authorChen Qi <Qi.Chen@windriver.com>2017-09-30 11:21:01 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-11-09 12:33:16 +0000
commit31eb2baed27fa83073c8718f40a6af7070097c37 (patch)
tree997fa90cecb34f6b66465c630f38236271593936
parent9e1e4d74c37479659e94a3650cff5c75a47759f0 (diff)
ffmpeg: upgrade to 3.3.4
Upgrade ffmpeg to version 3.3.4. Version 3.3.4 is a bug-fix release; no new features were added. Compared to version 3.3.3, there are 57 new commits, all of which are either bug fixes or small tweaks. Drop the CVE patches that were backported from 3.3.4. (From OE-Core rev: 234d9aaffc2b08846281247e5ba37b20fea1493d) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch39
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch34
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch51
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch44
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch94
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch40
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch39
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch49
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch44
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch40
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch38
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch49
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb12
13 files changed, 0 insertions, 573 deletions
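diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch
deleted file mode 100644
index e8baa188a3..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
- =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
-Date: Fri, 25 Aug 2017 01:15:28 +0200
-Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check
-
-Fixes: loop.ivr
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14054
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/rmdec.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
-index 178eaea..d6d7d9c 100644
---- a/libavformat/rmdec.c
-+++ b/libavformat/rmdec.c
-@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s)
- av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
- } else if (type == 4) {
- av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-- for (j = 0; j < len; j++)
-+ for (j = 0; j < len; j++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
-+ }
- av_log(s, AV_LOG_DEBUG, "'\n");
- } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
- nb_streams = value = avio_rb32(pb);
---
-2.1.0
-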
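diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch
deleted file mode 100644
index 37d0d1ab7f..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Fri, 25 Aug 2017 01:15:30 +0200
-Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check
-
-Fixes: loop.mv
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14055
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/mvdec.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
-index 0e12c8c..f7aa4cb 100644
---- a/libavformat/mvdec.c
-+++ b/libavformat/mvdec.c
-@@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx)
- uint32_t pos = avio_rb32(pb);
- uint32_t asize = avio_rb32(pb);
- uint32_t vsize = avio_rb32(pb);
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- avio_skip(pb, 8);
- av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
- av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
---
-2.1.0
-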
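diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch
deleted file mode 100644
index 088b357b25..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
- =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
-Date: Fri, 25 Aug 2017 01:15:29 +0200
-Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check
-
-Fixes: loop.rl2
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14056
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/rl2.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/libavformat/rl2.c b/libavformat/rl2.c
-index 0bec8f1..eb1682d 100644
---- a/libavformat/rl2.c
-+++ b/libavformat/rl2.c
-@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
- }
-
- /** read offset and size tables */
-- for(i=0; i < frame_count;i++)
-+ for(i=0; i < frame_count;i++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- chunk_size[i] = avio_rl32(pb);
-- for(i=0; i < frame_count;i++)
-+ }
-+ for(i=0; i < frame_count;i++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- chunk_offset[i] = avio_rl32(pb);
-- for(i=0; i < frame_count;i++)
-+ }
-+ for(i=0; i < frame_count;i++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- audio_size[i] = avio_rl32(pb) & 0xFFFF;
-+ }
-
- /** build the sample index */
- for(i=0;i<frame_count;i++){
---
-2.1.0
-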
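diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch
deleted file mode 100644
index b301d233b3..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
- =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
-Date: Fri, 25 Aug 2017 12:37:25 +0200
-Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check
-
-Fixes: loop.asf
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14057
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/asfdec_f.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
-index be09a92..f3acbae 100644
---- a/libavformat/asfdec_f.c
-+++ b/libavformat/asfdec_f.c
-@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
- count = avio_rl32(pb); // markers count
- avio_rl16(pb); // reserved 2 bytes
- name_len = avio_rl16(pb); // name length
-- for (i = 0; i < name_len; i++)
-- avio_r8(pb); // skip the name
-+ avio_skip(pb, name_len);
-
- for (i = 0; i < count; i++) {
- int64_t pres_time;
- int name_len;
-
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
-+
- avio_rl64(pb); // offset, 8 bytes
- pres_time = avio_rl64(pb); // presentation time
- pres_time -= asf->hdr.preroll * 10000;
---
-2.1.0
-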
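diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
deleted file mode 100644
index 95803cef55..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Sat, 26 Aug 2017 01:26:58 +0200
-Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop
-
-Fixes: loop.m3u
-
-The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-
-Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14058
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- doc/demuxers.texi | 18 ++++++++++++++++++
- libavformat/hls.c | 7 +++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/doc/demuxers.texi b/doc/demuxers.texi
-index 29a23d4..73dc0fe 100644
---- a/doc/demuxers.texi
-+++ b/doc/demuxers.texi
-@@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file,
- which in this case is @file{input.mp4} as the GIF in this example loops
- infinitely.
-
-+@section hls
-+
-+HLS demuxer
-+
-+It accepts the following options:
-+
-+@table @option
-+@item live_start_index
-+segment index to start live streams at (negative values are from the end).
-+
-+@item allowed_extensions
-+',' separated list of file extensions that hls is allowed to access.
-+
-+@item max_reload
-+Maximum number of times a insufficient list is attempted to be reloaded.
-+Default value is 1000.
-+@end table
-+
- @section image2
-
- Image file demuxer.
-diff --git a/libavformat/hls.c b/libavformat/hls.c
-index 01731bd..0995345 100644
---- a/libavformat/hls.c
-+++ b/libavformat/hls.c
-@@ -205,6 +205,7 @@ typedef struct HLSContext {
- AVDictionary *avio_opts;
- int strict_std_compliance;
- char *allowed_extensions;
-+ int max_reload;
- } HLSContext;
-
- static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
-@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
- HLSContext *c = v->parent->priv_data;
- int ret, i;
- int just_opened = 0;
-+ int reload_count = 0;
-
- restart:
- if (!v->needed)
-@@ -1294,6 +1296,9 @@ restart:
- reload_interval = default_reload_interval(v);
-
- reload:
-+ reload_count++;
-+ if (reload_count > c->max_reload)
-+ return AVERROR_EOF;
- if (!v->finished &&
- av_gettime_relative() - v->last_load_time >= reload_interval) {
- if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
-@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
- OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
- {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
- INT_MIN, INT_MAX, FLAGS},
-+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
-+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
- {NULL}
- };
-
---
-2.1.0
-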
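diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch
deleted file mode 100644
index 34fde0be77..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
- =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
-Date: Fri, 25 Aug 2017 01:15:27 +0200
-Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check
-
-Fixes: loop.cine
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14059
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/cinedec.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
-index 763b93b..de34fb9 100644
---- a/libavformat/cinedec.c
-+++ b/libavformat/cinedec.c
-@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
-
- /* parse image offsets */
- avio_seek(pb, offImageOffsets, SEEK_SET);
-- for (i = 0; i < st->duration; i++)
-+ for (i = 0; i < st->duration; i++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
-+
- av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
-+ }
-
- return 0;
- }
---
-2.1.0
-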
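diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch
deleted file mode 100644
index e1284faa93..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
- <tony.sh@alibaba-inc.com>
-Date: Tue, 29 Aug 2017 23:59:21 +0200
-Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: 20170829B.mxf
-
-Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14169
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/mxfdec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
-index 6adb77d..91731a7 100644
---- a/libavformat/mxfdec.c
-+++ b/libavformat/mxfdec.c
-@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
- avpriv_request_sample(pb, "Primer pack item length %d", item_len);
- return AVERROR_PATCHWELCOME;
- }
-- if (item_num > 65536) {
-+ if (item_num > 65536 || item_num < 0) {
- av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
- return AVERROR_INVALIDDATA;
- }
---
-2.1.0
-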
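diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch
deleted file mode 100644
index 8860125030..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
- <tony.sh@alibaba-inc.com>
-Date: Tue, 29 Aug 2017 23:59:21 +0200
-Subject: [PATCH] avformat/mxfdec: Fix DoS issues in
- mxf_read_index_entry_array()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: 20170829A.mxf
-
-Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14170
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/mxfdec.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
-index f8d0f9e..6adb77d 100644
---- a/libavformat/mxfdec.c
-+++ b/libavformat/mxfdec.c
-@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
- segment->nb_index_entries = avio_rb32(pb);
-
- length = avio_rb32(pb);
-+ if(segment->nb_index_entries && length < 11)
-+ return AVERROR_INVALIDDATA;
-
- if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
- !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
-@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
- }
-
- for (i = 0; i < segment->nb_index_entries; i++) {
-+ if(avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- segment->temporal_offset_entries[i] = avio_r8(pb);
- avio_r8(pb); /* KeyFrameOffset */
- segment->flag_entries[i] = avio_r8(pb);
---
-2.1.0
-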
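diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch
deleted file mode 100644
index e2ae2040cf..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
- <tony.sh@alibaba-inc.com>
-Date: Tue, 29 Aug 2017 23:59:21 +0200
-Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in
- nsvs_file_offset loop.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: 20170829.nsv
-
-Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14171
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/nsvdec.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
-index c6ddb67..d8ce656 100644
---- a/libavformat/nsvdec.c
-+++ b/libavformat/nsvdec.c
-@@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
- if (!nsv->nsvs_file_offset)
- return AVERROR(ENOMEM);
-
-- for(i=0;i<table_entries_used;i++)
-+ for(i=0;i<table_entries_used;i++) {
-+ if (avio_feof(pb))
-+ return AVERROR_INVALIDDATA;
- nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
-+ }
-
- if(table_entries > table_entries_used &&
- avio_rl32(pb) == MKTAG('T','O','C','2')) {
---
-2.1.0
-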
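diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch
deleted file mode 100644
index ee02037948..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9cb4eb772839c5e1de2855d126bf74ff16d13382 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Tue, 5 Sep 2017 00:16:29 +0200
-Subject: [PATCH] avformat/mov: Fix DoS in read_tfra()
-
-Fixes: Missing EOF check in loop
-No testcase
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14222
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/mov.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libavformat/mov.c b/libavformat/mov.c
-index 994e9c6..2519707 100644
---- a/libavformat/mov.c
-+++ b/libavformat/mov.c
-@@ -6094,6 +6094,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
- }
- for (i = 0; i < index->item_count; i++) {
- int64_t time, offset;
-+
-+ if (avio_feof(f)) {
-+ index->item_count = 0;
-+ av_freep(&index->items);
-+ return AVERROR_INVALIDDATA;
-+ }
-+
- if (version == 1) {
- time = avio_rb64(f);
- offset = avio_rb64(f);
---
-2.1.0
-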
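diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch
deleted file mode 100644
index d1fef6b144..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From afc9c683ed9db01edb357bc8c19edad4282b3a97 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Tue, 5 Sep 2017 00:16:29 +0200
-Subject: [PATCH] avformat/asfdec: Fix DoS in asf_build_simple_index()
-
-Fixes: Missing EOF check in loop
-No testcase
-
-Found-by: Xiaohei and Wangchu from Alibaba Security Team
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14223
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- libavformat/asfdec_f.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
-index f3acbae..cc648b9 100644
---- a/libavformat/asfdec_f.c
-+++ b/libavformat/asfdec_f.c
-@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
- int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
- int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);
-
-+ if (avio_feof(s->pb)) {
-+ ret = AVERROR_INVALIDDATA;
-+ goto end;
-+ }
-+
- if (pos != last_pos) {
- av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n",
- pktnum, pktct, index_pts);
---
-2.1.0
-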
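diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch
deleted file mode 100644
index ce6845eecf..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Subject: [PATCH] ffprobe: Fix null pointer dereference with color primaries
-
-Found-by: AD-lab of venustech
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2017-14225
-Upstream-Status: Backport
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- ffprobe.c | 15 +++++++++++----
- 1 file changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/ffprobe.c b/ffprobe.c
-index a219fc1..df22b30 100644
---- a/ffprobe.c
-+++ b/ffprobe.c
-@@ -1899,6 +1899,16 @@ static void print_pkt_side_data(WriterContext *w,
- writer_print_section_footer(w);
- }
-
-+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
-+{
-+ const char *val = av_color_primaries_name(color_primaries);
-+ if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
-+ print_str_opt("color_primaries", "unknown");
-+ } else {
-+ print_str("color_primaries", val);
-+ }
-+}
-+
- static void clear_log(int need_lock)
- {
- int i;
-@@ -2420,10 +2430,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
- else
- print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
-
-- if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-- print_str("color_primaries", av_color_primaries_name(par->color_primaries));
-- else
-- print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
-+ print_primaries(w, par->color_primaries);
-
- if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
- print_str("chroma_location", av_chroma_location_name(par->chroma_location));
---
-2.1.0
-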
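diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb
index c8f521e7be..57e0ac0411 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.4.bb
@@ -26,18 +26,6 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
  file://mips64_cpu_detection.patch \
  file://0001-build-fix-for-mips.patch \
- file://CVE-2017-14054.patch \
- file://CVE-2017-14055.patch \
- file://CVE-2017-14056.patch \
- file://CVE-2017-14057.patch \
- file://CVE-2017-14058.patch \
- file://CVE-2017-14059.patch \
- file://CVE-2017-14169.patch \
- file://CVE-2017-14170.patch \
- file://CVE-2017-14171.patch \
- file://CVE-2017-14222.patch \
- file://CVE-2017-14223.patch \
- file://CVE-2017-14225.patch \
  "
 SRC_URI[md5sum] = "e14a0200c78ce5c918427e57cd406a0d"
 SRC_URI[sha256sum] = "98b97e1b908dfeb6aeb6d407e5a5eacdfc253a40c2d195f5867ed2d1d46ea957"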