diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2017-09-30 11:21:01 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-09 12:33:16 +0000 |
commit | 31eb2baed27fa83073c8718f40a6af7070097c37 (patch) | |
tree | 997fa90cecb34f6b66465c630f38236271593936 | |
parent | 9e1e4d74c37479659e94a3650cff5c75a47759f0 (diff) | |
download | poky-31eb2baed27fa83073c8718f40a6af7070097c37.tar.gz |
ffmpeg: upgrade to 3.3.4
Upgrade ffmpeg to version 3.3.4. Version 3.3.4 is a bug fix version, and
there's no new feature added.
Compared to version 3.3.3, there are 57 new commits. These 57 commits are
either bug fix or small tweaks.
Drop CVE patches that were backported from 3.3.4.
(From OE-Core rev: 234d9aaffc2b08846281247e5ba37b20fea1493d)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
13 files changed, 0 insertions, 573 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch deleted file mode 100644 index e8baa188a3..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:28 +0200 | ||
5 | Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.ivr | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14054 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/rmdec.c | 5 ++++- | ||
18 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c | ||
21 | index 178eaea..d6d7d9c 100644 | ||
22 | --- a/libavformat/rmdec.c | ||
23 | +++ b/libavformat/rmdec.c | ||
24 | @@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s) | ||
25 | av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); | ||
26 | } else if (type == 4) { | ||
27 | av_log(s, AV_LOG_DEBUG, "%s = '0x", key); | ||
28 | - for (j = 0; j < len; j++) | ||
29 | + for (j = 0; j < len; j++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); | ||
33 | + } | ||
34 | av_log(s, AV_LOG_DEBUG, "'\n"); | ||
35 | } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { | ||
36 | nb_streams = value = avio_rb32(pb); | ||
37 | -- | ||
38 | 2.1.0 | ||
39 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch deleted file mode 100644 index 37d0d1ab7f..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch +++ /dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Fri, 25 Aug 2017 01:15:30 +0200 | ||
4 | Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check | ||
5 | |||
6 | Fixes: loop.mv | ||
7 | |||
8 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
9 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
10 | |||
11 | CVE: CVE-2017-14055 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
15 | --- | ||
16 | libavformat/mvdec.c | 2 ++ | ||
17 | 1 file changed, 2 insertions(+) | ||
18 | |||
19 | diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c | ||
20 | index 0e12c8c..f7aa4cb 100644 | ||
21 | --- a/libavformat/mvdec.c | ||
22 | +++ b/libavformat/mvdec.c | ||
23 | @@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx) | ||
24 | uint32_t pos = avio_rb32(pb); | ||
25 | uint32_t asize = avio_rb32(pb); | ||
26 | uint32_t vsize = avio_rb32(pb); | ||
27 | + if (avio_feof(pb)) | ||
28 | + return AVERROR_INVALIDDATA; | ||
29 | avio_skip(pb, 8); | ||
30 | av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); | ||
31 | av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); | ||
32 | -- | ||
33 | 2.1.0 | ||
34 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch deleted file mode 100644 index 088b357b25..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch +++ /dev/null | |||
@@ -1,51 +0,0 @@ | |||
1 | From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:29 +0200 | ||
5 | Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.rl2 | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14056 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/rl2.c | 15 ++++++++++++--- | ||
18 | 1 file changed, 12 insertions(+), 3 deletions(-) | ||
19 | |||
20 | diff --git a/libavformat/rl2.c b/libavformat/rl2.c | ||
21 | index 0bec8f1..eb1682d 100644 | ||
22 | --- a/libavformat/rl2.c | ||
23 | +++ b/libavformat/rl2.c | ||
24 | @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) | ||
25 | } | ||
26 | |||
27 | /** read offset and size tables */ | ||
28 | - for(i=0; i < frame_count;i++) | ||
29 | + for(i=0; i < frame_count;i++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | chunk_size[i] = avio_rl32(pb); | ||
