gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0869

The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted H.264 data, related to an SPS and slice mismatch and an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0869 (From OE-Core rev: 9d0fe8f47e360ad09d4a20144da96576dd4bf82f) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Conflicts: meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-08-29 14:46:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-23 16:13:31 +0100
commit: df4a397df9213eb2f419120fc2c32d51d0bf6a05 (patch)
tree: a2113aca8a09262549fc07b4bf7f912809b7f9f2
parent: 9b3389e023a41d485c9b637cc93f1057b53d12c3 (diff)
download: poky-df4a397df9213eb2f419120fc2c32d51d0bf6a05.tar.gz
2 files changed, 34 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch
new file mode 100644
index 0000000000..5d45c1a96c
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch
@@ -0,0 +1,33 @@
+gst-ffmpeg: h264: skip error concealment when SPS and slices are
+ mismatching
+Fixes out of array accesses
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 695af8eed642ff0104834495652d1ee784a4c14d)
+Upstream-Status: Backport
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ libavcodec/h264.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index da144db..0aab4e7 100644
+--- a/gst-libs/ext/libav/libavcodec/h264.c
+++ b/gst-libs/ext/libav/libavcodec/h264.c
+@@ -2351,7 +2351,7 @@ static int field_end(H264Context *h, int in_setup)
+      * past end by one (callers fault) and resync_mb_y != 0
+      * causes problems for the first MB line, too.
+      */
+-    if (!FIELD_PICTURE)
+    if (!FIELD_PICTURE && h->current_slice && !h->sps.new)
+         ff_er_frame_end(s);
+ 
+     ff_MPV_frame_end(s);
+-- 
+1.7.5.4
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index d1fa412dc6..8fc4b8f344 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -54,6 +54,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
           file://0001-ffserver-set-oformat.patch \
           file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \
+           file://0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch \
 "
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
author	Yue Tao <Yue.Tao@windriver.com>	2014-08-29 14:46:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-23 16:13:31 +0100
commit	df4a397df9213eb2f419120fc2c32d51d0bf6a05 (patch)
tree	a2113aca8a09262549fc07b4bf7f912809b7f9f2
parent	9b3389e023a41d485c9b637cc93f1057b53d12c3 (diff)
download	poky-df4a397df9213eb2f419120fc2c32d51d0bf6a05.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch new file mode 100644 index 0000000000..5d45c1a96c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch
@@ -0,0 +1,33 @@
		1	gst-ffmpeg: h264: skip error concealment when SPS and slices are
		2	mismatching
		3
		4	Fixes out of array accesses
		5
		6	Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
		7	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		8	(cherry picked from commit 695af8eed642ff0104834495652d1ee784a4c14d)
		9
		10	Upstream-Status: Backport
		11
		12	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		13	Signed-off-by: Yue Tao <yue.tao@windriver.com>
		14	---
		15	libavcodec/h264.c \| 2 +-
		16	1 files changed, 1 insertions(+), 1 deletions(-)
		17
		18	diff --git a/libavcodec/h264.c b/libavcodec/h264.c
		19	index da144db..0aab4e7 100644
		20	--- a/gst-libs/ext/libav/libavcodec/h264.c
		21	+++ b/gst-libs/ext/libav/libavcodec/h264.c
		22	@@ -2351,7 +2351,7 @@ static int field_end(H264Context *h, int in_setup)
		23	* past end by one (callers fault) and resync_mb_y != 0
		24	* causes problems for the first MB line, too.
		25	*/
		26	- if (!FIELD_PICTURE)
		27	+ if (!FIELD_PICTURE && h->current_slice && !h->sps.new)
		28	ff_er_frame_end(s);
		29
		30	ff_MPV_frame_end(s);
		31	--
		32	1.7.5.4
		33


diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index d1fa412dc6..8fc4b8f344 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -54,6 +54,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
54	file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \	54	file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
55	file://0001-ffserver-set-oformat.patch \	55	file://0001-ffserver-set-oformat.patch \
56	file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \	56	file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \
		57	file://0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch \
57	"	58	"
58		59
59	SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"	60	SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"