* [PATCH 00/12] forward 12 CVE patches for ffmpeg
@ 2014-05-15 2:03 rongqing.li
2014-05-15 2:03 ` [PATCH 01/12] Security Advisory - ffmpeg - CVE-2014-2263 rongqing.li
` (12 more replies)
0 siblings, 13 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
The following changes since commit 58417093d7ce83c8a2f683a356fddc23aaee5e8e:
wic: Extend indirect string connection to support image names and rootfs (2014-05-13 19:35:06 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib roy/ffmpeg-1
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-1
Yue Tao (12):
Security Advisory - ffmpeg - CVE-2014-2263
Security Advisory - ffmpeg - CVE-2013-0865
Security Advisory - ffmpeg - CVE-2014-2099
Security Advisory - ffmpeg - CVE-2013-0868
Security Advisory - ffmpeg - CVE-2013-0845
Security Advisory - ffmpeg - CVE-2013-0852
Security Advisory - ffmpeg - CVE-2013-0858
Security Advisory - ffmpeg - CVE-2013-0851
Security Advisory - ffmpeg - CVE-2013-0854
Security Advisory - ffmpeg - CVE-2013-0856
Security Advisory - ffmpeg - CVE-2013-0850
Security Advisory - ffmpeg - CVE-2013-0849
.../0001-alac-fix-nb_samples-order-case.patch | 30 +++++++
.../0001-alsdec-check-block-length.patch | 61 ++++++++++++++
...ac3dec-Check-coding-mode-against-channels.patch | 37 +++++++++
...le-use-av_image_get_linesize-to-calculate.patch | 48 +++++++++++
...egtsenc-Check-data-array-size-in-mpegts_w.patch | 67 +++++++++++++++
.../0001-eamad-fix-out-of-array-accesses.patch | 29 +++++++
...t-ref-count-check-and-limit-fix-out-of-ar.patch | 29 +++++++
...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87 ++++++++++++++++++++
.../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
.../0001-mjpegdec-check-SE.patch | 32 +++++++
...heck-RLE-size-before-copying.-Fix-out-of-.patch | 34 ++++++++
...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++
...o-check-chunk-sizes-before-reading-chunks.patch | 49 +++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 13 +++
14 files changed, 611 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
--
1.7.10.4
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 01/12] Security Advisory - ffmpeg - CVE-2014-2263
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 02/12] Security Advisory - ffmpeg - CVE-2013-0865 rongqing.li
` (11 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB)
muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier,
allows remote attackers to have unspecified impact and vectors, which
trigger an out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2263
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...egtsenc-Check-data-array-size-in-mpegts_w.patch | 67 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
new file mode 100644
index 0000000..0e00355
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
@@ -0,0 +1,67 @@
+From 12770701856a05b6b3cd706f708f8e9a4e8a1336 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 13 Feb 2014 13:59:51 +0100
+Subject: [PATCH] avformat/mpegtsenc: Check data array size in
+ mpegts_write_pmt()
+
+COmmit 12770701856a05b6b3cd706f708f8e9a4e8a1336 release/0.11
+
+Prevents out of array writes
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad)
+
+Conflicts:
+
+ libavformat/mpegtsenc.c
+(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavformat/mpegtsenc.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
+index 793e205..a12d19f 100644
+--- a/gst-libs/ext/libav/libavformat/mpegtsenc.c
++++ b/gst-libs/ext/libav/libavformat/mpegtsenc.c
+@@ -240,7 +240,7 @@ static void mpegts_write_pat(AVFormatContext *s)
+ data, q - data);
+ }
+
+-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
++static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ {
+ // MpegTSWrite *ts = s->priv_data;
+ uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
+@@ -293,6 +293,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ stream_type = STREAM_TYPE_PRIVATE_DATA;
+ break;
+ }
++
++ if (q - data > sizeof(data) - 32)
++ return AVERROR(EINVAL);
++
+ *q++ = stream_type;
+ put16(&q, 0xe000 | ts_st->pid);
+ desc_length_ptr = q;
+@@ -324,7 +328,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ len_ptr = q++;
+ *len_ptr = 0;
+
+- for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
