Openembedded Core Discussions
* [PATCH 00/16 v2] merge 16 CVE patches
@ 2014-07-22  7:46 rongqing.li
  2014-07-22  7:46 ` [PATCH 01/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866 rongqing.li
                   ` (16 more replies)
  0 siblings, 17 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Roy Li <rongqing.li@windriver.com>

The following changes since commit 6bc3696d8451a23d743daf03ee98c4ba54ce4551:

  wget: Remove unneeded DEPENDS line (2014-07-21 19:10:30 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/gst-ff
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/gst-ff

Yue Tao (16):
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
  gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617

 .../0001-aacdec-check-channel-count.patch          |   34 ++++
 ...util-fix-signedness-in-sizeof-comparissio.patch |   40 +++++
 ...c-parser-reset-indexes-on-realloc-failure.patch |   50 ++++++
 ...a-Perform-pointer-advance-and-checks-befo.patch |   81 +++++++++
 ...-error-concealment-initialize-block-index.patch |   29 ++++
 ...alment-Check-that-the-picture-is-not-in-a.patch |   37 ++++
 .../0001-ffserver-set-oformat.patch                |   36 ++++
 .../0001-h264_sei-Fix-infinite-loop.patch          |   39 +++++
 ...check-width-more-completely-avoid-out-of-.patch |   30 ++++
 ...f-compute-probe-buffer-size-more-reliably.patch |   45 +++++
 ...er-dont-access-out-of-array-elements-at-t.patch |   44 +++++
 ...array-index-before-use-fix-out-of-array-a.patch |   30 ++++
 .../0001-qdm2dec-fix-buffer-overflow.patch         |   58 +++++++
 ...Check-that-the-last-indexes-are-within-th.patch |   32 ++++
 ...-vp3-Copy-all-3-frames-for-thread-updates.patch |   32 ++++
 ...-read-for-negative-tokens-and-memleaks-on.patch |  183 ++++++++++++++++++++
 .../gst-ffmpeg-CVE-2013-0855.patch                 |  100 +++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |   17 ++
 18 files changed, 917 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch

-- 
1.7.10.4




* [PATCH 01/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 02/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875 rongqing.li
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file, which
triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-aacdec-check-channel-count.patch          |   34 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
new file mode 100644
index 0000000..7da0e14
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
@@ -0,0 +1,34 @@
+gst-ffmpeg: aacdec: check channel count
+
+Prevent out of array accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ libavcodec/aacdec.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
+index 239153a..6c17c33 100644
+--- a/gst-libs/ext/libav/libavcodec/aacdec.c
++++ b/gst-libs/ext/libav/libavcodec/aacdec.c
+@@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
+         }
+     }
+ 
++    if (avctx->channels > MAX_CHANNELS) {
++        av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
++        return AVERROR_INVALIDDATA;
++    }
++
+     AAC_INIT_VLC_STATIC( 0, 304);
+     AAC_INIT_VLC_STATIC( 1, 270);
+     AAC_INIT_VLC_STATIC( 2, 550);
+-- 
+1.7.5.4
+
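Review bot: the new bound in aac_decode_init only takes effect from line 914 onward, after the block that closes just above it, so please confirm that nothing earlier in the function already indexes an array by avctx->channels; if something does, the `avctx->channels > MAX_CHANNELS` test has to move up. The patch header records the upstream commit but not the CVE id; a "Fixes CVE-2013-0866" line, like the one the vp3 backport in this series carries for its CVE, would make the file traceable on its own. The inner `diff --git a/libavcodec/aacdec.c` line also no longer matches the rewritten `--- a/gst-libs/ext/libav/...` paths below it.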
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a3b2f5c..b4fc8c7 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-alac-fix-nb_samples-order-case.patch \
            file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
            file://0001-roqvideodec-check-dimensions-validity.patch \
+           file://0001-aacdec-check-channel-count.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 02/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
  2014-07-22  7:46 ` [PATCH 01/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 03/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860 rongqing.li
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...er-dont-access-out-of-array-elements-at-t.patch |   44 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
new file mode 100644
index 0000000..1e5fb7d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
@@ -0,0 +1,44 @@
+gst-ffmpeg: pngdec/filter: dont access out of array elements at the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ libavcodec/pngdec.c |   12 ++++--------
+ 1 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
+index 97c0ad1..193e35e 100644
+--- a/gst-libs/ext/libav/libavcodec/pngdec.c
++++ b/gst-libs/ext/libav/libavcodec/pngdec.c
+@@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+     if(bpp >= 2) g = dst[1];\
+     if(bpp >= 3) b = dst[2];\
+     if(bpp >= 4) a = dst[3];\
+-    for(; i < size; i+=bpp) {\
++    for(; i <= size - bpp; i+=bpp) {\
+         dst[i+0] = r = op(r, src[i+0], last[i+0]);\
+         if(bpp == 1) continue;\
+         dst[i+1] = g = op(g, src[i+1], last[i+1]);\
+@@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+     else if(bpp == 2) UNROLL1(2, op)\
+     else if(bpp == 3) UNROLL1(3, op)\
+     else if(bpp == 4) UNROLL1(4, op)\
+-    else {\
+-        for (; i < size; i += bpp) {\
+-            int j;\
+-            for (j = 0; j < bpp; j++)\
+-                dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
+-        }\
+-    }
++    for (; i < size; i++) {\
++        dst[i] = op(dst[i-bpp], src[i], last[i]);\
++    }\
+ 
+ /* NOTE: 'dst' can be equal to 'last' */
+ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
+-- 
+1.7.5.4
+
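Review bot: the replacement tail loop, `dst[i] = op(dst[i-bpp], src[i], last[i]);`, reads dst[i-bpp] and so relies on i >= bpp when it is entered; the initial value of i is outside the hunk, and the loop now runs after every UNROLL1 case as well as replacing the generic else branch, so the description should say why that holds for each bpp. The unrolled bound `i <= size - bpp` also depends on size - bpp being evaluated as a signed value when size < bpp, which deserves a comment. The header gives "Upstream-Status: Backport" with no upstream commit hash and no upstream author sign-off, unlike the aacdec and error_concealment backports in this series.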
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index b4fc8c7..98f8103 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -37,6 +37,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
            file://0001-roqvideodec-check-dimensions-validity.patch \
            file://0001-aacdec-check-channel-count.patch \
+           file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 03/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
  2014-07-22  7:46 ` [PATCH 01/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866 rongqing.li
  2014-07-22  7:46 ` [PATCH 02/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 04/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934 rongqing.li
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a
frame is fully initialized, which allows remote attackers to trigger a
NULL pointer dereference via crafted picture data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...alment-Check-that-the-picture-is-not-in-a.patch |   37 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
new file mode 100644
index 0000000..8eef6e9
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
@@ -0,0 +1,37 @@
+gst-ffmpeg: error_concealment: Check that the picture is not in a half
+
+Fixes state becoming inconsistent
+Fixes a null pointer dereference
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/error_resilience.c |    6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 01f7424..2b6bc42 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){
+        s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled
+        s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return;
+ 
++    if (   s->picture_structure == PICT_FRAME
++        && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {
++        av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
++        return;
++    }
++
+     if(s->current_picture.motion_val[0] == NULL){
+         av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
+ 
+-- 
+1.7.5.4
+
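Review bot: the added condition dereferences s->current_picture_ptr (`s->current_picture_ptr->linesize[0]`) in a patch whose stated purpose is to fix a NULL pointer dereference. Only two of the preceding early-return conditions are visible in the context, so please confirm that one of them guarantees current_picture_ptr is non-NULL here, or add that test to the new `if`. The subject line is also cut off at "is not in a half"; restore the full upstream subject.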
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 98f8103..98d12ea 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -38,6 +38,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-roqvideodec-check-dimensions-validity.patch \
            file://0001-aacdec-check-channel-count.patch \
            file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
+           file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 04/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (2 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 03/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 05/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946 rongqing.li
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Double free vulnerability in the vp3_update_thread_context function in
libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have
an unspecified impact via crafted vp3 data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...-vp3-Copy-all-3-frames-for-thread-updates.patch |   32 ++++
 ...-read-for-negative-tokens-and-memleaks-on.patch |  183 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    2 +
 3 files changed, 217 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
new file mode 100644
index 0000000..a1989cf
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
@@ -0,0 +1,32 @@
+gst-ffmpeg: vp3: Copy all 3 frames for thread updates.
+
+This fixes a double release of the current frame on deinit.
+Fixes CVE-2011-3934
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue.Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/vp3.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 738ae9f..b5daafc 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+         ||s->width != s1->width
+         ||s->height!= s1->height) {
+         if (s != s1)
+-            copy_fields(s, s1, golden_frame, current_frame);
++            copy_fields(s, s1, golden_frame, keyframe);
+         return -1;
+     }
+ 
+-- 
+1.7.5.4
+
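Review bot: the line this hunk removes, `copy_fields(s, s1, golden_frame, current_frame);`, is not in the unpatched source; it is introduced by 0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch in the same commit, so this patch applies only after that one. The SRC_URI order gets that right, but both files are numbered 0001 and nothing in either header records the dependency; please state it. The hunk header also points at line 1859 while the other patch places that call around line 1800, so it will apply with an offset; regenerating it against the tree with the first patch applied would avoid that.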
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
new file mode 100644
index 0000000..e83d8f4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
@@ -0,0 +1,183 @@
+gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue.Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/vp3.c |   59 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 files changed, 45 insertions(+), 14 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 36715bb..ce14e63 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -45,6 +45,7 @@
+ #define FRAGMENT_PIXELS 8
+ 
+ static av_cold int vp3_decode_end(AVCodecContext *avctx);
++static void vp3_decode_flush(AVCodecContext *avctx);
+ 
+ //FIXME split things out into their own arrays
+ typedef struct Vp3Fragment {
+@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+             /* decode a VLC into a token */
+             token = get_vlc2(gb, vlc_table, 11, 3);
+             /* use the token to get a zero run, a coefficient, and an eob run */
+-            if (token <= 6) {
++            if ((unsigned) token <= 6U) {
+                 eob_run = eob_run_base[token];
+                 if (eob_run_get_bits[token])
+                     eob_run += get_bits(gb, eob_run_get_bits[token]);
+@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+                     coeff_i        += eob_run;
+                     eob_run = 0;
+                 }
+-            } else {
++            } else if (token >= 0) {
+                 bits_to_get = coeff_get_bits[token];
+                 if (bits_to_get)
+                     bits_to_get = get_bits(gb, bits_to_get);
+@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+                 for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
+                     s->num_coded_frags[plane][i]--;
+                 coeff_i++;
++            } else {
++                av_log(s->avctx, AV_LOG_ERROR,
++                       "Invalid token %d\n", token);
++                return -1;
+             }
+     }
+ 
+@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     /* unpack the Y plane DC coefficients */
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
+         0, residual_eob_run);
++    if (residual_eob_run < 0)
++        return residual_eob_run;
+ 
+     /* reverse prediction of the Y-plane DC coefficients */
+     reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
+@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     /* unpack the C plane DC coefficients */
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+         1, residual_eob_run);
++    if (residual_eob_run < 0)
++        return residual_eob_run;
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+         2, residual_eob_run);
++    if (residual_eob_run < 0)
++        return residual_eob_run;
+ 
+     /* reverse prediction of the C-plane DC coefficients */
+     if (!(s->avctx->flags & CODEC_FLAG_GRAY))
+@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     for (i = 1; i <= 63; i++) {
+             residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
+                 0, residual_eob_run);
++            if (residual_eob_run < 0)
++                return residual_eob_run;
+ 
+             residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+                 1, residual_eob_run);
++            if (residual_eob_run < 0)
++                return residual_eob_run;
+             residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+                 2, residual_eob_run);
++            if (residual_eob_run < 0)
++                return residual_eob_run;
+     }
+ 
+     return 0;
+@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+     Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
+     int qps_changed = 0, i, err;
+ 
++#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
++
+     if (!s1->current_frame.data[0]
+         ||s->width != s1->width
+-        ||s->height!= s1->height)
++        ||s->height!= s1->height) {
++        if (s != s1)
++            copy_fields(s, s1, golden_frame, current_frame);
+         return -1;
++    }
+ 
+     if (s != s1) {
+         // init tables if the first frame hasn't been decoded
+@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+             memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
+         }
+ 
+-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+-
+         // copy previous frame data
+         copy_fields(s, s1, golden_frame, dsp);
+ 
+@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+     Vp3DecodeContext *s = avctx->priv_data;
+     int i;
+ 
+-    if (avctx->is_copy && !s->current_frame.data[0])
+-        return 0;
+-
+     av_free(s->superblock_coding);
+     av_free(s->all_fragments);
+     av_free(s->coded_fragment_list[0]);
+@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+     free_vlc(&s->motion_vector_vlc);
+ 
+     /* release all frames */
+-    if (s->golden_frame.data[0])
+-        ff_thread_release_buffer(avctx, &s->golden_frame);
+-    if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
+-        ff_thread_release_buffer(avctx, &s->last_frame);
+-    /* no need to release the current_frame since it will always be pointing
+-     * to the same frame as either the golden or last frame */
++    vp3_decode_flush(avctx);
+ 
+     return 0;
+ }
+@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
+         ff_thread_release_buffer(avctx, &s->current_frame);
+ }
+ 
++static int vp3_init_thread_copy(AVCodecContext *avctx)
++{
++    Vp3DecodeContext *s = avctx->priv_data;
++
++    s->superblock_coding      = NULL;
++    s->all_fragments          = NULL;
++    s->coded_fragment_list[0] = NULL;
++    s->dct_tokens_base        = NULL;
++    s->superblock_fragments   = NULL;
++    s->macroblock_coding      = NULL;
++    s->motion_val[0]          = NULL;
++    s->motion_val[1]          = NULL;
++    s->edge_emu_buffer        = NULL;
++
++    return 0;
++}
++
+ AVCodec ff_theora_decoder = {
+     .name           = "theora",
+     .type           = AVMEDIA_TYPE_VIDEO,
+@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
+     .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+     .flush = vp3_decode_flush,
+     .long_name = NULL_IF_CONFIG_SMALL("Theora"),
++    .init_thread_copy      = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+ #endif
+@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
+     .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+     .flush = vp3_decode_flush,
+     .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
++    .init_thread_copy      = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+-- 
+1.7.5.4
+
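Review bot: vp3_decode_end loses its `avctx->is_copy && !s->current_frame.data[0]` early return and now frees unconditionally, which is safe for a thread copy only because vp3_init_thread_copy NULLs the inherited pointers. That function clears nine fields, while only the first three av_free() calls of vp3_decode_end are visible in the context, so please check the two lists against each other and say in the description that they match. The header should also carry the upstream commit hash and state which part of CVE-2011-3934 this patch covers, since the CVE is split across two files and only the other one names it.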
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 98d12ea..c014fc2 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -39,6 +39,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-aacdec-check-channel-count.patch \
            file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
            file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
+           file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
+           file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 05/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (3 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 04/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 06/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023 rongqing.li
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-h264_sei-Fix-infinite-loop.patch          |   39 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
new file mode 100644
index 0000000..1e62b50
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
@@ -0,0 +1,39 @@
+gst-ffmpeg: h264_sei: Fix infinite loop.
+
+Fixsot yet fixed parts of CVE-2011-3946.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/h264_sei.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+
+diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
+index 374e53d..80d70e5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
++++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
+@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
+ 
+         type=0;
+         do{
++            if (get_bits_left(&s->gb) < 8)
++                return -1;
+             type+= show_bits(&s->gb, 8);
+         }while(get_bits(&s->gb, 8) == 255);
+ 
+         size=0;
+         do{
++            if (get_bits_left(&s->gb) < 8)
++                return -1;
+             size+= show_bits(&s->gb, 8);
+         }while(get_bits(&s->gb, 8) == 255);
+ 
+-- 
+1.7.5.4
+
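Review bot: the description line "Fixsot yet fixed parts of CVE-2011-3946." is garbled; restore it from the upstream commit message and add the upstream commit hash, which this header omits. In the code, both new `get_bits_left(&s->gb) < 8` checks `return -1`, whereas the aacdec backport in this series returns AVERROR_INVALIDDATA for malformed input; please note whether the callers of ff_h264_decode_sei treat -1 as a decode error, since a silently ignored return would leave the stream being parsed past its end.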
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index c014fc2..ad4dd34 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
            file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
            file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
+           file://0001-h264_sei-Fix-infinite-loop.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 06/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (4 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 05/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 07/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009 rongqing.li
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The ff_combine_frame function in libavcodec/parser.c in FFmpeg before
2.1 does not properly handle certain memory-allocation errors, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...c-parser-reset-indexes-on-realloc-failure.patch |   50 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
new file mode 100644
index 0000000..5ff6583
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
@@ -0,0 +1,50 @@
+gst-ffmpeg: avcodec/parser: reset indexes on realloc failure
+
+Fixes Ticket2982
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/parser.c |   10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/parser.c b/libavcodec/parser.c
+index 2c6de6e..66eca06 100644
+--- a/gst-libs/ext/libav/libavcodec/parser.c
++++ b/gst-libs/ext/libav/libavcodec/parser.c
+@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+     if(next == END_NOT_FOUND){
+         void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+ 
+-        if(!new_buffer)
++        if(!new_buffer) {
++            pc->index = 0;
+             return AVERROR(ENOMEM);
++        }
+         pc->buffer = new_buffer;
+         memcpy(&pc->buffer[pc->index], *buf, *buf_size);
+         pc->index += *buf_size;
+@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+     /* append to buffer */
+     if(pc->index){
+         void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+-
+-        if(!new_buffer)
++        if(!new_buffer) {
++            pc->overread_index =
++            pc->index = 0;
+             return AVERROR(ENOMEM);
++        }
+         pc->buffer = new_buffer;
+         if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
+             memcpy(&pc->buffer[pc->index], *buf,
+-- 
+1.7.5.4
+
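Review bot: The two error paths in ff_combine_frame now reset different state: the END_NOT_FOUND branch clears only pc->index, while the append branch clears both pc->overread_index and pc->index. If that asymmetry is intended, a one-line comment in the first branch saying why overread_index can be left alone would help; if not, reset both there too. The chained assignment split over two lines ("pc->overread_index =" then "pc->index = 0;") reads like a truncated statement and would be clearer on one line. The header also carries Michael Niedermayer's Signed-off-by twice.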
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index ad4dd34..138b660 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
            file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
            file://0001-h264_sei-Fix-infinite-loop.patch \
+           file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 07/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (5 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 06/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 08/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 rongqing.li
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...a-Perform-pointer-advance-and-checks-befo.patch |   81 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
new file mode 100644
index 0000000..7f6eb48
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
@@ -0,0 +1,81 @@
+gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
+ using the pointers
+
+Fixes out of array accesses
+Fixes Ticket2850
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport 
+
+Singed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/rpza.c |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 635b406..f291a95 100644
+--- a/gst-libs/ext/libav/libavcodec/rpza.c
++++ b/gst-libs/ext/libav/libavcodec/rpza.c
+@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
+     unsigned short *pixels = (unsigned short *)s->frame.data[0];
+ 
+     int row_ptr = 0;
+-    int pixel_ptr = 0;
++    int pixel_ptr = -4;
+     int block_ptr;
+     int pixel_x, pixel_y;
+     int total_blocks;
+@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
+             colorA = AV_RB16 (&s->buf[stream_ptr]);
+             stream_ptr += 2;
+             while (n_blocks--) {
++                ADVANCE_BLOCK()
+                 block_ptr = row_ptr + pixel_ptr;
+                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                     for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
+                     }
+                     block_ptr += row_inc;
+                 }
+-                ADVANCE_BLOCK();
+             }
+             break;
+ 
+@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
+             color4[2] |= ((21 * ta + 11 * tb) >> 5);
+ 
+             while (n_blocks--) {
++                ADVANCE_BLOCK();
+                 block_ptr = row_ptr + pixel_ptr;
+                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                     index = s->buf[stream_ptr++];
+@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
+                     }
+                     block_ptr += row_inc;
+                 }
+-                ADVANCE_BLOCK();
+             }
+             break;
+ 
+         /* Fill block with 16 colors */
+         case 0x00:
++            ADVANCE_BLOCK();
+             block_ptr = row_ptr + pixel_ptr;
+             for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                 for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
+                 }
+                 block_ptr += row_inc;
+             }
+-            ADVANCE_BLOCK();
+             break;
+ 
+         /* Unknown opcode */
+-- 
+1.7.5.4
+
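Review bot: The first moved call, in the inner hunk at -139,6, is written "ADVANCE_BLOCK()" with no trailing semicolon, while the other two added calls are "ADVANCE_BLOCK();". That only compiles if the macro expands to a complete statement or block, so please add the semicolon for consistency. With pixel_ptr now starting at -4, every opcode path has to call ADVANCE_BLOCK() before its first use of row_ptr + pixel_ptr; these hunks cover three paths, so confirm that any path not shown here already advances first. The backporter tag in the header is misspelled "Singed-off-by", which sign-off checks will not recognise.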
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 138b660..42878e6 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -43,6 +43,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
            file://0001-h264_sei-Fix-infinite-loop.patch \
            file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
+           file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 08/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (6 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 07/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 09/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351 rongqing.li
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Integer overflow in the alac_decode_close function in libavcodec/alac.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via a large number of samples per frame in Apple Lossless Audio
Codec (ALAC) data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../gst-ffmpeg-CVE-2013-0855.patch                 |  100 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 101 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
new file mode 100644
index 0000000..3c8d8e3
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
@@ -0,0 +1,100 @@
+gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
+
+Upstream-Status: Backport 
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
+index 2a0df8c..bcbd56d 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c.old
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -87,18 +87,44 @@ typedef struct {
+     int wasted_bits;
+ } ALACContext;
+ 
+-static void allocate_buffers(ALACContext *alac)
++static av_cold int alac_decode_close(AVCodecContext *avctx)
++{
++    ALACContext *alac = avctx->priv_data;
++
++    int chan;
++    for (chan = 0; chan < MAX_CHANNELS; chan++) {
++        av_freep(&alac->predicterror_buffer[chan]);
++        av_freep(&alac->outputsamples_buffer[chan]);
++        av_freep(&alac->wasted_bits_buffer[chan]);
++    }
++
++    return 0;
++}
++
++static int allocate_buffers(ALACContext *alac)
+ {
+     int chan;
++    int buf_size;
++
++    if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
++        goto buf_alloc_fail;
++    buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
++
+     for (chan = 0; chan < MAX_CHANNELS; chan++) {
+-        alac->predicterror_buffer[chan] =
+-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ 
+-        alac->outputsamples_buffer[chan] =
+-            av_malloc(alac->setinfo_max_samples_per_frame * 4);
++        FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
++                         buf_size, buf_alloc_fail);
+ 
+-        alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
++        FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
++                         buf_size, buf_alloc_fail);
++
++        FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
++                         buf_size, buf_alloc_fail);
+     }
++    return 0;
++buf_alloc_fail:
++    alac_decode_close(alac->avctx);
++    return AVERROR(ENOMEM);
+ }
+ 
+ static int alac_set_info(ALACContext *alac)
+@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
+     bytestream_get_be32(&ptr);      /* bitrate ? */
+     bytestream_get_be32(&ptr);      /* samplerate */
+ 
+-    allocate_buffers(alac);
+-
+     return 0;
+ }
+ 
+@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
+ 
+ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ {
++    int ret;
+     ALACContext *alac = avctx->priv_data;
+     alac->avctx = avctx;
+     alac->numchannels = alac->avctx->channels;
+@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
+         return -1;
+     }
+ 
+-    return 0;
+-}
+-
+-static av_cold int alac_decode_close(AVCodecContext *avctx)
+-{
+-    ALACContext *alac = avctx->priv_data;
+-
+-    int chan;
+-    for (chan = 0; chan < MAX_CHANNELS; chan++) {
+-        av_freep(&alac->predicterror_buffer[chan]);
+-        av_freep(&alac->outputsamples_buffer[chan]);
+-        av_freep(&alac->wasted_bits_buffer[chan]);
++    if ((ret = allocate_buffers(alac)) < 0) {
++        av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
++        return ret;
+     }
+ 
+     return 0;
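Review bot: This patch file has no description beyond the CVE title, and "Upstream-Status: Backport" names no upstream commit or author, so the new "setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)" guard in allocate_buffers cannot be checked against the upstream fix. Please add the upstream commit id and a sentence on the overflow being closed. The buf_alloc_fail path calls alac_decode_close, which runs av_freep on all MAX_CHANNELS entries including ones not yet allocated, so it depends on the three buffer arrays starting out NULL; a comment stating that assumption would help. The inner header path alac.c.old suggests a hand-made diff; regenerating it from git would also bring back the missing commit metadata.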
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 42878e6..c276184 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-h264_sei-Fix-infinite-loop.patch \
            file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
            file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
+           file://gst-ffmpeg-CVE-2013-0855.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
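Review bot: The new SRC_URI entry gst-ffmpeg-CVE-2013-0855.patch is named after the CVE, while the entries around it in this hunk are named after the upstream subject (0001-...). Pick one scheme for the series so the CVE-to-patch mapping can be read off SRC_URI consistently.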
-- 
1.7.10.4




* [PATCH 09/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (7 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 08/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 10/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848 rongqing.li
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before
0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute
arbitrary code via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-qdm2dec-fix-buffer-overflow.patch         |   58 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
new file mode 100644
index 0000000..43ffc03
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
@@ -0,0 +1,58 @@
+gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144
+
+This also adds a few lines of code from master that are needed for this fix.
+
+Thanks to Phillip for suggestions to improve the patch.
+Found-by: Phillip Langlois
+
+Upstream-Status: Backport 
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/qdm2.c |    9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 3aa9e5b..e000df8 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -76,6 +76,7 @@ do { \
+ #define SAMPLES_NEEDED_2(why) \
+      av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
+ 
++#define QDM2_MAX_FRAME_SIZE 512
+ 
+ typedef int8_t sb_int8_array[2][30][64];
+ 
+@@ -168,7 +169,7 @@ typedef struct {
+     /// I/O data
+     const uint8_t *compressed_data;
+     int compressed_size;
+-    float output_buffer[1024];
++    float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
+ 
+     /// Synthesis filter
+     MPADSPContext mpadsp;
+@@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
+     s->group_order = av_log2(s->group_size) + 1;
+     s->frame_size = s->group_size / 16; // 16 iterations per super block
+ 
++    if (s->frame_size > QDM2_MAX_FRAME_SIZE)
++        return AVERROR_INVALIDDATA;
++
+     s->sub_sampling = s->fft_order - 7;
+     s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
+ 
+@@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
+     int ch, i;
+     const int frame_size = (q->frame_size * q->channels);
+ 
++    if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
++        return -1;
++
+     /* select input buffer */
+     q->compressed_data = in;
+     q->compressed_size = q->checksum_size;
+-- 
+1.7.5.4
+
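Review bot: The two new bounds checks report failure differently: qdm2_decode_init returns AVERROR_INVALIDDATA when s->frame_size > QDM2_MAX_FRAME_SIZE, but qdm2_decode returns a bare -1 when (unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2. Using AVERROR_INVALIDDATA in both would be consistent, and the /2 in the second check deserves a comment tying it to the "* 2" in the new output_buffer size. The init check is a signed comparison, so a negative frame_size passes it and is only caught later by the unsigned cast in qdm2_decode; rejecting it at init would be tidier. The header has no Signed-off-by from the backporter, unlike the earlier patches in this series.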
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index c276184..345086e 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -45,6 +45,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
            file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
            file://gst-ffmpeg-CVE-2013-0855.patch \
+           file://0001-qdm2dec-fix-buffer-overflow.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 10/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (8 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 09/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 11/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944 rongqing.li
                   ` (6 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via a crafted
width in huffyuv data with the predictor set to median and the
colorspace set to YUV422P, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...check-width-more-completely-avoid-out-of-.patch |   30 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
new file mode 100644
index 0000000..6b60d16
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
@@ -0,0 +1,30 @@
+gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array
+ accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport 
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 6e88114..ca5bcd8 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -526,6 +526,10 @@ s->bgr32=1;
+         assert(0);
+     }
+ 
++    if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
++        av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
++        return AVERROR_INVALIDDATA;
++    }
+     alloc_temp(s);
+ 
+ //    av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
+-- 
+1.7.5.4
+
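Review bot: The added check uses AV_PIX_FMT_YUV422P, but the same bundled libav tree still uses the older unprefixed naming elsewhere in this series (the error_resilience.c context in patch 13 tests s->codec_id == CODEC_ID_H264), so please confirm that the AV_PIX_FMT_ name is declared in this snapshot and use the tree's own spelling of the constant if it is not. The log string is also missing a word: "width must be a multiple of 4 this colorspace and predictor" should read "multiple of 4 for this colorspace and predictor". No backporter Signed-off-by appears in the header.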
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 345086e..7e3d7d6 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -46,6 +46,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
            file://gst-ffmpeg-CVE-2013-0855.patch \
            file://0001-qdm2dec-fix-buffer-overflow.patch \
+           file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 11/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (9 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 10/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 12/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010 rongqing.li
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The smacker_decode_header_tree function in libavcodec/smacker.c in
FFmpeg before 0.10 allows remote attackers to have an unspecified impact
via crafted Smacker data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944

           file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>

Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...Check-that-the-last-indexes-are-within-th.patch |   32 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
new file mode 100644
index 0000000..15b1614
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
@@ -0,0 +1,32 @@
+gst-ffmpeg: smackerdec: Check that the last indexes are within the
+ table.
+
+Fixes CVE-2011-3944
+
+Upstream-Status: Backport 
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/smacker.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
+index 30f99b4..2a8bae8 100644
+--- a/gst-libs/ext/libav/libavcodec/smacker.c
++++ b/gst-libs/ext/libav/libavcodec/smacker.c
+@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+     if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
+     if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
+     if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
++    if(huff.current > huff.length){
++        ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
++        av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
++        return -1;
++    }
+ 
+     *recodes = huff.values;
+ 
+-- 
+1.7.5.4
+
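Review bot: The new error return in smacker_decode_header_tree comes before "*recodes = huff.values;", so on the "bigtree damaged" path the caller never receives huff.values. If that buffer was allocated earlier in this function it needs to be freed before returning -1; otherwise please say in the patch description why no cleanup is needed. The check also runs after the three "ctx.last[n] = huff.current++" assignments and then overwrites all three with 1; a short comment on why 1 is a safe index would help the next reader. No backporter Signed-off-by appears in the header.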
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 7e3d7d6..a540211 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://gst-ffmpeg-CVE-2013-0855.patch \
            file://0001-qdm2dec-fix-buffer-overflow.patch \
            file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
+           file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 12/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (10 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 11/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 13/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941 rongqing.li
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...util-fix-signedness-in-sizeof-comparissio.patch |   40 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
new file mode 100644
index 0000000..31fa51a
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
@@ -0,0 +1,40 @@
+From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 30 Aug 2013 23:40:47 +0200
+Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/dsputil.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
+index 53dc2eb..6264832 100644
+--- a/gst-libs/ext/libav/libavcodec/dsputil.c
++++ b/gst-libs/ext/libav/libavcodec/dsputil.c
+@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
+ 
+ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
+     long i;
+-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+         long a = *(long*)(src+i);
+         long b = *(long*)(dst+i);
+         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
+@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
+         }
+     }else
+ #endif
+-    for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+         long a = *(long*)(src1+i);
+         long b = *(long*)(src2+i);
+         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
+-- 
+1.7.5.4
+
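Review bot: Nothing in this patch file ties it to CVE-2013-7010; the header has only the upstream subject and cherry-pick id, so the patch file on its own does not say which advisory it addresses. Add a line naming the CVE, and a Signed-off-by from the backporter. On the code: the (int) cast makes the bound w-(int)sizeof(long) signed in both add_bytes_c and diff_bytes_c, so a w smaller than sizeof(long) now skips the word loop instead of wrapping to a huge unsigned bound. The increment i+=sizeof(long) still mixes long and size_t, which is harmless here but could take the same cast for symmetry.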
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a540211..c3681b6 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -48,6 +48,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-qdm2dec-fix-buffer-overflow.patch \
            file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
            file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
+           file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 13/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (11 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 12/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 14/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846 rongqing.li
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The decode_mb function in libavcodec/error_resilience.c in FFmpeg before
0.10 allows remote attackers to have an unspecified impact via vectors
related to an uninitialized block index, which triggers an out-of-bound
write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...-error-concealment-initialize-block-index.patch |   29 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
new file mode 100644
index 0000000..e0e4239
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
@@ -0,0 +1,29 @@
+gst-ffmpeg: error concealment: initialize block index.
+
+Fixes CVE-2011-3941 (out of bounds write)
+
+Upstream-Status: Backport 
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/error_resilience.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 8bb5d0c..d55c000 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){
+     s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+     s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+ 
++    ff_init_block_index(s);
++    ff_update_block_index(s);
++
+     if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){
+         H264Context *h= (void*)s;
+         h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
+-- 
+1.7.5.4
+
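Review bot: The patch header says `Upstream-Status: Backport` but gives no upstream commit id, so the three added lines in `decode_mb` cannot be checked against the FFmpeg change they were taken from; a `cherry picked from commit ...` line, as used in the lavf probe-buffer patch of this series, would fix that. The trailing space after `Backport` should go as well. The inner `diff --git a/libavcodec/error_resilience.c` line also disagrees with the `---`/`+++` paths under `gst-libs/ext/libav/`, which is worth making consistent so the strip level is unambiguous.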
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index c3681b6..dd07435 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -49,6 +49,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
            file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
            file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
+           file://0001-error-concealment-initialize-block-index.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 14/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (12 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 13/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 15/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618 rongqing.li
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

Array index error in the qdm2_decode_super_block function in
libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have
an unspecified impact via crafted QDM2 data, which triggers an
out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...array-index-before-use-fix-out-of-array-a.patch |   30 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
new file mode 100644
index 0000000..8c94232
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
@@ -0,0 +1,30 @@
+gst-ffmpeg: qdm2: check array index before use, fix out of array
+ accesses
+
+Upstream-Status: Backport 
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/qdm2.c |    5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 4cf4b2f..1dfb8d5 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
+     for (i = 0; packet_bytes > 0; i++) {
+         int j;
+ 
++        if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
++            SAMPLES_NEEDED_2("too many packet bytes");
++            return;
++        }
++
+         q->sub_packet_list_A[i].next = NULL;
+ 
+         if (i > 0) {
+-- 
+1.7.5.4
+
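Review bot: The new bounds check in `qdm2_decode_super_block` bails out with a bare `return`, and since the function is `static void` the caller gets no indication that the super block was only partly parsed. The check itself is correctly placed ahead of the first `q->sub_packet_list_A[i]` write, but please confirm that the entries already linked on earlier iterations are not consumed after the early exit. The patch header should also name CVE-2013-0846 and the upstream commit id; as written it has neither, and `Upstream-Status: Backport` carries a trailing space.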
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index dd07435..7806006 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -50,6 +50,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
            file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
            file://0001-error-concealment-initialize-block-index.patch \
+           file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 15/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (13 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 14/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  7:46 ` [PATCH 16/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617 rongqing.li
  2014-07-22  8:22 ` [PATCH 00/16 v2] merge 16 CVE patches Burton, Ross
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The av_probe_input_buffer function in libavformat/utils.c in FFmpeg
before 1.0.2, when running with certain -probesize values, allows remote
attackers to cause a denial of service (crash) via a crafted MP3 file,
possibly related to frame size or lack of sufficient frames to estimate
rate.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...f-compute-probe-buffer-size-more-reliably.patch |   45 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
new file mode 100644
index 0000000..ea4aa22
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
@@ -0,0 +1,45 @@
+gst-ffmpeg: lavf: compute probe buffer size more reliably.
+
+The previous code computes the offset by reversing the growth
+of the allocated buffer size: it is complex and did lead to
+inconsistencies when the size limit is reached.
+
+Fix trac ticket #1991.
+(cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
+
+Conflicts:
+	libavformat/utils.c
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavformat/utils.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index 7940037..be73c4a 100644
+--- a/gst-libs/ext/libav/libavformat/utils.c
++++ b/gst-libs/ext/libav/libavformat/utils.c
+@@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+ {
+     AVProbeData pd = { filename ? filename : "", NULL, -offset };
+     unsigned char *buf = NULL;
+-    int ret = 0, probe_size;
++    int ret = 0, probe_size, buf_offset = 0;
+ 
+     if (!max_probe_size) {
+         max_probe_size = PROBE_BUF_MAX;
+@@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+             score = 0;
+             ret = 0;            /* error was end of file, nothing read */
+         }
+-        pd.buf_size += ret;
++        pd.buf_size = buf_offset += ret;
+         pd.buf = &buf[offset];
+ 
+         memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
+-- 
+1.7.5.4
+
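Review bot: Only two lines of `av_probe_input_buffer` change here, a function-scope `buf_offset = 0` and `pd.buf_size = buf_offset += ret;`, while the read that fills `buf` is not part of either hunk. The header's `Conflicts: libavformat/utils.c` note means the cherry-pick was resolved by hand, so please confirm that the probe loop does not still declare its own `buf_offset` (which would shadow the new variable and leave the old offset computation in place) and that the read into `buf` uses the same running offset. It would also help to split the chained assignment into two statements and to name CVE-2012-6618 in the patch header, which currently cites only trac ticket #1991.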
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 7806006..10bf36c 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -51,6 +51,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
            file://0001-error-concealment-initialize-block-index.patch \
            file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
+           file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 16/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (14 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 15/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618 rongqing.li
@ 2014-07-22  7:46 ` rongqing.li
  2014-07-22  8:22 ` [PATCH 00/16 v2] merge 16 CVE patches Burton, Ross
  16 siblings, 0 replies; 19+ messages in thread
From: rongqing.li @ 2014-07-22  7:46 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The prepare_sdp_description function in ffserver.c in FFmpeg before
1.0.2 allows remote attackers to cause a denial of service (crash) via
vectors related to the rtp format.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-ffserver-set-oformat.patch                |   36 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
new file mode 100644
index 0000000..80325db
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
@@ -0,0 +1,36 @@
+gst-ffmpeg: ffserver: set oformat
+
+Fix Ticket1986
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f)
+
+Upstream-Status: Backport 
+
+---
+ ffserver.c |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/ffserver.c b/ffserver.c
+index 4044d0f..8740140 100644
+--- a/gst-libs/ext/libav/ffserver.c
++++ b/gst-libs/ext/libav/ffserver.c
+@@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
+ {
+     AVFormatContext *avc;
+     AVStream *avs = NULL;
++    AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
+     int i;
+ 
+     avc =  avformat_alloc_context();
+-    if (avc == NULL) {
++    if (avc == NULL || !rtp_format) {
+         return -1;
+     }
++    avc->oformat = rtp_format;
+     av_dict_set(&avc->metadata, "title",
+                stream->title[0] ? stream->title : "No Title", 0);
+     avc->nb_streams = stream->nb_streams;
+-- 
+1.7.5.4
+
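Review bot: The combined check `if (avc == NULL || !rtp_format)` in `prepare_sdp_description` leaks `avc` when `avformat_alloc_context()` succeeds but `av_guess_format("rtp", NULL, NULL)` returned NULL, because the `return -1` path never frees the context. Testing `rtp_format` before the allocation, or freeing `avc` on that branch, avoids the leak. The patch header should also mention CVE-2012-6617; it currently refers only to `Ticket1986`.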
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 10bf36c..e26b267 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -52,6 +52,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-error-concealment-initialize-block-index.patch \
            file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
            file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
+           file://0001-ffserver-set-oformat.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* Re: [PATCH 00/16 v2] merge 16 CVE patches
  2014-07-22  7:46 [PATCH 00/16 v2] merge 16 CVE patches rongqing.li
                   ` (15 preceding siblings ...)
  2014-07-22  7:46 ` [PATCH 16/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617 rongqing.li
@ 2014-07-22  8:22 ` Burton, Ross
  2014-07-23  1:32   ` Rongqing Li
  16 siblings, 1 reply; 19+ messages in thread
From: Burton, Ross @ 2014-07-22  8:22 UTC (permalink / raw)
  To: rongqing.li@windriver.com; +Cc: OE-core

On 22 July 2014 08:46,  <rongqing.li@windriver.com> wrote:
> Yue Tao (16):
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
>   gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617

As there's no benefit in being able to bisect this, I think it would
be neater if these were squashed into a single commit.

Ross



* Re: [PATCH 00/16 v2] merge 16 CVE patches
  2014-07-22  8:22 ` [PATCH 00/16 v2] merge 16 CVE patches Burton, Ross
@ 2014-07-23  1:32   ` Rongqing Li
  0 siblings, 0 replies; 19+ messages in thread
From: Rongqing Li @ 2014-07-23  1:32 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core



On 07/22/2014 04:22 PM, Burton, Ross wrote:
> On 22 July 2014 08:46,  <rongqing.li@windriver.com> wrote:
>> Yue Tao (16):
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0866
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
>>    gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617
>
> As there's no benefit in being able to bisect this, I think it would
> be neater if these were squashed into a single commit.
>

I am fine, Saul can squash them when merging

-Roy

> Ross
>
>

-- 
Best Regards,
Roy | RongQing Li


