* [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865 rongqing.li
` (11 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB)
muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier,
allows remote attackers to have unspecified impact and vectors, which
trigger an out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2263
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...egtsenc-Check-data-array-size-in-mpegts_w.patch | 69 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
new file mode 100644
index 0000000..68bb66e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
@@ -0,0 +1,69 @@
+From 12770701856a05b6b3cd706f708f8e9a4e8a1336 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 13 Feb 2014 13:59:51 +0100
+Subject: [PATCH] avformat/mpegtsenc: Check data array size in
+ mpegts_write_pmt()
+
+Upstream-Status: Backport
+
+COmmit 12770701856a05b6b3cd706f708f8e9a4e8a1336 release/0.11
+
+Prevents out of array writes
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad)
+
+Conflicts:
+
+ libavformat/mpegtsenc.c
+(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavformat/mpegtsenc.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
+index 793e205..a12d19f 100644
+--- a/gst-libs/ext/libav/libavformat/mpegtsenc.c
++++ b/gst-libs/ext/libav/libavformat/mpegtsenc.c
+@@ -240,7 +240,7 @@ static void mpegts_write_pat(AVFormatContext *s)
+ data, q - data);
+ }
+
+-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
++static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ {
+ // MpegTSWrite *ts = s->priv_data;
+ uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
+@@ -293,6 +293,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ stream_type = STREAM_TYPE_PRIVATE_DATA;
+ break;
+ }
++
++ if (q - data > sizeof(data) - 32)
++ return AVERROR(EINVAL);
++
+ *q++ = stream_type;
+ put16(&q, 0xe000 | ts_st->pid);
+ desc_length_ptr = q;
+@@ -324,7 +328,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ len_ptr = q++;
+ *len_ptr = 0;
+
+- for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
++ for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) {
+ next = strchr(p, ',');
+ if (strlen(p) != 3 && (!next || next != p + 3))
+ continue; /* not a 3-letter code */
+@@ -386,6 +390,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ }
+ mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
+ data, q - data);
++ return 0;
+ }
+
+ /* NOTE: str == NULL is accepted for an empty string */
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index e1257a2..4913539 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libav_e500mc.patch \
file://libav_e5500.patch \
file://gst-ffmpeg-CVE-2013-3674.patch \
+ file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
2014-05-16 2:12 ` [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099 rongqing.li
` (10 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0865
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...o-check-chunk-sizes-before-reading-chunks.patch | 51 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
new file mode 100644
index 0000000..7e4f682
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
@@ -0,0 +1,51 @@
+From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 25 Jan 2013 06:11:59 +0100
+Subject: [PATCH] vqavideo: check chunk sizes before reading chunks
+
+Upstream-Status: Backport
+
+Commit 2cac35086c9e103fa98960c546d5017e7363803a release/0.7
+
+Fixes out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/vqavideo.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
+index d1eab5b..6e1ce6c 100644
+--- a/gst-libs/ext/libav/libavcodec/vqavideo.c
++++ b/gst-libs/ext/libav/libavcodec/vqavideo.c
+@@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s)
+ chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]);
+ cbp0_chunk += CHUNK_PREAMBLE_SIZE;
+
++ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++ av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ /* accumulate partial codebook */
+ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ &s->buf[cbp0_chunk], chunk_size);
+@@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s)
+ chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]);
+ cbpz_chunk += CHUNK_PREAMBLE_SIZE;
+
++ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++ av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ /* accumulate partial codebook */
+ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ &s->buf[cbpz_chunk], chunk_size);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 4913539..3d1f207 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libav_e5500.patch \
file://gst-ffmpeg-CVE-2013-3674.patch \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
+ file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
2014-05-16 2:12 ` [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263 rongqing.li
2014-05-16 2:12 ` [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
` (9 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before
