diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2017-09-26 15:43:24 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-10-07 23:20:39 +0100 |
commit | 4435ab4a3b2acbd66910dad5c602ec71f8902386 (patch) | |
tree | 5b429173d641ea6df515dbb542ed4a0e4c6ee3e9 /meta/recipes-multimedia/ffmpeg | |
parent | 7ea2d2fb57572a03e322810c57e73b9255de9053 (diff) | |
download | poky-4435ab4a3b2acbd66910dad5c602ec71f8902386.tar.gz |
ffmpeg: backport patches to fix 12 CVEs
Backport patches to fix the following CVEs.
CVE-2017-14054
CVE-2017-14055
CVE-2017-14056
CVE-2017-14057
CVE-2017-14058
CVE-2017-14059
CVE-2017-14169
CVE-2017-14170
CVE-2017-14171
CVE-2017-14222
CVE-2017-14223
CVE-2017-14225
(From OE-Core rev: 13862938a6a7a938f8d781655ceaf78a81b57549)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/ffmpeg')
13 files changed, 573 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch new file mode 100644 index 0000000000..e8baa188a3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14054.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 124eb202e70678539544f6268efc98131f19fa49 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:28 +0200 | ||
5 | Subject: [PATCH] avformat/rmdec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.ivr | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14054 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/rmdec.c | 5 ++++- | ||
18 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c | ||
21 | index 178eaea..d6d7d9c 100644 | ||
22 | --- a/libavformat/rmdec.c | ||
23 | +++ b/libavformat/rmdec.c | ||
24 | @@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s) | ||
25 | av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); | ||
26 | } else if (type == 4) { | ||
27 | av_log(s, AV_LOG_DEBUG, "%s = '0x", key); | ||
28 | - for (j = 0; j < len; j++) | ||
29 | + for (j = 0; j < len; j++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); | ||
33 | + } | ||
34 | av_log(s, AV_LOG_DEBUG, "'\n"); | ||
35 | } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { | ||
36 | nb_streams = value = avio_rb32(pb); | ||
37 | -- | ||
38 | 2.1.0 | ||
39 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch new file mode 100644 index 0000000000..37d0d1ab7f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14055.patch | |||
@@ -0,0 +1,34 @@ | |||
1 | From 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Fri, 25 Aug 2017 01:15:30 +0200 | ||
4 | Subject: [PATCH] avformat/mvdec: Fix DoS due to lack of eof check | ||
5 | |||
6 | Fixes: loop.mv | ||
7 | |||
8 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
9 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
10 | |||
11 | CVE: CVE-2017-14055 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
15 | --- | ||
16 | libavformat/mvdec.c | 2 ++ | ||
17 | 1 file changed, 2 insertions(+) | ||
18 | |||
19 | diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c | ||
20 | index 0e12c8c..f7aa4cb 100644 | ||
21 | --- a/libavformat/mvdec.c | ||
22 | +++ b/libavformat/mvdec.c | ||
23 | @@ -342,6 +342,8 @@ static int mv_read_header(AVFormatContext *avctx) | ||
24 | uint32_t pos = avio_rb32(pb); | ||
25 | uint32_t asize = avio_rb32(pb); | ||
26 | uint32_t vsize = avio_rb32(pb); | ||
27 | + if (avio_feof(pb)) | ||
28 | + return AVERROR_INVALIDDATA; | ||
29 | avio_skip(pb, 8); | ||
30 | av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); | ||
31 | av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); | ||
32 | -- | ||
33 | 2.1.0 | ||
34 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch new file mode 100644 index 0000000000..088b357b25 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14056.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:29 +0200 | ||
5 | Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.rl2 | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14056 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/rl2.c | 15 ++++++++++++--- | ||
18 | 1 file changed, 12 insertions(+), 3 deletions(-) | ||
19 | |||
20 | diff --git a/libavformat/rl2.c b/libavformat/rl2.c | ||
21 | index 0bec8f1..eb1682d 100644 | ||
22 | --- a/libavformat/rl2.c | ||
23 | +++ b/libavformat/rl2.c | ||
24 | @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) | ||
25 | } | ||
26 | |||
27 | /** read offset and size tables */ | ||
28 | - for(i=0; i < frame_count;i++) | ||
29 | + for(i=0; i < frame_count;i++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | chunk_size[i] = avio_rl32(pb); | ||
33 | - for(i=0; i < frame_count;i++) | ||
34 | + } | ||