++ for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) {
+ next = strchr(p, ',');
+ if (strlen(p) != 3 && (!next || next != p + 3))
+ continue; /* not a 3-letter code */
+@@ -386,6 +390,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ }
+ mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
+ data, q - data);
++ return 0;
+ }
+
+ /* NOTE: str == NULL is accepted for an empty string */
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index e1257a2..4913539 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libav_e500mc.patch \
file://libav_e5500.patch \
file://gst-ffmpeg-CVE-2013-3674.patch \
+ file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 02/12] Security Advisory - ffmpeg - CVE-2013-0865
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
2014-05-15 2:03 ` [PATCH 01/12] Security Advisory - ffmpeg - CVE-2014-2263 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 03/12] Security Advisory - ffmpeg - CVE-2014-2099 rongqing.li
` (10 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0865
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...o-check-chunk-sizes-before-reading-chunks.patch | 49 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
new file mode 100644
index 0000000..c4002d5
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
@@ -0,0 +1,49 @@
+From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 25 Jan 2013 06:11:59 +0100
+Subject: [PATCH] vqavideo: check chunk sizes before reading chunks
+
+Commit 2cac35086c9e103fa98960c546d5017e7363803a release/0.7
+
+Fixes out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/vqavideo.c | 10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
+index d1eab5b..6e1ce6c 100644
+--- a/gst-libs/ext/libav/libavcodec/vqavideo.c
++++ b/gst-libs/ext/libav/libavcodec/vqavideo.c
+@@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s)
+ chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]);
+ cbp0_chunk += CHUNK_PREAMBLE_SIZE;
+
++ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++ av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ /* accumulate partial codebook */
+ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ &s->buf[cbp0_chunk], chunk_size);
+@@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s)
+ chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]);
+ cbpz_chunk += CHUNK_PREAMBLE_SIZE;
+
++ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++ av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size);
++ return AVERROR_INVALIDDATA;
++ }
++
+ /* accumulate partial codebook */
+ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ &s->buf[cbpz_chunk], chunk_size);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 4913539..3d1f207 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://libav_e5500.patch \
file://gst-ffmpeg-CVE-2013-3674.patch \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
+ file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 03/12] Security Advisory - ffmpeg - CVE-2014-2099
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
2014-05-15 2:03 ` [PATCH 01/12] Security Advisory - ffmpeg - CVE-2014-2263 rongqing.li
2014-05-15 2:03 ` [PATCH 02/12] Security Advisory - ffmpeg - CVE-2013-0865 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 04/12] Security Advisory - ffmpeg - CVE-2013-0868 rongqing.li
` (9 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before
2.1.4 does not properly calculate line sizes, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Microsoft RLE video
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2099
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...le-use-av_image_get_linesize-to-calculate.patch | 48 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
new file mode 100644
index 0000000..1d5bba4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
@@ -0,0 +1,48 @@
+From 573d5fdedae72bf59d8c0b0766fdee171063d36f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 16 Feb 2014 23:08:52 +0100
+Subject: [PATCH] avcodec/msrle: use av_image_get_linesize() to calculate the
+ linesize
+
+Commit 573d5fdedae72bf59d8c0b0766fdee171063d36f release/0.9
+
+Fixes out of array access
+Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2)
+
+Conflicts:
+
+ libavcodec/msrle.c