33 | - for(i=0; i < frame_count;i++) | ||
34 | + } | ||
35 | + for(i=0; i < frame_count;i++) { | ||
36 | + if (avio_feof(pb)) | ||
37 | + return AVERROR_INVALIDDATA; | ||
38 | chunk_offset[i] = avio_rl32(pb); | ||
39 | - for(i=0; i < frame_count;i++) | ||
40 | + } | ||
41 | + for(i=0; i < frame_count;i++) { | ||
42 | + if (avio_feof(pb)) | ||
43 | + return AVERROR_INVALIDDATA; | ||
44 | audio_size[i] = avio_rl32(pb) & 0xFFFF; | ||
45 | + } | ||
46 | |||
47 | /** build the sample index */ | ||
48 | for(i=0;i<frame_count;i++){ | ||
49 | -- | ||
50 | 2.1.0 | ||
51 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch deleted file mode 100644 index b301d233b3..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 12:37:25 +0200 | ||
5 | Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.asf | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14057 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/asfdec_f.c | 6 ++++-- | ||
18 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
19 | |||
20 | diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c | ||
21 | index be09a92..f3acbae 100644 | ||
22 | --- a/libavformat/asfdec_f.c | ||
23 | +++ b/libavformat/asfdec_f.c | ||
24 | @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) | ||
25 | count = avio_rl32(pb); // markers count | ||
26 | avio_rl16(pb); // reserved 2 bytes | ||
27 | name_len = avio_rl16(pb); // name length | ||
28 | - for (i = 0; i < name_len; i++) | ||
29 | - avio_r8(pb); // skip the name | ||
30 | + avio_skip(pb, name_len); | ||
31 | |||
32 | for (i = 0; i < count; i++) { | ||
33 | int64_t pres_time; | ||
34 | int name_len; | ||
35 | |||
36 | + if (avio_feof(pb)) | ||
37 | + return AVERROR_INVALIDDATA; | ||
38 | + | ||
39 | avio_rl64(pb); // offset, 8 bytes | ||
40 | pres_time = avio_rl64(pb); // presentation time | ||
41 | pres_time -= asf->hdr.preroll * 10000; | ||
42 | -- | ||
43 | 2.1.0 | ||
44 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch deleted file mode 100644 index 95803cef55..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch +++ /dev/null | |||
@@ -1,94 +0,0 @@ | |||
1 | From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Sat, 26 Aug 2017 01:26:58 +0200 | ||
4 | Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop | ||
5 | |||
6 | Fixes: loop.m3u | ||
7 | |||
8 | The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome | ||
9 | |||
10 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
11 | |||
12 | Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com> | ||
13 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
14 | |||
15 | CVE: CVE-2017-14058 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
19 | --- | ||
20 | doc/demuxers.texi | 18 ++++++++++++++++++ | ||
21 | libavformat/hls.c | 7 +++++++ | ||
22 | 2 files changed, 25 insertions(+) | ||
23 | |||
24 | diff --git a/doc/demuxers.texi b/doc/demuxers.texi | ||
25 | index 29a23d4..73dc0fe 100644 | ||
26 | --- a/doc/demuxers.texi | ||
27 | +++ b/doc/demuxers.texi | ||
28 | @@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file, | ||
29 | which in this case is @file{input.mp4} as the GIF in this example loops | ||
30 | infinitely. | ||
31 | |||
32 | +@section hls | ||
33 | + | ||
34 | +HLS demuxer | ||
35 | + | ||
36 | +It accepts the following options: | ||
37 | + | ||
38 | +@table @option | ||
39 | +@item live_start_index | ||
40 | +segment index to start live streams at (negative values are from the end). | ||
41 | + | ||
42 | +@item allowed_extensions | ||
43 | +',' separated list of file extensions that hls is allowed to access. | ||
44 | + | ||
45 | +@item max_reload | ||
46 | +Maximum number of times a insufficient list is attempted to be reloaded. | ||
47 | +Default value is 1000. | ||
48 | +@end table | ||
49 | + | ||
50 | @section image2 | ||
51 | |||
52 | Image file demuxer. | ||
53 | diff --git a/libavformat/hls.c b/libavformat/hls.c | ||
54 | index 01731bd..0995345 100644 | ||
55 | --- a/libavformat/hls.c | ||
56 | +++ b/libavformat/hls.c | ||
57 | @@ -205,6 +205,7 @@ typedef struct HLSContext { | ||
58 | AVDictionary *avio_opts; | ||
59 | int strict_std_compliance; | ||
