diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-07-22 15:46:36 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-10-10 15:06:06 +0100 |
commit | 90623776248e50a7a2b95247ba7b4aeac2dcbdc2 (patch) | |
tree | d04c5c3672b094e3cdc3a46dcb2f078fc34784c7 /meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch | |
parent | 014309709558c47e1b2ed4c79d79b5398201f5f4 (diff) | |
download | poky-90623776248e50a7a2b95247ba7b4aeac2dcbdc2.tar.gz |
gst-ffmpeg: Add CVE patches
Security Advisory - ffmpeg - CVE-2013-0866
The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file, which
triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a
frame is fully initialized, which allows remote attackers to trigger a
NULL pointer dereference via crafted picture data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
Double free vulnerability in the vp3_update_thread_context function in
libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have
an unspecified impact via crafted vp3 data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
The ff_combine_frame function in libavcodec/parser.c in FFmpeg before
2.1 does not properly handle certain memory-allocation errors, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
Integer overflow in the alac_decode_close function in libavcodec/alac.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via a large number of samples per frame in Apple Lossless Audio
Codec (ALAC) data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before
0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute
arbitrary code via unspecified vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via a crafted
width in huffyuv data with the predictor set to median and the
colorspace set to YUV422P, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
The smacker_decode_header_tree function in libavcodec/smacker.c in
FFmpeg before 0.10 allows remote attackers to have an unspecified impact
via crafted Smacker data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944
file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
The decode_mb function in libavcodec/error_resilience.c in FFmpeg before
0.10 allows remote attackers to have an unspecified impact via vectors
related to an uninitialized block index, which triggers an out-of-bound
write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
Array index error in the qdm2_decode_super_block function in
libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have
an unspecified impact via crafted QDM2 data, which triggers an
out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
The av_probe_input_buffer function in libavformat/utils.c in FFmpeg
before 1.0.2, when running with certain -probesize values, allows remote
attackers to cause a denial of service (crash) via a crafted MP3 file,
possibly related to frame size or lack of sufficient frames to estimate
rate.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617
The prepare_sdp_description function in ffserver.c in FFmpeg before
1.0.2 allows remote attackers to cause a denial of service (crash) via
vectors related to the rtp format.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617
(From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409)
(From OE-Core rev: 9b3a2d0716540dae72376a8c2e418b244a85c0cb)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch | 183 |
1 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch new file mode 100644 index 0000000000..e83d8f402b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch | |||
@@ -0,0 +1,183 @@ | |||
1 | gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error. | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | Signed-off-by: Yue.Tao <yue.tao@windriver.com> | ||
6 | |||
7 | --- | ||
8 | libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------ | ||
9 | 1 files changed, 45 insertions(+), 14 deletions(-) | ||
10 | |||
11 | diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c | ||
12 | index 36715bb..ce14e63 100644 | ||
13 | --- a/gst-libs/ext/libav/libavcodec/vp3.c | ||
14 | +++ b/gst-libs/ext/libav/libavcodec/vp3.c | ||
15 | @@ -45,6 +45,7 @@ | ||
16 | #define FRAGMENT_PIXELS 8 | ||
17 | |||
18 | static av_cold int vp3_decode_end(AVCodecContext *avctx); | ||
19 | +static void vp3_decode_flush(AVCodecContext *avctx); | ||
20 | |||
21 | //FIXME split things out into their own arrays | ||
22 | typedef struct Vp3Fragment { | ||
23 | @@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
24 | /* decode a VLC into a token */ | ||
25 | token = get_vlc2(gb, vlc_table, 11, 3); | ||
26 | /* use the token to get a zero run, a coefficient, and an eob run */ | ||
27 | - if (token <= 6) { | ||
28 | + if ((unsigned) token <= 6U) { | ||
29 | eob_run = eob_run_base[token]; | ||
30 | if (eob_run_get_bits[token]) | ||
31 | eob_run += get_bits(gb, eob_run_get_bits[token]); | ||
32 | @@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
33 | coeff_i += eob_run; | ||
34 | eob_run = 0; | ||
35 | } | ||
36 | - } else { | ||
37 | + } else if (token >= 0) { | ||
38 | bits_to_get = coeff_get_bits[token]; | ||
39 | if (bits_to_get) | ||
40 | bits_to_get = get_bits(gb, bits_to_get); | ||
41 | @@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, | ||
42 | for (i = coeff_index+1; i <= coeff_index+zero_run; i++) | ||
43 | s->num_coded_frags[plane][i]--; | ||
44 | coeff_i++; | ||
45 | + } else { | ||
46 | + av_log(s->avctx, AV_LOG_ERROR, | ||
47 | + "Invalid token %d\n", token); | ||