+(cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/msrle.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
+index 30159bb..c39ae7b 100644
+--- a/gst-libs/ext/libav/libavcodec/msrle.c
++++ b/gst-libs/ext/libav/libavcodec/msrle.c
+@@ -35,6 +35,7 @@
+ #include "avcodec.h"
+ #include "dsputil.h"
+ #include "msrledec.h"
++#include "libavutil/imgutils.h"
+
+ typedef struct MsrleContext {
+ AVCodecContext *avctx;
+@@ -107,7 +108,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,
+
+ /* FIXME how to correctly detect RLE ??? */
+ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
+- int linesize = avctx->width * avctx->bits_per_coded_sample / 8;
++ int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
+ uint8_t *ptr = s->frame.data[0];
+ uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
+ int i, j;
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 3d1f207..05cc404 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://gst-ffmpeg-CVE-2013-3674.patch \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
+ file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 04/12] Security Advisory - ffmpeg - CVE-2013-0868
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (2 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 03/12] Security Advisory - ffmpeg - CVE-2014-2099 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 05/12] Security Advisory - ffmpeg - CVE-2013-0845 rongqing.li
` (8 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) len==0 cases.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...01-huffyuvdec-Check-init_vlc-return-codes.patch | 87 ++++++++++++++++++++
.../0001-huffyuvdec-Skip-len-0-cases.patch | 59 +++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 2 +
3 files changed, 148 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
new file mode 100644
index 0000000..e26165b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
@@ -0,0 +1,87 @@
+From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 18:29:41 +0100
+Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
+
+Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
+
+Prevents out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 58da789..993e524 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -33,6 +33,7 @@
+ #include "put_bits.h"
+ #include "dsputil.h"
+ #include "thread.h"
++#include "libavutil/avassert.h"
+
+ #define VLC_BITS 11
+
+@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
+ int len1 = s->len[p][u];
+ if (len1 > limit || !len1)
+ continue;
++ av_assert0(i < (1 << VLC_BITS));
+ len[i] = len0 + len1;
+ bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+ symbols[i] = (y<<8) + u;
+@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
+ int len2 = s->len[2][r&255];
+ if (len2 > limit1 || !len2)
+ continue;
++ av_assert0(i < (1 << VLC_BITS));
+ len[i] = len0 + len1 + len2;
+ bits[i] = (code << len2) + s->bits[2][r&255];
+ if(s->decorrelate){
+@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
+ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
+ GetBitContext gb;
+ int i;
++ int ret;
+
+ init_get_bits(&gb, src, length*8);
+
+@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
+ return -1;
+ }
+ free_vlc(&s->vlc[i]);
+- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++ s->bits[i], 4, 4, 0)) < 0)
++ return ret;
+ }
+
+ generate_joint_tables(s);
+@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
+ #if 1
+ GetBitContext gb;
+ int i;
++ int ret;
+
+ init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+ if(read_len_table(s->len[0], &gb)<0)
+@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
+
+ for(i=0; i<3; i++){
+ free_vlc(&s->vlc[i]);
+- init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++ if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++ s->bits[i], 4, 4, 0)) < 0)
++ return ret;
+ }
+
+ generate_joint_tables(s);
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
new file mode 100644
index 0000000..68bc966
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
@@ -0,0 +1,59 @@
+From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 19:22:33 +0100
+Subject: [PATCH] huffyuvdec: Skip len==0 cases
+
+Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
+
+Fixes vlc decoding for hypothetical files that would contain such cases.
