diff options
author | Kang Kai <kai.kang@windriver.com> | 2015-05-22 15:52:24 +0800 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2015-05-28 10:35:13 +0200 |
commit | c7807315c194cef61bd015659a24115adb8d91e4 (patch) | |
tree | cfdd1927a3eeac57d92a0b5753d9c92635496f60 | |
parent | fa01c2614a4e58937cd73d0f5d8b17df935bc5b5 (diff) | |
download | meta-openembedded-c7807315c194cef61bd015659a24115adb8d91e4.tar.gz |
gst-ffmpeg: fix CVE issues
Backport patches to fix following CVE issues:
* CVE-2011-4352
* CVE-2014-7933
* CVE-2014-8542
* CVE-2014-8543
* CVE-2014-8544
* CVE-2014-8545
* CVE-2014-8546
* CVE-2014-8547
* CVE-2014-9318
* CVE-2014-9603
Patch for CVE-2014-9603 in upstream is applied for version 2.x. Becuase
source code changes, just partly backport part of the commit which is
applicable to version 0.10.13.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
11 files changed, 449 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch new file mode 100644 index 000000000..90f3fd031 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch | |||
@@ -0,0 +1,64 @@ | |||
1 | From 8b94df0f2047e9728cb872adc9e64557b7a5152f Mon Sep 17 00:00:00 2001 | ||
2 | From: Reinhard Tartler <siretart@tauware.de> | ||
3 | Date: Sun, 4 Dec 2011 10:10:33 +0100 | ||
4 | Subject: [PATCH] vp3dec: Check coefficient index in vp3_dequant() | ||
5 | |||
6 | Based on a patch by Michael Niedermayer <michaelni@gmx.at> | ||
7 | |||
8 | Fixes NGS00145, CVE-2011-4352 | ||
9 | |||
10 | Found-by: Phillip Langlois | ||
11 | Signed-off-by: Reinhard Tartler <siretart@tauware.de> | ||
12 | |||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b94df0f2047e9728cb872adc9e64557b7a5152f | ||
17 | |||
18 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
19 | --- | ||
20 | libavcodec/vp3.c | 14 ++++++++++++-- | ||
21 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c | ||
24 | index 51ab048..f44d084 100644 | ||
25 | --- a/gst-libs/ext/libav/libavcodec/vp3.c | ||
26 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c | ||
27 | @@ -1363,6 +1363,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, | ||
28 | case 1: // zero run | ||
29 | s->dct_tokens[plane][i]++; | ||
30 | i += (token >> 2) & 0x7f; | ||
31 | + if (i > 63) { | ||
32 | + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); | ||
33 | + return i; | ||
34 | + } | ||
35 | block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; | ||
36 | i++; | ||
37 | break; | ||
38 | @@ -1566,7 +1570,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) | ||
39 | /* invert DCT and place (or add) in final output */ | ||
40 | |||
41 | if (s->all_fragments[i].coding_method == MODE_INTRA) { | ||
42 | - vp3_dequant(s, s->all_fragments + i, plane, 0, block); | ||
43 | + int index; | ||
44 | + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); | ||
45 | + if (index > 63) | ||
46 | + continue; | ||
47 | if(s->avctx->idct_algo!=FF_IDCT_VP3) | ||
48 | block[0] += 128<<3; | ||
49 | s->dsp.idct_put( | ||
50 | @@ -1574,7 +1581,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) | ||
51 | stride, | ||
52 | block); | ||
53 | } else { | ||
54 | - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { | ||
55 | + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); | ||
56 | + if (index > 63) | ||
57 | + continue; | ||
58 | + if (index > 0) { | ||
59 | s->dsp.idct_add( | ||
60 | output_plane + first_pixel, | ||
61 | stride, | ||
62 | -- | ||
63 | 2.1.1 | ||
64 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch new file mode 100644 index 000000000..3c537c77a --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 2266b8bc3370856d874334ba62b337ce4f1eb255 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kai Kang <kai.kang@windriver.com> | ||
3 | Date: Wed, 13 May 2015 16:46:06 +0800 | ||
4 | Subject: [PATCH 2/2] gst-ffmpeg: fix CVE-2014-7933 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | http://git.videolan.org/?p=ffmpeg.git;a=commit;h=33301f00 | ||
9 | |||
10 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