35 | + for(i=0; i < frame_count;i++) { | ||
36 | + if (avio_feof(pb)) | ||
37 | + return AVERROR_INVALIDDATA; | ||
38 | chunk_offset[i] = avio_rl32(pb); | ||
39 | - for(i=0; i < frame_count;i++) | ||
40 | + } | ||
41 | + for(i=0; i < frame_count;i++) { | ||
42 | + if (avio_feof(pb)) | ||
43 | + return AVERROR_INVALIDDATA; | ||
44 | audio_size[i] = avio_rl32(pb) & 0xFFFF; | ||
45 | + } | ||
46 | |||
47 | /** build the sample index */ | ||
48 | for(i=0;i<frame_count;i++){ | ||
49 | -- | ||
50 | 2.1.0 | ||
51 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch new file mode 100644 index 0000000000..b301d233b3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14057.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 7f9ec5593e04827249e7aeb466da06a98a0d7329 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 12:37:25 +0200 | ||
5 | Subject: [PATCH] avformat/asfdec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.asf | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14057 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/asfdec_f.c | 6 ++++-- | ||
18 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
19 | |||
20 | diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c | ||
21 | index be09a92..f3acbae 100644 | ||
22 | --- a/libavformat/asfdec_f.c | ||
23 | +++ b/libavformat/asfdec_f.c | ||
24 | @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) | ||
25 | count = avio_rl32(pb); // markers count | ||
26 | avio_rl16(pb); // reserved 2 bytes | ||
27 | name_len = avio_rl16(pb); // name length | ||
28 | - for (i = 0; i < name_len; i++) | ||
29 | - avio_r8(pb); // skip the name | ||
30 | + avio_skip(pb, name_len); | ||
31 | |||
32 | for (i = 0; i < count; i++) { | ||
33 | int64_t pres_time; | ||
34 | int name_len; | ||
35 | |||
36 | + if (avio_feof(pb)) | ||
37 | + return AVERROR_INVALIDDATA; | ||
38 | + | ||
39 | avio_rl64(pb); // offset, 8 bytes | ||
40 | pres_time = avio_rl64(pb); // presentation time | ||
41 | pres_time -= asf->hdr.preroll * 10000; | ||
42 | -- | ||
43 | 2.1.0 | ||
44 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch new file mode 100644 index 0000000000..95803cef55 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14058.patch | |||
@@ -0,0 +1,94 @@ | |||
1 | From 7ec414892ddcad88313848494b6fc5f437c9ca4a Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Sat, 26 Aug 2017 01:26:58 +0200 | ||
4 | Subject: [PATCH] avformat/hls: Fix DoS due to infinite loop | ||
5 | |||
6 | Fixes: loop.m3u | ||
7 | |||
8 | The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome | ||
9 | |||
10 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
11 | |||
12 | Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com> | ||
13 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
14 | |||
15 | CVE: CVE-2017-14058 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
19 | --- | ||
20 | doc/demuxers.texi | 18 ++++++++++++++++++ | ||
21 | libavformat/hls.c | 7 +++++++ | ||
22 | 2 files changed, 25 insertions(+) | ||
23 | |||
24 | diff --git a/doc/demuxers.texi b/doc/demuxers.texi | ||
25 | index 29a23d4..73dc0fe 100644 | ||
26 | --- a/doc/demuxers.texi | ||
27 | +++ b/doc/demuxers.texi | ||
28 | @@ -300,6 +300,24 @@ used to end the output video at the length of the shortest input file, | ||
29 | which in this case is @file{input.mp4} as the GIF in this example loops | ||
30 | infinitely. | ||
31 | |||
32 | +@section hls | ||
33 | + | ||
34 | +HLS demuxer | ||
35 | + | ||
36 | +It accepts the following options: | ||
37 | + | ||
38 | +@table @option | ||
39 | +@item live_start_index | ||
40 | +segment index to start live streams at (negative values are from the end). | ||
41 | + | ||
42 | +@item allowed_extensions | ||
43 | +',' separated list of file extensions that hls is allowed to access. | ||
44 | + | ||
45 | +@item max_reload | ||
46 | +Maximum number of times a insufficient list is attempted to be reloaded. | ||
47 | +Default value is 1000. | ||
48 | +@end table | ||
49 | + | ||
50 | @section image2 | ||
51 | |||
52 | Image file demuxer. | ||
53 | diff --git a/libavformat/hls.c b/libavformat/hls.c | ||
54 | index 01731bd..0995345 100644 | ||
55 | --- a/libavformat/hls.c | ||
56 | +++ b/libavformat/hls.c | ||
57 | @@ -205,6 +205,7 @@ typedef struct HLSContext { | ||
58 | AVDictionary *avio_opts; | ||
59 | int strict_std_compliance; | ||
60 | char *allowed_extensions; | ||
61 | + int max_reload; | ||
62 | } HLSContext; | ||
63 | |||
64 | static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) | ||