60 | char *allowed_extensions; | ||
61 | + int max_reload; | ||
62 | } HLSContext; | ||
63 | |||
64 | static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) | ||
65 | @@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) | ||
66 | HLSContext *c = v->parent->priv_data; | ||
67 | int ret, i; | ||
68 | int just_opened = 0; | ||
69 | + int reload_count = 0; | ||
70 | |||
71 | restart: | ||
72 | if (!v->needed) | ||
73 | @@ -1294,6 +1296,9 @@ restart: | ||
74 | reload_interval = default_reload_interval(v); | ||
75 | |||
76 | reload: | ||
77 | + reload_count++; | ||
78 | + if (reload_count > c->max_reload) | ||
79 | + return AVERROR_EOF; | ||
80 | if (!v->finished && | ||
81 | av_gettime_relative() - v->last_load_time >= reload_interval) { | ||
82 | if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { | ||
83 | @@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = { | ||
84 | OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, | ||
85 | {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, | ||
86 | INT_MIN, INT_MAX, FLAGS}, | ||
87 | + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", | ||
88 | + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, | ||
89 | {NULL} | ||
90 | }; | ||
91 | |||
92 | -- | ||
93 | 2.1.0 | ||
94 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch deleted file mode 100644 index 34fde0be77..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:27 +0200 | ||
5 | Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.cine | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14059 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/cinedec.c | 6 +++++- | ||
18 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c | ||
21 | index 763b93b..de34fb9 100644 | ||
22 | --- a/libavformat/cinedec.c | ||
23 | +++ b/libavformat/cinedec.c | ||
24 | @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) | ||
25 | |||
26 | /* parse image offsets */ | ||
27 | avio_seek(pb, offImageOffsets, SEEK_SET); | ||
28 | - for (i = 0; i < st->duration; i++) | ||
29 | + for (i = 0; i < st->duration; i++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | + | ||
33 | av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); | ||
34 | + } | ||
35 | |||
36 | return 0; | ||
37 | } | ||
38 | -- | ||
39 | 2.1.0 | ||
40 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch deleted file mode 100644 index e1284faa93..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Fixes: 20170829B.mxf | ||
11 | |||
12 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
13 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
14 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
15 | |||
16 | CVE: CVE-2017-14169 | ||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
20 | --- | ||
21 | libavformat/mxfdec.c | 2 +- | ||
22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c | ||
25 | index 6adb77d..91731a7 100644 | ||
26 | --- a/libavformat/mxfdec.c | ||
27 | +++ b/libavformat/mxfdec.c | ||
28 | @@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U | ||
29 | avpriv_request_sample(pb, "Primer pack item length %d", item_len); | ||
30 | return AVERROR_PATCHWELCOME; | ||
31 | } | ||
32 | - if (item_num > 65536) { | ||
33 | + if (item_num > 65536 || item_num < 0) { | ||
34 | av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); | ||
35 | return AVERROR_INVALIDDATA; | ||
36 | } | ||
37 | -- | ||
38 | 2.1.0 | ||
39 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch deleted file mode 100644 index 8860125030..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch +++ /dev/null | |||
@@ -1,49 +0,0 @@ | |||
1 | From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/mxfdec: Fix DoS issues in | ||
6 | mxf_read_index_entry_array() | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=UTF-8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | Fixes: 20170829A.mxf | ||
12 | |||
13 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
14 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
15 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
16 | |||
17 | CVE: CVE-2017-14170 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
21 | --- | ||
22 | libavformat/mxfdec.c | 4 ++++ | ||