11 | --- | ||
12 | gst-libs/ext/libav/libavformat/matroskadec.c | 3 ++- | ||
13 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/gst-libs/ext/libav/libavformat/matroskadec.c b/gst-libs/ext/libav/libavformat/matroskadec.c | ||
16 | index 59dce4f..e5f5fc1 100644 | ||
17 | --- a/gst-libs/ext/libav/libavformat/matroskadec.c | ||
18 | +++ b/gst-libs/ext/libav/libavformat/matroskadec.c | ||
19 | @@ -1916,7 +1916,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, | ||
20 | int64_t timestamp, int flags) | ||
21 | { | ||
22 | MatroskaDemuxContext *matroska = s->priv_data; | ||
23 | - MatroskaTrack *tracks = matroska->tracks.elem; | ||
24 | + MatroskaTrack *tracks = NULL; | ||
25 | AVStream *st = s->streams[stream_index]; | ||
26 | int i, index, index_sub, index_min; | ||
27 | |||
28 | @@ -1939,6 +1939,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index, | ||
29 | return 0; | ||
30 | |||
31 | index_min = index; | ||
32 | + tracks = matroska->tracks.elem; | ||
33 | for (i=0; i < matroska->tracks.nb_elem; i++) { | ||
34 | tracks[i].audio.pkt_cnt = 0; | ||
35 | tracks[i].audio.sub_packet_cnt = 0; | ||
36 | -- | ||
37 | 1.9.1 | ||
38 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch new file mode 100644 index 000000000..ca47c814c --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8542.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 105654e376a736d243aef4a1d121abebce912e6b Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 04:30:58 +0200 | ||
4 | Subject: [PATCH] avcodec/utils: Add case for jv to | ||
5 | avcodec_align_dimensions2() | ||
6 | |||
7 | (Upstream commit 105654e376a736d243aef4a1d121abebce912e6b) | ||
8 | |||
9 | Fixes out of array accesses | ||
10 | Fixes: asan_heap-oob_12304aa_8_asan_heap-oob_4da4f3_300_intro.jv | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
15 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
16 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
17 | --- | ||
18 | libavcodec/utils.c | 4 ++++ | ||
19 | 1 file changed, 4 insertions(+) | ||
20 | |||
21 | diff --git a/libavcodec/utils.c b/libavcodec/utils.c | ||
22 | index d4f5532..c2c5579 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/utils.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/utils.c | ||
25 | @@ -173,6 +173,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, int l | ||
26 | w_align=4; | ||
27 | h_align=4; | ||
28 | } | ||
29 | + if (s->codec_id == CODEC_ID_JV){ | ||
30 | + w_align = 8; | ||
31 | + h_align = 8; | ||
32 | + } | ||
33 | break; | ||
34 | case PIX_FMT_BGR24: | ||
35 | if((s->codec_id == CODEC_ID_MSZH) || (s->codec_id == CODEC_ID_ZLIB)){ | ||
36 | -- | ||
37 | 1.7.9.5 | ||
38 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch new file mode 100644 index 000000000..b65e55fc1 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8543.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 14:45:04 +0200 | ||
4 | Subject: [PATCH] avcodec/mmvideo: Bounds check 2nd line of HHV Intra blocks | ||
5 | |||
6 | (Upstream commit 8b0e96e1f21b761ca15dbb470cd619a1ebf86c3e) | ||
7 | |||
8 | Fixes out of array access | ||
9 | Fixes: asan_heap-oob_4da4f3_8_asan_heap-oob_4da4f3_419_scene1a.mm | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
14 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
15 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
16 | --- | ||
17 | libavcodec/mmvideo.c | 2 +- | ||
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c | ||
21 | index 026d463..9ff6393 100644 | ||
22 | --- a/gst-libs/ext/libav/libavcodec/mmvideo.c | ||
23 | +++ b/gst-libs/ext/libav/libavcodec/mmvideo.c | ||
24 | @@ -104,7 +104,7 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const | ||
25 | |||
26 | if (color) { | ||
27 | memset(s->frame.data[0] + y*s->frame.linesize[0] + x, color, run_length); | ||
28 | - if (half_vert) | ||
29 | + if (half_vert && y + half_vert < s->avctx->height) | ||
30 | memset(s->frame.data[0] + (y+1)*s->frame.linesize[0] + x, color, run_length); | ||