65 | @@ -1263,6 +1264,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) | ||
66 | HLSContext *c = v->parent->priv_data; | ||
67 | int ret, i; | ||
68 | int just_opened = 0; | ||
69 | + int reload_count = 0; | ||
70 | |||
71 | restart: | ||
72 | if (!v->needed) | ||
73 | @@ -1294,6 +1296,9 @@ restart: | ||
74 | reload_interval = default_reload_interval(v); | ||
75 | |||
76 | reload: | ||
77 | + reload_count++; | ||
78 | + if (reload_count > c->max_reload) | ||
79 | + return AVERROR_EOF; | ||
80 | if (!v->finished && | ||
81 | av_gettime_relative() - v->last_load_time >= reload_interval) { | ||
82 | if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { | ||
83 | @@ -2150,6 +2155,8 @@ static const AVOption hls_options[] = { | ||
84 | OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, | ||
85 | {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, | ||
86 | INT_MIN, INT_MAX, FLAGS}, | ||
87 | + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", | ||
88 | + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, | ||
89 | {NULL} | ||
90 | }; | ||
91 | |||
92 | -- | ||
93 | 2.1.0 | ||
94 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch new file mode 100644 index 0000000000..34fde0be77 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14059.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 7e80b63ecd259d69d383623e75b318bf2bd491f6 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?= | ||
3 | =?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com> | ||
4 | Date: Fri, 25 Aug 2017 01:15:27 +0200 | ||
5 | Subject: [PATCH] avformat/cinedec: Fix DoS due to lack of eof check | ||
6 | |||
7 | Fixes: loop.cine | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14059 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/cinedec.c | 6 +++++- | ||
18 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c | ||
21 | index 763b93b..de34fb9 100644 | ||
22 | --- a/libavformat/cinedec.c | ||
23 | +++ b/libavformat/cinedec.c | ||
24 | @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) | ||
25 | |||
26 | /* parse image offsets */ | ||
27 | avio_seek(pb, offImageOffsets, SEEK_SET); | ||
28 | - for (i = 0; i < st->duration; i++) | ||
29 | + for (i = 0; i < st->duration; i++) { | ||
30 | + if (avio_feof(pb)) | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | + | ||
33 | av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); | ||
34 | + } | ||
35 | |||
36 | return 0; | ||
37 | } | ||
38 | -- | ||
39 | 2.1.0 | ||
40 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch new file mode 100644 index 0000000000..e1284faa93 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14169.patch | |||
@@ -0,0 +1,39 @@ | |||
1 | From 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | Fixes: 20170829B.mxf | ||
11 | |||
12 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
13 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
14 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
15 | |||
16 | CVE: CVE-2017-14169 | ||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
20 | --- | ||
21 | libavformat/mxfdec.c | 2 +- | ||
22 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c | ||
25 | index 6adb77d..91731a7 100644 | ||
26 | --- a/libavformat/mxfdec.c | ||
27 | +++ b/libavformat/mxfdec.c | ||
28 | @@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U | ||
29 | avpriv_request_sample(pb, "Primer pack item length %d", item_len); | ||
30 | return AVERROR_PATCHWELCOME; | ||
31 | } | ||
32 | - if (item_num > 65536) { | ||
33 | + if (item_num > 65536 || item_num < 0) { | ||
34 | av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); | ||
35 | return AVERROR_INVALIDDATA; | ||
36 | } | ||
37 | -- | ||
38 | 2.1.0 | ||
39 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch new file mode 100644 index 0000000000..8860125030 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14170.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From 900f39692ca0337a98a7cf047e4e2611071810c2 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/mxfdec: Fix DoS issues in | ||
6 | mxf_read_index_entry_array() | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=UTF-8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | Fixes: 20170829A.mxf | ||
12 | |||
13 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
14 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
15 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
16 | |||
17 | CVE: CVE-2017-14170 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
21 | --- | ||