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 993e524..72ed351 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
+ for(i=y=0; y<256; y++){
+ int len0 = s->len[0][y];
+ int limit = VLC_BITS - len0;
+- if(limit <= 0)
++ if(limit <= 0 || !len0)
+ continue;
+ for(u=0; u<256; u++){
+ int len1 = s->len[p][u];
+- if(len1 > limit)
++ if (len1 > limit || !len1)
+ continue;
+ len[i] = len0 + len1;
+ bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
+ for(i=0, g=-16; g<16; g++){
+ int len0 = s->len[p0][g&255];
+ int limit0 = VLC_BITS - len0;
+- if(limit0 < 2)
++ if (limit0 < 2 || !len0)
+ continue;
+ for(b=-16; b<16; b++){
+ int len1 = s->len[p1][b&255];
+ int limit1 = limit0 - len1;
+- if(limit1 < 1)
++ if (limit1 < 1 || !len1)
+ continue;
+ code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
+ for(r=-16; r<16; r++){
+ int len2 = s->len[2][r&255];
+- if(len2 > limit1)
++ if (len2 > limit1 || !len2)
+ continue;
+ len[i] = len0 + len1 + len2;
+ bits[i] = (code << len2) + s->bits[2][r&255];
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 05cc404..847b927 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
+ file://0001-huffyuvdec-Skip-len-0-cases.patch \
+ file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 05/12] Security Advisory - ffmpeg - CVE-2013-0845
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (3 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 04/12] Security Advisory - ffmpeg - CVE-2013-0868 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 06/12] Security Advisory - ffmpeg - CVE-2013-0852 rongqing.li
` (7 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to
have an unspecified impact via a crafted block length, which triggers an
out-of-bounds write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0845
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-alsdec-check-block-length.patch | 61 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
new file mode 100644
index 0000000..bac1fde
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
@@ -0,0 +1,61 @@
+From 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Wed, 12 Dec 2012 12:28:45 +0100
+Subject: [PATCH] alsdec: check block length
+
+Commit 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 release/1.0
+
+Fix writing over the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/alsdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 46dd0b4..1095b01 100644
+--- a/gst-libs/ext/libav/libavcodec/alsdec.c
++++ b/gst-libs/ext/libav/libavcodec/alsdec.c
+@@ -552,12 +552,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks,
+
+ /** Read the block data for a constant block
+ */
+-static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
++static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+ {
+ ALSSpecificConfig *sconf = &ctx->sconf;
+ AVCodecContext *avctx = ctx->avctx;
+ GetBitContext *gb = &ctx->gb;
+
++ if (bd->block_length <= 0)
++ return -1;
++
+ *bd->raw_samples = 0;
+ *bd->const_block = get_bits1(gb); // 1 = constant value, 0 = zero block (silence)
+ bd->js_blocks = get_bits1(gb);
+@@ -572,6 +575,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+
+ // ensure constant block decoding by reusing this field
+ *bd->const_block = 1;
++
++ return 0;
+ }
+
+
+@@ -971,7 +976,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
+ if (read_var_block_data(ctx, bd))
+ return -1;
+ } else {
+- read_const_block_data(ctx, bd);
++ if (read_const_block_data(ctx, bd) < 0)
++ return -1;
+ }
+
+ return 0;
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 847b927..430bcc7 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
file://0001-huffyuvdec-Skip-len-0-cases.patch \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
+ file://0001-alsdec-check-block-length.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 06/12] Security Advisory - ffmpeg - CVE-2013-0852
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (4 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 05/12] Security Advisory - ffmpeg - CVE-2013-0845 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 07/12] Security Advisory - ffmpeg - CVE-2013-0858 rongqing.li
` (6 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via
crafted RLE data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0852
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...heck-RLE-size-before-copying.-Fix-out-of-.patch | 34 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
new file mode 100644
index 0000000..3cf3a4c
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
@@ -0,0 +1,34 @@
+From 28bf685bfc6d0c744369cdf367f61a78d80d0b01 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 15 Nov 2012 16:41:28 +0100
+Subject: [PATCH] pgssubdec: check RLE size before copying. Fix out of array
+ accesses
+
+Commit 28bf685bfc6d0c744369cdf367f61a78d80d0b01 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c0d68be555f5858703383040e04fcd6529777061)
+---
+ libavcodec/pgssubdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
+index 728f178..26a3c2a 100644
+--- a/gst-libs/ext/libav/libavcodec/pgssubdec.c
++++ b/gst-libs/ext/libav/libavcodec/pgssubdec.c
+@@ -202,6 +202,11 @@ static int parse_picture_segment(AVCodec
+ return -1;
+ }
+
++ if (buf_size > rle_bitmap_len) {
++ av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ ctx->picture.w = width;
+ ctx->picture.h = height;
+
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 430bcc7..eded98b 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-huffyuvdec-Skip-len-0-cases.patch \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
file://0001-alsdec-check-block-length.patch \
+ file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 07/12] Security Advisory - ffmpeg - CVE-2013-0858
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (5 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 06/12] Security Advisory - ffmpeg - CVE-2013-0852 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 08/12] Security Advisory - ffmpeg - CVE-2013-0851 rongqing.li
` (5 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before
1.0.4 allows remote attackers to have an unspecified impact via ATRAC3
data with the joint stereo coding mode set and fewer than two channels.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0858
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...ac3dec-Check-coding-mode-against-channels.patch | 37 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
new file mode 100644
index 0000000..c269481
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
@@ -0,0 +1,37 @@
+From 2502914c5f8eb77659d7c0868396862557a63245 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 9 Nov 2012 13:26:20 +0100
+Subject: [PATCH] atrac3dec: Check coding mode against channels.