2.1.4 does not properly calculate line sizes, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Microsoft RLE video
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2099
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...le-use-av_image_get_linesize-to-calculate.patch | 50 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
new file mode 100644
index 0000000..b0a3fb1
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
@@ -0,0 +1,50 @@
+From 573d5fdedae72bf59d8c0b0766fdee171063d36f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 16 Feb 2014 23:08:52 +0100
+Subject: [PATCH] avcodec/msrle: use av_image_get_linesize() to calculate the
+ linesize
+
+Upstream-Status: Backport
+
+Commit 573d5fdedae72bf59d8c0b0766fdee171063d36f release/0.9
+
+Fixes out of array access
+Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2)
+
+Conflicts:
+
+ libavcodec/msrle.c
+(cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/msrle.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
+index 30159bb..c39ae7b 100644
+--- a/gst-libs/ext/libav/libavcodec/msrle.c
++++ b/gst-libs/ext/libav/libavcodec/msrle.c
+@@ -35,6 +35,7 @@
+ #include "avcodec.h"
+ #include "dsputil.h"
+ #include "msrledec.h"
++#include "libavutil/imgutils.h"
+
+ typedef struct MsrleContext {
+ AVCodecContext *avctx;
+@@ -107,7 +108,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,
+
+ /* FIXME how to correctly detect RLE ??? */
+ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
+- int linesize = avctx->width * avctx->bits_per_coded_sample / 8;
++ int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
+ uint8_t *ptr = s->frame.data[0];
+ uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
+ int i, j;
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 3d1f207..05cc404 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://gst-ffmpeg-CVE-2013-3674.patch \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
+ file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (2 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-19 15:39 ` Saul Wold
2014-05-16 2:12 ` [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845 rongqing.li
` (8 subsequent siblings)
12 siblings, 1 reply; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) len==0 cases.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87 ++++++++++++++++++++
.../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 2 +
3 files changed, 148 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
new file mode 100644
index 0000000..e859e44
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
@@ -0,0 +1,87 @@
+From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 18:29:41 +0100
+Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
+
+Upstream-Status: Backport
+
+Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
+
+Prevents out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 58da789..993e524 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -33,6 +33,7 @@
+ #include "put_bits.h"
+ #include "dsputil.h"
+ #include "thread.h"
++#include "libavutil/avassert.h"
+
+ #define VLC_BITS 11
+
+@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
+ int len1 = s->len[p][u];
+ if (len1 > limit || !len1)
+ continue;
++ av_assert0(i < (1 << VLC_BITS));
+ len[i] = len0 + len1;
+ bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+ symbols[i] = (y<<8) + u;
+@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
+ int len2 = s->len[2][r&255];
+ if (len2 > limit1 || !len2)
+ continue;
++ av_assert0(i < (1 << VLC_BITS));
+ len[i] = len0 + len1 + len2;
+ bits[i] = (code << len2) + s->bits[2][r&255];
+ if(s->decorrelate){
+@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
+ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
+ GetBitContext gb;
+ int i;
++ int ret;
+
+ init_get_bits(&gb, src, length*8);
+
+@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
+ return -1;
+ }
+ free_vlc(&s->vlc[i]);
+- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++ s->bits[i], 4, 4, 0)) < 0)
++ return ret;
+ }
+
+ generate_joint_tables(s);
+@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
+ #if 1
+ GetBitContext gb;
+ int i;
++ int ret;
+
+ init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+ if(read_len_table(s->len[0], &gb)<0)
+@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
+
+ for(i=0; i<3; i++){
+ free_vlc(&s->vlc[i]);
+- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++ s->bits[i], 4, 4, 0)) < 0)
++ return ret;
+ }
+
+ generate_joint_tables(s);
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
new file mode 100644
index 0000000..68bc966
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
@@ -0,0 +1,59 @@
+From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 19:22:33 +0100
+Subject: [PATCH] huffyuvdec: Skip len==0 cases
+
+Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
+
+Fixes vlc decoding for hypothetical files that would contain such cases.