22 | libavformat/mxfdec.c | 4 ++++ | ||
23 | 1 file changed, 4 insertions(+) | ||
24 | |||
25 | diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c | ||
26 | index f8d0f9e..6adb77d 100644 | ||
27 | --- a/libavformat/mxfdec.c | ||
28 | +++ b/libavformat/mxfdec.c | ||
29 | @@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg | ||
30 | segment->nb_index_entries = avio_rb32(pb); | ||
31 | |||
32 | length = avio_rb32(pb); | ||
33 | + if(segment->nb_index_entries && length < 11) | ||
34 | + return AVERROR_INVALIDDATA; | ||
35 | |||
36 | if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || | ||
37 | !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || | ||
38 | @@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg | ||
39 | } | ||
40 | |||
41 | for (i = 0; i < segment->nb_index_entries; i++) { | ||
42 | + if(avio_feof(pb)) | ||
43 | + return AVERROR_INVALIDDATA; | ||
44 | segment->temporal_offset_entries[i] = avio_r8(pb); | ||
45 | avio_r8(pb); /* KeyFrameOffset */ | ||
46 | segment->flag_entries[i] = avio_r8(pb); | ||
47 | -- | ||
48 | 2.1.0 | ||
49 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch new file mode 100644 index 0000000000..e2ae2040cf --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14171.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From c24bcb553650b91e9eff15ef6e54ca73de2453b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= | ||
3 | <tony.sh@alibaba-inc.com> | ||
4 | Date: Tue, 29 Aug 2017 23:59:21 +0200 | ||
5 | Subject: [PATCH] avformat/nsvdec: Fix DoS due to lack of eof check in | ||
6 | nsvs_file_offset loop. | ||
7 | MIME-Version: 1.0 | ||
8 | Content-Type: text/plain; charset=UTF-8 | ||
9 | Content-Transfer-Encoding: 8bit | ||
10 | |||
11 | Fixes: 20170829.nsv | ||
12 | |||
13 | Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> | ||
14 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
15 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
16 | |||
17 | CVE: CVE-2017-14171 | ||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
21 | --- | ||
22 | libavformat/nsvdec.c | 5 ++++- | ||
23 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c | ||
26 | index c6ddb67..d8ce656 100644 | ||
27 | --- a/libavformat/nsvdec.c | ||
28 | +++ b/libavformat/nsvdec.c | ||
29 | @@ -335,8 +335,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) | ||
30 | if (!nsv->nsvs_file_offset) | ||
31 | return AVERROR(ENOMEM); | ||
32 | |||
33 | - for(i=0;i<table_entries_used;i++) | ||
34 | + for(i=0;i<table_entries_used;i++) { | ||
35 | + if (avio_feof(pb)) | ||
36 | + return AVERROR_INVALIDDATA; | ||
37 | nsv->nsvs_file_offset[i] = avio_rl32(pb) + size; | ||
38 | + } | ||
39 | |||
40 | if(table_entries > table_entries_used && | ||
41 | avio_rl32(pb) == MKTAG('T','O','C','2')) { | ||
42 | -- | ||
43 | 2.1.0 | ||
44 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch new file mode 100644 index 0000000000..ee02037948 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14222.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 9cb4eb772839c5e1de2855d126bf74ff16d13382 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Tue, 5 Sep 2017 00:16:29 +0200 | ||
4 | Subject: [PATCH] avformat/mov: Fix DoS in read_tfra() | ||
5 | |||
6 | Fixes: Missing EOF check in loop | ||
7 | No testcase | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14222 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/mov.c | 7 +++++++ | ||
18 | 1 file changed, 7 insertions(+) | ||
19 | |||
20 | diff --git a/libavformat/mov.c b/libavformat/mov.c | ||
21 | index 994e9c6..2519707 100644 | ||
22 | --- a/libavformat/mov.c | ||
23 | +++ b/libavformat/mov.c | ||
24 | @@ -6094,6 +6094,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) | ||
25 | } | ||
26 | for (i = 0; i < index->item_count; i++) { | ||
27 | int64_t time, offset; | ||
28 | + | ||
29 | + if (avio_feof(f)) { | ||
30 | + index->item_count = 0; | ||
31 | + av_freep(&index->items); | ||
32 | + return AVERROR_INVALIDDATA; | ||
33 | + } | ||
34 | + | ||
35 | if (version == 1) { | ||
36 | time = avio_rb64(f); | ||
37 | offset = avio_rb64(f); | ||
38 | -- | ||
39 | 2.1.0 | ||
40 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch new file mode 100644 index 0000000000..d1fef6b144 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14223.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From afc9c683ed9db01edb357bc8c19edad4282b3a97 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Tue, 5 Sep 2017 00:16:29 +0200 | ||
4 | Subject: [PATCH] avformat/asfdec: Fix DoS in asf_build_simple_index() | ||