48 | + return -1; | ||
49 | } | ||
50 | } | ||
51 | |||
52 | @@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
53 | /* unpack the Y plane DC coefficients */ | ||
54 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0, | ||
55 | 0, residual_eob_run); | ||
56 | + if (residual_eob_run < 0) | ||
57 | + return residual_eob_run; | ||
58 | |||
59 | /* reverse prediction of the Y-plane DC coefficients */ | ||
60 | reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); | ||
61 | @@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
62 | /* unpack the C plane DC coefficients */ | ||
63 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, | ||
64 | 1, residual_eob_run); | ||
65 | + if (residual_eob_run < 0) | ||
66 | + return residual_eob_run; | ||
67 | residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0, | ||
68 | 2, residual_eob_run); | ||
69 | + if (residual_eob_run < 0) | ||
70 | + return residual_eob_run; | ||
71 | |||
72 | /* reverse prediction of the C-plane DC coefficients */ | ||
73 | if (!(s->avctx->flags & CODEC_FLAG_GRAY)) | ||
74 | @@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) | ||
75 | for (i = 1; i <= 63; i++) { | ||
76 | residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i, | ||
77 | 0, residual_eob_run); | ||
78 | + if (residual_eob_run < 0) | ||
79 | + return residual_eob_run; | ||
80 | |||
81 | residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, | ||
82 | 1, residual_eob_run); | ||
83 | + if (residual_eob_run < 0) | ||
84 | + return residual_eob_run; | ||
85 | residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i, | ||
86 | 2, residual_eob_run); | ||
87 | + if (residual_eob_run < 0) | ||
88 | + return residual_eob_run; | ||
89 | } | ||
90 | |||
91 | return 0; | ||
92 | @@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * | ||
93 | Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data; | ||
94 | int qps_changed = 0, i, err; | ||
95 | |||
96 | +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) | ||
97 | + | ||
98 | if (!s1->current_frame.data[0] | ||
99 | ||s->width != s1->width | ||
100 | - ||s->height!= s1->height) | ||
101 | + ||s->height!= s1->height) { | ||
102 | + if (s != s1) | ||
103 | + copy_fields(s, s1, golden_frame, current_frame); | ||
104 | return -1; | ||
105 | + } | ||
106 | |||
107 | if (s != s1) { | ||
108 | // init tables if the first frame hasn't been decoded | ||
109 | @@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext * | ||
110 | memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1])); | ||
111 | } | ||
112 | |||
113 | -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field) | ||
114 | - | ||
115 | // copy previous frame data | ||
116 | copy_fields(s, s1, golden_frame, dsp); | ||
117 | |||
118 | @@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) | ||
119 | Vp3DecodeContext *s = avctx->priv_data; | ||
120 | int i; | ||
121 | |||
122 | - if (avctx->is_copy && !s->current_frame.data[0]) | ||
123 | - return 0; | ||
124 | - | ||
125 | av_free(s->superblock_coding); | ||
126 | av_free(s->all_fragments); | ||
127 | av_free(s->coded_fragment_list[0]); | ||
128 | @@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx) | ||
129 | free_vlc(&s->motion_vector_vlc); | ||
130 | |||
131 | /* release all frames */ | ||
132 | - if (s->golden_frame.data[0]) | ||
133 | - ff_thread_release_buffer(avctx, &s->golden_frame); | ||
134 | - if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY) | ||
135 | - ff_thread_release_buffer(avctx, &s->last_frame); | ||
136 | - /* no need to release the current_frame since it will always be pointing | ||
137 | - * to the same frame as either the golden or last frame */ | ||
138 | + vp3_decode_flush(avctx); | ||
139 | |||
140 | return 0; | ||
141 | } | ||
142 | @@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx) | ||
143 | ff_thread_release_buffer(avctx, &s->current_frame); | ||
144 | } | ||
145 | |||
146 | +static int vp3_init_thread_copy(AVCodecContext *avctx) | ||
147 | +{ | ||
148 | + Vp3DecodeContext *s = avctx->priv_data; | ||
149 | + | ||
150 | + s->superblock_coding = NULL; | ||
151 | + s->all_fragments = NULL; | ||
152 | + s->coded_fragment_list[0] = NULL; | ||
153 | + s->dct_tokens_base = NULL; | ||
154 | + s->superblock_fragments = NULL; | ||
155 | + s->macroblock_coding = NULL; | ||
156 | + s->motion_val[0] = NULL; | ||
157 | + s->motion_val[1] = NULL; | ||
158 | + s->edge_emu_buffer = NULL; | ||
159 | + | ||
160 | + return 0; | ||
161 | +} | ||
162 | + | ||
163 | AVCodec ff_theora_decoder = { | ||
164 | .name = "theora", | ||
165 | .type = AVMEDIA_TYPE_VIDEO, | ||
166 | @@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = { | ||
167 | .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, | ||
168 | .flush = vp3_decode_flush, | ||
169 | .long_name = NULL_IF_CONFIG_SMALL("Theora"), | ||
170 | + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), | ||
171 | .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) | ||
172 | }; | ||
173 | #endif | ||
174 | @@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = { | ||
175 | .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS, | ||
176 | .flush = vp3_decode_flush, | ||
177 | .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"), | ||
178 | + .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy), | ||
179 | .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context) | ||
180 | }; | ||
181 | -- | ||
182 | 1.7.5.4 | ||
183 | |||