summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/ffmpeg
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2017-09-26 15:43:24 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-10-07 23:20:39 +0100
commit4435ab4a3b2acbd66910dad5c602ec71f8902386 (patch)
tree5b429173d641ea6df515dbb542ed4a0e4c6ee3e9 /meta/recipes-multimedia/ffmpeg
parent7ea2d2fb57572a03e322810c57e73b9255de9053 (diff)
downloadpoky-4435ab4a3b2acbd66910dad5c602ec71f8902386.tar.gz
ffmpeg: backport patches to fix 12 CVEs
Backport patches to fix the following CVEs. CVE-2017-14054 CVE-2017-14055 CVE-2017-14056 CVE-2017-14057 CVE-2017-14058 CVE-2017-14059 CVE-2017-14169 CVE-2017-14170 CVE-2017-14171 CVE-2017-14222 CVE-2017-14223 CVE-2017-14225 (From OE-Core rev: 13862938a6a7a938f8d781655ceaf78a81b57549) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/ffmpeg')
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch39
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch34
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch51
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch44
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch94
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch40
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch39
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch49
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch44
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch40
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch38
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch49
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb12
13 files changed, 573 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch
new file mode 100644
index 0000000000..e8baa188a3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch
@@ -0,0 +1,39 @@
1From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4Date: Fri, 25 Aug 2017 01:15:28 +0200
5Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check
6
7Fixes: loop.ivr
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14054
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/rmdec.c | 5 ++++-
18 1 file changed, 4 insertions(+), 1 deletion(-)
19
20diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
21index 178eaea..d6d7d9c 100644
22--- a/libavformat/rmdec.c
23+++ b/libavformat/rmdec.c
24@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s)
25 av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
26 } else if (type == 4) {
27 av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
28- for (j = 0; j < len; j++)
29+ for (j = 0; j < len; j++) {
30+ if (avio_feof(pb))
31+ return AVERROR_INVALIDDATA;
32 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
33+ }
34 av_log(s, AV_LOG_DEBUG, "'\n");
35 } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
36 nb_streams = value = avio_rb32(pb);
37--
382.1.0
39
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch
new file mode 100644
index 0000000000..37d0d1ab7f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch
@@ -0,0 +1,34 @@
1From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Fri, 25 Aug 2017 01:15:30 +0200
4Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check
5
6Fixes: loop.mv
7
8Found-by: Xiaohei and Wangchu from Alibaba Security Team
9Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10
11CVE: CVE-2017-14055
12Upstream-Status: Backport
13
14Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
15---
16 libavformat/mvdec.c | 2 ++
17 1 file changed, 2 insertions(+)
18
19diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
20index 0e12c8c..f7aa4cb 100644
21--- a/libavformat/mvdec.c
22+++ b/libavformat/mvdec.c
23@@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx)
24 uint32_t pos = avio_rb32(pb);
25 uint32_t asize = avio_rb32(pb);
26 uint32_t vsize = avio_rb32(pb);
27+ if (avio_feof(pb))
28+ return AVERROR_INVALIDDATA;
29 avio_skip(pb, 8);
30 av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME);
31 av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME);
32--
332.1.0
34
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch
new file mode 100644
index 0000000000..088b357b25
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch
@@ -0,0 +1,51 @@
1From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4Date: Fri, 25 Aug 2017 01:15:29 +0200
5Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check
6
7Fixes: loop.rl2
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14056
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/rl2.c | 15 ++++++++++++---
18 1 file changed, 12 insertions(+), 3 deletions(-)
19
20diff --git a/libavformat/rl2.c b/libavformat/rl2.c
21index 0bec8f1..eb1682d 100644
22--- a/libavformat/rl2.c
23+++ b/libavformat/rl2.c
24@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
25 }
26
27 /** read offset and size tables */
28- for(i=0; i < frame_count;i++)
29+ for(i=0; i < frame_count;i++) {
30+ if (avio_feof(pb))
31+ return AVERROR_INVALIDDATA;
32 chunk_size[i] = avio_rl32(pb);
33- for(i=0; i < frame_count;i++)
34+ }
35+ for(i=0; i < frame_count;i++) {
36+ if (avio_feof(pb))
37+ return AVERROR_INVALIDDATA;