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 993e524..72ed351 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
+ for(i=y=0; y<256; y++){
+ int len0 = s->len[0][y];
+ int limit = VLC_BITS - len0;
+- if(limit <= 0)
++ if(limit <= 0 || !len0)
+ continue;
+ for(u=0; u<256; u++){
+ int len1 = s->len[p][u];
+- if(len1 > limit)
++ if (len1 > limit || !len1)
+ continue;
+ len[i] = len0 + len1;
+ bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
+ for(i=0, g=-16; g<16; g++){
+ int len0 = s->len[p0][g&255];
+ int limit0 = VLC_BITS - len0;
+- if(limit0 < 2)
++ if (limit0 < 2 || !len0)
+ continue;
+ for(b=-16; b<16; b++){
+ int len1 = s->len[p1][b&255];
+ int limit1 = limit0 - len1;
+- if(limit1 < 1)
++ if (limit1 < 1 || !len1)
+ continue;
+ code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
+ for(r=-16; r<16; r++){
+ int len2 = s->len[2][r&255];
+- if(len2 > limit1)
++ if (len2 > limit1 || !len2)
+ continue;
+ len[i] = len0 + len1 + len2;
+ bits[i] = (code << len2) + s->bits[2][r&255];
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 05cc404..847b927 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
+ file://0001-huffyuvdec-Skip-len-0-cases.patch \
+ file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868
2014-05-16 2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
@ 2014-05-19 15:39 ` Saul Wold
0 siblings, 0 replies; 17+ messages in thread
From: Saul Wold @ 2014-05-19 15:39 UTC (permalink / raw)
To: rongqing.li, openembedded-core
On 05/15/2014 07:12 PM, rongqing.li@windriver.com wrote:
> From: Yue Tao <Yue.Tao@windriver.com>
>
> libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
> to have an unspecified impact via crafted Huffyuv data, related to an
> out-of-bounds write and (1) unchecked return codes from the init_vlc
> function and (2) len==0 cases.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
>
> Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> ...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87 ++++++++++++++++++++
> .../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
> .../gstreamer/gst-ffmpeg_0.10.13.bb | 2 +
> 3 files changed, 148 insertions(+)
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
>
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> new file mode 100644
> index 0000000..e859e44
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> @@ -0,0 +1,87 @@
> +From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 18:29:41 +0100
> +Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
> +
> +Upstream-Status: Backport
> +
> +Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
> +
> +Prevents out of array writes
> +
> +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 58da789..993e524 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -33,6 +33,7 @@
> + #include "put_bits.h"
> + #include "dsputil.h"
> + #include "thread.h"
> ++#include "libavutil/avassert.h"
> +
> + #define VLC_BITS 11
> +
> +@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
> + int len1 = s->len[p][u];
> + if (len1 > limit || !len1)
> + continue;
> ++ av_assert0(i < (1 << VLC_BITS));
> + len[i] = len0 + len1;
> + bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> + symbols[i] = (y<<8) + u;
> +@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
> + int len2 = s->len[2][r&255];
> + if (len2 > limit1 || !len2)
> + continue;
> ++ av_assert0(i < (1 << VLC_BITS));
> + len[i] = len0 + len1 + len2;
> + bits[i] = (code << len2) + s->bits[2][r&255];
> + if(s->decorrelate){
> +@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
> + static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
> + GetBitContext gb;
> + int i;
> ++ int ret;
> +
> + init_get_bits(&gb, src, length*8);
> +
> +@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
> + return -1;
> + }
> + free_vlc(&s->vlc[i]);
> +- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++ s->bits[i], 4, 4, 0)) < 0)
> ++ return ret;
> + }
> +
> + generate_joint_tables(s);
> +@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
> + #if 1
> + GetBitContext gb;
> + int i;
> ++ int ret;
> +
> + init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
> + if(read_len_table(s->len[0], &gb)<0)
> +@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
> +
> + for(i=0; i<3; i++){
> + free_vlc(&s->vlc[i]);
> +- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++ s->bits[i], 4, 4, 0)) < 0)
> ++ return ret;
> + }
> +
> + generate_joint_tables(s);
> +--
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> new file mode 100644
> index 0000000..68bc966
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> @@ -0,0 +1,59 @@
> +From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 19:22:33 +0100
> +Subject: [PATCH] huffyuvdec: Skip len==0 cases
> +
> +Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
> +
> +Fixes vlc decoding for hypothetical files that would contain such cases.
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
> +
Missing Upstream-Status
Sau!