23 | 1 file changed, 4 insertions(+) | ||
24 | |||
25 | diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c | ||
26 | index f8d0f9e..6adb77d 100644 | ||
27 | --- a/libavformat/mxfdec.c | ||
28 | +++ b/libavformat/mxfdec.c | ||
29 | @@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg | ||
30 | segment->nb_index_entries = avio_rb32(pb); | ||
31 | |||
32 | length = avio_rb32(pb); | ||
33 | + if(segment->nb_index_entries && length < 11) | ||
34 | + return AVERROR_INVALIDDATA; | ||
35 | |||
36 | if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || | ||
37 | !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || | ||
38 | @@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg | ||
39 | } | ||
40 | |||
41 | for (i = 0; i < segment->nb_index_entries; i++) { | ||
42 | + if(avio_feof(pb)) | ||
43 | + return AVERROR_INVALIDDATA; | ||
44 | segment->temporal_offset_entries[i] = avio_r8(pb); | ||
45 | avio_r8(pb); /* KeyFrameOffset */ | ||
46 | segment->flag_entries[i] = avio_r8(pb); | ||
47 | -- | ||
48 | 2.1.0 | ||
49 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch deleted file mode 100644 index e2ae2040cf..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch +++ /dev/null | |||
@@ -1,44 +0,0 @@ | |||
1 | From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in | ||
6 | nsvs_file_offset loop. | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=UTF-8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | Fixes: 20170829.nsv | ||
12 | |||
13 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
14 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
15 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
16 | |||
17 | CVE: CVE-2017-14171 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
21 | --- | ||
22 | libavformat/nsvdec.c | 5 ++++- | ||
23 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c | ||
26 | index c6ddb67..d8ce656 100644 | ||
27 | --- a/libavformat/nsvdec.c | ||
28 | +++ b/libavformat/nsvdec.c | ||
29 | @@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) | ||
30 | if (!nsv->nsvs_file_offset) | ||
31 | return AVERROR(ENOMEM); | ||
32 | |||
33 | - for(i=0;i<table_entries_used;i++) | ||
34 | + for(i=0;i<table_entries_used;i++) { | ||
35 | + if (avio_feof(pb)) | ||
36 | + return AVERROR_INVALIDDATA; | ||
37 | nsv->nsvs_file_offset[i] = avio_rl32(pb) + size; | ||
38 | + } | ||
39 | |||
40 | if(table_entries > table_entries_used && | ||
41 | avio_rl32(pb) == MKTAG('T','O','C','2')) { | ||
42 | -- | ||
43 | 2.1.0 | ||
44 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch deleted file mode 100644 index ee02037948..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | From 9cb4eb772839c5e1de2855d126bf74ff16d13382 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Tue, 5 Sep 2017 00:16:29 +0200 | ||
4 | Subject: [PATCH] avformat/mov: Fix DoS in read_tfra() | ||
5 | |||
6 | Fixes: Missing EOF check in loop | ||
7 | No testcase | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14222 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/mov.c | 7 +++++++ | ||
18 | 1 file changed, 7 insertions(+) | ||
19 | |||
20 | diff --git a/libavformat/mov.c b/libavformat/mov.c | ||
21 | index 994e9c6..2519707 100644 | ||
22 | --- a/libavformat/mov.c | ||
23 | +++ b/libavformat/mov.c | ||
24 | @@ -6094,6 +6094,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) | ||
25 | } | ||
26 | for (i = 0; i < index->item_count; i++) { | ||
27 | int64_t time, offset; | ||
28 | + | ||
29 | + if (avio_feof(f)) { | ||
30 | + index->item_count = 0; | ||
31 | + av_freep(&index->items); | ||
32 | + return AVERROR_INVALIDDATA; | ||
33 | + } | ||
34 | + | ||
35 | if (version == 1) { | ||
36 | time = avio_rb64(f); | ||
37 | offset = avio_rb64(f); | ||
38 | -- | ||
39 | 2.1.0 | ||
40 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch deleted file mode 100644 index d1fef6b144..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From afc9c683ed9db01edb357bc8c19edad4282b3a97 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Tue, 5 Sep 2017 00:16:29 +0200 | ||
4 | Subject: [PATCH] avformat/asfdec: Fix DoS in asf_build_simple_index() | ||
5 | |||
6 | Fixes: Missing EOF check in loop | ||