+
+Commit 2502914c5f8eb77659d7c0868396862557a63245 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 13451f5520ce6b0afde861b2285dda659f8d4fb4)
+
+Conflicts:
+
+ libavcodec/atrac3.c
+---
+ libavcodec/atrac3.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
+index 7d076be..1da4c78 100644
+--- a/gst-libs/ext/libav/libavcodec/atrac3.c
++++ b/gst-libs/ext/libav/libavcodec/atrac3.c
+@@ -955,6 +955,11 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
+ }
+ /* Check the extradata. */
+
++ if (q->codingMode == JOINT_STEREO && avctx->channels < 2) {
++ av_log(avctx, AV_LOG_ERROR, "Invalid coding mode\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ if (q->atrac3version != 4) {
+ av_log(avctx,AV_LOG_ERROR,"Version %d != 4.\n",q->atrac3version);
+ return AVERROR_INVALIDDATA;
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index eded98b..a603ff5 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
file://0001-alsdec-check-block-length.patch \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
+ file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 08/12] Security Advisory - ffmpeg - CVE-2013-0851
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (6 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 07/12] Security Advisory - ffmpeg - CVE-2013-0858 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:03 ` [PATCH 09/12] Security Advisory - ffmpeg - CVE-2013-0854 rongqing.li
` (4 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted
Electronic Arts Madcow video data, which triggers an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0851
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-eamad-fix-out-of-array-accesses.patch | 29 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
new file mode 100644
index 0000000..16432c6
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
@@ -0,0 +1,29 @@
+From 63ac64864c6e0e84355aa3caa5b92208997a9a8d Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 17 Nov 2012 16:26:55 +0100
+Subject: [PATCH] eamad: fix out of array accesses
+
+Commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/eamad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
+index 2805195..e38650e 100644
+--- a/gst-libs/ext/libav/libavcodec/eamad.c
++++ b/gst-libs/ext/libav/libavcodec/eamad.c
+@@ -237,7 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
+ int chunk_type;
+ int inter;
+
+- if (buf_size < 17) {
++ if (buf_size < 26) {
+ av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
+ *data_size = 0;
+ return -1;
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a603ff5..0d0ba9a 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-alsdec-check-block-length.patch \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
+ file://0001-eamad-fix-out-of-array-accesses.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 09/12] Security Advisory - ffmpeg - CVE-2013-0854
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (7 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 08/12] Security Advisory - ffmpeg - CVE-2013-0851 rongqing.li
@ 2014-05-15 2:03 ` rongqing.li
2014-05-15 2:04 ` [PATCH 10/12] Security Advisory - ffmpeg - CVE-2013-0856 rongqing.li
` (3 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:03 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via crafted MJPEG data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0854
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-mjpegdec-check-SE.patch | 32 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
new file mode 100644
index 0000000..2b9302f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
@@ -0,0 +1,32 @@
+From 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 11 Nov 2012 00:01:24 +0100
+Subject: [PATCH] mjpegdec: check SE.