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 993e524..72ed351 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
> + for(i=y=0; y<256; y++){
> + int len0 = s->len[0][y];
> + int limit = VLC_BITS - len0;
> +- if(limit <= 0)
> ++ if(limit <= 0 || !len0)
> + continue;
> + for(u=0; u<256; u++){
> + int len1 = s->len[p][u];
> +- if(len1 > limit)
> ++ if (len1 > limit || !len1)
> + continue;
> + len[i] = len0 + len1;
> + bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> +@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
> + for(i=0, g=-16; g<16; g++){
> + int len0 = s->len[p0][g&255];
> + int limit0 = VLC_BITS - len0;
> +- if(limit0 < 2)
> ++ if (limit0 < 2 || !len0)
> + continue;
> + for(b=-16; b<16; b++){
> + int len1 = s->len[p1][b&255];
> + int limit1 = limit0 - len1;
> +- if(limit1 < 1)
> ++ if (limit1 < 1 || !len1)
> + continue;
> + code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
> + for(r=-16; r<16; r++){
> + int len2 = s->len[2][r&255];
> +- if(len2 > limit1)
> ++ if (len2 > limit1 || !len2)
> + continue;
> + len[i] = len0 + len1 + len2;
> + bits[i] = (code << len2) + s->bits[2][r&255];
> +--
> +1.8.5.2.233.g932f7e4
> +
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> index 05cc404..847b927 100644
> --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> @@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
> file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
> file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
> file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
> + file://0001-huffyuvdec-Skip-len-0-cases.patch \
> + file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
> "
>
> SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (3 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852 rongqing.li
` (7 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to
have an unspecified impact via a crafted block length, which triggers an
out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0845
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-alsdec-check-block-length.patch | 61 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
new file mode 100644
index 0000000..73980f4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
@@ -0,0 +1,61 @@
+From 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Wed, 12 Dec 2012 12:28:45 +0100
+Subject: [PATCH] alsdec: check block length
+
+Upstream-Status: Backport
+
+Commit 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 release/1.0
+
+Fix writing over the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/alsdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 46dd0b4..1095b01 100644
+--- a/gst-libs/ext/libav/libavcodec/alsdec.c
++++ b/gst-libs/ext/libav/libavcodec/alsdec.c
+@@ -552,12 +552,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks,
+
+ /** Read the block data for a constant block
+ */
+-static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
++static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+ {
+ ALSSpecificConfig *sconf = &ctx->sconf;
+ AVCodecContext *avctx = ctx->avctx;
+ GetBitContext *gb = &ctx->gb;
+
++ if (bd->block_length <= 0)
++ return -1;
++
+ *bd->raw_samples = 0;
+ *bd->const_block = get_bits1(gb); // 1 = constant value, 0 = zero block (silence)
+ bd->js_blocks = get_bits1(gb);
+@@ -572,6 +575,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+
+ // ensure constant block decoding by reusing this field
+ *bd->const_block = 1;
++
++ return 0;
+ }
+
+
+@@ -971,7 +976,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
+ if (read_var_block_data(ctx, bd))
+ return -1;
+ } else {
+- read_const_block_data(ctx, bd);
++ if (read_const_block_data(ctx, bd) < 0)
++ return -1;
+ }
+
+ return 0;
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 847b927..430bcc7 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
file://0001-huffyuvdec-Skip-len-0-cases.patch \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
+ file://0001-alsdec-check-block-length.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (4 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858 rongqing.li
` (6 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via
crafted RLE data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0852
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...heck-RLE-size-before-copying.-Fix-out-of-.patch | 34 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
new file mode 100644
index 0000000..1041347
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
@@ -0,0 +1,34 @@
+From 28bf685bfc6d0c744369cdf367f61a78d80d0b01 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 15 Nov 2012 16:41:28 +0100
+Subject: [PATCH] pgssubdec: check RLE size before copying. Fix out of array
+ accesses
+
+Upstream-Status: Backport
+
+Commit 28bf685bfc6d0c744369cdf367f61a78d80d0b01 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c0d68be555f5858703383040e04fcd6529777061)
+---
+ libavcodec/pgssubdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
+index 728f178..26a3c2a 100644
+--- a/gst-libs/ext/libav/libavcodec/pgssubdec.c
++++ b/gst-libs/ext/libav/libavcodec/pgssubdec.c
+@@ -202,6 +202,11 @@ static int parse_picture_segment(AVCodec
+ return -1;
+ }
+
++ if (buf_size > rle_bitmap_len) {
++ av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ ctx->picture.w = width;
+ ctx->picture.h = height;
+
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 430bcc7..eded98b 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-huffyuvdec-Skip-len-0-cases.patch \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
file://0001-alsdec-check-block-length.patch \
+ file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (5 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851 rongqing.li
` (5 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before
1.0.4 allows remote attackers to have an unspecified impact via ATRAC3
data with the joint stereo coding mode set and fewer than two channels.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0858
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...ac3dec-Check-coding-mode-against-channels.patch | 37 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
new file mode 100644
index 0000000..42cb5f4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
@@ -0,0 +1,37 @@
+From 2502914c5f8eb77659d7c0868396862557a63245 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 9 Nov 2012 13:26:20 +0100
+Subject: [PATCH] atrac3dec: Check coding mode against channels.
