From 38083d01e77e021f310920d9ac2b10a92238c255 Mon Sep 17 00:00:00 2001 From: Yue Tao Date: Mon, 14 Apr 2014 18:38:34 +0800 Subject: gst-ffmpeg: fix for Security Advisory CVE-2014-2263 The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2263 (From OE-Core rev: 70bf8c8dea82e914a6dcf67aefb6386dbc7706cd) (From OE-Core rev: 408581d744221a1dc723ed6bf4985b1021aa52c4) Signed-off-by: Yue Tao Signed-off-by: Roy Li Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- ...egtsenc-Check-data-array-size-in-mpegts_w.patch | 69 ++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch (limited to 'meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13') diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch new file mode 100644 index 0000000000..68bb66e4e2 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch @@ -0,0 +1,69 @@ +From 12770701856a05b6b3cd706f708f8e9a4e8a1336 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Thu, 13 Feb 2014 13:59:51 +0100 +Subject: [PATCH] avformat/mpegtsenc: Check data array size in + mpegts_write_pmt() + +Upstream-Status: Backport + +COmmit 12770701856a05b6b3cd706f708f8e9a4e8a1336 release/0.11 + +Prevents out of array writes + +Signed-off-by: Michael Niedermayer +(cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad) + +Conflicts: + + libavformat/mpegtsenc.c +(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb) + +Signed-off-by: Michael Niedermayer +--- + libavformat/mpegtsenc.c | 9 +++++++-- + 1 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c +index 793e205..a12d19f 100644 +--- a/gst-libs/ext/libav/libavformat/mpegtsenc.c ++++ b/gst-libs/ext/libav/libavformat/mpegtsenc.c +@@ -240,7 +240,7 @@ static void mpegts_write_pat(AVFormatContext *s) + data, q - data); + } + +-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) ++static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) + { + // MpegTSWrite *ts = s->priv_data; + uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr; +@@ -293,6 +293,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) + stream_type = STREAM_TYPE_PRIVATE_DATA; + break; + } ++ ++ if (q - data > sizeof(data) - 32) ++ return AVERROR(EINVAL); ++ + *q++ = stream_type; + put16(&q, 0xe000 | ts_st->pid); + desc_length_ptr = q; +@@ -324,7 +328,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) + len_ptr = q++; + *len_ptr = 0; + +- for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) { ++ for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) { + next = strchr(p, ','); + if (strlen(p) != 3 && (!next || next != p + 3)) + continue; /* not a 3-letter code */ +@@ -386,6 +390,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service) + } + mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0, + data, q - data); ++ return 0; + } + + /* NOTE: str == NULL is accepted for an empty string */ +-- +1.7.5.4 + -- cgit v1.2.3-54-g00ecf