38 chunk_offset[i] = avio_rl32(pb);
39- for(i=0; i < frame_count;i++)
40+ }
41+ for(i=0; i < frame_count;i++) {
42+ if (avio_feof(pb))
43+ return AVERROR_INVALIDDATA;
44 audio_size[i] = avio_rl32(pb) & 0xFFFF;
45+ }
46
47 /** build the sample index */
48 for(i=0;i<frame_count;i++){
49--
502.1.0
51
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch
new file mode 100644
index 0000000000..b301d233b3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch
@@ -0,0 +1,44 @@
1From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4Date: Fri, 25 Aug 2017 12:37:25 +0200
5Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check
6
7Fixes: loop.asf
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14057
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/asfdec_f.c | 6 ++++--
18 1 file changed, 4 insertions(+), 2 deletions(-)
19
20diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
21index be09a92..f3acbae 100644
22--- a/libavformat/asfdec_f.c
23+++ b/libavformat/asfdec_f.c
24@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size)
25 count = avio_rl32(pb); // markers count
26 avio_rl16(pb); // reserved 2 bytes
27 name_len = avio_rl16(pb); // name length
28- for (i = 0; i < name_len; i++)
29- avio_r8(pb); // skip the name
30+ avio_skip(pb, name_len);
31
32 for (i = 0; i < count; i++) {
33 int64_t pres_time;
34 int name_len;
35
36+ if (avio_feof(pb))
37+ return AVERROR_INVALIDDATA;
38+
39 avio_rl64(pb); // offset, 8 bytes
40 pres_time = avio_rl64(pb); // presentation time
41 pres_time -= asf->hdr.preroll * 10000;
42--
432.1.0
44
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
new file mode 100644
index 0000000000..95803cef55
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch
@@ -0,0 +1,94 @@
1From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Sat, 26 Aug 2017 01:26:58 +0200
4Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop
5
6Fixes: loop.m3u
7
8The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome
9
10Found-by: Xiaohei and Wangchu from Alibaba Security Team
11
12Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
13Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14
15CVE: CVE-2017-14058
16Upstream-Status: Backport
17
18Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
19---
20 doc/demuxers.texi | 18 ++++++++++++++++++
21 libavformat/hls.c | 7 +++++++
22 2 files changed, 25 insertions(+)
23
24diff --git a/doc/demuxers.texi b/doc/demuxers.texi
25index 29a23d4..73dc0fe 100644
26--- a/doc/demuxers.texi
27+++ b/doc/demuxers.texi
28@@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file,
29 which in this case is @file{input.mp4} as the GIF in this example loops
30 infinitely.
31
32+@section hls
33+
34+HLS demuxer
35+
36+It accepts the following options:
37+
38+@table @option
39+@item live_start_index
40+segment index to start live streams at (negative values are from the end).
41+
42+@item allowed_extensions
43+',' separated list of file extensions that hls is allowed to access.
44+
45+@item max_reload
46+Maximum number of times a insufficient list is attempted to be reloaded.
47+Default value is 1000.
48+@end table
49+
50 @section image2
51
52 Image file demuxer.
53diff --git a/libavformat/hls.c b/libavformat/hls.c
54index 01731bd..0995345 100644
55--- a/libavformat/hls.c
56+++ b/libavformat/hls.c
57@@ -205,6 +205,7 @@ typedef struct HLSContext {
58 AVDictionary *avio_opts;
59 int strict_std_compliance;
60 char *allowed_extensions;
61+ int max_reload;
62 } HLSContext;
63
64 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
65@@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size)
66 HLSContext *c = v->parent->priv_data;
67 int ret, i;
68 int just_opened = 0;
69+ int reload_count = 0;
70
71 restart:
72 if (!v->needed)
73@@ -1294,6 +1296,9 @@ restart:
74 reload_interval = default_reload_interval(v);
75
76 reload:
77+ reload_count++;
78+ if (reload_count > c->max_reload)
79+ return AVERROR_EOF;
80 if (!v->finished &&
81 av_gettime_relative() - v->last_load_time >= reload_interval) {
82 if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
83@@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = {
84 OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
85 {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
86 INT_MIN, INT_MAX, FLAGS},
87+ {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded",
88+ OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
89 {NULL}
90 };
91
92--
932.1.0
94
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch
new file mode 100644
index 0000000000..34fde0be77
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch
@@ -0,0 +1,40 @@
1From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
3 =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
4Date: Fri, 25 Aug 2017 01:15:27 +0200
5Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check
6
7Fixes: loop.cine
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14059
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/cinedec.c | 6 +++++-
18 1 file changed, 5 insertions(+), 1 deletion(-)
19
20diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