+
+Upstream-Status: Backport
+
+Commit 2502914c5f8eb77659d7c0868396862557a63245 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 13451f5520ce6b0afde861b2285dda659f8d4fb4)
+
+Conflicts:
+
+ libavcodec/atrac3.c
+---
+ libavcodec/atrac3.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
+index 7d076be..1da4c78 100644
+--- a/gst-libs/ext/libav/libavcodec/atrac3.c
++++ b/gst-libs/ext/libav/libavcodec/atrac3.c
+@@ -955,6 +955,11 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
+ }
+ /* Check the extradata. */
+
++ if (q->codingMode == JOINT_STEREO && avctx->channels < 2) {
++ av_log(avctx, AV_LOG_ERROR, "Invalid coding mode\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ if (q->atrac3version != 4) {
+ av_log(avctx,AV_LOG_ERROR,"Version %d != 4.\n",q->atrac3version);
+ return AVERROR_INVALIDDATA;
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index eded98b..a603ff5 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
file://0001-alsdec-check-block-length.patch \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
+ file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (6 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854 rongqing.li
` (4 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted
Electronic Arts Madcow video data, which triggers an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0851
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-eamad-fix-out-of-array-accesses.patch | 29 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
new file mode 100644
index 0000000..f45e3fd
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
@@ -0,0 +1,29 @@
+From 63ac64864c6e0e84355aa3caa5b92208997a9a8d Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 17 Nov 2012 16:26:55 +0100
+Subject: [PATCH] eamad: fix out of array accesses
+
+Upstream-Status: Backport
+
+Commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/eamad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
+index 2805195..e38650e 100644
+--- a/gst-libs/ext/libav/libavcodec/eamad.c
++++ b/gst-libs/ext/libav/libavcodec/eamad.c
+@@ -237,7 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
+ int chunk_type;
+ int inter;
+
+- if (buf_size < 17) {
++ if (buf_size < 26) {
+ av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
+ *data_size = 0;
+ return -1;
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a603ff5..0d0ba9a 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-alsdec-check-block-length.patch \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
+ file://0001-eamad-fix-out-of-array-accesses.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (7 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856 rongqing.li
` (3 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via crafted MJPEG data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0854
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-mjpegdec-check-SE.patch | 32 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
new file mode 100644
index 0000000..d90bafa
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
@@ -0,0 +1,32 @@
+From 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 11 Nov 2012 00:01:24 +0100
+Subject: [PATCH] mjpegdec: check SE.
+
+Upstream-Status: Backport
+
+Commit 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/mjpegdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
+index 6b5266d..0a71a6f 100644
+--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
++++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
+@@ -905,6 +905,11 @@ static int mjpeg_decode_scan_progressive
+ int16_t *quant_matrix = s->quant_matrixes[ s->quant_index[c] ];
+ GetBitContext mb_bitmask_gb;
+
++ if (se > 63) {
++ av_log(s->avctx, AV_LOG_ERROR, "SE %d is too large\n", se);
++ return AVERROR_INVALIDDATA;
++ }
++
+ if (mb_bitmask) {
+ init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width*s->mb_height);
+ }
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 0d0ba9a..28ea29e 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
file://0001-eamad-fix-out-of-array-accesses.patch \
+ file://0001-mjpegdec-check-SE.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (8 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850 rongqing.li
` (2 subsequent siblings)
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted Apple
Lossless Audio Codec (ALAC) data, related to a large nb_samples value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0856
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-alac-fix-nb_samples-order-case.patch | 30 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
new file mode 100644
index 0000000..10ce0f3
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
@@ -0,0 +1,30 @@
+From e0884eadf6a15e93142131b695f48776f9a0ac31 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 10 Nov 2012 17:14:04 +0100
+Subject: [PATCH] alac: fix nb_samples < order case
+
+Upstream-Status: Backport
+
+Commit e0884eadf6a15e93142131b695f48776f9a0ac31 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit fd4f4923cce6a2cbf4f48640b4ac706e614a1594)
+---
+ libavcodec/alac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/alac.c b/libavcodec/alac.c
+index 9cd1737..e8e844a 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -278,7 +278,7 @@ static void predictor_decompress_fir_ada
+
+ /* read warm-up samples */
+ if (predictor_coef_num > 0)
+- for (i = 0; i < predictor_coef_num; i++) {
++ for (i = 0; i < predictor_coef_num && i < output_size; i++) {
+ int32_t val;
+
+ val = buffer_out[i] + error_buffer[i+1];
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 28ea29e..a0673fd 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
file://0001-eamad-fix-out-of-array-accesses.patch \
file://0001-mjpegdec-check-SE.patch \
+ file://0001-alac-fix-nb_samples-order-case.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (9 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 2:12 ` [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849 rongqing.li
2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The decode_slice_header function in libavcodec/h264.c in FFmpeg before
1.1 allows remote attackers to have an unspecified impact via crafted
H.264 data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0850
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...t-ref-count-check-and-limit-fix-out-of-ar.patch | 29 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
new file mode 100644
index 0000000..d4f55b2
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
@@ -0,0 +1,29 @@
+From d6c184880ee2e09fd68c0ae217173832cee5afc1 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 18 Nov 2012 16:29:04 +0100
+Subject: [PATCH] h264: correct ref count check and limit, fix out of array
+ accesses.
