-)
19
20diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
21index 4746289..f651c48 100644
22--- a/gst-libs/ext/libav/libavcodec/cinepak.c
23+++ b/gst-libs/ext/libav/libavcodec/cinepak.c
24@@ -125,7 +125,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip,
25 const uint8_t *eod = (data + size);
26 uint32_t flag, mask;
27 cvid_codebook *codebook;
28- unsigned int x, y;
29+ int x, y;
30 uint32_t iy[4];
31 uint32_t iu[2];
32 uint32_t iv[2];
33--
341.7.9.5
35
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch
new file mode 100644
index 000000000..a8616fa55
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch
@@ -0,0 +1,59 @@
1From 8f1457864be8fb9653643519dea1c6492f1dde57 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 3 Oct 2014 20:15:52 +0200
4Subject: [PATCH] avcodec/gifdec: factorize interleave end handling out
5
6(Upstream commit 8f1457864be8fb9653643519dea1c6492f1dde57)
7
8also change it to a loop
9Fixes out of array access
10Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif
11
12Upstream-Status: Backport
13
14Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
15Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16Signed-off-by: Yue Tao <yue.tao@windriver.com>
17---
18 libavcodec/gifdec.c | 15 +++++----------
19 1 file changed, 5 insertions(+), 10 deletions(-)
20
21diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
22index dee48f5..90de38b 100644
23--- a/gst-libs/ext/libav/libavcodec/gifdec.c
24+++ b/gst-libs/ext/libav/libavcodec/gifdec.c
25@@ -271,26 +271,21 @@ static int gif_read_image(GifState *s, AVFrame *frame)
26 case 1:
27 y1 += 8;
28 ptr += linesize * 8;
29- if (y1 >= height) {
30- y1 = pass ? 2 : 4;
31- ptr = ptr1 + linesize * y1;
32- pass++;
33- }
34 break;
35 case 2:
36 y1 += 4;
37 ptr += linesize * 4;
38- if (y1 >= height) {
39- y1 = 1;
40- ptr = ptr1 + linesize;
41- pass++;
42- }
43 break;
44 case 3:
45 y1 += 2;
46 ptr += linesize * 2;
47 break;
48 }
49+ while (y1 >= height) {
50+ y1 = 4 >> pass;
51+ ptr = ptr1 + linesize * y1;
52+ pass++;
53+ }
54 } else {
55 ptr += linesize;
56 }
57--
581.7.9.5
59
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch
new file mode 100644
index 000000000..0553ceefd
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch
@@ -0,0 +1,37 @@
1From 0d3a3b9f8907625b361420d48fe05716859620ff Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Wed, 26 Nov 2014 18:56:39 +0100
4Subject: [PATCH] avcodec/rawdec: Check the return code of
5 avpicture_get_size()
6
7(Upstream commit 1d3a3b9f8907625b361420d48fe05716859620ff)
8
9Fixes out of array access
10Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
11Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
12
13Upstream-Status: Backport
14
15Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
16Signed-off-by: Yue Tao <yue.tao@windriver.com>
17---
18 libavcodec/rawdec.c | 3 +++
19 1 file changed, 3 insertions(+)
20
21diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
22index 28792a1..647dfa9 100644
23--- a/gst-libs/ext/libav/libavcodec/rawdec.c
24+++ b/gst-libs/ext/libav/libavcodec/rawdec.c
25@@ -87,6 +87,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx)
26
27 ff_set_systematic_pal2(context->palette, avctx->pix_fmt);
28 context->length = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height);
29+ if (context->length < 0)
30+ return context->length;
31+
32 if((avctx->bits_per_coded_sample == 4 || avctx->bits_per_coded_sample == 2) &&
33 avctx->pix_fmt==PIX_FMT_PAL8 &&
34 (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' '))){
35--
361.7.9.5
37
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch
new file mode 100644
index 000000000..5dda4cca2
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch
@@ -0,0 +1,41 @@
1From dc68faf8339a885bc55fabe5b01f1de4f8f3782c Mon Sep 17 00:00:00 2001
2From: Kai Kang <kai.kang@windriver.com>
3Date: Wed, 13 May 2015 16:30:53 +0800
4Subject: [PATCH 1/2] gst-ffmpeg: fix CVE-2014-9603
5
6Upstream-Status: Backport
7
8Upstream is version 2.x and vmdav.c is splitted into 2 files vmdaudio.c
9and vmdvideo.c. Becuase source code changes, just partly backport commit which
10is applicable to version 0.10.13 to fix CVE-2014-9603.
11
12http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd
13
14Signed-off-by: Kai Kang <kai.kang@windriver.com>
15---
16 gst-libs/ext/libav/libavcodec/vmdav.c | 7 +++++--
17 1 file changed, 5 insertions(+), 2 deletions(-)
18
19diff --git a/gst-libs/ext/libav/libavcodec/vmdav.c b/gst-libs/ext/libav/libavcodec/vmdav.c
20index d258252..ba88ad8 100644
21--- a/gst-libs/ext/libav/libavcodec/vmdav.c
22+++ b/gst-libs/ext/libav/libavcodec/vmdav.c
23@@ -294,10 +294,13 @@ static void vmd_decode(VmdVideoContext *s)
24 len = *pb++;
25 if (len & 0x80) {
26 len = (len & 0x7F) + 1;
27- if (*pb++ == 0xFF)
28+ if (*pb++ == 0xFF) {
29 len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
30- else
31+ } else {
32+ if (ofs + len > frame_width)
33+ return;
34 memcpy(&dp[ofs], pb, len);
35+ }
36 pb += len;
37 ofs += len;
38 } else {
39--
401.9.1
41
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb
index b5c838f9e..7bd7ec33d 100644
--- a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb
@@ -57,6 +57,16 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
57 file://0001-avcodec-smc-fix-off-by-1-error.patch \ 57 file://0001-avcodec-smc-fix-off-by-1-error.patch \
58 file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \ 58 file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \
59 file://libav-9.patch \ 59 file://libav-9.patch \
60 file://gst-ffmpeg-fix-CVE-2011-4352.patch \
61 file://gst-ffmpeg-fix-CVE-2014-7933.patch \
62 file://gst-ffmpeg-fix-CVE-2014-8542.patch \
63 file://gst-ffmpeg-fix-CVE-2014-8543.patch \
64 file://gst-ffmpeg-fix-CVE-2014-8544.patch \
65 file://gst-ffmpeg-fix-CVE-2014-8545.patch \
66 file://gst-ffmpeg-fix-CVE-2014-8546.patch \
67 file://gst-ffmpeg-fix-CVE-2014-8547.patch \
68 file://gst-ffmpeg-fix-CVE-2014-9318.patch \
69 file://gst-ffmpeg-fix-CVE-2014-9603.patch \
60" 70"
61 71
62SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" 72SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"