diff options
author | Roy Li <rongqing.li@windriver.com> | 2014-11-18 21:02:11 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-12-31 10:18:22 +0000 |
commit | e8404413fe904a289f7db1f41856dcc954866152 (patch) | |
tree | ea0b8a59de3ea2255b055c3f082c2c2951b63849 /meta/recipes-multimedia/gstreamer | |
parent | d6cbbee29cf780a432a4a6f2cba1c2de00b30d43 (diff) | |
download | poky-e8404413fe904a289f7db1f41856dcc954866152.tar.gz |
gst-ffmpeg: fixes for CVE-2014-8548 and CVE-2014-8541
Issue: LIN7-1755
Issue: LIN7-1739
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8541
libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension
differences, and not bits-per-pixel differences, when determining whether an
image size has changed, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted MJPEG data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8548
Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted Quicktime Graphics (aka SMC) video
data.
(From OE-Core rev: 4bd50c5a967af2b8f0fe77b8f9c100169e4fc531)
(From OE-Core rev: fad70ea3495329a39329532f59de3b14c22c2d15)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/gstreamer')
3 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch new file mode 100644 index 0000000000..3ca6fc4dc5 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch | |||
@@ -0,0 +1,32 @@ | |||
1 | From c17a0ad1df15a94d0b1239adc2afb593bdf0a153 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 22:50:45 +0200 | ||
4 | Subject: [PATCH 1/2] avcodec/smc: fix off by 1 error | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Fixes out of array access | ||
9 | Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov | ||
10 | |||
11 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
12 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
13 | --- | ||
14 | libavcodec/smc.c | 2 +- | ||
15 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
16 | |||
17 | diff --git a/gst-libs/ext/libav/libavcodec/smc.c b/gst-libs/ext/libav/libavcodec/smc.c | ||
18 | index 3cd5e53..dec9f71 100644 | ||
19 | --- a/gst-libs/ext/libav/libavcodec/smc.c | ||
20 | +++ b/gst-libs/ext/libav/libavcodec/smc.c | ||
21 | @@ -69,7 +69,7 @@ typedef struct SmcContext { | ||
22 | row_ptr += stride * 4; \ | ||
23 | } \ | ||
24 | total_blocks--; \ | ||
25 | - if (total_blocks < 0) \ | ||
26 | + if (total_blocks < 0 + !!n_blocks) \ | ||
27 | { \ | ||
28 | av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ | ||
29 | return; \ | ||
30 | -- | ||
31 | 2.1.0 | ||
32 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch new file mode 100644 index 0000000000..c8bafd570e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From 6043c431c97d55173f339fafbd033d3c0642e2e9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 3 Oct 2014 01:50:27 +0200 | ||
4 | Subject: [PATCH 2/2] avcodec/mjpegdec: check bits per pixel for changes | ||
5 | similar to dimensions | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | |||
9 | Fixes out of array accesses | ||
10 | Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi | ||
11 | |||
12 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
13 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
14 | |||
15 | Conflicts: | ||
16 | libavcodec/mjpegdec.c | ||
17 | --- | ||
18 | libavcodec/mjpegdec.c | 15 ++++++++------- | ||
19 | 1 file changed, 8 insertions(+), 7 deletions(-) | ||
20 | |||
21 | diff --git a/gst-libs/ext/libav/libavcodec/mjpegdec.c b/gst-libs/ext/libav/libavcodec/mjpegdec.c | ||
22 | index 84343c0..c0137d8 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/mjpegdec.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c | ||
25 | @@ -210,16 +210,16 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) | ||
26 | |||
27 | int ff_mjpeg_decode_sof(MJpegDecodeContext *s) | ||
28 | { | ||
29 | - int len, nb_components, i, width, height, pix_fmt_id; | ||
30 | + int len, nb_components, i, bits, width, height, pix_fmt_id; | ||
31 | |||
32 | /* XXX: verify len field validity */ | ||
33 | len = get_bits(&s->gb, 16); | ||
34 | - s->bits= get_bits(&s->gb, 8); | ||
35 | + bits= get_bits(&s->gb, 8); | ||
36 | |||
37 | - if(s->pegasus_rct) s->bits=9; | ||
38 | - if(s->bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly | ||
39 | + if(s->pegasus_rct) bits=9; | ||
40 | + if(bits==9 && !s->pegasus_rct) s->rct=1; //FIXME ugly | ||
41 | |||
42 | - if (s->bits != 8 && !s->lossless){ | ||
43 | + if (bits != 8 && !s->lossless){ | ||
44 | av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); | ||
45 | return -1; | ||
46 | } | ||
47 | @@ -239,7 +239,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) | ||
48 | if (nb_components <= 0 || | ||
49 | nb_components > MAX_COMPONENTS) | ||
50 | return -1; | ||
51 | - if (s->ls && !(s->bits <= 8 || nb_components == 1)){ | ||
52 | + if (s->ls && !(bits <= 8 || nb_components == 1)){ | ||
53 | av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n"); | ||
54 | return -1; | ||
55 | } | ||
56 | @@ -272,10 +272,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) | ||
57 | |||
58 | /* if different size, realloc/alloc picture */ | ||
59 | /* XXX: also check h_count and v_count */ | ||
60 | - if (width != s->width || height != s->height) { | ||
61 | + if (width != s->width || height != s->height || bits != s->bits) { | ||
62 | av_freep(&s->qscale_table); | ||
63 | |||
64 | s->width = width; | ||
65 | + s->bits= bits; | ||
66 | s->height = height; | ||
67 | s->interlaced = 0; | ||
68 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index 395054de5d..30e5deb1f9 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb | |||
@@ -55,6 +55,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ | |||
55 | file://0001-ffserver-set-oformat.patch \ | 55 | file://0001-ffserver-set-oformat.patch \ |
56 | file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \ | 56 | file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \ |
57 | file://0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch \ | 57 | file://0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch \ |
58 | file://0001-avcodec-smc-fix-off-by-1-error.patch \ | ||
59 | file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \ | ||
58 | ${@bb.utils.contains('PACKAGECONFIG', 'libav9', 'file://libav-9.patch', '', d)} \ | 60 | ${@bb.utils.contains('PACKAGECONFIG', 'libav9', 'file://libav-9.patch', '', d)} \ |
59 | " | 61 | " |
60 | 62 | ||