1 files changed, 100 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
new file mode 100644
index 000000000..3c8d8e353
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
@@ -0,0 +1,100 @@
+gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
+Upstream-Status: Backport 
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
+index 2a0df8c..bcbd56d 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c.old
+++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -87,18 +87,44 @@ typedef struct {
+     int wasted_bits;
+ } ALACContext;
+ 
+-static void allocate_buffers(ALACContext *alac)
+static av_cold int alac_decode_close(AVCodecContext *avctx)
+{
+    ALACContext *alac = avctx->priv_data;
+
+    int chan;
+    for (chan = 0; chan < MAX_CHANNELS; chan++) {
+        av_freep(&alac->predicterror_buffer[chan]);
+        av_freep(&alac->outputsamples_buffer[chan]);
+        av_freep(&alac->wasted_bits_buffer[chan]);
+    }
+
+    return 0;
+}
+
+static int allocate_buffers(ALACContext *alac)
+ {
+     int chan;
+    int buf_size;
+
+    if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
+        goto buf_alloc_fail;
+    buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
+
+     for (chan = 0; chan < MAX_CHANNELS; chan++) {
+-        alac->predicterror_buffer[chan] =
+-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ 
+-        alac->outputsamples_buffer[chan] =
+-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
+                         buf_size, buf_alloc_fail);
+ 
+-        alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
+                         buf_size, buf_alloc_fail);
+
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
+                         buf_size, buf_alloc_fail);
+     }
+    return 0;
+buf_alloc_fail:
+    alac_decode_close(alac->avctx);
+    return AVERROR(ENOMEM);
+ }
+ 
+ static int alac_set_info(ALACContext *alac)
+@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
+     bytestream_get_be32(&ptr);      /* bitrate ? */
+     bytestream_get_be32(&ptr);      /* samplerate */
+ 
+-    allocate_buffers(alac);
+-
+     return 0;
+ }
+ 
+@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
+ 
+ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ {
+    int ret;
+     ALACContext *alac = avctx->priv_data;
+     alac->avctx = avctx;
+     alac->numchannels = alac->avctx->channels;
+@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
+         return -1;
+     }
+ 
+-    return 0;
+-}
+-
+-static av_cold int alac_decode_close(AVCodecContext *avctx)
+-{
+-    ALACContext *alac = avctx->priv_data;
+-
+-    int chan;
+-    for (chan = 0; chan < MAX_CHANNELS; chan++) {
+-        av_freep(&alac->predicterror_buffer[chan]);
+-        av_freep(&alac->outputsamples_buffer[chan]);
+-        av_freep(&alac->wasted_bits_buffer[chan]);
+    if ((ret = allocate_buffers(alac)) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
+        return ret;
+     }
+ 
+     return 0;

diff --git a/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch new file mode 100644 index 000000000..3c8d8e353 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
@@ -0,0 +1,100 @@
	1	gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
	2
	3	Upstream-Status: Backport
	4
	5	Signed-off-by: Yue Tao <yue.tao@windriver.com>
	6
	7	diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
	8	index 2a0df8c..bcbd56d 100644
	9	--- a/gst-libs/ext/libav/libavcodec/alac.c.old
	10	+++ b/gst-libs/ext/libav/libavcodec/alac.c
	11	@@ -87,18 +87,44 @@ typedef struct {
	12	int wasted_bits;
	13	} ALACContext;
	14
	15	-static void allocate_buffers(ALACContext *alac)
	16	+static av_cold int alac_decode_close(AVCodecContext *avctx)
	17	+{
	18	+ ALACContext *alac = avctx->priv_data;
	19	+
	20	+ int chan;
	21	+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
	22	+ av_freep(&alac->predicterror_buffer[chan]);
	23	+ av_freep(&alac->outputsamples_buffer[chan]);
	24	+ av_freep(&alac->wasted_bits_buffer[chan]);
	25	+ }
	26	+
	27	+ return 0;
	28	+}
	29	+
	30	+static int allocate_buffers(ALACContext *alac)
	31	{
	32	int chan;
	33	+ int buf_size;
	34	+
	35	+ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
	36	+ goto buf_alloc_fail;
	37	+ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
	38	+
	39	for (chan = 0; chan < MAX_CHANNELS; chan++) {
	40	- alac->predicterror_buffer[chan] =
	41	- av_malloc(alac->setinfo_max_samples_per_frame * 4);
	42
	43	- alac->outputsamples_buffer[chan] =
	44	- av_malloc(alac->setinfo_max_samples_per_frame * 4);
	45	+ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
	46	+ buf_size, buf_alloc_fail);
	47
	48	- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
	49	+ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
	50	+ buf_size, buf_alloc_fail);
	51	+
	52	+ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
	53	+ buf_size, buf_alloc_fail);
	54	}
	55	+ return 0;
	56	+buf_alloc_fail:
	57	+ alac_decode_close(alac->avctx);
	58	+ return AVERROR(ENOMEM);
	59	}
	60
	61	static int alac_set_info(ALACContext *alac)
	62	@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
	63	bytestream_get_be32(&ptr); /* bitrate ? */
	64	bytestream_get_be32(&ptr); /* samplerate */
	65
	66	- allocate_buffers(alac);
	67	-
	68	return 0;
	69	}
	70
	71	@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
	72
	73	static av_cold int alac_decode_init(AVCodecContext * avctx)
	74	{
	75	+ int ret;
	76	ALACContext *alac = avctx->priv_data;
	77	alac->avctx = avctx;
	78	alac->numchannels = alac->avctx->channels;
	79	@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
	80	return -1;
	81	}
	82
	83	- return 0;
	84	-}
	85	-
	86	-static av_cold int alac_decode_close(AVCodecContext *avctx)
	87	-{
	88	- ALACContext *alac = avctx->priv_data;
	89	-
	90	- int chan;
	91	- for (chan = 0; chan < MAX_CHANNELS; chan++) {
	92	- av_freep(&alac->predicterror_buffer[chan]);
	93	- av_freep(&alac->outputsamples_buffer[chan]);
	94	- av_freep(&alac->wasted_bits_buffer[chan]);
	95	+ if ((ret = allocate_buffers(alac)) < 0) {
	96	+ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
	97	+ return ret;
	98	}
	99
	100	return 0;