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/h264.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index da43f1e..32cede5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264.c
++++ b/gst-libs/ext/libav/libavcodec/h264.c
+@@ -2870,6 +2870,9 @@ static int decode_slice_header(H264Conte
+ h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
+ if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+ h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
++ else
++ // full range is spec-ok in this case, even for frames
++ h->ref_count[1] = 1;
+
+ if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
+ av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a0673fd..ad85fa2 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-eamad-fix-out-of-array-accesses.patch \
file://0001-mjpegdec-check-SE.patch \
file://0001-alac-fix-nb_samples-order-case.patch \
+ file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (10 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850 rongqing.li
@ 2014-05-16 2:12 ` rongqing.li
2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16 2:12 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via a
crafted (1) width or (2) height dimension that is not a multiple of
sixteen in id RoQ video data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0849
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
new file mode 100644
index 0000000..7e58afc
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
@@ -0,0 +1,36 @@
+From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 29 Nov 2012 15:18:17 +0100
+Subject: [PATCH] roqvideodec: check dimensions validity
+
+Upstream-Status: Backport
+
+Commit 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 release/0.7
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/roqvideodec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
+index f0977f6..4e34231 100644
+--- a/gst-libs/ext/libav/libavcodec/roqvideodec.c
++++ b/gst-libs/ext/libav/libavcodec/roqvideodec.c
+@@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
+ RoqContext *s = avctx->priv_data;
+
+ s->avctx = avctx;
++
++ if (avctx->width%16 || avctx->height%16) {
++ av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n");
++ return AVERROR_PATCHWELCOME;
++ }
++
+ s->width = avctx->width;
+ s->height = avctx->height;
+ avcodec_get_frame_defaults(&s->frames[0]);
+--
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index ad85fa2..a3b2f5c 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-mjpegdec-check-SE.patch \
file://0001-alac-fix-nb_samples-order-case.patch \
file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
+ file://0001-roqvideodec-check-dimensions-validity.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
2014-05-16 2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
` (11 preceding siblings ...)
2014-05-16 2:12 ` [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849 rongqing.li
@ 2014-05-16 11:09 ` Paul Eggleton
2014-05-19 1:32 ` Rongqing Li
12 siblings, 1 reply; 17+ messages in thread
From: Paul Eggleton @ 2014-05-16 11:09 UTC (permalink / raw)
To: Roy Li; +Cc: openembedded-core
Hi Roy,
On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> Diff with V1: use ffmpeg as prefix of commit header
>
> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
>
> gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
>
> are available in the git repository at:
>
> git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
>
> Yue Tao (12):
> ffmpeg: fix for Security Advisory CVE-2014-2263
> ffmpeg: fix for Security Advisory CVE-2013-0865
> ffmpeg: fix for Security Advisory CVE-2014-2099
> ffmpeg: fix for Security Advisory CVE-2013-0868
> ffmpeg: fix for Security Advisory CVE-2013-0845
> ffmpeg: fix for Security Advisory CVE-2013-0852
> ffmpeg: fix for Security Advisory CVE-2013-0858
> ffmpeg: fix for Security Advisory CVE-2013-0851
> ffmpeg: fix for Security Advisory CVE-2013-0854
> ffmpeg: fix for Security Advisory CVE-2013-0856
> ffmpeg: fix for Security Advisory CVE-2013-0850
> ffmpeg: fix for Security Advisory CVE-2013-0849
This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since that's the
recipe being modified.
Also, I'm not sure if you got my message yesterday (since there was a problem
with the email transmission) however I'll repeat it here just in case:
> Note that whilst we should apply these patches, they won't actually have any
> effect on unmodified builds because we do not use gst-ffmpeg's internal
> copy of ffmpeg, we use libav instead. So if any of these fixes apply to
> libav (or if there are equivalent fixes) we will need to apply them to
> libav.
Would you be able to take care of the corresponding patches to libav?