+
+Commit 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/mjpegdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
+index 6b5266d..0a71a6f 100644
+--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
++++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
+@@ -905,6 +905,11 @@ static int mjpeg_decode_scan_progressive
+ int16_t *quant_matrix = s->quant_matrixes[ s->quant_index[c] ];
+ GetBitContext mb_bitmask_gb;
+
++ if (se > 63) {
++ av_log(s->avctx, AV_LOG_ERROR, "SE %d is too large\n", se);
++ return AVERROR_INVALIDDATA;
++ }
++
+ if (mb_bitmask) {
+ init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width*s->mb_height);
+ }
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 0d0ba9a..28ea29e 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
file://0001-eamad-fix-out-of-array-accesses.patch \
+ file://0001-mjpegdec-check-SE.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 10/12] Security Advisory - ffmpeg - CVE-2013-0856
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (8 preceding siblings ...)
2014-05-15 2:03 ` [PATCH 09/12] Security Advisory - ffmpeg - CVE-2013-0854 rongqing.li
@ 2014-05-15 2:04 ` rongqing.li
2014-05-15 2:04 ` [PATCH 11/12] Security Advisory - ffmpeg - CVE-2013-0850 rongqing.li
` (2 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:04 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted Apple
Lossless Audio Codec (ALAC) data, related to a large nb_samples value.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0856
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
.../0001-alac-fix-nb_samples-order-case.patch | 30 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
new file mode 100644
index 0000000..e004bff
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
@@ -0,0 +1,30 @@
+From e0884eadf6a15e93142131b695f48776f9a0ac31 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 10 Nov 2012 17:14:04 +0100
+Subject: [PATCH] alac: fix nb_samples < order case
+
+Commit e0884eadf6a15e93142131b695f48776f9a0ac31 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit fd4f4923cce6a2cbf4f48640b4ac706e614a1594)
+---
+ libavcodec/alac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/alac.c b/libavcodec/alac.c
+index 9cd1737..e8e844a 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -278,7 +278,7 @@ static void predictor_decompress_fir_ada
+
+ /* read warm-up samples */
+ if (predictor_coef_num > 0)
+- for (i = 0; i < predictor_coef_num; i++) {
++ for (i = 0; i < predictor_coef_num && i < output_size; i++) {
+ int32_t val;
+
+ val = buffer_out[i] + error_buffer[i+1];
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 28ea29e..a0673fd 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
file://0001-eamad-fix-out-of-array-accesses.patch \
file://0001-mjpegdec-check-SE.patch \
+ file://0001-alac-fix-nb_samples-order-case.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 11/12] Security Advisory - ffmpeg - CVE-2013-0850
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (9 preceding siblings ...)
2014-05-15 2:04 ` [PATCH 10/12] Security Advisory - ffmpeg - CVE-2013-0856 rongqing.li
@ 2014-05-15 2:04 ` rongqing.li
2014-05-15 2:04 ` [PATCH 12/12] Security Advisory - ffmpeg - CVE-2013-0849 rongqing.li
2014-05-15 8:51 ` [PATCH 00/12] forward 12 CVE patches for ffmpeg Paul Eggleton
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:04 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The decode_slice_header function in libavcodec/h264.c in FFmpeg before
1.1 allows remote attackers to have an unspecified impact via crafted
H.264 data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0850
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...t-ref-count-check-and-limit-fix-out-of-ar.patch | 29 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
new file mode 100644
index 0000000..4e0e562
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
@@ -0,0 +1,29 @@
+From d6c184880ee2e09fd68c0ae217173832cee5afc1 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 18 Nov 2012 16:29:04 +0100
+Subject: [PATCH] h264: correct ref count check and limit, fix out of array
+ accesses.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/h264.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index da43f1e..32cede5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264.c
++++ b/gst-libs/ext/libav/libavcodec/h264.c
+@@ -2870,6 +2870,9 @@ static int decode_slice_header(H264Conte
+ h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
+ if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+ h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
++ else
++ // full range is spec-ok in this case, even for frames
++ h->ref_count[1] = 1;
+
+ if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
+ av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a0673fd..ad85fa2 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-eamad-fix-out-of-array-accesses.patch \
file://0001-mjpegdec-check-SE.patch \
file://0001-alac-fix-nb_samples-order-case.patch \
+ file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 12/12] Security Advisory - ffmpeg - CVE-2013-0849
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (10 preceding siblings ...)
