From: Saul Wold <sgw@linux.intel.com>
To: rongqing.li@windriver.com, openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868
Date: Mon, 19 May 2014 08:39:55 -0700
Message-ID: <537A25CB.9060408@linux.intel.com>
In-Reply-To: <c24e84fbaaad5b3761f135cf7dce07e3b9990bb3.1400201782.git.rongqing.li@windriver.com>

On 05/15/2014 07:12 PM, rongqing.li@windriver.com wrote:
> From: Yue Tao <Yue.Tao@windriver.com>
>
> libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
> to have an unspecified impact via crafted Huffyuv data, related to an
> out-of-bounds write and (1) unchecked return codes from the init_vlc
> function and (2) len==0 cases.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
>
> Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> ...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87 ++++++++++++++++++++
> .../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
> .../gstreamer/gst-ffmpeg_0.10.13.bb | 2 +
> 3 files changed, 148 insertions(+)
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
>
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> new file mode 100644
> index 0000000..e859e44
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> @@ -0,0 +1,87 @@
> +From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 18:29:41 +0100
> +Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
> +
> +Upstream-Status: Backport
> +
> +Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
> +
> +Prevents out of array writes
> +
> +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 58da789..993e524 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -33,6 +33,7 @@
> + #include "put_bits.h"
> + #include "dsputil.h"
> + #include "thread.h"
> ++#include "libavutil/avassert.h"
> +
> + #define VLC_BITS 11
> +
> +@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
> + int len1 = s->len[p][u];
> + if (len1 > limit || !len1)
> + continue;
> ++ av_assert0(i < (1 << VLC_BITS));
> + len[i] = len0 + len1;
> + bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> + symbols[i] = (y<<8) + u;
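Review bot: the context line `if (len1 > limit || !len1)` in this hunk only exists once 0001-huffyuvdec-Skip-len-0-cases.patch has been applied, but the index lines still record the opposite upstream order (58da789..993e524 here, 993e524..72ed351 in the Skip-len-0 patch). The header `-287,6 +287,7` also ignores the line already added by the `@@ -33,6 +33,7 @@` hunk. The patch looks hand-refreshed; please regenerate it against the patched tree so the headers and context agree and it applies without offsets.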
> +@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
> + int len2 = s->len[2][r&255];
> + if (len2 > limit1 || !len2)
> + continue;
> ++ av_assert0(i < (1 << VLC_BITS));
> + len[i] = len0 + len1 + len2;
> + bits[i] = (code << len2) + s->bits[2][r&255];
> + if(s->decorrelate){
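Review bot: the `av_assert0(i < (1 << VLC_BITS))` added here, and the identical one in the previous hunk, prevent the out-of-array write by aborting the process. If the condition can still be reached with crafted Huffyuv data, the application hosting the decoder is terminated. That matches upstream, so it is acceptable for a backport, but the patch header should state that the remaining impact is a crash rather than stop at "Prevents out of array writes". Please also confirm with a build that the libav copy under gst-libs/ext/libav provides libavutil/avassert.h.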
> +@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
> + static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
> + GetBitContext gb;
> + int i;
> ++ int ret;
> +
> + init_get_bits(&gb, src, length*8);
> +
> +@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
> + return -1;
> + }
> + free_vlc(&s->vlc[i]);
> +- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++ s->bits[i], 4, 4, 0)) < 0)
> ++ return ret;
> + }
> +
> + generate_joint_tables(s);
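Review bot: the error path at the top of this hunk returns -1, while the new path returns whatever init_vlc() reported, so read_huffman_tables() can now return negative values other than -1. Please confirm that the callers in the bundled huffyuv.c test for `< 0` rather than `== -1`. Since free_vlc(&s->vlc[i]) has already run at that point, a caller that misses the error would continue with a freed table.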
> +@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
> + #if 1
> + GetBitContext gb;
> + int i;
> ++ int ret;
> +
> + init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
> + if(read_len_table(s->len[0], &gb)<0)
> +@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
> +
> + for(i=0; i<3; i++){
> + free_vlc(&s->vlc[i]);
> +- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++ s->bits[i], 4, 4, 0)) < 0)
> ++ return ret;
> + }
> +
> + generate_joint_tables(s);
> +--
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> new file mode 100644
> index 0000000..68bc966
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> @@ -0,0 +1,59 @@
> +From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 19:22:33 +0100
> +Subject: [PATCH] huffyuvdec: Skip len==0 cases
> +
> +Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
> +
> +Fixes vlc decoding for hypothetical files that would contain such cases.
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
> +

Missing Upstream-Status

Sau!

> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 993e524..72ed351 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
> + for(i=y=0; y<256; y++){
> + int len0 = s->len[0][y];
> + int limit = VLC_BITS - len0;
> +- if(limit <= 0)
> ++ if(limit <= 0 || !len0)
> + continue;
> + for(u=0; u<256; u++){
> + int len1 = s->len[p][u];
> +- if(len1 > limit)
> ++ if (len1 > limit || !len1)
> + continue;
> + len[i] = len0 + len1;
> + bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> +@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
> + for(i=0, g=-16; g<16; g++){
> + int len0 = s->len[p0][g&255];
> + int limit0 = VLC_BITS - len0;
> +- if(limit0 < 2)
> ++ if (limit0 < 2 || !len0)
> + continue;
> + for(b=-16; b<16; b++){
> + int len1 = s->len[p1][b&255];
> + int limit1 = limit0 - len1;
> +- if(limit1 < 1)
> ++ if (limit1 < 1 || !len1)
> + continue;
> + code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
> + for(r=-16; r<16; r++){
> + int len2 = s->len[2][r&255];
> +- if(len2 > limit1)
> ++ if (len2 > limit1 || !len2)
> + continue;
> + len[i] = len0 + len1 + len2;
> + bits[i] = (code << len2) + s->bits[2][r&255];
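Review bot: the embedded commit message for these `!len0` / `!len1` / `!len2` checks only says "Fixes vlc decoding for hypothetical files", while the recipe commit message ties the len==0 cases to CVE-2013-0868. Please add the CVE identifier to this patch header, as well as the Upstream-Status line, so the security relevance stays traceable from the patch file itself.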
> +--
> +1.8.5.2.233.g932f7e4
> +
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> index 05cc404..847b927 100644
> --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> @@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
> file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
> file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
> file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
> + file://0001-huffyuvdec-Skip-len-0-cases.patch \
> + file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
> "
>
> SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
>
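Review bot: the order of the two new SRC_URI entries is load-bearing and nothing records that. 0001-huffyuvdec-Check-init_vlc-return-codes.patch carries `|| !len1` and `|| !len2` as context, so it applies only after 0001-huffyuvdec-Skip-len-0-cases.patch, and both files share the 0001- prefix, so the file names give no hint. Please add a short comment above these lines or renumber the patches so that a later reshuffle of SRC_URI does not break do_patch.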