Thanks,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
@ 2014-05-19 1:32 ` Rongqing Li
2014-05-19 9:58 ` Paul Eggleton
0 siblings, 1 reply; 17+ messages in thread
From: Rongqing Li @ 2014-05-19 1:32 UTC (permalink / raw)
To: Paul Eggleton; +Cc: openembedded-core
On 05/16/2014 07:09 PM, Paul Eggleton wrote:
> Hi Roy,
>
> On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Diff with V1: use ffmpeg as prefix of commit header
>>
>> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
>>
>> gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
>>
>> are available in the git repository at:
>>
>> git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
>>
>> Yue Tao (12):
>> ffmpeg: fix for Security Advisory CVE-2014-2263
>> ffmpeg: fix for Security Advisory CVE-2013-0865
>> ffmpeg: fix for Security Advisory CVE-2014-2099
>> ffmpeg: fix for Security Advisory CVE-2013-0868
>> ffmpeg: fix for Security Advisory CVE-2013-0845
>> ffmpeg: fix for Security Advisory CVE-2013-0852
>> ffmpeg: fix for Security Advisory CVE-2013-0858
>> ffmpeg: fix for Security Advisory CVE-2013-0851
>> ffmpeg: fix for Security Advisory CVE-2013-0854
>> ffmpeg: fix for Security Advisory CVE-2013-0856
>> ffmpeg: fix for Security Advisory CVE-2013-0850
>> ffmpeg: fix for Security Advisory CVE-2013-0849
>
> This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since that's the
> recipe being modified.
>
Ok, I update it
=====================
The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
Yue Tao (12):
gst-ffmpeg: fix for Security Advisory CVE-2014-2263
gst-ffmpeg: fix for Security Advisory CVE-2013-0865
gst-ffmpeg: fix for Security Advisory CVE-2014-2099
gst-ffmpeg: fix for Security Advisory CVE-2013-0868
gst-ffmpeg: fix for Security Advisory CVE-2013-0845
gst-ffmpeg: fix for Security Advisory CVE-2013-0852
gst-ffmpeg: fix for Security Advisory CVE-2013-0858
gst-ffmpeg: fix for Security Advisory CVE-2013-0851
gst-ffmpeg: fix for Security Advisory CVE-2013-0854
gst-ffmpeg: fix for Security Advisory CVE-2013-0856
gst-ffmpeg: fix for Security Advisory CVE-2013-0850
gst-ffmpeg: fix for Security Advisory CVE-2013-0849
.../0001-alac-fix-nb_samples-order-case.patch | 30 +++++++
.../0001-alsdec-check-block-length.patch | 61 ++++++++++++++
...ac3dec-Check-coding-mode-against-channels.patch | 37 +++++++++
...le-use-av_image_get_linesize-to-calculate.patch | 50 +++++++++++
...egtsenc-Check-data-array-size-in-mpegts_w.patch | 69 ++++++++++++++++
.../0001-eamad-fix-out-of-array-accesses.patch | 29 +++++++
...t-ref-count-check-and-limit-fix-out-of-ar.patch | 29 +++++++
...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87
++++++++++++++++++++
.../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
.../0001-mjpegdec-check-SE.patch | 32 +++++++
...heck-RLE-size-before-copying.-Fix-out-of-.patch | 34 ++++++++
...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++
...o-check-chunk-sizes-before-reading-chunks.patch | 51 ++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 13 +++
14 files changed, 617 insertions(+)
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
create mode 100644
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
> Also, I'm not sure if you got my message yesterday (since there was a problem
> with the email transmission) however I'll repeat it here just in case:
>
>> Note that whilst we should apply these patches, they won't actually have any
>> effect on unmodified builds because we do not use gst-ffmpeg's internal
>> copy of ffmpeg, we use libav instead. So if any of these fixes apply to
>> libav (or if there are equivalent fixes) we will need to apply them to
>> libav.
>
> Would you be able to take care of the corresponding patches to libav?
>
I did not see the CVE patches on libav
-Roy
> Thanks,
> Paul
>
--
Best Reagrds,
Roy | RongQing Li
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
2014-05-19 1:32 ` Rongqing Li
@ 2014-05-19 9:58 ` Paul Eggleton
0 siblings, 0 replies; 17+ messages in thread
From: Paul Eggleton @ 2014-05-19 9:58 UTC (permalink / raw)
To: Rongqing Li; +Cc: openembedded-core
On Monday 19 May 2014 09:32:57 Rongqing Li wrote:
> On 05/16/2014 07:09 PM, Paul Eggleton wrote:
> > Hi Roy,
> >
> > On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
> >> From: Roy Li <rongqing.li@windriver.com>
> >>
> >> Diff with V1: use ffmpeg as prefix of commit header
> >>
> >> The following changes since commit
e273301efa0037a13c3a60b4414140364d9c9873:
> >> gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> >>
> >> are available in the git repository at:
> >> git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
> >> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> >>
> >> Yue Tao (12):
> >> ffmpeg: fix for Security Advisory CVE-2014-2263
> >> ffmpeg: fix for Security Advisory CVE-2013-0865
> >> ffmpeg: fix for Security Advisory CVE-2014-2099
> >> ffmpeg: fix for Security Advisory CVE-2013-0868
> >> ffmpeg: fix for Security Advisory CVE-2013-0845
> >> ffmpeg: fix for Security Advisory CVE-2013-0852
> >> ffmpeg: fix for Security Advisory CVE-2013-0858
> >> ffmpeg: fix for Security Advisory CVE-2013-0851
> >> ffmpeg: fix for Security Advisory CVE-2013-0854
> >> ffmpeg: fix for Security Advisory CVE-2013-0856
> >> ffmpeg: fix for Security Advisory CVE-2013-0850
> >> ffmpeg: fix for Security Advisory CVE-2013-0849
> >
> > This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since
> > that's the recipe being modified.
