diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-27 11:56:19 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-29 13:43:29 +0100 |
commit | f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4 (patch) | |
tree | 54cf039b24049d7fa341ef7d3d23b426c649cb91 /meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch | |
parent | 48169ac9bcd93f436ce166bd440157948613a495 (diff) | |
download | poky-f9f97a1fed798b30dd0c0a1d7794a1abf9883ab4.tar.gz |
gst-ffmpeg: fix for Security Advisory CVE-2013-0868
libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) len==0 cases.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
(From OE-Core rev: 29dcc2c8e834cf43e415eedefb8fce9667b3aa40)
(From OE-Core rev: 8229523ea86e9545cc0ee9e34af12a2f84d0809e)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch new file mode 100644 index 0000000000..e859e443bb --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Tue, 29 Jan 2013 18:29:41 +0100 | ||
4 | Subject: [PATCH] huffyuvdec: Check init_vlc() return codes. | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0 | ||
9 | |||
10 | Prevents out of array writes | ||
11 | |||
12 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
13 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
14 | (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) | ||
15 | |||
16 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
17 | --- | ||
18 | libavcodec/huffyuv.c | 14 ++++++++++---- | ||
19 | 1 file changed, 10 insertions(+), 4 deletions(-) | ||
20 | |||
21 | diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c | ||
22 | index 58da789..993e524 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/huffyuv.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/huffyuv.c | ||
25 | @@ -33,6 +33,7 @@ | ||
26 | #include "put_bits.h" | ||
27 | #include "dsputil.h" | ||
28 | #include "thread.h" | ||
29 | +#include "libavutil/avassert.h" | ||
30 | |||
31 | #define VLC_BITS 11 | ||
32 | |||
33 | @@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo | ||
34 | int len1 = s->len[p][u]; | ||
35 | if (len1 > limit || !len1) | ||
36 | continue; | ||
37 | + av_assert0(i < (1 << VLC_BITS)); | ||
38 | len[i] = len0 + len1; | ||
39 | bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; | ||
40 | symbols[i] = (y<<8) + u; | ||
41 | @@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo | ||
42 | int len2 = s->len[2][r&255]; | ||
43 | if (len2 > limit1 || !len2) | ||
44 | continue; | ||
45 | + av_assert0(i < (1 << VLC_BITS)); | ||
46 | len[i] = len0 + len1 + len2; | ||
47 | bits[i] = (code << len2) + s->bits[2][r&255]; | ||
48 | if(s->decorrelate){ | ||
49 | @@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo | ||
50 | static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ | ||
51 | GetBitContext gb; | ||
52 | int i; | ||
53 | + int ret; | ||
54 | |||
55 | init_get_bits(&gb, src, length*8); | ||
56 | |||
57 | @@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte | ||
58 | return -1; | ||
59 | } | ||
60 | free_vlc(&s->vlc[i]); | ||
61 | - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); | ||
62 | + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, | ||
63 | + s->bits[i], 4, 4, 0)) < 0) | ||
64 | + return ret; | ||
65 | } | ||
66 | |||
67 | generate_joint_tables(s); | ||
68 | @@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC | ||
69 | #if 1 | ||
70 | GetBitContext gb; | ||
71 | int i; | ||
72 | + int ret; | ||
73 | |||
74 | init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8); | ||
75 | if(read_len_table(s->len[0], &gb)<0) | ||
76 | @@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC | ||
77 | |||
78 | for(i=0; i<3; i++){ | ||
79 | free_vlc(&s->vlc[i]); | ||
80 | - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); | ||
81 | + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, | ||
82 | + s->bits[i], 4, 4, 0)) < 0) | ||
83 | + return ret; | ||
84 | } | ||
85 | |||
86 | generate_joint_tables(s); | ||
87 | -- | ||