author Yue Tao <Yue.Tao@windriver.com> 2014-07-22 15:46:36 +0800
committer Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit 90623776248e50a7a2b95247ba7b4aeac2dcbdc2
tree d04c5c3672b094e3cdc3a46dcb2f078fc34784c7
parent 014309709558c47e1b2ed4c79d79b5398201f5f4
gst-ffmpeg: Add CVE patches
Security Advisory - ffmpeg - CVE-2013-0866

The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large number of channels in an AAC file, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875

The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via a crafted PNG image, related to an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860

The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a frame is fully initialized, which allows remote attackers to trigger a NULL pointer dereference via crafted picture data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934

Double free vulnerability in the vp3_update_thread_context function in libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted vp3 data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946

The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023

The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009

The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855

Integer overflow in the alac_decode_close function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a large number of samples per frame in Apple Lossless Audio Codec (ALAC) data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351

Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before 0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute arbitrary code via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848

The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted width in huffyuv data with the predictor set to median and the colorspace set to YUV422P, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944

The smacker_decode_header_tree function in libavcodec/smacker.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Smacker data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944

file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010

Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941

The decode_mb function in libavcodec/error_resilience.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via vectors related to an uninitialized block index, which triggers an out-of-bound write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846

Array index error in the qdm2_decode_super_block function in libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted QDM2 data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618

The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient frames to estimate rate.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617

The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617

(From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409)

(From OE-Core rev: 9b3a2d0716540dae72376a8c2e418b244a85c0cb)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch 34
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch 40
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch 50
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch 81
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch 29
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch 37
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch 36
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch 39
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch 30
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch 45
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch 44
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch 30
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch 58
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch 32
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch 32
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch 183
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch 100
-rw-r--r-- meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb 17
18 files changed, 917 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
new file mode 100644
index 0000000000..7da0e14525
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
@@ -0,0 +1,34 @@
1gst-ffmpeg: aacdec: check channel count
2
3Prevent out of array accesses
4
5Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
6Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
8
9Upstream-Status: Backport
10
11Signed-off-by: Yue Tao <yue.tao@windriver.com>
12---
13 libavcodec/aacdec.c | 5 +++++
14 1 files changed, 5 insertions(+), 0 deletions(-)
15
16diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
17index 239153a..6c17c33 100644
18--- a/gst-libs/ext/libav/libavcodec/aacdec.c
19+++ b/gst-libs/ext/libav/libavcodec/aacdec.c
20@@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
21 }
22 }
23
24+ if (avctx->channels > MAX_CHANNELS) {
25+ av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
26+ return AVERROR_INVALIDDATA;
27+ }
28+
29 AAC_INIT_VLC_STATIC( 0, 304);
30 AAC_INIT_VLC_STATIC( 1, 270);
31 AAC_INIT_VLC_STATIC( 2, 550);
32--
331.7.5.4
34
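Review bot: the patch header (lines 1-11) never names the CVE this check addresses, although the commit message ties aac_decode_init to CVE-2013-0866; add a "Fixes CVE-2013-0866" line to the header, as the smackerdec and vp3 patches in this series do for theirs, so the recipe can be audited patch by patch. The added test at line 24 is also an upper bound only (avctx->channels > MAX_CHANNELS); if channels is a signed field, state in the header whether zero or negative counts are rejected elsewhere.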
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
new file mode 100644
index 0000000000..31fa51a3ea
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
@@ -0,0 +1,40 @@
1From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michaelni@gmx.at>
3Date: Fri, 30 Aug 2013 23:40:47 +0200
4Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions
5
6Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
8
9Upstream-Status: Backport
10
11Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
12---
13 libavcodec/dsputil.c | 4 ++--
14 1 files changed, 2 insertions(+), 2 deletions(-)
15
16diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
17index 53dc2eb..6264832 100644
18--- a/gst-libs/ext/libav/libavcodec/dsputil.c
19+++ b/gst-libs/ext/libav/libavcodec/dsputil.c
20@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
21
22 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
23 long i;
24- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
25+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
26 long a = *(long*)(src+i);
27 long b = *(long*)(dst+i);
28 *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
29@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
30 }
31 }else
32 #endif
33- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
34+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
35 long a = *(long*)(src1+i);
36 long b = *(long*)(src2+i);
37 *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
38--
391.7.5.4
40
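Review bot: the header carries Michael Niedermayer's Signed-off-by twice (lines 6 and 11) and no sign-off from whoever did the backport, unlike most other patches in this series; replace the second one with the backporter's. The header also gives no reason for the change. With "int w" and "long i" in the signatures shown, w-sizeof(long) is evaluated as unsigned, so the old condition at lines 24 and 33 stays true when w is smaller than sizeof(long); one sentence saying so, plus a reference to CVE-2013-7010 from the commit message, would explain why the (int) cast matters.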
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
new file mode 100644
index 0000000000..5ff65834e4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
@@ -0,0 +1,50 @@
1gst-ffmpeg: avcodec/parser: reset indexes on realloc failure
2
3Fixes Ticket2982
4
5Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
7
8Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
9
10Upstream-Status: Backport
11
12Signed-off-by: Yue Tao <yue.tao@windriver.com>
13
14---
15 libavcodec/parser.c | 10 +++++++---
16 1 files changed, 7 insertions(+), 3 deletions(-)
17
18diff --git a/libavcodec/parser.c b/libavcodec/parser.c
19index 2c6de6e..66eca06 100644
20--- a/gst-libs/ext/libav/libavcodec/parser.c
21+++ b/gst-libs/ext/libav/libavcodec/parser.c
22@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
23 if(next == END_NOT_FOUND){
24 void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
25
26- if(!new_buffer)
27+ if(!new_buffer) {
28+ pc->index = 0;
29 return AVERROR(ENOMEM);
30+ }
31 pc->buffer = new_buffer;
32 memcpy(&pc->buffer[pc->index], *buf, *buf_size);
33 pc->index += *buf_size;
34@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
35 /* append to buffer */
36 if(pc->index){
37 void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
38-
39- if(!new_buffer)
40+ if(!new_buffer) {
41+ pc->overread_index =
42+ pc->index = 0;
43 return AVERROR(ENOMEM);
44+ }
45 pc->buffer = new_buffer;
46 if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
47 memcpy(&pc->buffer[pc->index], *buf,
48--
491.7.5.4
50
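Review bot: the two realloc-failure paths in ff_combine_frame are not reset the same way: the END_NOT_FOUND path at line 28 clears only pc->index, while the append path at lines 41-42 clears both pc->overread_index and pc->index. If the asymmetry is intended, say why in the header; if not, reset overread_index on both paths. The chained assignment split over two lines ("pc->overread_index =" then "pc->index = 0;") is easy to misread as an unfinished statement, and two separate assignments would be clearer.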
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
new file mode 100644
index 0000000000..7f6eb48889
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
@@ -0,0 +1,81 @@
1gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
2 using the pointers
3
4Fixes out of array accesses
5Fixes Ticket2850
6
7Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
9
10Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
11
12Upstream-Status: Backport
13
14Singed-off-by: Yue Tao <yue.tao@windriver.com>
15
16---
17 libavcodec/rpza.c | 8 ++++----
18 1 files changed, 4 insertions(+), 4 deletions(-)
19
20diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
21index 635b406..f291a95 100644
22--- a/gst-libs/ext/libav/libavcodec/rpza.c
23+++ b/gst-libs/ext/libav/libavcodec/rpza.c
24@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
25 unsigned short *pixels = (unsigned short *)s->frame.data[0];
26
27 int row_ptr = 0;
28- int pixel_ptr = 0;
29+ int pixel_ptr = -4;
30 int block_ptr;
31 int pixel_x, pixel_y;
32 int total_blocks;
33@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
34 colorA = AV_RB16 (&s->buf[stream_ptr]);
35 stream_ptr += 2;
36 while (n_blocks--) {
37+ ADVANCE_BLOCK()
38 block_ptr = row_ptr + pixel_ptr;
39 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
40 for (pixel_x = 0; pixel_x < 4; pixel_x++){
41@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
42 }
43 block_ptr += row_inc;
44 }
45- ADVANCE_BLOCK();
46 }
47 break;
48
49@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
50 color4[2] |= ((21 * ta + 11 * tb) >> 5);
51
52 while (n_blocks--) {
53+ ADVANCE_BLOCK();
54 block_ptr = row_ptr + pixel_ptr;
55 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
56 index = s->buf[stream_ptr++];
57@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
58 }
59 block_ptr += row_inc;
60 }
61- ADVANCE_BLOCK();
62 }
63 break;
64
65 /* Fill block with 16 colors */
66 case 0x00:
67+ ADVANCE_BLOCK();
68 block_ptr = row_ptr + pixel_ptr;
69 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
70 for (pixel_x = 0; pixel_x < 4; pixel_x++){
71@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
72 }
73 block_ptr += row_inc;
74 }
75- ADVANCE_BLOCK();
76 break;
77
78 /* Unknown opcode */
79--
801.7.5.4
81
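Review bot: the first moved call, at line 37, is written "ADVANCE_BLOCK()" with no trailing semicolon, while the other two insertions (lines 53 and 67) use "ADVANCE_BLOCK();"; it compiles only if the macro expansion is already a complete statement, so add the semicolon for consistency. Starting pixel_ptr at -4 (line 29) is safe only if every opcode case runs ADVANCE_BLOCK before computing block_ptr; the hunks move three calls, so confirm that any case outside the diff context was already ordered that way. The header tag at line 14 is misspelled "Singed-off-by", which tools that parse sign-off tags will miss.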
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
new file mode 100644
index 0000000000..e0e4239c2f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
@@ -0,0 +1,29 @@
1gst-ffmpeg: error concealment: initialize block index.
2
3Fixes CVE-2011-3941 (out of bounds write)
4
5Upstream-Status: Backport
6
7Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
8Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
9---
10 libavcodec/error_resilience.c | 3 +++
11 1 files changed, 3 insertions(+), 0 deletions(-)
12
13diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
14index 8bb5d0c..d55c000 100644
15--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
16+++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
17@@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){
18 s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
19 s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
20
21+ ff_init_block_index(s);
22+ ff_update_block_index(s);
23+
24 if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){
25 H264Context *h= (void*)s;
26 h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
27--
281.7.5.4
29
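Review bot: the header has no upstream commit id (other backports in this series carry a "cherry picked from commit" line) and no Signed-off-by from the backporter, so the two added calls at lines 21-22 cannot be checked against their upstream origin from the patch alone; add both to the header.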
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
new file mode 100644
index 0000000000..8eef6e99cc
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
@@ -0,0 +1,37 @@
1gst-ffmpeg: error_concealment: Check that the picture is not in a half
2
3Fixes state becoming inconsistent
4Fixes a null pointer dereference
5
6Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
7Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
9
10Upstream-Status: Backport
11
12Signed-off-by: Yue Tao <yue.tao@windriver.com>
13
14---
15 libavcodec/error_resilience.c | 6 ++++++
16 1 files changed, 6 insertions(+), 0 deletions(-)
17
18diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
19index 01f7424..2b6bc42 100644
20--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
21+++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
22@@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){
23 s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled
24 s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return;
25
26+ if ( s->picture_structure == PICT_FRAME
27+ && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {
28+ av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
29+ return;
30+ }
31+
32 if(s->current_picture.motion_val[0] == NULL){
33 av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
34
35--
361.7.5.4
37
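Review bot: the new guard at lines 26-27 reads s->current_picture_ptr->linesize[0], but nothing in the visible context shows current_picture_ptr being tested for NULL before this point, and the patch is described as fixing a null pointer dereference; confirm that an earlier test in ff_er_frame_end covers it, or return early when the pointer is NULL. The subject at line 1 is cut off at "is not in a half"; restore the full upstream subject.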
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
new file mode 100644
index 0000000000..80325db4d6
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
@@ -0,0 +1,36 @@
1gst-ffmpeg: ffserver: set oformat
2
3Fix Ticket1986
4
5Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
6(cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f)
7
8Upstream-Status: Backport
9
10---
11 ffserver.c | 4 +++-
12 1 files changed, 3 insertions(+), 1 deletions(-)
13
14diff --git a/ffserver.c b/ffserver.c
15index 4044d0f..8740140 100644
16--- a/gst-libs/ext/libav/ffserver.c
17+++ b/gst-libs/ext/libav/ffserver.c
18@@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
19 {
20 AVFormatContext *avc;
21 AVStream *avs = NULL;
22+ AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
23 int i;
24
25 avc = avformat_alloc_context();
26- if (avc == NULL) {
27+ if (avc == NULL || !rtp_format) {
28 return -1;
29 }
30+ avc->oformat = rtp_format;
31 av_dict_set(&avc->metadata, "title",
32 stream->title[0] ? stream->title : "No Title", 0);
33 avc->nb_streams = stream->nb_streams;
34--
351.7.5.4
36
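Review bot: in prepare_sdp_description the combined test at line 27, "if (avc == NULL || !rtp_format)", returns -1 when the context was allocated but av_guess_format("rtp", NULL, NULL) returned nothing, and the avc obtained from avformat_alloc_context() is not freed on that path. Test rtp_format before allocating, or free avc before returning. The header also lacks a backporter Signed-off-by and does not mention CVE-2012-6617, which the commit message associates with this function.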
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
new file mode 100644
index 0000000000..1e62b50360
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
@@ -0,0 +1,39 @@
1gst-ffmpeg: h264_sei: Fix infinite loop.
2
3Fixsot yet fixed parts of CVE-2011-3946.
4
5Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
6Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7
8Upstream-Status: Backport
9
10Signed-off-by: Yue Tao <yue.tao@windriver.com>
11
12---
13 libavcodec/h264_sei.c | 4 ++++
14 1 files changed, 4 insertions(+), 0 deletions(-)
15
16
17diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
18index 374e53d..80d70e5 100644
19--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
20+++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
21@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
22
23 type=0;
24 do{
25+ if (get_bits_left(&s->gb) < 8)
26+ return -1;
27 type+= show_bits(&s->gb, 8);
28 }while(get_bits(&s->gb, 8) == 255);
29
30 size=0;
31 do{
32+ if (get_bits_left(&s->gb) < 8)
33+ return -1;
34 size+= show_bits(&s->gb, 8);
35 }while(get_bits(&s->gb, 8) == 255);
36
37--
381.7.5.4
39
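Review bot: both new checks (lines 25-26 and 32-33) return a bare -1 with no log message, whereas other decoder fixes in this series return AVERROR_INVALIDDATA and log the reason; doing the same here would make truncated SEI data distinguishable from other failures. The description at line 3 is garbled ("Fixsot yet fixed parts of CVE-2011-3946") and the header has no upstream commit id; correct the sentence and add the cherry-pick reference.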
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
new file mode 100644
index 0000000000..6b60d163fb
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
@@ -0,0 +1,30 @@
1gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array
2 accesses
3
4Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
5
6Upstream-Status: Backport
7
8Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
9---
10 libavcodec/huffyuv.c | 5 ++++-
11 1 files changed, 4 insertions(+), 1 deletions(-)
12
13diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
14index 6e88114..ca5bcd8 100644
15--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
16+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
17@@ -526,6 +526,10 @@ s->bgr32=1;
18 assert(0);
19 }
20
21+ if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
22+ av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
23+ return AVERROR_INVALIDDATA;
24+ }
25 alloc_temp(s);
26
27 // av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
28--
291.7.5.4
30
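Review bot: the added condition at line 21 uses AV_PIX_FMT_YUV422P, while context from the same bundled libav tree elsewhere in this series uses unprefixed names (CODEC_ID_H264 in the error_resilience.c hunk); confirm that the AV_PIX_FMT_ name is defined in the libav copy shipped with gst-ffmpeg 0.10.13, or use the name that tree defines. The log string at line 22 is missing a word ("a multiple of 4 this colorspace and predictor"), and the header lacks an upstream commit id and a backporter Signed-off-by.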
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
new file mode 100644
index 0000000000..ea4aa222b3
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
@@ -0,0 +1,45 @@
1gst-ffmpeg: lavf: compute probe buffer size more reliably.
2
3The previous code computes the offset by reversing the growth
4of the allocated buffer size: it is complex and did lead to
5inconsistencies when the size limit is reached.
6
7Fix trac ticket #1991.
8(cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
9
10Conflicts:
11 libavformat/utils.c
12
13Upstream-Status: Backport
14
15Signed-off-by: Yue Tao <yue.tao@windriver.com>
16
17---
18 libavformat/utils.c | 4 ++--
19 1 files changed, 2 insertions(+), 2 deletions(-)
20
21diff --git a/libavformat/utils.c b/libavformat/utils.c
22index 7940037..be73c4a 100644
23--- a/gst-libs/ext/libav/libavformat/utils.c
24+++ b/gst-libs/ext/libav/libavformat/utils.c
25@@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
26 {
27 AVProbeData pd = { filename ? filename : "", NULL, -offset };
28 unsigned char *buf = NULL;
29- int ret = 0, probe_size;
30+ int ret = 0, probe_size, buf_offset = 0;
31
32 if (!max_probe_size) {
33 max_probe_size = PROBE_BUF_MAX;
34@@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
35 score = 0;
36 ret = 0; /* error was end of file, nothing read */
37 }
38- pd.buf_size += ret;
39+ pd.buf_size = buf_offset += ret;
40 pd.buf = &buf[offset];
41
42 memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
43--
441.7.5.4
45
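Review bot: the header lists "Conflicts: libavformat/utils.c" (lines 10-11) without saying how the conflict was resolved, so it is unclear how this two-line version differs from the cherry-picked commit; describe what was dropped or adapted. The new statement at line 39, "pd.buf_size = buf_offset += ret;", folds an accumulate and an assignment into one expression; writing "buf_offset += ret;" followed by "pd.buf_size = buf_offset;" reads more clearly. The upstream author's Signed-off-by is missing from the header as well.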
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
new file mode 100644
index 0000000000..1e5fb7deb1
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
@@ -0,0 +1,44 @@
1gst-ffmpeg: pngdec/filter: dont access out of array elements at the end
2
3Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
4
5Upstream-Status: Backport
6
7Signed-off-by: Yue Tao <yue.tao@windriver.com>
8---
9 libavcodec/pngdec.c | 12 ++++--------
10 1 files changed, 4 insertions(+), 8 deletions(-)
11
12diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
13index 97c0ad1..193e35e 100644
14--- a/gst-libs/ext/libav/libavcodec/pngdec.c
15+++ b/gst-libs/ext/libav/libavcodec/pngdec.c
16@@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
17 if(bpp >= 2) g = dst[1];\
18 if(bpp >= 3) b = dst[2];\
19 if(bpp >= 4) a = dst[3];\
20- for(; i < size; i+=bpp) {\
21+ for(; i <= size - bpp; i+=bpp) {\
22 dst[i+0] = r = op(r, src[i+0], last[i+0]);\
23 if(bpp == 1) continue;\
24 dst[i+1] = g = op(g, src[i+1], last[i+1]);\
25@@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
26 else if(bpp == 2) UNROLL1(2, op)\
27 else if(bpp == 3) UNROLL1(3, op)\
28 else if(bpp == 4) UNROLL1(4, op)\
29- else {\
30- for (; i < size; i += bpp) {\
31- int j;\
32- for (j = 0; j < bpp; j++)\
33- dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
34- }\
35- }
36+ for (; i < size; i++) {\
37+ dst[i] = op(dst[i-bpp], src[i], last[i]);\
38+ }\
39
40 /* NOTE: 'dst' can be equal to 'last' */
41 static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
42--
431.7.5.4
44
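Review bot: the new bound at line 21, "i <= size - bpp", has the same shape as the comparison the dsputil patch in this series had to fix: if size or bpp is unsigned and size is smaller than bpp, the subtraction wraps and the loop body runs. Confirm both are signed where the macro is expanded, or write the test as "i + bpp <= size". The tail loop added at lines 36-38 ends with a continuation backslash followed by the blank line 39, which is fragile if anything is later placed on that line. The header has no upstream commit id and no Signed-off-by from the original author.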
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
new file mode 100644
index 0000000000..8c94232d6d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
@@ -0,0 +1,30 @@
1gst-ffmpeg: qdm2: check array index before use, fix out of array
2 accesses
3
4Upstream-Status: Backport
5
6Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
7Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8---
9 libavcodec/qdm2.c | 5 +++++
10 1 files changed, 5 insertions(+), 0 deletions(-)
11
12diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
13index 4cf4b2f..1dfb8d5 100644
14--- a/gst-libs/ext/libav/libavcodec/qdm2.c
15+++ b/gst-libs/ext/libav/libavcodec/qdm2.c
16@@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
17 for (i = 0; packet_bytes > 0; i++) {
18 int j;
19
20+ if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
21+ SAMPLES_NEEDED_2("too many packet bytes");
22+ return;
23+ }
24+
25 q->sub_packet_list_A[i].next = NULL;
26
27 if (i > 0) {
28--
291.7.5.4
30
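Review bot: when the new bounds check at line 20 fires, the only signal is SAMPLES_NEEDED_2, whose definition (visible as context in the qdm2dec patch of this series) logs at AV_LOG_INFO with "This file triggers some missing code. Please contact the developers."; for an index that has run past sub_packet_list_A that is the wrong severity and the wrong message. Because qdm2_decode_super_block returns void, the caller also learns nothing about the failure. Log at AV_LOG_ERROR with a message that names the overrun, and note in the header how the caller is expected to notice the aborted super block.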
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..43ffc03a69
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
@@ -0,0 +1,58 @@
1gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144
2
3This also adds a few lines of code from master that are needed for this fix.
4
5Thanks to Phillip for suggestions to improve the patch.
6Found-by: Phillip Langlois
7
8Upstream-Status: Backport
9
10Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
11---
12 libavcodec/qdm2.c | 9 +++++++--
13 1 files changed, 7 insertions(+), 2 deletions(-)
14
15diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
16index 3aa9e5b..e000df8 100644
17--- a/gst-libs/ext/libav/libavcodec/qdm2.c
18+++ b/gst-libs/ext/libav/libavcodec/qdm2.c
19@@ -76,6 +76,7 @@ do { \
20 #define SAMPLES_NEEDED_2(why) \
21 av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
22
23+#define QDM2_MAX_FRAME_SIZE 512
24
25 typedef int8_t sb_int8_array[2][30][64];
26
27@@ -168,7 +169,7 @@ typedef struct {
28 /// I/O data
29 const uint8_t *compressed_data;
30 int compressed_size;
31- float output_buffer[1024];
32+ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
33
34 /// Synthesis filter
35 MPADSPContext mpadsp;
36@@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
37 s->group_order = av_log2(s->group_size) + 1;
38 s->frame_size = s->group_size / 16; // 16 iterations per super block
39
40+ if (s->frame_size > QDM2_MAX_FRAME_SIZE)
41+ return AVERROR_INVALIDDATA;
42+
43 s->sub_sampling = s->fft_order - 7;
44 s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
45
46@@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
47 int ch, i;
48 const int frame_size = (q->frame_size * q->channels);
49
50+ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
51+ return -1;
52+
53 /* select input buffer */
54 q->compressed_data = in;
55 q->compressed_size = q->checksum_size;
56--
571.7.5.4
58
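Review bot: the size arithmetic is undocumented: output_buffer becomes QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2 floats (line 32) and qdm2_decode rejects frame_size above FF_ARRAY_ELEMS(q->output_buffer)/2 (line 50), but nothing explains the factor of 2 in either place; add a comment saying what the other half of the buffer is used for. The two rejections are also inconsistent, with qdm2_decode_init returning AVERROR_INVALIDDATA (line 41) and qdm2_decode returning -1 (line 51), neither with a log message.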
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
new file mode 100644
index 0000000000..15b161469c
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
@@ -0,0 +1,32 @@
1gst-ffmpeg: smackerdec: Check that the last indexes are within the
2 table.
3
4Fixes CVE-2011-3944
5
6Upstream-Status: Backport
7
8Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
9Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10---
11 libavcodec/smacker.c | 5 +++++
12 1 files changed, 5 insertions(+), 0 deletions(-)
13
14diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
15index 30f99b4..2a8bae8 100644
16--- a/gst-libs/ext/libav/libavcodec/smacker.c
17+++ b/gst-libs/ext/libav/libavcodec/smacker.c
18@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
19 if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
20 if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
21 if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
22+ if(huff.current > huff.length){
23+ ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
24+ av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
25+ return -1;
26+ }
27
28 *recodes = huff.values;
29
30--
311.7.5.4
32
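Review bot: The `huff.current > huff.length` test runs only after the three `ctx.last[n] = huff.current++` assignments, and the error path then sets all three indexes to `1` without saying why 1 is a safe value. A comment explaining that choice, or validating before assigning, would make the intent clear. The early `return -1` also skips `*recodes = huff.values;`, so please confirm that `huff.values` is freed on that path.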
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
new file mode 100644
index 0000000000..a1989cfeab
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
@@ -0,0 +1,32 @@
1gst-ffmpeg: vp3: Copy all 3 frames for thread updates.
2
3This fixes a double release of the current frame on deinit.
4Fixes CVE-2011-3934
5
6Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
7Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8
9Upstream-Status: Backport
10
11Signed-off-by: Yue.Tao <yue.tao@windriver.com>
12
13---
14 libavcodec/vp3.c | 2 +-
15 1 files changed, 1 insertions(+), 1 deletions(-)
16
17diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
18index 738ae9f..b5daafc 100644
19--- a/gst-libs/ext/libav/libavcodec/vp3.c
20+++ b/gst-libs/ext/libav/libavcodec/vp3.c
21@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
22 ||s->width != s1->width
23 ||s->height!= s1->height) {
24 if (s != s1)
25- copy_fields(s, s1, golden_frame, current_frame);
26+ copy_fields(s, s1, golden_frame, keyframe);
27 return -1;
28 }
29
30--
311.7.5.4
32
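Review bot: Swapping the end marker from `current_frame` to `keyframe` relies on the field order of Vp3DecodeContext, and nothing in this hunk records that. copy_fields is a memcpy that stops just before its end field, so a comment at the call site (or next to the struct members) stating that the range is end-exclusive and layout-dependent would keep a later struct reorder from silently bringing back the double release described in the commit message.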
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
new file mode 100644
index 0000000000..e83d8f402b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
@@ -0,0 +1,183 @@
1gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
2
3Upstream-Status: Backport
4
5Signed-off-by: Yue.Tao <yue.tao@windriver.com>
6
7---
8 libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------
9 1 files changed, 45 insertions(+), 14 deletions(-)
10
11diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
12index 36715bb..ce14e63 100644
13--- a/gst-libs/ext/libav/libavcodec/vp3.c
14+++ b/gst-libs/ext/libav/libavcodec/vp3.c
15@@ -45,6 +45,7 @@
16 #define FRAGMENT_PIXELS 8
17
18 static av_cold int vp3_decode_end(AVCodecContext *avctx);
19+static void vp3_decode_flush(AVCodecContext *avctx);
20
21 //FIXME split things out into their own arrays
22 typedef struct Vp3Fragment {
23@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
24 /* decode a VLC into a token */
25 token = get_vlc2(gb, vlc_table, 11, 3);
26 /* use the token to get a zero run, a coefficient, and an eob run */
27- if (token <= 6) {
28+ if ((unsigned) token <= 6U) {
29 eob_run = eob_run_base[token];
30 if (eob_run_get_bits[token])
31 eob_run += get_bits(gb, eob_run_get_bits[token]);
32@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
33 coeff_i += eob_run;
34 eob_run = 0;
35 }
36- } else {
37+ } else if (token >= 0) {
38 bits_to_get = coeff_get_bits[token];
39 if (bits_to_get)
40 bits_to_get = get_bits(gb, bits_to_get);
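Review bot: `else if (token >= 0)` bounds token only from below before `coeff_get_bits[token]` is read, so the upper limit rests entirely on what the VLC table can return. If that is guaranteed, say so in a comment; otherwise compare against the array size here. The patch also mixes two idioms for the same concern, `(unsigned) token <= 6U` in the previous hunk and an explicit `token >= 0` here; picking one would read more clearly.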
41@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
42 for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
43 s->num_coded_frags[plane][i]--;
44 coeff_i++;
45+ } else {
46+ av_log(s->avctx, AV_LOG_ERROR,
47+ "Invalid token %d\n", token);
48+ return -1;
49 }
50 }
51
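Review bot: The new `else` branch makes unpack_vlcs return `-1` from a function whose normal return value is the running eob_run, so the return value now carries two meanings. Document that contract at the function, and consider returning `AVERROR_INVALIDDATA` instead of a bare `-1`, since the callers changed later in this patch pass the value straight up with `return residual_eob_run;`.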
52@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
53 /* unpack the Y plane DC coefficients */
54 residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
55 0, residual_eob_run);
56+ if (residual_eob_run < 0)
57+ return residual_eob_run;
58
59 /* reverse prediction of the Y-plane DC coefficients */
60 reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
61@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
62 /* unpack the C plane DC coefficients */
63 residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
64 1, residual_eob_run);
65+ if (residual_eob_run < 0)
66+ return residual_eob_run;
67 residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
68 2, residual_eob_run);
69+ if (residual_eob_run < 0)
70+ return residual_eob_run;
71
72 /* reverse prediction of the C-plane DC coefficients */
73 if (!(s->avctx->flags & CODEC_FLAG_GRAY))
74@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
75 for (i = 1; i <= 63; i++) {
76 residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
77 0, residual_eob_run);
78+ if (residual_eob_run < 0)
79+ return residual_eob_run;
80
81 residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
82 1, residual_eob_run);
83+ if (residual_eob_run < 0)
84+ return residual_eob_run;
85 residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
86 2, residual_eob_run);
87+ if (residual_eob_run < 0)
88+ return residual_eob_run;
89 }
90
91 return 0;
92@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
93 Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
94 int qps_changed = 0, i, err;
95
96+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
97+
98 if (!s1->current_frame.data[0]
99 ||s->width != s1->width
100- ||s->height!= s1->height)
101+ ||s->height!= s1->height) {
102+ if (s != s1)
103+ copy_fields(s, s1, golden_frame, current_frame);
104 return -1;
105+ }
106
107 if (s != s1) {
108 // init tables if the first frame hasn't been decoded
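Review bot: The early-return path added here calls `copy_fields(s, s1, golden_frame, current_frame)`, and because the macro's memcpy length is `&to->end_field - &to->start_field`, `current_frame` itself is not copied. If that exclusion is intended, a comment should say so; the follow-up vp3 patch in this same series changes the end marker to `keyframe`, which suggests it was not. The macro is also now defined at the top of the function body with no matching `#undef` in the visible lines.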
109@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
110 memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
111 }
112
113-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
114-
115 // copy previous frame data
116 copy_fields(s, s1, golden_frame, dsp);
117
118@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
119 Vp3DecodeContext *s = avctx->priv_data;
120 int i;
121
122- if (avctx->is_copy && !s->current_frame.data[0])
123- return 0;
124-
125 av_free(s->superblock_coding);
126 av_free(s->all_fragments);
127 av_free(s->coded_fragment_list[0]);
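Review bot: Dropping the `avctx->is_copy && !s->current_frame.data[0]` early return means the av_free calls below now run for thread copies too, and that relies on vp3_init_thread_copy (added later in this patch) having set those pointers to NULL. A comment here pointing at that dependency would keep the list of freed fields and the list of NULLed fields from drifting apart.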
128@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
129 free_vlc(&s->motion_vector_vlc);
130
131 /* release all frames */
132- if (s->golden_frame.data[0])
133- ff_thread_release_buffer(avctx, &s->golden_frame);
134- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
135- ff_thread_release_buffer(avctx, &s->last_frame);
136- /* no need to release the current_frame since it will always be pointing
137- * to the same frame as either the golden or last frame */
138+ vp3_decode_flush(avctx);
139
140 return 0;
141 }
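Review bot: Replacing the per-frame release code with `vp3_decode_flush(avctx)` discards the removed comment's assumption that current_frame always aliases the golden or last frame, and flush does release `s->current_frame` (visible in the next hunk's context). Please confirm vp3_decode_flush guards each release so that a buffer shared by two of the three frame fields is not released twice, and note in the commit message that the old `FF_BUFFER_TYPE_COPY` check on last_frame is gone.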
142@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
143 ff_thread_release_buffer(avctx, &s->current_frame);
144 }
145
146+static int vp3_init_thread_copy(AVCodecContext *avctx)
147+{
148+ Vp3DecodeContext *s = avctx->priv_data;
149+
150+ s->superblock_coding = NULL;
151+ s->all_fragments = NULL;
152+ s->coded_fragment_list[0] = NULL;
153+ s->dct_tokens_base = NULL;
154+ s->superblock_fragments = NULL;
155+ s->macroblock_coding = NULL;
156+ s->motion_val[0] = NULL;
157+ s->motion_val[1] = NULL;
158+ s->edge_emu_buffer = NULL;
159+
160+ return 0;
161+}
162+
163 AVCodec ff_theora_decoder = {
164 .name = "theora",
165 .type = AVMEDIA_TYPE_VIDEO,
166@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
167 .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
168 .flush = vp3_decode_flush,
169 .long_name = NULL_IF_CONFIG_SMALL("Theora"),
170+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
171 .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
172 };
173 #endif
174@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
175 .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
176 .flush = vp3_decode_flush,
177 .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
178+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
179 .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
180 };
181--
1821.7.5.4
183
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
new file mode 100644
index 0000000000..3c8d8e353e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
@@ -0,0 +1,100 @@
1gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
2
3Upstream-Status: Backport
4
5Signed-off-by: Yue Tao <yue.tao@windriver.com>
6
7diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
8index 2a0df8c..bcbd56d 100644
9--- a/gst-libs/ext/libav/libavcodec/alac.c.old
10+++ b/gst-libs/ext/libav/libavcodec/alac.c
11@@ -87,18 +87,44 @@ typedef struct {
12 int wasted_bits;
13 } ALACContext;
14
15-static void allocate_buffers(ALACContext *alac)
16+static av_cold int alac_decode_close(AVCodecContext *avctx)
17+{
18+ ALACContext *alac = avctx->priv_data;
19+
20+ int chan;
21+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
22+ av_freep(&alac->predicterror_buffer[chan]);
23+ av_freep(&alac->outputsamples_buffer[chan]);
24+ av_freep(&alac->wasted_bits_buffer[chan]);
25+ }
26+
27+ return 0;
28+}
29+
30+static int allocate_buffers(ALACContext *alac)
31 {
32 int chan;
33+ int buf_size;
34+
35+ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
36+ goto buf_alloc_fail;
37+ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
38+
39 for (chan = 0; chan < MAX_CHANNELS; chan++) {
40- alac->predicterror_buffer[chan] =
41- av_malloc(alac->setinfo_max_samples_per_frame * 4);
42
43- alac->outputsamples_buffer[chan] =
44- av_malloc(alac->setinfo_max_samples_per_frame * 4);
45+ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
46+ buf_size, buf_alloc_fail);
47
48- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
49+ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
50+ buf_size, buf_alloc_fail);
51+
52+ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
53+ buf_size, buf_alloc_fail);
54 }
55+ return 0;
56+buf_alloc_fail:
57+ alac_decode_close(alac->avctx);
58+ return AVERROR(ENOMEM);
59 }
60
61 static int alac_set_info(ALACContext *alac)
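Review bot: In allocate_buffers the overflow test jumps to `buf_alloc_fail`, so an out-of-range `setinfo_max_samples_per_frame` is reported as `AVERROR(ENOMEM)` instead of as invalid data. Give the range check its own return (AVERROR_INVALIDDATA) and keep the label for real allocation failures. The check also has no lower bound, so a value of 0 yields `buf_size` 0 and three zero-length allocations per channel; rejecting it here would be cheap.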
62@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
63 bytestream_get_be32(&ptr); /* bitrate ? */
64 bytestream_get_be32(&ptr); /* samplerate */
65
66- allocate_buffers(alac);
67-
68 return 0;
69 }
70
71@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
72
73 static av_cold int alac_decode_init(AVCodecContext * avctx)
74 {
75+ int ret;
76 ALACContext *alac = avctx->priv_data;
77 alac->avctx = avctx;
78 alac->numchannels = alac->avctx->channels;
79@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
80 return -1;
81 }
82
83- return 0;
84-}
85-
86-static av_cold int alac_decode_close(AVCodecContext *avctx)
87-{
88- ALACContext *alac = avctx->priv_data;
89-
90- int chan;
91- for (chan = 0; chan < MAX_CHANNELS; chan++) {
92- av_freep(&alac->predicterror_buffer[chan]);
93- av_freep(&alac->outputsamples_buffer[chan]);
94- av_freep(&alac->wasted_bits_buffer[chan]);
95+ if ((ret = allocate_buffers(alac)) < 0) {
96+ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
97+ return ret;
98 }
99
100 return 0;
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a3b2f5cf29..e26b267f32 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -36,6 +36,23 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
36 file://0001-alac-fix-nb_samples-order-case.patch \ 36 file://0001-alac-fix-nb_samples-order-case.patch \
37 file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \ 37 file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
38 file://0001-roqvideodec-check-dimensions-validity.patch \ 38 file://0001-roqvideodec-check-dimensions-validity.patch \
39 file://0001-aacdec-check-channel-count.patch \
40 file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
41 file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
42 file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
43 file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
44 file://0001-h264_sei-Fix-infinite-loop.patch \
45 file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
46 file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
47 file://gst-ffmpeg-CVE-2013-0855.patch \
48 file://0001-qdm2dec-fix-buffer-overflow.patch \
49 file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
50 file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
51 file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
52 file://0001-error-concealment-initialize-block-index.patch \
53 file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
54 file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
55 file://0001-ffserver-set-oformat.patch \
39" 56"
40 57
41SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" 58SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
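Review bot: The added SRC_URI entries depend on order in one place that nothing documents: `0001-vp3-Copy-all-3-frames-for-thread-updates.patch` edits the `copy_fields(s, s1, golden_frame, current_frame);` line that `0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch` introduces, so it must stay listed after it. Recording that in the header of the second patch file would protect against a later re-sort of the list. Only one of the new entries carries its CVE in the file name; the rest can be matched to a CVE only by opening each patch header.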