2014-05-15 2:04 ` [PATCH 11/12] Security Advisory - ffmpeg - CVE-2013-0850 rongqing.li
@ 2014-05-15 2:04 ` rongqing.li
2014-05-15 8:51 ` [PATCH 00/12] forward 12 CVE patches for ffmpeg Paul Eggleton
12 siblings, 0 replies; 15+ messages in thread
From: rongqing.li @ 2014-05-15 2:04 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via a
crafted (1) width or (2) height dimension that is not a multiple of
sixteen in id RoQ video data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0849
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
new file mode 100644
index 0000000..32f358f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
@@ -0,0 +1,36 @@
+From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 29 Nov 2012 15:18:17 +0100
+Subject: [PATCH] roqvideodec: check dimensions validity
+
+Commit 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 release/0.7
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/roqvideodec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
+index f0977f6..4e34231 100644
+--- a/gst-libs/ext/libav/libavcodec/roqvideodec.c
++++ b/gst-libs/ext/libav/libavcodec/roqvideodec.c
+@@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
+ RoqContext *s = avctx->priv_data;
+
+ s->avctx = avctx;
++
++ if (avctx->width%16 || avctx->height%16) {
++ av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n");
++ return AVERROR_PATCHWELCOME;
++ }
++
+ s->width = avctx->width;
+ s->height = avctx->height;
+ avcodec_get_frame_defaults(&s->frames[0]);
+--
+1.8.5.2.233.g932f7e4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index ad85fa2..a3b2f5c 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-mjpegdec-check-SE.patch \
file://0001-alac-fix-nb_samples-order-case.patch \
file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
+ file://0001-roqvideodec-check-dimensions-validity.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 00/12] forward 12 CVE patches for ffmpeg
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
` (11 preceding siblings ...)
2014-05-15 2:04 ` [PATCH 12/12] Security Advisory - ffmpeg - CVE-2013-0849 rongqing.li
@ 2014-05-15 8:51 ` Paul Eggleton
2014-05-15 16:46 ` Otavio Salvador
12 siblings, 1 reply; 15+ messages in thread
From: Paul Eggleton @ 2014-05-15 8:51 UTC (permalink / raw)
To: rongqing.li; +Cc: openembedded-core
Hi Roy,
On Thursday 15 May 2014 10:03:50 rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> The following changes since commit 58417093d7ce83c8a2f683a356fddc23aaee5e8e:
>
> wic: Extend indirect string connection to support image names and rootfs
> (2014-05-13 19:35:06 +0100)
>
> are available in the git repository at:
>
> git://git.pokylinux.org/poky-contrib roy/ffmpeg-1
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-1
>
> Yue Tao (12):
> Security Advisory - ffmpeg - CVE-2014-2263
> Security Advisory - ffmpeg - CVE-2013-0865
> Security Advisory - ffmpeg - CVE-2014-2099
> Security Advisory - ffmpeg - CVE-2013-0868
> Security Advisory - ffmpeg - CVE-2013-0845
> Security Advisory - ffmpeg - CVE-2013-0852
> Security Advisory - ffmpeg - CVE-2013-0858
> Security Advisory - ffmpeg - CVE-2013-0851
> Security Advisory - ffmpeg - CVE-2013-0854
> Security Advisory - ffmpeg - CVE-2013-0856
> Security Advisory - ffmpeg - CVE-2013-0850
> Security Advisory - ffmpeg - CVE-2013-0849
Note that whilst we should apply these patches, they won't actually have any
effect on unmodified builds because we do not use gst-ffmpeg's internal copy of