31 | } | ||
32 | x+= run_length; | ||
33 | -- | ||
34 | 1.7.9.5 | ||
35 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch new file mode 100644 index 000000000..a124e3a12 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8544.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 16:08:32 +0200 | ||
4 | Subject: [PATCH] avcodec/tiff: more completely check bpp/bppcount | ||
5 | |||
6 | (Upstream commit e1c0cfaa419aa5d320540d5a1b3f8fd9b82ab7e5) | ||
7 | |||
8 | Fixes pixel format selection | ||
9 | Fixes out of array accesses | ||
10 | Fixes: asan_heap-oob_1766029_6_asan_heap-oob_20aa045_332_cov_1823216757_m2-d1d366d7965db766c19a66c7a2ccbb6b.tif | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
15 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
16 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
17 | --- | ||
18 | libavcodec/tiff.c | 13 ++++++++++--- | ||
19 | 1 file changed, 10 insertions(+), 3 deletions(-) | ||
20 | |||
21 | diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c | ||
22 | index 6e2096f..0870e31 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/tiff.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/tiff.c | ||
25 | @@ -324,11 +324,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * | ||
26 | s->height = value; | ||
27 | break; | ||
28 | case TIFF_BPP: | ||
29 | - s->bppcount = count; | ||
30 | - if(count > 4){ | ||
31 | - av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", s->bpp, count); | ||
32 | + if(count > 4U){ | ||
33 | + av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); | ||
34 | return -1; | ||
35 | } | ||
36 | + s->bppcount = count; | ||
37 | if(count == 1) s->bpp = value; | ||
38 | else{ | ||
39 | switch(type){ | ||
40 | @@ -344,6 +344,13 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * | ||
41 | s->bpp = -1; | ||
42 | } | ||
43 | } | ||
44 | + if (s->bpp > 64U) { | ||
45 | + av_log(s->avctx, AV_LOG_ERROR, | ||
46 | + "This format is not supported (bpp=%d, %d components)\n", | ||
47 | + s->bpp, count); | ||
48 | + s->bpp = 0; | ||
49 | + return AVERROR_INVALIDDATA; | ||
50 | + } | ||
51 | break; | ||
52 | case TIFF_SAMPLES_PER_PIXEL: | ||
53 | if (count != 1) { | ||
54 | -- | ||
55 | 1.7.9.5 | ||
56 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch new file mode 100644 index 000000000..29d5f776a --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8545.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | From 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 17:35:58 +0200 | ||
4 | Subject: [PATCH] avcodec/pngdec: Check bits per pixel before setting | ||
5 | monoblack pixel format | ||
6 | |||
7 | (Upstream commit 3e2b745020c2dbf0201fe7df3dad9e7e0b2e1bb6) | ||
8 | |||
9 | Fixes out of array accesses | ||
10 | Fixes: asan_heap-oob_14dbfcf_4_asan_heap-oob_1ce5767_179_add_method_small.png | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
15 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
16 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
17 | --- | ||
18 | libavcodec/pngdec.c | 2 +- | ||
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
20 | |||
21 | diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c | ||
22 | index da91aab..f3603b3 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/pngdec.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/pngdec.c | ||
25 | @@ -481,7 +481,7 @@ static int decode_frame(AVCodecContext *avctx, | ||
26 | } else if (s->bit_depth == 16 && | ||
27 | s->color_type == PNG_COLOR_TYPE_RGB) { | ||
28 | avctx->pix_fmt = PIX_FMT_RGB48BE; | ||
29 | - } else if (s->bit_depth == 1 && | ||
30 | + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && | ||
31 | s->color_type == PNG_COLOR_TYPE_GRAY) { | ||
32 | avctx->pix_fmt = PIX_FMT_MONOBLACK; | ||
33 | } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) { | ||
34 | -- | ||
35 | 1.7.9.5 | ||