21index 763b93b..de34fb9 100644
22--- a/libavformat/cinedec.c
23+++ b/libavformat/cinedec.c
24@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
25
26 /* parse image offsets */
27 avio_seek(pb, offImageOffsets, SEEK_SET);
28- for (i = 0; i < st->duration; i++)
29+ for (i = 0; i < st->duration; i++) {
30+ if (avio_feof(pb))
31+ return AVERROR_INVALIDDATA;
32+
33 av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
34+ }
35
36 return 0;
37 }
38--
392.1.0
40
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch
new file mode 100644
index 0000000000..e1284faa93
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch
@@ -0,0 +1,39 @@
1From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3 <tony.sh@alibaba-inc.com>
4Date: Tue, 29 Aug 2017 23:59:21 +0200
5Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Fixes: 20170829B.mxf
11
12Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
13Found-by: Xiaohei and Wangchu from Alibaba Security Team
14Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
15
16CVE: CVE-2017-14169
17Upstream-Status: Backport
18
19Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
20---
21 libavformat/mxfdec.c | 2 +-
22 1 file changed, 1 insertion(+), 1 deletion(-)
23
24diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
25index 6adb77d..91731a7 100644
26--- a/libavformat/mxfdec.c
27+++ b/libavformat/mxfdec.c
28@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
29 avpriv_request_sample(pb, "Primer pack item length %d", item_len);
30 return AVERROR_PATCHWELCOME;
31 }
32- if (item_num > 65536) {
33+ if (item_num > 65536 || item_num < 0) {
34 av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
35 return AVERROR_INVALIDDATA;
36 }
37--
382.1.0
39
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch
new file mode 100644
index 0000000000..8860125030
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch
@@ -0,0 +1,49 @@
1From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3 <tony.sh@alibaba-inc.com>
4Date: Tue, 29 Aug 2017 23:59:21 +0200
5Subject: [PATCH] avformat/mxfdec: Fix DoS issues in
6 mxf_read_index_entry_array()
7MIME-Version: 1.0
8Content-Type: text/plain; charset=UTF-8
9Content-Transfer-Encoding: 8bit
10
11Fixes: 20170829A.mxf
12
13Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
14Found-by: Xiaohei and Wangchu from Alibaba Security Team
15Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
16
17CVE: CVE-2017-14170
18Upstream-Status: Backport
19
20Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
21---
22 libavformat/mxfdec.c | 4 ++++
23 1 file changed, 4 insertions(+)
24
25diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
26index f8d0f9e..6adb77d 100644
27--- a/libavformat/mxfdec.c
28+++ b/libavformat/mxfdec.c
29@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
30 segment->nb_index_entries = avio_rb32(pb);
31
32 length = avio_rb32(pb);
33+ if(segment->nb_index_entries && length < 11)
34+ return AVERROR_INVALIDDATA;
35
36 if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
37 !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
38@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
39 }
40
41 for (i = 0; i < segment->nb_index_entries; i++) {
42+ if(avio_feof(pb))
43+ return AVERROR_INVALIDDATA;
44 segment->temporal_offset_entries[i] = avio_r8(pb);
45 avio_r8(pb); /* KeyFrameOffset */
46 segment->flag_entries[i] = avio_r8(pb);
47--
482.1.0
49
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch
new file mode 100644
index 0000000000..e2ae2040cf
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch
@@ -0,0 +1,44 @@
1From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?=
3 <tony.sh@alibaba-inc.com>
4Date: Tue, 29 Aug 2017 23:59:21 +0200
5Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in
6 nsvs_file_offset loop.
7MIME-Version: 1.0
8Content-Type: text/plain; charset=UTF-8
9Content-Transfer-Encoding: 8bit
10
11Fixes: 20170829.nsv
12
13Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
14Found-by: Xiaohei and Wangchu from Alibaba Security Team
15Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
16
17CVE: CVE-2017-14171
18Upstream-Status: Backport
19
20Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
21---
22 libavformat/nsvdec.c | 5 ++++-
23 1 file changed, 4 insertions(+), 1 deletion(-)
24
25diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
26index c6ddb67..d8ce656 100644
27--- a/libavformat/nsvdec.c
28+++ b/libavformat/nsvdec.c
29@@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
30 if (!nsv->nsvs_file_offset)
31 return AVERROR(ENOMEM);
32
33- for(i=0;i<table_entries_used;i++)
34+ for(i=0;i<table_entries_used;i++) {
35+ if (avio_feof(pb))
36+ return AVERROR_INVALIDDATA;
37 nsv->nsvs_file_offset[i] = avio_rl32(pb) + size;
38+ }
39
40 if(table_entries > table_entries_used &&
41 avio_rl32(pb) == MKTAG('T','O','C','2')) {
42--
432.1.0
44
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch
new file mode 100644
index 0000000000..ee02037948
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch
@@ -0,0 +1,40 @@
