[PATCH 0/2] Dizzy-next merge request

[PATCH 0/2] Dizzy-next merge request

[Armin Kuster]

Please consider these changes for Dizzy.


The following changes since commit 9e8bb322154e67e521e8c982d20d46dda20c024b:

  babeltrace: Backport fix for unaligned integer (2014-11-26 17:05:47 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
  http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-next

Roy Li (1):
  gst-ffmpeg: fixes for CVE-2014-8548 and CVE-2014-8541

Tom Zanussi (1):
  wic: Use overhead factor when creating partitions from rootfs
    directories

 .../0001-avcodec-smc-fix-off-by-1-error.patch      | 32 ++++++++++
 ...egdec-check-bits-per-pixel-for-changes-si.patch | 68 ++++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |  2 +
 .../lib/wic/kickstart/custom_commands/partition.py |  2 +
 scripts/lib/wic/utils/oe/misc.py                   |  1 +
 5 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch

-- 
1.9.1

[PATCH 1/2] wic: Use overhead factor when creating partitions from rootfs directories

[Armin Kuster]

From: Tom Zanussi <tom.zanussi@linux.intel.com>

When creating partitions sized to given rootfs directories, filesystem
creation could fail in cases where the calculated target partition
size was too small to contain the filesystem created using mkfs.  This
occurred in particular when creating partitions to contain very large
filesystems such as those containing sdk image artifacts.

This same limition is present in the oe-core image creation classes,
which can be readily see by changing IMAGE_OVERHEAD_FACTOR from the
default 1.3 to 1.0 and building a sato-sdk image.

It should be possible to calculate required sizes exactly given the
source rootfs and target filesystem types, but for now, to address the
specific problem users are hitting in such situations, we'll just do
exactly what oe-core does and define and use an IMAGE_OVERHEAD_FACTOR
or 1.3 in those cases.

Fixes [YOCTO #6863].

(From OE-Core rev: bbaef3ff5833fc1d97b7b028d7770834f62789da)

Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 scripts/lib/wic/kickstart/custom_commands/partition.py | 2 ++
 scripts/lib/wic/utils/oe/misc.py                       | 1 +
 2 files changed, 3 insertions(+)

diff --git a/scripts/lib/wic/kickstart/custom_commands/partition.py b/scripts/lib/wic/kickstart/custom_commands/partition.py
index 3950b43..54a494e 100644
--- a/scripts/lib/wic/kickstart/custom_commands/partition.py
+++ b/scripts/lib/wic/kickstart/custom_commands/partition.py
@@ -229,6 +229,7 @@ class Wic_PartData(Mic_PartData):
             extra_blocks = IMAGE_EXTRA_SPACE
 
         rootfs_size = actual_rootfs_size + extra_blocks
+        rootfs_size *= IMAGE_OVERHEAD_FACTOR
 
         msger.debug("Added %d extra blocks to %s to get to %d total blocks" % \
                     (extra_blocks, self.mountpoint, rootfs_size))
@@ -276,6 +277,7 @@ class Wic_PartData(Mic_PartData):
             extra_blocks = IMAGE_EXTRA_SPACE
 
         rootfs_size = actual_rootfs_size + extra_blocks
+        rootfs_size *= IMAGE_OVERHEAD_FACTOR
 
         msger.debug("Added %d extra blocks to %s to get to %d total blocks" % \
                     (extra_blocks, self.mountpoint, rootfs_size))
diff --git a/scripts/lib/wic/utils/oe/misc.py b/scripts/lib/wic/utils/oe/misc.py
index aa9b235..b0b5baa 100644
--- a/scripts/lib/wic/utils/oe/misc.py
+++ b/scripts/lib/wic/utils/oe/misc.py
@@ -123,6 +123,7 @@ def add_wks_var(key, val):
 
 BOOTDD_EXTRA_SPACE = 16384
 IMAGE_EXTRA_SPACE = 10240
+IMAGE_OVERHEAD_FACTOR = 1.3
 
 __bitbake_env_lines = ""
 
-- 
1.9.1

[PATCH 2/2] gst-ffmpeg: fixes for CVE-2014-8548 and CVE-2014-8541

[Armin Kuster]

From: Roy Li <rongqing.li@windriver.com>

Issue: LIN7-1755
Issue: LIN7-1739

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8541

libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension
differences, and not bits-per-pixel differences, when determining whether an
image size has changed, which allows remote attackers to cause a denial of
service (out-of-bounds access) or possibly have unspecified other impact via
crafted MJPEG data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8548

Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote
attackers to cause a denial of service (out-of-bounds access) or possibly
have unspecified other impact via crafted Quicktime Graphics (aka SMC) video
data.