ffmpeg, we use libav instead. So if any of these fixes apply to libav (or if
there are equivalent fixes) we will need to apply them to libav.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 00/12] forward 12 CVE patches for ffmpeg
2014-05-15 8:51 ` [PATCH 00/12] forward 12 CVE patches for ffmpeg Paul Eggleton
@ 2014-05-15 16:46 ` Otavio Salvador
0 siblings, 0 replies; 15+ messages in thread
From: Otavio Salvador @ 2014-05-15 16:46 UTC (permalink / raw)
To: Paul Eggleton; +Cc: Patches and discussions about the oe-core layer
On Thu, May 15, 2014 at 5:51 AM, Paul Eggleton
<paul.eggleton@linux.intel.com> wrote:
> Hi Roy,
>
> On Thursday 15 May 2014 10:03:50 rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> The following changes since commit 58417093d7ce83c8a2f683a356fddc23aaee5e8e:
>>
>> wic: Extend indirect string connection to support image names and rootfs
>> (2014-05-13 19:35:06 +0100)
>>
>> are available in the git repository at:
>>
>> git://git.pokylinux.org/poky-contrib roy/ffmpeg-1
>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-1
>>
>> Yue Tao (12):
>> Security Advisory - ffmpeg - CVE-2014-2263
>> Security Advisory - ffmpeg - CVE-2013-0865
>> Security Advisory - ffmpeg - CVE-2014-2099
>> Security Advisory - ffmpeg - CVE-2013-0868
>> Security Advisory - ffmpeg - CVE-2013-0845
>> Security Advisory - ffmpeg - CVE-2013-0852
>> Security Advisory - ffmpeg - CVE-2013-0858
>> Security Advisory - ffmpeg - CVE-2013-0851
>> Security Advisory - ffmpeg - CVE-2013-0854
>> Security Advisory - ffmpeg - CVE-2013-0856
>> Security Advisory - ffmpeg - CVE-2013-0850
>> Security Advisory - ffmpeg - CVE-2013-0849
>
> Note that whilst we should apply these patches, they won't actually have any
> effect on unmodified builds because we do not use gst-ffmpeg's internal copy of
> ffmpeg, we use libav instead. So if any of these fixes apply to libav (or if
> there are equivalent fixes) we will need to apply them to libav.
And please rework the commit logs for:
ffmpeg: fix for Security Advisory CVE-2013-0849
or anything similar, per your personal choice. But please put the
recipe name as prefix.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2014-05-15 16:46 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-15 2:03 [PATCH 00/12] forward 12 CVE patches for ffmpeg rongqing.li
2014-05-15 2:03 ` [PATCH 01/12] Security Advisory - ffmpeg - CVE-2014-2263 rongqing.li
2014-05-15 2:03 ` [PATCH 02/12] Security Advisory - ffmpeg - CVE-2013-0865 rongqing.li
2014-05-15 2:03 ` [PATCH 03/12] Security Advisory - ffmpeg - CVE-2014-2099 rongqing.li
2014-05-15 2:03 ` [PATCH 04/12] Security Advisory - ffmpeg - CVE-2013-0868 rongqing.li
2014-05-15 2:03 ` [PATCH 05/12] Security Advisory - ffmpeg - CVE-2013-0845 rongqing.li
2014-05-15 2:03 ` [PATCH 06/12] Security Advisory - ffmpeg - CVE-2013-0852 rongqing.li
2014-05-15 2:03 ` [PATCH 07/12] Security Advisory - ffmpeg - CVE-2013-0858 rongqing.li
2014-05-15 2:03 ` [PATCH 08/12] Security Advisory - ffmpeg - CVE-2013-0851 rongqing.li
2014-05-15 2:03 ` [PATCH 09/12] Security Advisory - ffmpeg - CVE-2013-0854 rongqing.li
2014-05-15 2:04 ` [PATCH 10/12] Security Advisory - ffmpeg - CVE-2013-0856 rongqing.li
2014-05-15 2:04 ` [PATCH 11/12] Security Advisory - ffmpeg - CVE-2013-0850 rongqing.li
2014-05-15 2:04 ` [PATCH 12/12] Security Advisory - ffmpeg - CVE-2013-0849 rongqing.li
2014-05-15 8:51 ` [PATCH 00/12] forward 12 CVE patches for ffmpeg Paul Eggleton
2014-05-15 16:46 ` Otavio Salvador
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox