gst-ffmpeg: fix for Security Advisory CVE-2013-0868

libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted Huffyuv data, related to an out-of-bounds write and (1) unchecked return codes from the init_vlc function and (2) len==0 cases. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868 (From OE-Core rev: 29dcc2c8e834cf43e415eedefb8fce9667b3aa40) (From OE-Core rev: 8229523ea86e9545cc0ee9e34af12a2f84d0809e) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-04-27 11:56:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-29 13:43:29 +0100
commit: f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4 (patch)
tree: 54cf039b24049d7fa341ef7d3d23b426c649cb91
parent: 48169ac9bcd93f436ce166bd440157948613a495 (diff)
download: poky-f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4.tar.gz
3 files changed, 150 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
new file mode 100644
index 0000000000..e859e443bb
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
@@ -0,0 +1,87 @@
+From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 18:29:41 +0100
+Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
+Upstream-Status: Backport
+Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
+Prevents out of array writes
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 58da789..993e524 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -33,6 +33,7 @@
+ #include "put_bits.h"
+ #include "dsputil.h"
+ #include "thread.h"
+#include "libavutil/avassert.h"
+ 
+ #define VLC_BITS 11
+ 
+@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
+                     int len1 = s->len[p][u];
+                     if (len1 > limit || !len1)
+                         continue;
+                    av_assert0(i < (1 << VLC_BITS));
+                     len[i] = len0 + len1;
+                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+                     symbols[i] = (y<<8) + u;
+@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
+                     int len2 = s->len[2][r&255];
+                     if (len2 > limit1 || !len2)
+                         continue;
+                    av_assert0(i < (1 << VLC_BITS));
+                     len[i] = len0 + len1 + len2;
+                     bits[i] = (code << len2) + s->bits[2][r&255];
+                     if(s->decorrelate){
+@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
+ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
+     GetBitContext gb;
+     int i;
+    int ret;
+ 
+     init_get_bits(&gb, src, length*8);
+ 
+@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
+             return -1;
+         }
+         free_vlc(&s->vlc[i]);
+-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                           s->bits[i], 4, 4, 0)) < 0)
+            return ret;
+     }
+ 
+     generate_joint_tables(s);
+@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
+ #if 1
+     GetBitContext gb;
+     int i;
+    int ret;
+ 
+     init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+     if(read_len_table(s->len[0], &gb)<0)
+@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
+ 
+     for(i=0; i<3; i++){
+         free_vlc(&s->vlc[i]);
+-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
+        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
+                            s->bits[i], 4, 4, 0)) < 0)
+            return ret;
+     }
+ 
+     generate_joint_tables(s);
+-- 
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
new file mode 100644
index 0000000000..94bf4b6fba
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
@@ -0,0 +1,61 @@
+From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 19:22:33 +0100
+Subject: [PATCH] huffyuvdec: Skip len==0 cases
+Upstream-Status: Backport
+Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
+Fixes vlc decoding for hypothetical files that would contain such cases.
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 993e524..72ed351 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
+             for(i=y=0; y<256; y++){
+                 int len0 = s->len[0][y];
+                 int limit = VLC_BITS - len0;
+-                if(limit <= 0)
+                if(limit <= 0 || !len0)
+                     continue;
+                 for(u=0; u<256; u++){
+                     int len1 = s->len[p][u];
+-                    if(len1 > limit)
+                    if (len1 > limit || !len1)
+                         continue;
+                     len[i] = len0 + len1;
+                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
+         for(i=0, g=-16; g<16; g++){
+             int len0 = s->len[p0][g&255];
+             int limit0 = VLC_BITS - len0;
+-            if(limit0 < 2)
+            if (limit0 < 2 || !len0)
+                 continue;
+             for(b=-16; b<16; b++){
+                 int len1 = s->len[p1][b&255];
+                 int limit1 = limit0 - len1;
+-                if(limit1 < 1)
+                if (limit1 < 1 || !len1)
+                     continue;
+                 code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
+                 for(r=-16; r<16; r++){
+                     int len2 = s->len[2][r&255];
+-                    if(len2 > limit1)
+                    if (len2 > limit1 || !len2)
+                         continue;
+                     len[i] = len0 + len1 + len2;
+                     bits[i] = (code << len2) + s->bits[2][r&255];
+-- 
+1.8.5.2.233.g932f7e4
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 05cc404050..847b927f8d 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
           file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
           file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
           file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
+           file://0001-huffyuvdec-Skip-len-0-cases.patch \
+           file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
 "
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
author	Yue Tao <Yue.Tao@windriver.com>	2014-04-27 11:56:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-29 13:43:29 +0100
commit	f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4 (patch)
tree	54cf039b24049d7fa341ef7d3d23b426c649cb91
parent	48169ac9bcd93f436ce166bd440157948613a495 (diff)
download	poky-f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch new file mode 100644 index 0000000000..e859e443bb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
@@ -0,0 +1,87 @@
		1	From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michaelni@gmx.at>
		3	Date: Tue, 29 Jan 2013 18:29:41 +0100
		4	Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
		5
		6	Upstream-Status: Backport
		7
		8	Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
		9
		10	Prevents out of array writes
		11
		12	Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
		13	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		14	(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
		15
		16	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		17	---
		18	libavcodec/huffyuv.c \| 14 ++++++++++----
		19	1 file changed, 10 insertions(+), 4 deletions(-)
		20
		21	diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
		22	index 58da789..993e524 100644
		23	--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
		24	+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
		25	@@ -33,6 +33,7 @@
		26	#include "put_bits.h"
		27	#include "dsputil.h"
		28	#include "thread.h"
		29	+#include "libavutil/avassert.h"
		30
		31	#define VLC_BITS 11
		32
		33	@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
		34	int len1 = s->len[p][u];
		35	if (len1 > limit \|\| !len1)
		36	continue;
		37	+ av_assert0(i < (1 << VLC_BITS));
		38	len[i] = len0 + len1;
		39	bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
		40	symbols[i] = (y<<8) + u;
		41	@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
		42	int len2 = s->len[2][r&255];
		43	if (len2 > limit1 \|\| !len2)
		44	continue;
		45	+ av_assert0(i < (1 << VLC_BITS));
		46	len[i] = len0 + len1 + len2;
		47	bits[i] = (code << len2) + s->bits[2][r&255];
		48	if(s->decorrelate){
		49	@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
		50	static int read_huffman_tables(HYuvContext s, const uint8_t src, int length){
		51	GetBitContext gb;
		52	int i;
		53	+ int ret;
		54
		55	init_get_bits(&gb, src, length*8);
		56
		57	@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
		58	return -1;
		59	}
		60	free_vlc(&s->vlc[i]);
		61	- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
		62	+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
		63	+ s->bits[i], 4, 4, 0)) < 0)
		64	+ return ret;
		65	}
		66
		67	generate_joint_tables(s);
		68	@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
		69	#if 1
		70	GetBitContext gb;
		71	int i;
		72	+ int ret;
		73
		74	init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
		75	if(read_len_table(s->len[0], &gb)<0)
		76	@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
		77
		78	for(i=0; i<3; i++){
		79	free_vlc(&s->vlc[i]);
		80	- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
		81	+ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
		82	+ s->bits[i], 4, 4, 0)) < 0)
		83	+ return ret;
		84	}
		85
		86	generate_joint_tables(s);
		87	--


diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch new file mode 100644 index 0000000000..94bf4b6fba --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
@@ -0,0 +1,61 @@
		1	From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michaelni@gmx.at>
		3	Date: Tue, 29 Jan 2013 19:22:33 +0100
		4	Subject: [PATCH] huffyuvdec: Skip len==0 cases
		5
		6	Upstream-Status: Backport
		7
		8	Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
		9
		10	Fixes vlc decoding for hypothetical files that would contain such cases.
		11
		12	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		13	(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
		14
		15	Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
		16	---
		17	libavcodec/huffyuv.c \| 10 +++++-----
		18	1 file changed, 5 insertions(+), 5 deletions(-)
		19
		20	diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
		21	index 993e524..72ed351 100644
		22	--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
		23	+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
		24	@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
		25	for(i=y=0; y<256; y++){
		26	int len0 = s->len[0][y];
		27	int limit = VLC_BITS - len0;
		28	- if(limit <= 0)
		29	+ if(limit <= 0 \|\| !len0)
		30	continue;
		31	for(u=0; u<256; u++){
		32	int len1 = s->len[p][u];
		33	- if(len1 > limit)
		34	+ if (len1 > limit \|\| !len1)
		35	continue;
		36	len[i] = len0 + len1;
		37	bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
		38	@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
		39	for(i=0, g=-16; g<16; g++){
		40	int len0 = s->len[p0][g&255];
		41	int limit0 = VLC_BITS - len0;
		42	- if(limit0 < 2)
		43	+ if (limit0 < 2 \|\| !len0)
		44	continue;
		45	for(b=-16; b<16; b++){
		46	int len1 = s->len[p1][b&255];
		47	int limit1 = limit0 - len1;
		48	- if(limit1 < 1)
		49	+ if (limit1 < 1 \|\| !len1)
		50	continue;
		51	code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
		52	for(r=-16; r<16; r++){
		53	int len2 = s->len[2][r&255];
		54	- if(len2 > limit1)
		55	+ if (len2 > limit1 \|\| !len2)
		56	continue;
		57	len[i] = len0 + len1 + len2;
		58	bits[i] = (code << len2) + s->bits[2][r&255];
		59	--
		60	1.8.5.2.233.g932f7e4
		61


diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index 05cc404050..847b927f8d 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
26	file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \	26	file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
27	file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \	27	file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
28	file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \	28	file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
		29	file://0001-huffyuvdec-Skip-len-0-cases.patch \
		30	file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
29	"	31	"
30		32
31	SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"	33	SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"