(From OE-Core rev: 4bd50c5a967af2b8f0fe77b8f9c100169e4fc531)

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../0001-avcodec-smc-fix-off-by-1-error.patch      | 32 ++++++++++
 ...egdec-check-bits-per-pixel-for-changes-si.patch | 68 ++++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |  2 +
 3 files changed, 102 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch
new file mode 100644
index 0000000..3ca6fc4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-smc-fix-off-by-1-error.patch
@@ -0,0 +1,32 @@
+From c17a0ad1df15a94d0b1239adc2afb593bdf0a153 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 3 Oct 2014 22:50:45 +0200
+Subject: [PATCH 1/2] avcodec/smc: fix off by 1 error
+
+Upstream-Status: Backport
+
+Fixes out of array access
+Fixes: asan_heap-oob_1685bf0_5_asan_heap-oob_1f35116_430_smc.mov
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/smc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/ext/libav/libavcodec/smc.c b/gst-libs/ext/libav/libavcodec/smc.c
+index 3cd5e53..dec9f71 100644
+--- a/gst-libs/ext/libav/libavcodec/smc.c
++++ b/gst-libs/ext/libav/libavcodec/smc.c
+@@ -69,7 +69,7 @@ typedef struct SmcContext {
+         row_ptr += stride * 4; \
+     } \
+     total_blocks--; \
+-    if (total_blocks < 0) \
++    if (total_blocks < 0 + !!n_blocks) \
+     { \
+         av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \
+         return; \
+-- 
+2.1.0
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch
new file mode 100644
index 0000000..c8bafd5
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch
@@ -0,0 +1,68 @@
+From 6043c431c97d55173f339fafbd033d3c0642e2e9 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 3 Oct 2014 01:50:27 +0200
+Subject: [PATCH 2/2] avcodec/mjpegdec: check bits per pixel for changes
+ similar to dimensions
+
+Upstream-Status: Backport
+
+Fixes out of array accesses
+Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Conflicts:
+	libavcodec/mjpegdec.c
+---
+ libavcodec/mjpegdec.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/gst-libs/ext/libav/libavcodec/mjpegdec.c b/gst-libs/ext/libav/libavcodec/mjpegdec.c
+index 84343c0..c0137d8 100644
+--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
++++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
+@@ -210,16 +210,16 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s)
+ 
+ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
+ {
+-    int len, nb_components, i, width, height, pix_fmt_id;
++    int len, nb_components, i, bits, width, height, pix_fmt_id;
+ 
+     /* XXX: verify len field validity */
+     len = get_bits(&s->gb, 16);
+-    s->bits= get_bits(&s->gb, 8);
++    bits= get_bits(&s->gb, 8);
+ 
+-    if(s->pegasus_rct) s->bits=9;
+-    if(s->bits==9 && !s->pegasus_rct) s->rct=1;    //FIXME ugly
++    if(s->pegasus_rct) bits=9;
++    if(bits==9 && !s->pegasus_rct) s->rct=1;    //FIXME ugly
+ 
+-    if (s->bits != 8 && !s->lossless){
++    if (bits != 8 && !s->lossless){
+         av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n");
+         return -1;
+     }
+@@ -239,7 +239,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
+     if (nb_components <= 0 ||
+         nb_components > MAX_COMPONENTS)
+         return -1;
+-    if (s->ls && !(s->bits <= 8 || nb_components == 1)){
++    if (s->ls && !(bits <= 8 || nb_components == 1)){
+         av_log(s->avctx, AV_LOG_ERROR, "only <= 8 bits/component or 16-bit gray accepted for JPEG-LS\n");
+         return -1;
+     }
+@@ -272,10 +272,11 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
+ 
+     /* if different size, realloc/alloc picture */
+     /* XXX: also check h_count and v_count */
+-    if (width != s->width || height != s->height) {
++    if (width != s->width || height != s->height || bits != s->bits) {
+         av_freep(&s->qscale_table);
+ 
+         s->width = width;
++        s->bits= bits;
+         s->height = height;
+         s->interlaced = 0;
+ 
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 395054d..30e5deb 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -55,6 +55,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-ffserver-set-oformat.patch \
            file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \
            file://0001-h264-skip-error-concealment-when-SPS-and-slices-are-.patch \
+           file://0001-avcodec-smc-fix-off-by-1-error.patch \
+           file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'libav9', 'file://libav-9.patch', '', d)} \ 
 "
 
-- 
1.9.1