7 | No testcase | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14223 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/asfdec_f.c | 5 +++++ | ||
18 | 1 file changed, 5 insertions(+) | ||
19 | |||
20 | diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c | ||
21 | index f3acbae..cc648b9 100644 | ||
22 | --- a/libavformat/asfdec_f.c | ||
23 | +++ b/libavformat/asfdec_f.c | ||
24 | @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) | ||
25 | int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; | ||
26 | int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); | ||
27 | |||
28 | + if (avio_feof(s->pb)) { | ||
29 | + ret = AVERROR_INVALIDDATA; | ||
30 | + goto end; | ||
31 | + } | ||
32 | + | ||
33 | if (pos != last_pos) { | ||
34 | av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", | ||
35 | pktnum, pktct, index_pts); | ||
36 | -- | ||
37 | 2.1.0 | ||
38 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch deleted file mode 100644 index ce6845eecf..0000000000 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch +++ /dev/null | |||
@@ -1,49 +0,0 @@ | |||
1 | Subject: [PATCH] ffprobe: Fix null pointer dereference with color primaries | ||
2 | |||
3 | Found-by: AD-lab of venustech | ||
4 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
5 | |||
6 | CVE: CVE-2017-14225 | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
10 | --- | ||
11 | ffprobe.c | 15 +++++++++++---- | ||
12 | 1 file changed, 11 insertions(+), 4 deletions(-) | ||
13 | |||
14 | diff --git a/ffprobe.c b/ffprobe.c | ||
15 | index a219fc1..df22b30 100644 | ||
16 | --- a/ffprobe.c | ||
17 | +++ b/ffprobe.c | ||
18 | @@ -1899,6 +1899,16 @@ static void print_pkt_side_data(WriterContext *w, | ||
19 | writer_print_section_footer(w); | ||
20 | } | ||
21 | |||
22 | +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) | ||
23 | +{ | ||
24 | + const char *val = av_color_primaries_name(color_primaries); | ||
25 | + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { | ||
26 | + print_str_opt("color_primaries", "unknown"); | ||
27 | + } else { | ||
28 | + print_str("color_primaries", val); | ||
29 | + } | ||
30 | +} | ||
31 | + | ||
32 | static void clear_log(int need_lock) | ||
33 | { | ||
34 | int i; | ||
35 | @@ -2420,10 +2430,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id | ||
36 | else | ||
37 | print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); | ||
38 | |||
39 | - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) | ||
40 | - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); | ||
41 | - else | ||
42 | - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); | ||
43 | + print_primaries(w, par->color_primaries); | ||
44 | |||
45 | if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) | ||
46 | print_str("chroma_location", av_chroma_location_name(par->chroma_location)); | ||
47 | -- | ||
48 | 2.1.0 | ||
49 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb index c8f521e7be..57e0ac0411 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb | |||
@@ -26,18 +26,6 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ | |||
26 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | 26 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ |
27 | file://mips64_cpu_detection.patch \ | 27 | file://mips64_cpu_detection.patch \ |
28 | file://0001-build-fix-for-mips.patch \ | 28 | file://0001-build-fix-for-mips.patch \ |
29 | file://CVE-2017-14054.patch \ | ||
30 | file://CVE-2017-14055.patch \ | ||
31 | file://CVE-2017-14056.patch \ | ||
32 | file://CVE-2017-14057.patch \ | ||
33 | file://CVE-2017-14058.patch \ | ||
34 | file://CVE-2017-14059.patch \ | ||
35 | file://CVE-2017-14169.patch \ | ||
36 | file://CVE-2017-14170.patch \ | ||
37 | file://CVE-2017-14171.patch \ | ||
38 | file://CVE-2017-14222.patch \ | ||
39 | file://CVE-2017-14223.patch \ | ||
40 | file://CVE-2017-14225.patch \ | ||
41 | " | 29 | " |
42 | SRC_URI[md5sum] = "e14a0200c78ce5c918427e57cd406a0d" | 30 | SRC_URI[md5sum] = "e14a0200c78ce5c918427e57cd406a0d" |
43 | SRC_URI[sha256sum] = "98b97e1b908dfeb6aeb6d407e5a5eacdfc253a40c2d195f5867ed2d1d46ea957" | 31 | SRC_URI[sha256sum] = "98b97e1b908dfeb6aeb6d407e5a5eacdfc253a40c2d195f5867ed2d1d46ea957" |