diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-04-14 18:58:29 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-21 19:50:20 +0100 |
commit | 7721eac43a84bb22167bdac698cd8ca324886abb (patch) | |
tree | edbfc1f2074816386a748f97ed0a7263d21f2f01 /meta | |
parent | 46a9ffc167f6c95218cf7eb6653876492e494569 (diff) | |
download | poky-7721eac43a84bb22167bdac698cd8ca324886abb.tar.gz |
gst-ffmpeg: fix for Security Advisory CVE-2013-0865
The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0865
(From OE-Core rev: 4a93fc0a63cedbebfdc9577e2f1deb3598fb5851)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch | 51 | ||||
-rw-r--r-- | meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb | 1 |
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch new file mode 100644 index 0000000000..7e4f682167 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michaelni@gmx.at> | ||
3 | Date: Fri, 25 Jan 2013 06:11:59 +0100 | ||
4 | Subject: [PATCH] vqavideo: check chunk sizes before reading chunks | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | |||
8 | Commit 2cac35086c9e103fa98960c546d5017e7363803a release/0.7 | ||
9 | |||
10 | Fixes out of array writes | ||
11 | |||
12 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind | ||
13 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
14 | (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) | ||
15 | |||
16 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> | ||
17 | --- | ||
18 | libavcodec/vqavideo.c | 10 ++++++++++ | ||
19 | 1 files changed, 10 insertions(+), 0 deletions(-) | ||
20 | |||
21 | diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c | ||
22 | index d1eab5b..6e1ce6c 100644 | ||
23 | --- a/gst-libs/ext/libav/libavcodec/vqavideo.c | ||
24 | +++ b/gst-libs/ext/libav/libavcodec/vqavideo.c | ||
25 | @@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s) | ||
26 | chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]); | ||
27 | cbp0_chunk += CHUNK_PREAMBLE_SIZE; | ||
28 | |||
29 | + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { | ||
30 | + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); | ||
31 | + return AVERROR_INVALIDDATA; | ||
32 | + } | ||
33 | + | ||
34 | /* accumulate partial codebook */ | ||
35 | memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], | ||
36 | &s->buf[cbp0_chunk], chunk_size); | ||
37 | @@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s) | ||
38 | chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]); | ||
39 | cbpz_chunk += CHUNK_PREAMBLE_SIZE; | ||
40 | |||
41 | + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { | ||
42 | + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); | ||
43 | + return AVERROR_INVALIDDATA; | ||
44 | + } | ||
45 | + | ||
46 | /* accumulate partial codebook */ | ||
47 | memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], | ||
48 | &s->buf[cbpz_chunk], chunk_size); | ||
49 | -- | ||
50 | 1.7.5.4 | ||
51 | |||
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index 4913539c68..3d1f207b1b 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb | |||
@@ -24,6 +24,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ | |||
24 | file://libav_e5500.patch \ | 24 | file://libav_e5500.patch \ |
25 | file://gst-ffmpeg-CVE-2013-3674.patch \ | 25 | file://gst-ffmpeg-CVE-2013-3674.patch \ |
26 | file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \ | 26 | file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \ |
27 | file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \ | ||
27 | " | 28 | " |
28 | 29 | ||
29 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" | 30 | SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" |