author | Yue Tao <Yue.Tao@windriver.com> | 2014-07-22 15:46:36 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-07-23 21:59:24 +0100 |
commit | 91c845c452de5ddbf85cf252df874650fb916bdd (patch) | |
tree | df418966ede6c876afdb3c524f0099f8d48d2770 | |
parent | b7f8fded0de08d2bfe16541bc4d8c9073b3bb941 (diff) | |
download | poky-91c845c452de5ddbf85cf252df874650fb916bdd.tar.gz |
gst-ffmpeg: Add CVE patches
Security Advisory - ffmpeg - CVE-2013-0866
The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file, which
triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a
frame is fully initialized, which allows remote attackers to trigger a
NULL pointer dereference via crafted picture data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
Double free vulnerability in the vp3_update_thread_context function in
libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have
an unspecified impact via crafted vp3 data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
The ff_combine_frame function in libavcodec/parser.c in FFmpeg before
2.1 does not properly handle certain memory-allocation errors, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
Integer overflow in the alac_decode_close function in libavcodec/alac.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via a large number of samples per frame in Apple Lossless Audio
Codec (ALAC) data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before
0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute
arbitrary code via unspecified vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via a crafted
width in huffyuv data with the predictor set to median and the
colorspace set to YUV422P, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
The smacker_decode_header_tree function in libavcodec/smacker.c in
FFmpeg before 0.10 allows remote attackers to have an unspecified impact
via crafted Smacker data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944
file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
The decode_mb function in libavcodec/error_resilience.c in FFmpeg before
0.10 allows remote attackers to have an unspecified impact via vectors
related to an uninitialized block index, which triggers an out-of-bound
write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
Array index error in the qdm2_decode_super_block function in
libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have
an unspecified impact via crafted QDM2 data, which triggers an
out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
The av_probe_input_buffer function in libavformat/utils.c in FFmpeg
before 1.0.2, when running with certain -probesize values, allows remote
attackers to cause a denial of service (crash) via a crafted MP3 file,
possibly related to frame size or lack of sufficient frames to estimate
rate.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617
The prepare_sdp_description function in ffserver.c in FFmpeg before
1.0.2 allows remote attackers to cause a denial of service (crash) via
vectors related to the rtp format.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617
(From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
18 files changed, 917 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch new file mode 100644 index 0000000000..7da0e14525 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | gst-ffmpeg: aacdec: check channel count | ||
2 | |||
3 | Prevent out of array accesses | ||
4 | |||
5 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
6 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
7 | (cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6) | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
12 | --- | ||
13 | libavcodec/aacdec.c | 5 +++++ | ||
14 | 1 files changed, 5 insertions(+), 0 deletions(-) | ||
15 | |||
16 | diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c | ||
17 | index 239153a..6c17c33 100644 | ||
18 | --- a/gst-libs/ext/libav/libavcodec/aacdec.c | ||
19 | +++ b/gst-libs/ext/libav/libavcodec/aacdec.c | ||
20 | @@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) | ||
21 | } | ||
22 | } | ||
23 | |||
24 | + if (avctx->channels > MAX_CHANNELS) { | ||
25 | + av_log(avctx, AV_LOG_ERROR, "Too many channels\n"); | ||
26 | + return AVERROR_INVALIDDATA; | ||
27 | + } | ||
28 | + | ||
29 | AAC_INIT_VLC_STATIC( 0, 304); | ||
30 | AAC_INIT_VLC_STATIC( 1, 270); | ||
31 | AAC_INIT_VLC_STATIC( 2, 550); | ||
32 | -- | ||
33 | 1.7.5.4 | ||
34 | |||
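Review bot: The new guard in aac_decode_init rejects only avctx->channels > MAX_CHANNELS; a zero or negative count still passes, and the visible context does not show whether an earlier check covers that, so either bound it from below here as well or say in the header where that is enforced. The patch header also omits the CVE identifier (the commit message ties this function to CVE-2013-0866); a line naming it would let the recipe's patch list be matched against advisories. The inner "diff --git a/libavcodec/aacdec.c" line keeps the upstream path while the ---/+++ lines use gst-libs/ext/libav/, which is worth normalising across the series.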
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch new file mode 100644 index 0000000000..31fa51a3ea --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 30 Aug 2013 23:40:47 +0200 | ||
4 | Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions | ||
5 | |||
6 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
7 | (cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760) | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
12 | --- | ||
13 | libavcodec/dsputil.c | 4 ++-- | ||
14 | 1 files changed, 2 insertions(+), 2 deletions(-) | ||
15 | |||
16 | diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c | ||
17 | index 53dc2eb..6264832 100644 | ||
18 | --- a/gst-libs/ext/libav/libavcodec/dsputil.c | ||
19 | +++ b/gst-libs/ext/libav/libavcodec/dsputil.c | ||
20 | @@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){ | ||
21 | |||
22 | static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){ | ||
23 | long i; | ||
24 | - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ | ||
25 | + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ | ||
26 | long a = *(long*)(src+i); | ||
27 | long b = *(long*)(dst+i); | ||
28 | *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80); | ||
29 | @@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){ | ||
30 | } | ||
31 | }else | ||
32 | #endif | ||
33 | - for(i=0; i<=w-sizeof(long); i+=sizeof(long)){ | ||
34 | + for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){ | ||
35 | long a = *(long*)(src1+i); | ||
36 | long b = *(long*)(src2+i); | ||
37 | *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80); | ||
38 | -- | ||
39 | 1.7.5.4 | ||
40 | |||
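Review bot: The header carries Michael Niedermayer's Signed-off-by twice and no sign-off from whoever did the backport, unlike for example the aacdec patch; replace the second one with the backporter's and name CVE-2013-7010, which the commit message associates with dsputil.c. On the code, the second hunk (diff_bytes_c) does not show the declaration of i: the (int) cast on sizeof(long) only keeps the comparison signed if i is signed there, as it is in add_bytes_c ("long i;"), so confirm that before relying on it.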
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch new file mode 100644 index 0000000000..5ff65834e4 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | gst-ffmpeg: avcodec/parser: reset indexes on realloc failure | ||
2 | |||
3 | Fixes Ticket2982 | ||
4 | |||
5 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
6 | (cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a) | ||
7 | |||
8 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
13 | |||
14 | --- | ||
15 | libavcodec/parser.c | 10 +++++++--- | ||
16 | 1 files changed, 7 insertions(+), 3 deletions(-) | ||
17 | |||
18 | diff --git a/libavcodec/parser.c b/libavcodec/parser.c | ||
19 | index 2c6de6e..66eca06 100644 | ||
20 | --- a/gst-libs/ext/libav/libavcodec/parser.c | ||
21 | +++ b/gst-libs/ext/libav/libavcodec/parser.c | ||
22 | @@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s | ||
23 | if(next == END_NOT_FOUND){ | ||
24 | void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); | ||
25 | |||
26 | - if(!new_buffer) | ||
27 | + if(!new_buffer) { | ||
28 | + pc->index = 0; | ||
29 | return AVERROR(ENOMEM); | ||
30 | + } | ||
31 | pc->buffer = new_buffer; | ||
32 | memcpy(&pc->buffer[pc->index], *buf, *buf_size); | ||
33 | pc->index += *buf_size; | ||
34 | @@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s | ||
35 | /* append to buffer */ | ||
36 | if(pc->index){ | ||
37 | void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE); | ||
38 | - | ||
39 | - if(!new_buffer) | ||
40 | + if(!new_buffer) { | ||
41 | + pc->overread_index = | ||
42 | + pc->index = 0; | ||
43 | return AVERROR(ENOMEM); | ||
44 | + } | ||
45 | pc->buffer = new_buffer; | ||
46 | if (next > -FF_INPUT_BUFFER_PADDING_SIZE) | ||
47 | memcpy(&pc->buffer[pc->index], *buf, | ||
48 | -- | ||
49 | 1.7.5.4 | ||
50 | |||
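Review bot: The two failure paths in ff_combine_frame reset different state: the first hunk clears only pc->index, the second clears both pc->overread_index and pc->index. If the asymmetry is intended, say why in the header; if not, reset overread_index in the first path too. The chained assignment split over two lines ("pc->overread_index =" followed by "pc->index = 0;") reads like a truncated statement, and two separate assignments would be clearer. The header mentions Ticket2982 only, so add CVE-2013-7023 from the commit message for traceability.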
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch new file mode 100644 index 0000000000..7f6eb48889 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch | |||
@@ -0,0 +1,81 @@ | |||
1 | gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before | ||
2 | using the pointers | ||
3 | |||
4 | Fixes out of array accesses | ||
5 | Fixes Ticket2850 | ||
6 | |||
7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
8 | (cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34) | ||
9 | |||
10 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Singed-off-by: Yue Tao <yue.tao@windriver.com> | ||
15 | |||
16 | --- | ||
17 | libavcodec/rpza.c | 8 ++++---- | ||
18 | 1 files changed, 4 insertions(+), 4 deletions(-) | ||
19 | |||
20 | diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c | ||
21 | index 635b406..f291a95 100644 | ||
22 | --- a/gst-libs/ext/libav/libavcodec/rpza.c | ||
23 | +++ b/gst-libs/ext/libav/libavcodec/rpza.c | ||
24 | @@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s) | ||
25 | unsigned short *pixels = (unsigned short *)s->frame.data[0]; | ||
26 | |||
27 | int row_ptr = 0; | ||
28 | - int pixel_ptr = 0; | ||
29 | + int pixel_ptr = -4; | ||
30 | int block_ptr; | ||
31 | int pixel_x, pixel_y; | ||
32 | int total_blocks; | ||
33 | @@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s) | ||
34 | colorA = AV_RB16 (&s->buf[stream_ptr]); | ||
35 | stream_ptr += 2; | ||
36 | while (n_blocks--) { | ||
37 | + ADVANCE_BLOCK() | ||
38 | block_ptr = row_ptr + pixel_ptr; | ||
39 | for (pixel_y = 0; pixel_y < 4; pixel_y++) { | ||
40 | for (pixel_x = 0; pixel_x < 4; pixel_x++){ | ||
41 | @@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s) | ||
42 | } | ||
43 | block_ptr += row_inc; | ||
44 | } | ||
45 | - ADVANCE_BLOCK(); | ||
46 | } | ||
47 | break; | ||
48 | |||
49 | @@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s) | ||
50 | color4[2] |= ((21 * ta + 11 * tb) >> 5); | ||
51 | |||
52 | while (n_blocks--) { | ||
53 | + ADVANCE_BLOCK(); | ||
54 | block_ptr = row_ptr + pixel_ptr; | ||
55 | for (pixel_y = 0; pixel_y < 4; pixel_y++) { | ||
56 | index = s->buf[stream_ptr++]; | ||
57 | @@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s) | ||
58 | } | ||
59 | block_ptr += row_inc; | ||
60 | } | ||
61 | - ADVANCE_BLOCK(); | ||
62 | } | ||
63 | break; | ||
64 | |||
65 | /* Fill block with 16 colors */ | ||
66 | case 0x00: | ||
67 | + ADVANCE_BLOCK(); | ||
68 | block_ptr = row_ptr + pixel_ptr; | ||
69 | for (pixel_y = 0; pixel_y < 4; pixel_y++) { | ||
70 | for (pixel_x = 0; pixel_x < 4; pixel_x++){ | ||
71 | @@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s) | ||
72 | } | ||
73 | block_ptr += row_inc; | ||
74 | } | ||
75 | - ADVANCE_BLOCK(); | ||
76 | break; | ||
77 | |||
78 | /* Unknown opcode */ | ||
79 | -- | ||
80 | 1.7.5.4 | ||
81 | |||
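Review bot: The first inserted call, "ADVANCE_BLOCK()" in the while (n_blocks--) loop of the second hunk, has no trailing semicolon, while the other two insertions and all three removed calls are written "ADVANCE_BLOCK();". It compiles only if the macro expands to a complete statement, so add the semicolon for consistency. The new initial value "int pixel_ptr = -4;" depends on ADVANCE_BLOCK stepping pixel_ptr before its first use, and the macro body is outside the diff; a one-line comment at the declaration would make that coupling visible. The trailer in the header is misspelled "Singed-off-by", which sign-off tooling will not recognise.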
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch new file mode 100644 index 0000000000..e0e4239c2f --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch | |||
@@ -0,0 +1,29 @@ | |||
1 | gst-ffmpeg: error concealment: initialize block index. | ||
2 | |||
3 | Fixes CVE-2011-3941 (out of bounds write) | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | |||
7 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
8 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
9 | --- | ||
10 | libavcodec/error_resilience.c | 3 +++ | ||
11 | 1 files changed, 3 insertions(+), 0 deletions(-) | ||
12 | |||
13 | diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c | ||
14 | index 8bb5d0c..d55c000 100644 | ||
15 | --- a/gst-libs/ext/libav/libavcodec/error_resilience.c | ||
16 | +++ b/gst-libs/ext/libav/libavcodec/error_resilience.c | ||
17 | @@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){ | ||
18 | s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift); | ||
19 | s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift); | ||
20 | |||
21 | + ff_init_block_index(s); | ||
22 | + ff_update_block_index(s); | ||
23 | + | ||
24 | if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){ | ||
25 | H264Context *h= (void*)s; | ||
26 | h->mb_xy= s->mb_x + s->mb_y*s->mb_stride; | ||
27 | -- | ||
28 | 1.7.5.4 | ||
29 | |||
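Review bot: The header gives no upstream commit id and no sign-off from the backporter, although it is marked "Upstream-Status: Backport"; several of the other backports in this series carry a "(cherry picked from commit ...)" line, and without one the two added calls in decode_mb cannot be checked against their origin. On the code, ff_init_block_index(s) and ff_update_block_index(s) now run on every decode_mb call; a short comment saying which index was previously left uninitialized would document why both are needed.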
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch new file mode 100644 index 0000000000..8eef6e99cc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | gst-ffmpeg: error_concealment: Check that the picture is not in a half | ||
2 | |||
3 | Fixes state becoming inconsistent | ||
4 | Fixes a null pointer dereference | ||
5 | |||
6 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
8 | (cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe) | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | |||
12 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
13 | |||
14 | --- | ||
15 | libavcodec/error_resilience.c | 6 ++++++ | ||
16 | 1 files changed, 6 insertions(+), 0 deletions(-) | ||
17 | |||
18 | diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c | ||
19 | index 01f7424..2b6bc42 100644 | ||
20 | --- a/gst-libs/ext/libav/libavcodec/error_resilience.c | ||
21 | +++ b/gst-libs/ext/libav/libavcodec/error_resilience.c | ||
22 | @@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){ | ||
23 | s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled | ||
24 | s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return; | ||
25 | |||
26 | + if ( s->picture_structure == PICT_FRAME | ||
27 | + && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) { | ||
28 | + av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n"); | ||
29 | + return; | ||
30 | + } | ||
31 | + | ||
32 | if(s->current_picture.motion_val[0] == NULL){ | ||
33 | av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n"); | ||
34 | |||
35 | -- | ||
36 | 1.7.5.4 | ||
37 | |||
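Review bot: The clause "s->picture_structure == PICT_FRAME" in the new condition is always true at this point, because the return just above it already leaves when s->picture_structure != PICT_FRAME; drop it so the check reads as the linesize comparison alone. The check dereferences s->current_picture_ptr, and the visible context does not show a NULL test on it, so confirm one precedes this line, given that the patch is meant to fix a null pointer dereference. The subject line ends at "is not in a half" and should be completed.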
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch new file mode 100644 index 0000000000..80325db4d6 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | gst-ffmpeg: ffserver: set oformat | ||
2 | |||
3 | Fix Ticket1986 | ||
4 | |||
5 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
6 | (cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f) | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | --- | ||
11 | ffserver.c | 4 +++- | ||
12 | 1 files changed, 3 insertions(+), 1 deletions(-) | ||
13 | |||
14 | diff --git a/ffserver.c b/ffserver.c | ||
15 | index 4044d0f..8740140 100644 | ||
16 | --- a/gst-libs/ext/libav/ffserver.c | ||
17 | +++ b/gst-libs/ext/libav/ffserver.c | ||
18 | @@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer, | ||
19 | { | ||
20 | AVFormatContext *avc; | ||
21 | AVStream *avs = NULL; | ||
22 | + AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL); | ||
23 | int i; | ||
24 | |||
25 | avc = avformat_alloc_context(); | ||
26 | - if (avc == NULL) { | ||
27 | + if (avc == NULL || !rtp_format) { | ||
28 | return -1; | ||
29 | } | ||
30 | + avc->oformat = rtp_format; | ||
31 | av_dict_set(&avc->metadata, "title", | ||
32 | stream->title[0] ? stream->title : "No Title", 0); | ||
33 | avc->nb_streams = stream->nb_streams; | ||
34 | -- | ||
35 | 1.7.5.4 | ||
36 | |||
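Review bot: In prepare_sdp_description the combined test "if (avc == NULL || !rtp_format)" returns -1 when avformat_alloc_context() succeeded but av_guess_format("rtp", NULL, NULL) returned NULL, and nothing on that path releases avc. Test rtp_format before allocating, or free avc before returning. The header has no backporter sign-off and cites Ticket1986 only; the commit message links prepare_sdp_description to CVE-2012-6617, which should be named here.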
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch new file mode 100644 index 0000000000..1e62b50360 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | gst-ffmpeg: h264_sei: Fix infinite loop. | ||
2 | |||
3 | Fixsot yet fixed parts of CVE-2011-3946. | ||
4 | |||
5 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
6 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
11 | |||
12 | --- | ||
13 | libavcodec/h264_sei.c | 4 ++++ | ||
14 | 1 files changed, 4 insertions(+), 0 deletions(-) | ||
15 | |||
16 | |||
17 | diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c | ||
18 | index 374e53d..80d70e5 100644 | ||
19 | --- a/gst-libs/ext/libav/libavcodec/h264_sei.c | ||
20 | +++ b/gst-libs/ext/libav/libavcodec/h264_sei.c | ||
21 | @@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){ | ||
22 | |||
23 | type=0; | ||
24 | do{ | ||
25 | + if (get_bits_left(&s->gb) < 8) | ||
26 | + return -1; | ||
27 | type+= show_bits(&s->gb, 8); | ||
28 | }while(get_bits(&s->gb, 8) == 255); | ||
29 | |||
30 | size=0; | ||
31 | do{ | ||
32 | + if (get_bits_left(&s->gb) < 8) | ||
33 | + return -1; | ||
34 | size+= show_bits(&s->gb, 8); | ||
35 | }while(get_bits(&s->gb, 8) == 255); | ||
36 | |||
37 | -- | ||
38 | 1.7.5.4 | ||
39 | |||
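Review bot: Both added guards in ff_h264_decode_sei return a bare -1 with no log message, whereas other fixes in this series log and return AVERROR_INVALIDDATA (for example the aacdec channel check); doing the same here would make truncated SEI data distinguishable from other failures. The description line "Fixsot yet fixed parts of CVE-2011-3946." is garbled and there is no upstream commit id, so the origin of the backport cannot be checked from the header.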
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch new file mode 100644 index 0000000000..6b60d163fb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array | ||
2 | accesses | ||
3 | |||
4 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
9 | --- | ||
10 | libavcodec/huffyuv.c | 5 ++++- | ||
11 | 1 files changed, 4 insertions(+), 1 deletions(-) | ||
12 | |||
13 | diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c | ||
14 | index 6e88114..ca5bcd8 100644 | ||
15 | --- a/gst-libs/ext/libav/libavcodec/huffyuv.c | ||
16 | +++ b/gst-libs/ext/libav/libavcodec/huffyuv.c | ||
17 | @@ -526,6 +526,10 @@ s->bgr32=1; | ||
18 | assert(0); | ||
19 | } | ||
20 | |||
21 | + if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) { | ||
22 | + av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n"); | ||
23 | + return AVERROR_INVALIDDATA; | ||
24 | + } | ||
25 | alloc_temp(s); | ||
26 | |||
27 | // av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced); | ||
28 | -- | ||
29 | 1.7.5.4 | ||
30 | |||
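Review bot: The added condition uses AV_PIX_FMT_YUV422P, while context lines elsewhere in this series show the bundled libav still using unprefixed names (CODEC_ID_H264 in error_resilience.c); confirm the AV_PIX_FMT_ spelling exists in this tree or use the name the surrounding file already uses, otherwise the recipe will not build. The log string "width must be a multiple of 4 this colorspace and predictor" is missing a word, and the header lacks both the upstream commit id and the CVE identifier (CVE-2013-0848 in the commit message).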
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch new file mode 100644 index 0000000000..ea4aa222b3 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | gst-ffmpeg: lavf: compute probe buffer size more reliably. | ||
2 | |||
3 | The previous code computes the offset by reversing the growth | ||
4 | of the allocated buffer size: it is complex and did lead to | ||
5 | inconsistencies when the size limit is reached. | ||
6 | |||
7 | Fix trac ticket #1991. | ||
8 | (cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96) | ||
9 | |||
10 | Conflicts: | ||
11 | libavformat/utils.c | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
16 | |||
17 | --- | ||
18 | libavformat/utils.c | 4 ++-- | ||
19 | 1 files changed, 2 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/libavformat/utils.c b/libavformat/utils.c | ||
22 | index 7940037..be73c4a 100644 | ||
23 | --- a/gst-libs/ext/libav/libavformat/utils.c | ||
24 | +++ b/gst-libs/ext/libav/libavformat/utils.c | ||
25 | @@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, | ||
26 | { | ||
27 | AVProbeData pd = { filename ? filename : "", NULL, -offset }; | ||
28 | unsigned char *buf = NULL; | ||
29 | - int ret = 0, probe_size; | ||
30 | + int ret = 0, probe_size, buf_offset = 0; | ||
31 | |||
32 | if (!max_probe_size) { | ||
33 | max_probe_size = PROBE_BUF_MAX; | ||
34 | @@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt, | ||
35 | score = 0; | ||
36 | ret = 0; /* error was end of file, nothing read */ | ||
37 | } | ||
38 | - pd.buf_size += ret; | ||
39 | + pd.buf_size = buf_offset += ret; | ||
40 | pd.buf = &buf[offset]; | ||
41 | |||
42 | memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE); | ||
43 | -- | ||
44 | 1.7.5.4 | ||
45 | |||
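Review bot: After "pd.buf_size = buf_offset += ret;" the size no longer includes the -offset that pd was initialised with, while the next line still sets pd.buf = &buf[offset]. Confirm that the memset at pd.buf + pd.buf_size stays inside the allocation when offset is non-zero, or subtract offset when assigning buf_size. The header records "Conflicts: libavformat/utils.c" without saying how they were resolved; the description talks about replacing the offset computation, but the two hunks only add buf_offset and change the size update, so note whether anything from the upstream commit was left out.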
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch new file mode 100644 index 0000000000..1e5fb7deb1 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | gst-ffmpeg: pngdec/filter: dont access out of array elements at the end | ||
2 | |||
3 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
4 | |||
5 | Upstream-Status: Backport | ||
6 | |||
7 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
8 | --- | ||
9 | libavcodec/pngdec.c | 12 ++++-------- | ||
10 | 1 files changed, 4 insertions(+), 8 deletions(-) | ||
11 | |||
12 | diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c | ||
13 | index 97c0ad1..193e35e 100644 | ||
14 | --- a/gst-libs/ext/libav/libavcodec/pngdec.c | ||
15 | +++ b/gst-libs/ext/libav/libavcodec/pngdec.c | ||
16 | @@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w | ||
17 | if(bpp >= 2) g = dst[1];\ | ||
18 | if(bpp >= 3) b = dst[2];\ | ||
19 | if(bpp >= 4) a = dst[3];\ | ||
20 | - for(; i < size; i+=bpp) {\ | ||
21 | + for(; i <= size - bpp; i+=bpp) {\ | ||
22 | dst[i+0] = r = op(r, src[i+0], last[i+0]);\ | ||
23 | if(bpp == 1) continue;\ | ||
24 | dst[i+1] = g = op(g, src[i+1], last[i+1]);\ | ||
25 | @@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w | ||
26 | else if(bpp == 2) UNROLL1(2, op)\ | ||
27 | else if(bpp == 3) UNROLL1(3, op)\ | ||
28 | else if(bpp == 4) UNROLL1(4, op)\ | ||
29 | - else {\ | ||
30 | - for (; i < size; i += bpp) {\ | ||
31 | - int j;\ | ||
32 | - for (j = 0; j < bpp; j++)\ | ||
33 | - dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\ | ||
34 | - }\ | ||
35 | - } | ||
36 | + for (; i < size; i++) {\ | ||
37 | + dst[i] = op(dst[i-bpp], src[i], last[i]);\ | ||
38 | + }\ | ||
39 | |||
40 | /* NOTE: 'dst' can be equal to 'last' */ | ||
41 | static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, | ||
42 | -- | ||
43 | 1.7.5.4 | ||
44 | |||
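Review bot: The last added line, "}\", ends the macro with a line continuation onto the blank line that follows, where the removed version ended on a plain "}"; drop the trailing backslash so a later edit to the next line is not pulled into the macro. The new tail loop "for (; i < size; i++)" follows the else-if chain without braces, so it runs for every bpp only because each UNROLL1 branch is a complete statement; bracing the chain would make that explicit. In the first hunk, check "i <= size - bpp" for the case size < bpp, since the types of size and bpp are not visible in the context.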
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch new file mode 100644 index 0000000000..8c94232d6d --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch | |||
@@ -0,0 +1,30 @@ | |||
1 | gst-ffmpeg: qdm2: check array index before use, fix out of array | ||
2 | accesses | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | |||
6 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
8 | --- | ||
9 | libavcodec/qdm2.c | 5 +++++ | ||
10 | 1 files changed, 5 insertions(+), 0 deletions(-) | ||
11 | |||
12 | diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c | ||
13 | index 4cf4b2f..1dfb8d5 100644 | ||
14 | --- a/gst-libs/ext/libav/libavcodec/qdm2.c | ||
15 | +++ b/gst-libs/ext/libav/libavcodec/qdm2.c | ||
16 | @@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q) | ||
17 | for (i = 0; packet_bytes > 0; i++) { | ||
18 | int j; | ||
19 | |||
20 | + if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) { | ||
21 | + SAMPLES_NEEDED_2("too many packet bytes"); | ||
22 | + return; | ||
23 | + } | ||
24 | + | ||
25 | q->sub_packet_list_A[i].next = NULL; | ||
26 | |||
27 | if (i > 0) { | ||
28 | -- | ||
29 | 1.7.5.4 | ||
30 | |||
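Review bot: The out-of-range case is reported through SAMPLES_NEEDED_2, which the other qdm2 patch in this series shows logging at AV_LOG_INFO with a NULL context and the text "This file triggers some missing code. Please contact the developers."; for input that overruns sub_packet_list_A an error-level message would be more accurate. Because qdm2_decode_super_block returns void, the caller gets no indication that the super block was abandoned, so check that decoding does not continue with partially filled packet lists. The header should name CVE-2013-0846, which the commit message ties to this function.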
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch new file mode 100644 index 0000000000..43ffc03a69 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144 | ||
2 | |||
3 | This also adds a few lines of code from master that are needed for this fix. | ||
4 | |||
5 | Thanks to Phillip for suggestions to improve the patch. | ||
6 | Found-by: Phillip Langlois | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | |||
10 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
11 | --- | ||
12 | libavcodec/qdm2.c | 9 +++++++-- | ||
13 | 1 files changed, 7 insertions(+), 2 deletions(-) | ||
14 | |||
15 | diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c | ||
16 | index 3aa9e5b..e000df8 100644 | ||
17 | --- a/gst-libs/ext/libav/libavcodec/qdm2.c | ||
18 | +++ b/gst-libs/ext/libav/libavcodec/qdm2.c | ||
19 | @@ -76,6 +76,7 @@ do { \ | ||
20 | #define SAMPLES_NEEDED_2(why) \ | ||
21 | av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); | ||
22 | |||
23 | +#define QDM2_MAX_FRAME_SIZE 512 | ||
24 | |||
25 | typedef int8_t sb_int8_array[2][30][64]; | ||
26 | |||
27 | @@ -168,7 +169,7 @@ typedef struct { | ||
28 | /// I/O data | ||
29 | const uint8_t *compressed_data; | ||
30 | int compressed_size; | ||
31 | - float output_buffer[1024]; | ||
32 | + float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]; | ||
33 | |||
34 | /// Synthesis filter | ||
35 | MPADSPContext mpadsp; | ||
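Review bot: the trailing `* 2` in the new `output_buffer` size is unexplained, and the check added to qdm2_decode later in this patch divides FF_ARRAY_ELEMS(q->output_buffer) by 2 to undo it. A short comment stating why the buffer is twice `QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS`, or a named constant used in both places, would keep the declaration and the check in step.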
36 | @@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) | ||
37 | s->group_order = av_log2(s->group_size) + 1; | ||
38 | s->frame_size = s->group_size / 16; // 16 iterations per super block | ||
39 | |||
40 | + if (s->frame_size > QDM2_MAX_FRAME_SIZE) | ||
41 | + return AVERROR_INVALIDDATA; | ||
42 | + | ||
43 | s->sub_sampling = s->fft_order - 7; | ||
44 | s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); | ||
45 | |||
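Review bot: the new test on `s->frame_size` in qdm2_decode_init covers only the upper bound. `frame_size` is derived from `s->group_size / 16`, and if these fields are signed a negative value passes this test and is left for the `(unsigned)` cast in qdm2_decode to reject at decode time. Rejecting non-positive values here as well, with an av_log line naming the offending value, would fail such streams at init and make the rejection diagnosable.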
46 | @@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) | ||
47 | int ch, i; | ||
48 | const int frame_size = (q->frame_size * q->channels); | ||
49 | |||
50 | + if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2) | ||
51 | + return -1; | ||
52 | + | ||
53 | /* select input buffer */ | ||
54 | q->compressed_data = in; | ||
55 | q->compressed_size = q->checksum_size; | ||
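Review bot: the guard added at the top of qdm2_decode returns a bare -1 with no log line, while the matching check in qdm2_decode_init returns AVERROR_INVALIDDATA. Using the same error code and an av_log message in both places would be consistent. The product `q->frame_size * q->channels` in the context line above is also computed as int before the cast is applied, so the guard relies on that multiplication not overflowing; if `q->channels` is not already bounded at init, a bound there would remove the dependency.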
56 | -- | ||
57 | 1.7.5.4 | ||
58 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch new file mode 100644 index 0000000000..15b161469c --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | gst-ffmpeg: smackerdec: Check that the last indexes are within the | ||
2 | table. | ||
3 | |||
4 | Fixes CVE-2011-3944 | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
9 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
10 | --- | ||
11 | libavcodec/smacker.c | 5 +++++ | ||
12 | 1 files changed, 5 insertions(+), 0 deletions(-) | ||
13 | |||
14 | diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c | ||
15 | index 30f99b4..2a8bae8 100644 | ||
16 | --- a/gst-libs/ext/libav/libavcodec/smacker.c | ||
17 | +++ b/gst-libs/ext/libav/libavcodec/smacker.c | ||
18 | @@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int | ||
19 | if(ctx.last[0] == -1) ctx.last[0] = huff.current++; | ||
20 | if(ctx.last[1] == -1) ctx.last[1] = huff.current++; | ||
21 | if(ctx.last[2] == -1) ctx.last[2] = huff.current++; | ||
22 | + if(huff.current > huff.length){ | ||
23 | + ctx.last[0] = ctx.last[1] = ctx.last[2] = 1; | ||
24 | + av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n"); | ||
25 | + return -1; | ||
26 | + } | ||
27 | |||
28 | *recodes = huff.values; | ||
29 | |||
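Review bot: the early `return -1` in the new `huff.current > huff.length` branch runs before `*recodes = huff.values;`, so on this path the caller never receives `huff.values`. If that buffer is heap-allocated earlier in smacker_decode_header_tree, it has to be freed before returning, and this hunk does not show that happening. The assignment `ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;` just before the return also needs a comment saying who reads those values after the failure and why index 1 is a safe choice.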
30 | -- | ||
31 | 1.7.5.4 | ||
32 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch new file mode 100644 index 0000000000..a1989cfeab --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | gst-ffmpeg: vp3: Copy all 3 frames for thread updates. | ||
2 | |||
3 | This fixes a double release of the current frame on deinit. | ||
4 | Fixes CVE-2011-3934 | ||
5 | |||
6 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
7 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | |||
11 | Signed-off-by: Yue.Tao <yue.tao@windriver.com> | ||
12 | |||
13 | --- | ||
14 | libavcodec/vp3.c | 2 +- | ||
15 | 1 files changed, 1 insertions(+), 1 deletions(-) | ||
16 | |||
17 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c | ||
18 | index 738ae9f..b5daafc 100644 | ||
19 | --- a/gst-libs/ext/libav/libavcodec/vp3.c | ||
20 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c | ||
21 | @@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * | ||
22 | ||s->width != s1->width | ||
23 | ||s->height!= s1->height) { | ||
24 | if (s != s1) | ||
25 | - copy_fields(s, s1, golden_frame, current_frame); | ||
26 | + copy_fields(s, s1, golden_frame, keyframe); | ||
27 | return -1; | ||
28 | } | ||
29 | |||
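Review bot: the changed line `copy_fields(s, s1, golden_frame, keyframe);` relies on the member order of Vp3DecodeContext, because the macro copies from `start_field` up to but not including `end_field`, and nothing in the hunk records that assumption. A comment at this call or at the struct definition, stating that `keyframe` marks the end of the three frame members, would stop a later field reorder from silently reintroducing the double release described in the commit message.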
30 | -- | ||
31 | 1.7.5.4 | ||
32 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch new file mode 100644 index 0000000000..e83d8f402b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch | |||
@@ -0,0 +1,183 @@ | |||
1 | gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error. | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | Signed-off-by: Yue.Tao <yue.tao@windriver.com> | ||
6 | |||
7 | --- | ||
8 | libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------ | ||
9 | 1 files changed, 45 insertions(+), 14 deletions(-) | ||
10 | |||
11 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c | ||
12 | index 36715bb..ce14e63 100644 | ||
13 | --- a/gst-libs/ext/libav/libavcodec/vp3.c | ||
14 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c | ||
15 | @@ -45,6 +45,7 @@ | ||
16 | #define FRAGMENT_PIXELS 8 | ||
17 | |||
18 | static av_cold int vp3_decode_end(AVCodecContext *avctx); | ||
19 | +static void vp3_decode_flush(AVCodecContext *avctx); | ||
20 | |||
21 | //FIXME split things out into their own arrays | ||
22 | typedef struct Vp3Fragment { | ||
23 | @@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
24 | /* decode a VLC into a token */ | ||
25 | token = get_vlc2(gb, vlc_table, 11, 3); | ||
26 | /* use the token to get a zero run, a coefficient, and an eob run */ | ||
27 | - if (token <= 6) { | ||
28 | + if ((unsigned) token <= 6U) { | ||
29 | eob_run = eob_run_base[token]; | ||
30 | if (eob_run_get_bits[token]) | ||
31 | eob_run += get_bits(gb, eob_run_get_bits[token]); | ||
32 | @@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
33 | coeff_i += eob_run; | ||
34 | eob_run = 0; | ||
35 | } | ||
36 | - } else { | ||
37 | + } else if (token >= 0) { | ||
38 | bits_to_get = coeff_get_bits[token]; | ||
39 | if (bits_to_get) | ||
40 | bits_to_get = get_bits(gb, bits_to_get); | ||
41 | @@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
42 | for (i = coeff_index+1; i <= coeff_index+zero_run; i++) | ||
43 | s->num_coded_frags[plane][i]--; | ||
44 | coeff_i++; | ||
45 | + } else { | ||
46 | + av_log(s->avctx, AV_LOG_ERROR, | ||
47 | + "Invalid token %d\n", token); | ||
48 | + return -1; | ||
49 | } | ||
50 | } | ||
51 | |||
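Review bot: the negative-token case in unpack_vlcs is handled in three separate places across these hunks: the `(unsigned) token <= 6U` cast, the `else if (token >= 0)` guard, and this final `else` that logs `Invalid token` and returns -1. A single `if (token < 0)` test placed directly after the `get_vlc2()` call would reject the value before any table is indexed and would let the original `token <= 6` / `else` structure stand unchanged, which is easier to audit.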
52 | @@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
53 | /* unpack the Y plane DC coefficients */ | ||
54 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, | ||
55 | 0, residual_eob_run); | ||
56 | + if (residual_eob_run < 0) | ||
57 | + return residual_eob_run; | ||
58 | |||
59 | /* reverse prediction of the Y-plane DC coefficients */ | ||
60 | reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); | ||
61 | @@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
62 | /* unpack the C plane DC coefficients */ | ||
63 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, | ||
64 | 1, residual_eob_run); | ||
65 | + if (residual_eob_run < 0) | ||
66 | + return residual_eob_run; | ||
67 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, | ||
68 | 2, residual_eob_run); | ||
69 | + if (residual_eob_run < 0) | ||
70 | + return residual_eob_run; | ||
71 | |||
72 | /* reverse prediction of the C-plane DC coefficients */ | ||
73 | if (!(s->avctx->flags & CODEC_FLAG_GRAY)) | ||
74 | @@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
75 | for (i = 1; i <= 63; i++) { | ||
76 | residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, | ||
77 | 0, residual_eob_run); | ||
78 | + if (residual_eob_run < 0) | ||
79 | + return residual_eob_run; | ||
80 | |||
81 | residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, | ||
82 | 1, residual_eob_run); | ||
83 | + if (residual_eob_run < 0) | ||
84 | + return residual_eob_run; | ||
85 | residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, | ||
86 | 2, residual_eob_run); | ||
87 | + if (residual_eob_run < 0) | ||
88 | + return residual_eob_run; | ||
89 | } | ||
90 | |||
91 | return 0; | ||
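Review bot: the pair `if (residual_eob_run < 0)` / `return residual_eob_run;` is now pasted after all six unpack_vlcs calls in unpack_dct_coeffs, three of them inside this loop. A small helper or macro would keep the calls readable and make it harder to add a seventh call without the check. The checks only help if the caller of unpack_dct_coeffs tests its return value, which is not visible in this patch; please confirm that it does.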
92 | @@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * | ||
93 | Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; | ||
94 | int qps_changed = 0, i, err; | ||
95 | |||
96 | +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) | ||
97 | + | ||
98 | if (!s1->current_frame.data[0] | ||
99 | ||s->width != s1->width | ||
100 | - ||s->height!= s1->height) | ||
101 | + ||s->height!= s1->height) { | ||
102 | + if (s != s1) | ||
103 | + copy_fields(s, s1, golden_frame, current_frame); | ||
104 | return -1; | ||
105 | + } | ||
106 | |||
107 | if (s != s1) { | ||
108 | // init tables if the first frame hasn't been decoded | ||
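Review bot: in the new error branch, `copy_fields(s, s1, golden_frame, current_frame);` stops short of `current_frame`, because the macro computes its length as `&to->end_field - &to->start_field` and therefore excludes the end field. The separate patch 0001-vp3-Copy-all-3-frames-for-thread-updates.patch changes this end marker to `keyframe`, so the two patches must be applied in that order; folding that one-line fix into this patch would avoid the intermediate state. The macro is also now defined at the top of the function without parentheses around its arguments; writing `(to)->` and `(from)->` would make it safe for non-trivial expressions.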
109 | @@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * | ||
110 | memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); | ||
111 | } | ||
112 | |||
113 | -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) | ||
114 | - | ||
115 | // copy previous frame data | ||
116 | copy_fields(s, s1, golden_frame, dsp); | ||
117 | |||
118 | @@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) | ||
119 | Vp3DecodeContext *s = avctx->priv_data; | ||
120 | int i; | ||
121 | |||
122 | - if (avctx->is_copy && !s->current_frame.data[0]) | ||
123 | - return 0; | ||
124 | - | ||
125 | av_free(s->superblock_coding); | ||
126 | av_free(s->all_fragments); | ||
127 | av_free(s->coded_fragment_list[0]); | ||
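Review bot: removing the `avctx->is_copy && !s->current_frame.data[0]` early return means the av_free calls that follow now run for thread copies as well. That is safe only if each of those pointers is NULL or owned by the copy, which depends on the vp3_init_thread_copy function added later in this patch. A comment here pointing at that dependency would make the reason for the removal clear to the next reader.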
128 | @@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) | ||
129 | free_vlc(&s->motion_vector_vlc); | ||
130 | |||
131 | /* release all frames */ | ||
132 | - if (s->golden_frame.data[0]) | ||
133 | - ff_thread_release_buffer(avctx, &s->golden_frame); | ||
134 | - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) | ||
135 | - ff_thread_release_buffer(avctx, &s->last_frame); | ||
136 | - /* no need to release the current_frame since it will always be pointing | ||
137 | - * to the same frame as either the golden or last frame */ | ||
138 | + vp3_decode_flush(avctx); | ||
139 | |||
140 | return 0; | ||
141 | } | ||
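Review bot: the deleted comment explained that `current_frame` always points to the same frame as the golden or last frame and was deliberately not released, yet the replacement call `vp3_decode_flush(avctx);` does release `current_frame`, as the context of the next hunk shows. The patch should state, in a comment or in its description, how vp3_decode_flush avoids releasing the same buffer twice when the frames alias. The old `FF_BUFFER_TYPE_COPY` test on `last_frame` is also dropped without explanation.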
142 | @@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx) | ||
143 | ff_thread_release_buffer(avctx, &s->current_frame); | ||
144 | } | ||
145 | |||
146 | +static int vp3_init_thread_copy(AVCodecContext *avctx) | ||
147 | +{ | ||
148 | + Vp3DecodeContext *s = avctx->priv_data; | ||
149 | + | ||
150 | + s->superblock_coding = NULL; | ||
151 | + s->all_fragments = NULL; | ||
152 | + s->coded_fragment_list[0] = NULL; | ||
153 | + s->dct_tokens_base = NULL; | ||
154 | + s->superblock_fragments = NULL; | ||
155 | + s->macroblock_coding = NULL; | ||
156 | + s->motion_val[0] = NULL; | ||
157 | + s->motion_val[1] = NULL; | ||
158 | + s->edge_emu_buffer = NULL; | ||
159 | + | ||
160 | + return 0; | ||
161 | +} | ||
162 | + | ||
163 | AVCodec ff_theora_decoder = { | ||
164 | .name = "theora", | ||
165 | .type = AVMEDIA_TYPE_VIDEO, | ||
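Review bot: vp3_init_thread_copy resets a hand-written list of nine pointers, and that list has to match the frees in vp3_decode_end exactly; only three of those frees are visible in this patch, so the match cannot be verified from here. The `free_vlc(&s->motion_vector_vlc);` call that is visible in vp3_decode_end has no counterpart in this reset, so please confirm that VLC tables are never shared between a thread copy and its parent. A comment tying the two lists together would help keep them in sync.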
166 | @@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = { | ||
167 | .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, | ||
168 | .flush = vp3_decode_flush, | ||
169 | .long_name = NULL_IF_CONFIG_SMALL("Theora"), | ||
170 | + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), | ||
171 | .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) | ||
172 | }; | ||
173 | #endif | ||
174 | @@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = { | ||
175 | .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, | ||
176 | .flush = vp3_decode_flush, | ||
177 | .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), | ||
178 | + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), | ||
179 | .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) | ||
180 | }; | ||
181 | -- | ||
182 | 1.7.5.4 | ||
183 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch new file mode 100644 index 0000000000..3c8d8e353e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch | |||
@@ -0,0 +1,100 @@ | |||
1 | gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | Signed-off-by: Yue Tao <yue.tao@windriver.com> | ||
6 | |||
7 | diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c | ||
8 | index 2a0df8c..bcbd56d 100644 | ||
9 | --- a/gst-libs/ext/libav/libavcodec/alac.c.old | ||
10 | +++ b/gst-libs/ext/libav/libavcodec/alac.c | ||
11 | @@ -87,18 +87,44 @@ typedef struct { | ||
12 | int wasted_bits; | ||
13 | } ALACContext; | ||
14 | |||
15 | -static void allocate_buffers(ALACContext *alac) | ||
16 | +static av_cold int alac_decode_close(AVCodecContext *avctx) | ||
17 | +{ | ||
18 | + ALACContext *alac = avctx->priv_data; | ||
19 | + | ||
20 | + int chan; | ||
21 | + for (chan = 0; chan < MAX_CHANNELS; chan++) { | ||
22 | + av_freep(&alac->predicterror_buffer[chan]); | ||
23 | + av_freep(&alac->outputsamples_buffer[chan]); | ||
24 | + av_freep(&alac->wasted_bits_buffer[chan]); | ||
25 | + } | ||
26 | + | ||
27 | + return 0; | ||
28 | +} | ||
29 | + | ||
30 | +static int allocate_buffers(ALACContext *alac) | ||
31 | { | ||
32 | int chan; | ||
33 | + int buf_size; | ||
34 | + | ||
35 | + if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) | ||
36 | + goto buf_alloc_fail; | ||
37 | + buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t); | ||
38 | + | ||
39 | for (chan = 0; chan < MAX_CHANNELS; chan++) { | ||
40 | - alac->predicterror_buffer[chan] = | ||
41 | - av_malloc(alac->setinfo_max_samples_per_frame * 4); | ||
42 | |||
43 | - alac->outputsamples_buffer[chan] = | ||
44 | - av_malloc(alac->setinfo_max_samples_per_frame * 4); | ||
45 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan], | ||
46 | + buf_size, buf_alloc_fail); | ||
47 | |||
48 | - alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4); | ||
49 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan], | ||
50 | + buf_size, buf_alloc_fail); | ||
51 | + | ||
52 | + FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan], | ||
53 | + buf_size, buf_alloc_fail); | ||
54 | } | ||
55 | + return 0; | ||
56 | +buf_alloc_fail: | ||
57 | + alac_decode_close(alac->avctx); | ||
58 | + return AVERROR(ENOMEM); | ||
59 | } | ||
60 | |||
61 | static int alac_set_info(ALACContext *alac) | ||
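Review bot: the new limit in allocate_buffers, `alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)`, only keeps the `buf_size` multiplication from overflowing; a header value just under it still requests three buffers of nearly 2 GiB for every channel. A ceiling derived from the format's real maximum samples per frame would bound memory use as well as arithmetic. The oversize case also jumps to `buf_alloc_fail` and returns AVERROR(ENOMEM) although no allocation was attempted; AVERROR_INVALIDDATA would describe it correctly.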
62 | @@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac) | ||
63 | bytestream_get_be32(&ptr); /* bitrate ? */ | ||
64 | bytestream_get_be32(&ptr); /* samplerate */ | ||
65 | |||
66 | - allocate_buffers(alac); | ||
67 | - | ||
68 | return 0; | ||
69 | } | ||
70 | |||
71 | @@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx, | ||
72 | |||
73 | static av_cold int alac_decode_init(AVCodecContext * avctx) | ||
74 | { | ||
75 | + int ret; | ||
76 | ALACContext *alac = avctx->priv_data; | ||
77 | alac->avctx = avctx; | ||
78 | alac->numchannels = alac->avctx->channels; | ||
79 | @@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) | ||
80 | return -1; | ||
81 | } | ||
82 | |||
83 | - return 0; | ||
84 | -} | ||
85 | - | ||
86 | -static av_cold int alac_decode_close(AVCodecContext *avctx) | ||
87 | -{ | ||
88 | - ALACContext *alac = avctx->priv_data; | ||
89 | - | ||
90 | - int chan; | ||
91 | - for (chan = 0; chan < MAX_CHANNELS; chan++) { | ||
92 | - av_freep(&alac->predicterror_buffer[chan]); | ||
93 | - av_freep(&alac->outputsamples_buffer[chan]); | ||
94 | - av_freep(&alac->wasted_bits_buffer[chan]); | ||
95 | + if ((ret = allocate_buffers(alac)) < 0) { | ||
96 | + av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n"); | ||
97 | + return ret; | ||
98 | } | ||
99 | |||
100 | return 0; | ||
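Review bot: the new failure branch in alac_decode_init returns the AVERROR value held in `ret`, but the failure branch just above it in the same function, visible as context, still returns a bare -1. Returning a named error code from both would be consistent. The patch header also gives only the CVE id, with no description of the defect and no upstream commit reference to back the "Upstream-Status: Backport" line, and the diff is taken against `alac.c.old`; regenerating it against the real file name with a short description would make the backport auditable.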
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index a3b2f5cf29..e26b267f32 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb | |||
@@ -36,6 +36,23 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ | |||
36 | file://0001-alac-fix-nb_samples-order-case.patch \ | 36 | file://0001-alac-fix-nb_samples-order-case.patch \ |
37 | file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \ | 37 | file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \ |
38 | file://0001-roqvideodec-check-dimensions-validity.patch \ | 38 | file://0001-roqvideodec-check-dimensions-validity.patch \ |
39 | file://0001-aacdec-check-channel-count.patch \ | ||
40 | file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \ | ||
41 | file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \ | ||
42 | file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \ | ||
43 | file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \ | ||
44 | file://0001-h264_sei-Fix-infinite-loop.patch \ | ||
45 | file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \ | ||
46 | file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \ | ||
47 | file://gst-ffmpeg-CVE-2013-0855.patch \ | ||
48 | file://0001-qdm2dec-fix-buffer-overflow.patch \ | ||
49 | file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \ | ||
50 | file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \ | ||
51 | file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \ | ||
52 | file://0001-error-concealment-initialize-block-index.patch \ | ||
53 | file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \ | ||
54 | file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \ | ||
55 | file://0001-ffserver-set-oformat.patch \ | ||
39 | " | 56 | " |
40 | 57 | ||
41 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" | 58 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" |
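Review bot: the order of the added SRC_URI entries matters for at least one pair, and the recipe does not say so. 0001-vp3-Copy-all-3-frames-for-thread-updates.patch rewrites a `copy_fields` line that 0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch introduces, so it must stay after it; a comment above these entries would stop a later re-sort from breaking do_patch. Only one of the seventeen added files names its CVE in the file name, and some patch headers shown here carry no CVE tag at all, so adding the CVE id to each patch header would let the advisories in the commit message be mapped to files.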