gst-plugins-bad: fix CVE-2015-0797

Backport patch from debian to fix CVE-2015-0797. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784220 https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Kang Kai <kai.kang@windriver.com> 2015-06-15 10:48:43 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2015-06-17 22:36:12 +0200
commit: 6cb3b63559bf33946f1c5d43626413d9a651e83f (patch)
tree: a70b9ecea7257a3554b12f9875dad07fc4c489da /meta-multimedia
parent: ce4aa917f0ff0acc740e4493ca9a950880d37fc6 (diff)
download: meta-openembedded-6cb3b63559bf33946f1c5d43626413d9a651e83f.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch
new file mode 100644
index 0000000000..235acda8bf
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch
@@ -0,0 +1,36 @@
+Description: Fix buffer overflow in mp4 parsing
+Author: Ralph Giles <giles@mozilla.com>
+---
+Backport patch from debian to fix CVE-2015-0797.
+https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c
+++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c
+@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse *
+ 
+   GST_DEBUG_OBJECT (h264parse, "nal length %d", size);
+ 
+  if (size > G_MAXUINT32 - nl) {
+    GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL),
+        ("overflow in nal size"));
+    return NULL;
+  }
+   buf = gst_buffer_new_and_alloc (size + nl + 4);
+   if (format == GST_H264_PARSE_FORMAT_AVC) {
+     GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl));
+@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse
+     GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size);
+     return;
+   }
+  if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) {
+    GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)",
+        nalu->size);
+    return;
+  }
+ 
+   /* we have a peek as well */
+   nal_type = nalu->type;
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb
index 0f64871497..4d94483462 100644
--- a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb
@@ -10,6 +10,8 @@ DEPENDS += "gst-plugins-base"
 PR = "r4"
+SRC_URI += "file://buffer-overflow-mp4.patch"
 inherit gettext gsettings
 EXTRA_OECONF += "--disable-experimental \
author	Kang Kai <kai.kang@windriver.com>	2015-06-15 10:48:43 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2015-06-17 22:36:12 +0200
commit	6cb3b63559bf33946f1c5d43626413d9a651e83f (patch)
tree	a70b9ecea7257a3554b12f9875dad07fc4c489da /meta-multimedia
parent	ce4aa917f0ff0acc740e4493ca9a950880d37fc6 (diff)
download	meta-openembedded-6cb3b63559bf33946f1c5d43626413d9a651e83f.tar.gz

diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch new file mode 100644 index 0000000000..235acda8bf --- /dev/null +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad/buffer-overflow-mp4.patch
@@ -0,0 +1,36 @@
		1	Description: Fix buffer overflow in mp4 parsing
		2	Author: Ralph Giles <giles@mozilla.com>
		3	---
		4	Backport patch from debian to fix CVE-2015-0797.
		5	https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		10	---
		11	--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c
		12	+++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c
		13	@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse *
		14
		15	GST_DEBUG_OBJECT (h264parse, "nal length %d", size);
		16
		17	+ if (size > G_MAXUINT32 - nl) {
		18	+ GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL),
		19	+ ("overflow in nal size"));
		20	+ return NULL;
		21	+ }
		22	buf = gst_buffer_new_and_alloc (size + nl + 4);
		23	if (format == GST_H264_PARSE_FORMAT_AVC) {
		24	GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 * nl));
		25	@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse
		26	GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu->size);
		27	return;
		28	}
		29	+ if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) {
		30	+ GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too big)",
		31	+ nalu->size);
		32	+ return;
		33	+ }
		34
		35	/* we have a peek as well */
		36	nal_type = nalu->type;


diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb index 0f64871497..4d94483462 100644 --- a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb +++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-plugins-bad_0.10.23.bb
@@ -10,6 +10,8 @@ DEPENDS += "gst-plugins-base"
10		10
11	PR = "r4"	11	PR = "r4"
12		12
		13	SRC_URI += "file://buffer-overflow-mp4.patch"
		14
13	inherit gettext gsettings	15	inherit gettext gsettings
14		16
15	EXTRA_OECONF += "--disable-experimental \	17	EXTRA_OECONF += "--disable-experimental \