5 | |||
6 | Fixes: Missing EOF check in loop | ||
7 | No testcase | ||
8 | |||
9 | Found-by: Xiaohei and Wangchu from Alibaba Security Team | ||
10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
11 | |||
12 | CVE: CVE-2017-14223 | ||
13 | Upstream-Status: Backport | ||
14 | |||
15 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
16 | --- | ||
17 | libavformat/asfdec_f.c | 5 +++++ | ||
18 | 1 file changed, 5 insertions(+) | ||
19 | |||
20 | diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c | ||
21 | index f3acbae..cc648b9 100644 | ||
22 | --- a/libavformat/asfdec_f.c | ||
23 | +++ b/libavformat/asfdec_f.c | ||
24 | @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) | ||
25 | int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; | ||
26 | int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); | ||
27 | |||
28 | + if (avio_feof(s->pb)) { | ||
29 | + ret = AVERROR_INVALIDDATA; | ||
30 | + goto end; | ||
31 | + } | ||
32 | + | ||
33 | if (pos != last_pos) { | ||
34 | av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", | ||
35 | pktnum, pktct, index_pts); | ||
36 | -- | ||
37 | 2.1.0 | ||
38 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch new file mode 100644 index 0000000000..ce6845eecf --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2017-14225.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | Subject: [PATCH] ffprobe: Fix null pointer dereference with color primaries | ||
2 | |||
3 | Found-by: AD-lab of venustech | ||
4 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
5 | |||
6 | CVE: CVE-2017-14225 | ||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
10 | --- | ||
11 | ffprobe.c | 15 +++++++++++---- | ||
12 | 1 file changed, 11 insertions(+), 4 deletions(-) | ||
13 | |||
14 | diff --git a/ffprobe.c b/ffprobe.c | ||
15 | index a219fc1..df22b30 100644 | ||
16 | --- a/ffprobe.c | ||
17 | +++ b/ffprobe.c | ||
18 | @@ -1899,6 +1899,16 @@ static void print_pkt_side_data(WriterContext *w, | ||
19 | writer_print_section_footer(w); | ||
20 | } | ||
21 | |||
22 | +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) | ||
23 | +{ | ||
24 | + const char *val = av_color_primaries_name(color_primaries); | ||
25 | + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { | ||
26 | + print_str_opt("color_primaries", "unknown"); | ||
27 | + } else { | ||
28 | + print_str("color_primaries", val); | ||
29 | + } | ||
30 | +} | ||
31 | + | ||
32 | static void clear_log(int need_lock) | ||
33 | { | ||
34 | int i; | ||
35 | @@ -2420,10 +2430,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id | ||
36 | else | ||
37 | print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); | ||
38 | |||
39 | - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) | ||
40 | - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); | ||
41 | - else | ||
42 | - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); | ||
43 | + print_primaries(w, par->color_primaries); | ||
44 | |||
45 | if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) | ||
46 | print_str("chroma_location", av_chroma_location_name(par->chroma_location)); | ||
47 | -- | ||
48 | 2.1.0 | ||
49 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb index b4de97300d..c1ebecf933 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_3.3.3.bb | |||
@@ -26,6 +26,18 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ | |||
26 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | 26 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ |
27 | file://mips64_cpu_detection.patch \ | 27 | file://mips64_cpu_detection.patch \ |
28 | file://0001-build-fix-for-mips.patch \ | 28 | file://0001-build-fix-for-mips.patch \ |
29 | file://CVE-2017-14054.patch \ | ||
30 | file://CVE-2017-14055.patch \ | ||
31 | file://CVE-2017-14056.patch \ | ||
32 | file://CVE-2017-14057.patch \ | ||
33 | file://CVE-2017-14058.patch \ | ||
34 | file://CVE-2017-14059.patch \ | ||
35 | file://CVE-2017-14169.patch \ | ||
36 | file://CVE-2017-14170.patch \ | ||
37 | file://CVE-2017-14171.patch \ | ||
38 | file://CVE-2017-14222.patch \ | ||
39 | file://CVE-2017-14223.patch \ | ||
40 | file://CVE-2017-14225.patch \ | ||
29 | " | 41 | " |
30 | SRC_URI[md5sum] = "743dc66ebe67180283b92d029f690d0f" | 42 | SRC_URI[md5sum] = "743dc66ebe67180283b92d029f690d0f" |
31 | SRC_URI[sha256sum] = "d2a9002cdc6b533b59728827186c044ad02ba64841f1b7cd6c21779875453a1e" | 43 | SRC_URI[sha256sum] = "d2a9002cdc6b533b59728827186c044ad02ba64841f1b7cd6c21779875453a1e" |