1From 9cb4eb772839c5e1de2855d126bf74ff16d13382 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Tue, 5 Sep 2017 00:16:29 +0200
4Subject: [PATCH] avformat/mov: Fix DoS in read_tfra()
5
6Fixes: Missing EOF check in loop
7No testcase
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14222
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/mov.c | 7 +++++++
18 1 file changed, 7 insertions(+)
19
20diff --git a/libavformat/mov.c b/libavformat/mov.c
21index 994e9c6..2519707 100644
22--- a/libavformat/mov.c
23+++ b/libavformat/mov.c
24@@ -6094,6 +6094,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
25 }
26 for (i = 0; i < index->item_count; i++) {
27 int64_t time, offset;
28+
29+ if (avio_feof(f)) {
30+ index->item_count = 0;
31+ av_freep(&index->items);
32+ return AVERROR_INVALIDDATA;
33+ }
34+
35 if (version == 1) {
36 time = avio_rb64(f);
37 offset = avio_rb64(f);
38--
392.1.0
40
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch
new file mode 100644
index 0000000000..d1fef6b144
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch
@@ -0,0 +1,38 @@
1From afc9c683ed9db01edb357bc8c19edad4282b3a97 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Tue, 5 Sep 2017 00:16:29 +0200
4Subject: [PATCH] avformat/asfdec: Fix DoS in asf_build_simple_index()
5
6Fixes: Missing EOF check in loop
7No testcase
8
9Found-by: Xiaohei and Wangchu from Alibaba Security Team
10Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
11
12CVE: CVE-2017-14223
13Upstream-Status: Backport
14
15Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
16---
17 libavformat/asfdec_f.c | 5 +++++
18 1 file changed, 5 insertions(+)
19
20diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
21index f3acbae..cc648b9 100644
22--- a/libavformat/asfdec_f.c
23+++ b/libavformat/asfdec_f.c
24@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index)
25 int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum;
26 int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0);
27
28+ if (avio_feof(s->pb)) {
29+ ret = AVERROR_INVALIDDATA;
30+ goto end;
31+ }
32+
33 if (pos != last_pos) {
34 av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n",
35 pktnum, pktct, index_pts);
36--
372.1.0
38
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch
new file mode 100644
index 0000000000..ce6845eecf
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch
@@ -0,0 +1,49 @@
1Subject: [PATCH] ffprobe: Fix null pointer dereference with color primaries
2
3Found-by: AD-lab of venustech
4Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5
6CVE: CVE-2017-14225
7Upstream-Status: Backport
8
9Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
10---
11 ffprobe.c | 15 +++++++++++----
12 1 file changed, 11 insertions(+), 4 deletions(-)
13
14diff --git a/ffprobe.c b/ffprobe.c
15index a219fc1..df22b30 100644
16--- a/ffprobe.c
17+++ b/ffprobe.c
18@@ -1899,6 +1899,16 @@ static void print_pkt_side_data(WriterContext *w,
19 writer_print_section_footer(w);
20 }
21
22+static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries)
23+{
24+ const char *val = av_color_primaries_name(color_primaries);
25+ if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
26+ print_str_opt("color_primaries", "unknown");
27+ } else {
28+ print_str("color_primaries", val);
29+ }
30+}
31+
32 static void clear_log(int need_lock)
33 {
34 int i;
35@@ -2420,10 +2430,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id
36 else
37 print_str_opt("color_transfer", av_color_transfer_name(par->color_trc));
38
39- if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
40- print_str("color_primaries", av_color_primaries_name(par->color_primaries));
41- else
42- print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries));
43+ print_primaries(w, par->color_primaries);
44
45 if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
46 print_str("chroma_location", av_chroma_location_name(par->chroma_location));
47--
482.1.0
49
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb
index b4de97300d..c1ebecf933 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb
@@ -26,6 +26,18 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
26SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ 26SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
27 file://mips64_cpu_detection.patch \ 27 file://mips64_cpu_detection.patch \
28 file://0001-build-fix-for-mips.patch \ 28 file://0001-build-fix-for-mips.patch \
29 file://CVE-2017-14054.patch \
30 file://CVE-2017-14055.patch \
31 file://CVE-2017-14056.patch \
32 file://CVE-2017-14057.patch \
33 file://CVE-2017-14058.patch \
34 file://CVE-2017-14059.patch \
35 file://CVE-2017-14169.patch \
36 file://CVE-2017-14170.patch \
37 file://CVE-2017-14171.patch \
38 file://CVE-2017-14222.patch \
39 file://CVE-2017-14223.patch \
40 file://CVE-2017-14225.patch \
29 " 41 "
30SRC_URI[md5sum] = "743dc66ebe67180283b92d029f690d0f" 42SRC_URI[md5sum] = "743dc66ebe67180283b92d029f690d0f"
31SRC_URI[sha256sum] = "d2a9002cdc6b533b59728827186c044ad02ba64841f1b7cd6c21779875453a1e" 43SRC_URI[sha256sum] = "d2a9002cdc6b533b59728827186c044ad02ba64841f1b7cd6c21779875453a1e"