36 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch new file mode 100644 index 000000000..d55d9ebe6 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8546.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From e7e5114c506957f40aafd794e06de1a7e341e9d5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 19:33:01 +0200 | ||
4 | Subject: [PATCH] avcodec/cinepak: fix integer underflow | ||
5 | |||
6 | (Upstream commit e7e5114c506957f40aafd794e06de1a7e341e9d5) | ||
7 | |||
8 | Fixes out of array access | ||
9 | Fixes: asan_heap-oob_4da0ba_6_asan_heap-oob_4da0ba_241_cvid_crash.avi | ||
10 | |||
11 | Upstream-status: Backport | ||
12 | |||
13 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
14 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
15 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
16 | --- | ||
17 | libavcodec/cinepak.c | 2 +- | ||
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c | ||
21 | index 4746289..f651c48 100644 | ||
22 | --- a/gst-libs/ext/libav/libavcodec/cinepak.c | ||
23 | +++ b/gst-libs/ext/libav/libavcodec/cinepak.c | ||
24 | @@ -125,7 +125,7 @@ static int cinepak_decode_vectors (CinepakContext *s, cvid_strip *strip, | ||
25 | const uint8_t *eod = (data + size); | ||
26 | uint32_t flag, mask; | ||
27 | cvid_codebook *codebook; | ||
28 | - unsigned int x, y; | ||
29 | + int x, y; | ||
30 | uint32_t iy[4]; | ||
31 | uint32_t iu[2]; | ||
32 | uint32_t iv[2]; | ||
33 | -- | ||
34 | 1.7.9.5 | ||
35 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch new file mode 100644 index 000000000..a8616fa55 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-8547.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 8f1457864be8fb9653643519dea1c6492f1dde57 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 20:15:52 +0200 | ||
4 | Subject: [PATCH] avcodec/gifdec: factorize interleave end handling out | ||
5 | |||
6 | (Upstream commit 8f1457864be8fb9653643519dea1c6492f1dde57) | ||
7 | |||
8 | also change it to a loop | ||
9 | Fixes out of array access | ||
10 | Fixes: asan_heap-oob_ca5410_8_asan_heap-oob_ca5410_97_ID_LSD_Size_Less_Then_Data_Inter_3.gif | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
15 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
16 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
17 | --- | ||
18 | libavcodec/gifdec.c | 15 +++++---------- | ||
19 | 1 file changed, 5 insertions(+), 10 deletions(-) | ||
20 | |||
21 | diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c | ||
22 | index dee48f5..90de38b 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/gifdec.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/gifdec.c | ||
25 | @@ -271,26 +271,21 @@ static int gif_read_image(GifState *s, AVFrame *frame) | ||
26 | case 1: | ||
27 | y1 += 8; | ||
28 | ptr += linesize * 8; | ||
29 | - if (y1 >= height) { | ||
30 | - y1 = pass ? 2 : 4; | ||
31 | - ptr = ptr1 + linesize * y1; | ||
32 | - pass++; | ||
33 | - } | ||
34 | break; | ||
35 | case 2: | ||
36 | y1 += 4; | ||
37 | ptr += linesize * 4; | ||
38 | - if (y1 >= height) { | ||
39 | - y1 = 1; | ||
40 | - ptr = ptr1 + linesize; | ||
41 | - pass++; | ||
42 | - } | ||
43 | break; | ||
44 | case 3: | ||
45 | y1 += 2; | ||
46 | ptr += linesize * 2; | ||
47 | break; | ||
48 | } | ||
49 | + while (y1 >= height) { | ||
50 | + y1 = 4 >> pass; | ||
51 | + ptr = ptr1 + linesize * y1; | ||
52 | + pass++; | ||
53 | + } | ||
54 | } else { | ||
55 | ptr += linesize; | ||
56 | } | ||
57 | -- | ||
58 | 1.7.9.5 | ||
59 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch new file mode 100644 index 000000000..0553ceefd --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 0d3a3b9f8907625b361420d48fe05716859620ff Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Wed, 26 Nov 2014 18:56:39 +0100 | ||
4 | Subject: [PATCH] avcodec/rawdec: Check the return code of | ||
5 | avpicture_get_size() | ||
6 | |||
7 | (Upstream commit 1d3a3b9f8907625b361420d48fe05716859620ff) | ||
8 | |||
9 | Fixes out of array access | ||
10 | Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine | ||
