path: root/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
blob: 3c8d8e353e1f86fdfd80b2674370865647274c09 (plain)
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855

Upstream-Status: Backport 

Signed-off-by: Yue Tao <yue.tao@windriver.com>

diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
index 2a0df8c..bcbd56d 100644
--- a/gst-libs/ext/libav/libavcodec/alac.c.old
+++ b/gst-libs/ext/libav/libavcodec/alac.c
@@ -87,18 +87,44 @@ typedef struct {
     int wasted_bits;
 } ALACContext;
 
-static void allocate_buffers(ALACContext *alac)
+static av_cold int alac_decode_close(AVCodecContext *avctx)
+{
+    ALACContext *alac = avctx->priv_data;
+
+    int chan;
+    for (chan = 0; chan < MAX_CHANNELS; chan++) {
+        av_freep(&alac->predicterror_buffer[chan]);
+        av_freep(&alac->outputsamples_buffer[chan]);
+        av_freep(&alac->wasted_bits_buffer[chan]);
+    }
+
+    return 0;
+}
+
+static int allocate_buffers(ALACContext *alac)
 {
     int chan;
+    int buf_size;
+
+    if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
+        goto buf_alloc_fail;
+    buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
+
     for (chan = 0; chan < MAX_CHANNELS; chan++) {
-        alac->predicterror_buffer[chan] =
-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
 
-        alac->outputsamples_buffer[chan] =
-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
+                         buf_size, buf_alloc_fail);
 
-        alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
+                         buf_size, buf_alloc_fail);
+
+        FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
+                         buf_size, buf_alloc_fail);
     }
+    return 0;
+buf_alloc_fail:
+    alac_decode_close(alac->avctx);
+    return AVERROR(ENOMEM);
 }
 
 static int alac_set_info(ALACContext *alac)
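Review bot: The new guard in allocate_buffers only rules out the multiplication overflow, so a setinfo_max_samples_per_frame of zero, or of several hundred million, still passes. That field appears to be parsed from stream extradata (the parse is outside this hunk), so a crafted file could request three near-2 GiB allocations per channel. Depending on how FF_ALLOC_OR_GOTO treats a zero size, a zero value could also leave the buffers empty while init still reports success. I would reject zero as well, `if (!alac->setinfo_max_samples_per_frame || alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))`, and ideally bound the value by a codec-level sanity limit. That path should also return an invalid-data error rather than `AVERROR(ENOMEM)`, since it signals a malformed stream and not an allocation failure.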
@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
     bytestream_get_be32(&ptr);      /* bitrate ? */
     bytestream_get_be32(&ptr);      /* samplerate */
 
-    allocate_buffers(alac);
-
     return 0;
 }
 
@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
 
 static av_cold int alac_decode_init(AVCodecContext * avctx)
 {
+    int ret;
     ALACContext *alac = avctx->priv_data;
     alac->avctx = avctx;
     alac->numchannels = alac->avctx->channels;
@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
         return -1;
     }
 
-    return 0;
-}
-
-static av_cold int alac_decode_close(AVCodecContext *avctx)
-{
-    ALACContext *alac = avctx->priv_data;
-
-    int chan;
-    for (chan = 0; chan < MAX_CHANNELS; chan++) {
-        av_freep(&alac->predicterror_buffer[chan]);
-        av_freep(&alac->outputsamples_buffer[chan]);
-        av_freep(&alac->wasted_bits_buffer[chan]);
+    if ((ret = allocate_buffers(alac)) < 0) {
+        av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
+        return ret;
     }
 
     return 0;
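Review bot: The buffers are now sized exactly once, in alac_decode_init, but nothing in the new code records that setinfo_max_samples_per_frame must stay fixed afterwards. If alac_set_info is reachable from any other path (its callers are outside this diff, and alac_decode_init starts outside this hunk), the field could grow while the buffers keep their old size. It is worth confirming there is no such caller and adding a comment above the call, such as `/* Buffers are sized from setinfo_max_samples_per_frame here, once; the value must not change after init. */`. A smaller point: FF_ALLOC_OR_GOTO is passed a log context and likely logs the failure itself, so the extra "Error allocating buffers" line may be redundant.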