>
> Ok, I update it
>
> =====================
> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
>
> gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
>
> are available in the git repository at:
>
> git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
>
> Yue Tao (12):
> gst-ffmpeg: fix for Security Advisory CVE-2014-2263
> gst-ffmpeg: fix for Security Advisory CVE-2013-0865
> gst-ffmpeg: fix for Security Advisory CVE-2014-2099
> gst-ffmpeg: fix for Security Advisory CVE-2013-0868
> gst-ffmpeg: fix for Security Advisory CVE-2013-0845
> gst-ffmpeg: fix for Security Advisory CVE-2013-0852
> gst-ffmpeg: fix for Security Advisory CVE-2013-0858
> gst-ffmpeg: fix for Security Advisory CVE-2013-0851
> gst-ffmpeg: fix for Security Advisory CVE-2013-0854
> gst-ffmpeg: fix for Security Advisory CVE-2013-0856
> gst-ffmpeg: fix for Security Advisory CVE-2013-0850
> gst-ffmpeg: fix for Security Advisory CVE-2013-0849
>
> .../0001-alac-fix-nb_samples-order-case.patch | 30 +++++++
> .../0001-alsdec-check-block-length.patch | 61 ++++++++++++++
> ...ac3dec-Check-coding-mode-against-channels.patch | 37 +++++++++
> ...le-use-av_image_get_linesize-to-calculate.patch | 50 +++++++++++
> ...egtsenc-Check-data-array-size-in-mpegts_w.patch | 69 ++++++++++++++++
> .../0001-eamad-fix-out-of-array-accesses.patch | 29 +++++++
> ...t-ref-count-check-and-limit-fix-out-of-ar.patch | 29 +++++++
> ...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87
> ++++++++++++++++++++
> .../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
> .../0001-mjpegdec-check-SE.patch | 32 +++++++
> ...heck-RLE-size-before-copying.-Fix-out-of-.patch | 34 ++++++++
> ...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++
> ...o-check-chunk-sizes-before-reading-chunks.patch | 51 ++++++++++++
> .../gstreamer/gst-ffmpeg_0.10.13.bb | 13 +++
> 14 files changed, 617 insertions(+)
> create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_sample
> s-order-case.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block
> -length.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-co
> ding-mode-against-channels.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-
> av_image_get_linesize-to-calculate.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc
> -Check-data-array-size-in-mpegts_w.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-a
> rray-accesses.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-c
> ount-check-and-limit-fix-out-of-ar.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-i
> nit_vlc-return-codes.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-le
> n-0-cases.patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.
> patch create mode 100644
> meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RL
> E-size-before-copying.-Fix-out-of-.patch
> > Also, I'm not sure if you got my message yesterday (since there was a
> > problem>
> > with the email transmission) however I'll repeat it here just in case:
> >> Note that whilst we should apply these patches, they won't actually have
> >> any effect on unmodified builds because we do not use gst-ffmpeg's
> >> internal copy of ffmpeg, we use libav instead. So if any of these fixes
> >> apply to libav (or if there are equivalent fixes) we will need to apply
> >> them to libav.
> >
> > Would you be able to take care of the corresponding patches to libav?
>
> I did not see the CVE patches on libav
If they are applicable to the built-in copy of ffmpeg, at least some of them
should be applicable to libav.
Actually I've noticed we're a couple of releases behind on libav 0.8 upgrades
(libav 0.8 is the version we are using with gst-ffmpeg), and we also need to do
a libav 9 upgrade. I will take care of at least doing the upgrades, but we
should double-check that these fixes are either not applicable or already
applied after that is done.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 17+ messages in thread