11 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
16 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
17 | --- | ||
18 | libavcodec/rawdec.c | 3 +++ | ||
19 | 1 file changed, 3 insertions(+) | ||
20 | |||
21 | diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c | ||
22 | index 28792a1..647dfa9 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/rawdec.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/rawdec.c | ||
25 | @@ -87,6 +87,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx) | ||
26 | |||
27 | ff_set_systematic_pal2(context->palette, avctx->pix_fmt); | ||
28 | context->length = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height); | ||
29 | + if (context->length < 0) | ||
30 | + return context->length; | ||
31 | + | ||
32 | if((avctx->bits_per_coded_sample == 4 || avctx->bits_per_coded_sample == 2) && | ||
33 | avctx->pix_fmt==PIX_FMT_PAL8 && | ||
34 | (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' '))){ | ||
35 | -- | ||
36 | 1.7.9.5 | ||
37 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch new file mode 100644 index 000000000..5dda4cca2 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | From dc68faf8339a885bc55fabe5b01f1de4f8f3782c Mon Sep 17 00:00:00 2001 | ||
2 | From: Kai Kang <kai.kang@windriver.com> | ||
3 | Date: Wed, 13 May 2015 16:30:53 +0800 | ||
4 | Subject: [PATCH 1/2] gst-ffmpeg: fix CVE-2014-9603 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Upstream is version 2.x and vmdav.c is splitted into 2 files vmdaudio.c | ||
9 | and vmdvideo.c. Becuase source code changes, just partly backport commit which | ||
10 | is applicable to version 0.10.13 to fix CVE-2014-9603. | ||
11 | |||
12 | http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd | ||
13 | |||
14 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
15 | --- | ||
16 | gst-libs/ext/libav/libavcodec/vmdav.c | 7 +++++-- | ||
17 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
18 | |||
19 | diff --git a/gst-libs/ext/libav/libavcodec/vmdav.c b/gst-libs/ext/libav/libavcodec/vmdav.c | ||
20 | index d258252..ba88ad8 100644 | ||
21 | --- a/gst-libs/ext/libav/libavcodec/vmdav.c | ||
22 | +++ b/gst-libs/ext/libav/libavcodec/vmdav.c | ||
23 | @@ -294,10 +294,13 @@ static void vmd_decode(VmdVideoContext *s) | ||
24 | len = *pb++; | ||
25 | if (len & 0x80) { | ||
26 | len = (len & 0x7F) + 1; | ||
27 | - if (*pb++ == 0xFF) | ||
28 | + if (*pb++ == 0xFF) { | ||
29 | len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); | ||
30 | - else | ||
31 | + } else { | ||
32 | + if (ofs + len > frame_width) | ||
33 | + return; | ||
34 | memcpy(&dp[ofs], pb, len); | ||
35 | + } | ||
36 | pb += len; | ||
37 | ofs += len; | ||
38 | } else { | ||
39 | -- | ||
40 | 1.9.1 | ||
41 | |||
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb index b5c838f9e..7bd7ec33d 100644 --- a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg_0.10.13.bb | |||
@@ -57,6 +57,16 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ | |||
57 | file://0001-avcodec-smc-fix-off-by-1-error.patch \ | 57 | file://0001-avcodec-smc-fix-off-by-1-error.patch \ |
58 | file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \ | 58 | file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \ |
59 | file://libav-9.patch \ | 59 | file://libav-9.patch \ |
60 | file://gst-ffmpeg-fix-CVE-2011-4352.patch \ | ||
61 | file://gst-ffmpeg-fix-CVE-2014-7933.patch \ | ||
62 | file://gst-ffmpeg-fix-CVE-2014-8542.patch \ | ||
63 | file://gst-ffmpeg-fix-CVE-2014-8543.patch \ | ||
64 | file://gst-ffmpeg-fix-CVE-2014-8544.patch \ | ||
65 | file://gst-ffmpeg-fix-CVE-2014-8545.patch \ | ||
66 | file://gst-ffmpeg-fix-CVE-2014-8546.patch \ | ||
67 | file://gst-ffmpeg-fix-CVE-2014-8547.patch \ | ||
68 | file://gst-ffmpeg-fix-CVE-2014-9318.patch \ | ||
69 | file://gst-ffmpeg-fix-CVE-2014-9603.patch \ | ||
60 | " | 70 | " |
61 | 71 | ||
62 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" | 72 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" |