Openembedded Core Discussions
* [PATCH 0/5] libav: fix 5 CVE issues
@ 2015-11-13  8:03 jackie.huang
  2015-11-13  8:03 ` [PATCH 1/5] libav: fix CVE-2015-1872 jackie.huang
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

---
The following changes since commit e44ed8c18e395b9c055aefee113b90708e8a8a2f:

  build-appliance-image: Update to jethro head revision (2015-11-03 14:02:57 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib.git jhuang0/d_libav-cve_151113-1
  http://git.pokylinux.org/cgit.cgi//log/?h=jhuang0/d_libav-cve_151113-1

Jackie Huang (4):
  libav: fix CVE-2015-3395
  libav: fix CVE-2015-6820
  libav: fix CVE-2015-6823
  libav: fix CVE-2015-6824

Kai Kang (1):
  libav: fix CVE-2015-1872

 .../libav/libav/libav-fix-CVE-2015-1872.patch      |  35 +++++++
 .../libav/libav/libav-fix-CVE-2015-3395.patch      | 113 +++++++++++++++++++++
 .../libav/libav/libav-fix-CVE-2015-6820.patch      |  66 ++++++++++++
 .../libav/libav/libav-fix-CVE-2015-6823.patch      |  45 ++++++++
 .../libav/libav/libav-fix-CVE-2015-6824.patch      |  46 +++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |   8 +-
 6 files changed, 312 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-1872.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6823.patch
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6824.patch

-- 
1.9.1




* [PATCH 1/5] libav: fix CVE-2015-1872
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
@ 2015-11-13  8:03 ` jackie.huang
  2015-11-13  8:03 ` [PATCH 2/5] libav: fix CVE-2015-3395 jackie.huang
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Cherry-pick patch and update context from ffmpeg to fix CVE-2015-1872:

http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-1872.patch      | 35 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |  4 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-1872.patch

diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-1872.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-1872.patch
new file mode 100644
index 0000000..058bfe7
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-1872.patch
@@ -0,0 +1,35 @@
+libav: Fix CVE-2015-1872
+
+Cherry-pick patch for fixing CVE-2015-1872 and update context from ffmpeg:
+
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=fabbfaa095660982cc0bc63242c459561fa37037
+
+Upstream-Status: Pending
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ libavcodec/mjpegdec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
+index 74bbfa6..ec7d411 100644
+--- a/libavcodec/mjpegdec.c
++++ b/libavcodec/mjpegdec.c
+@@ -357,9 +357,12 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
+         return AVERROR_PATCHWELCOME;
+     }
+     if (s->ls) {
+-        if (s->nb_components > 1)
++        if (s->nb_components == 3) {
+             s->avctx->pix_fmt = AV_PIX_FMT_RGB24;
+-        else if (s->bits <= 8)
++        } else if (s->nb_components != 1) {
++            av_log(s->avctx, AV_LOG_ERROR, "Unsupported number of components %d\n", s->nb_components);
++            return AVERROR_PATCHWELCOME;
++        } else if (s->bits <= 8)
+             s->avctx->pix_fmt = AV_PIX_FMT_GRAY8;
+         else
+             s->avctx->pix_fmt = AV_PIX_FMT_GRAY16;
+-- 
+2.4.1
+
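Review bot: The header of libav-fix-CVE-2015-1872.patch names the ffmpeg commit but drops its original author, date and subject, and "update context" does not say what was changed to make it apply to libav 9.18. Keep the upstream commit header in the file, as the other four patch files in this series do, and add one line describing the adaptation plus a sentence on what the new `s->nb_components` check in ff_mjpeg_decode_sof() prevents, since neither the commit message nor the patch header states the actual fault.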
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index 210a649..c2dd02c 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -3,4 +3,6 @@ require libav.inc
 SRC_URI[md5sum] = "75e838068a75fb88e1b4ea0546bc16f0"
 SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614d066d7"
 
-SRC_URI += "file://libav-fix-CVE-2014-9676.patch"
+SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
+            file://libav-fix-CVE-2015-1872.patch \
+           "
-- 
1.9.1




* [PATCH 2/5] libav: fix CVE-2015-3395
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
  2015-11-13  8:03 ` [PATCH 1/5] libav: fix CVE-2015-1872 jackie.huang
@ 2015-11-13  8:03 ` jackie.huang
  2015-11-13  8:03 ` [PATCH 3/5] libav: fix CVE-2015-6820 jackie.huang
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

Cherry-pick patch from ffmpeg to fix CVE-2015-3395:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7e1367f58263593e6cee3c282f7277d7ee9d553

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-3395.patch      | 113 +++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |   1 +
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch

diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
new file mode 100644
index 0000000..9ee4288
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
@@ -0,0 +1,113 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3395
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7e1367f58263593e6cee3c282f7277d7ee9d553
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+From f7e1367f58263593e6cee3c282f7277d7ee9d553 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 24 Mar 2015 15:50:12 +0100
+Subject: [PATCH] avcodec/msrledec: restructure msrle_decode_pal4() based on
+ the line number instead of the pixel pointer
+
+Fixes out of array access
+Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/msrledec.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
+index 4d3da5b..deb6f86 100644
+--- a/libavcodec/msrledec.c
++++ b/libavcodec/msrledec.c
+@@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+     unsigned char extra_byte, odd_pixel;
+     unsigned char stream_byte;
+     unsigned int pixel_ptr = 0;
+-    int row_dec = pic->linesize[0];
+-    int row_ptr = (avctx->height - 1) * row_dec;
+-    int frame_size = row_dec * avctx->height;
++    int line = avctx->height - 1;
+     int i;
+ 
+-    while (row_ptr >= 0) {
++    while (line >= 0 && pixel_ptr <= avctx->width) {
+         if (bytestream2_get_bytes_left(gb) <= 0) {
+             av_log(avctx, AV_LOG_ERROR,
+-                   "MS RLE: bytestream overrun, %d rows left\n",
+-                   row_ptr);
++                   "MS RLE: bytestream overrun, %dx%d left\n",
++                   avctx->width - pixel_ptr, line);
+             return AVERROR_INVALIDDATA;
+         }
+         rle_code = stream_byte = bytestream2_get_byteu(gb);
+@@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+             stream_byte = bytestream2_get_byte(gb);
+             if (stream_byte == 0) {
+                 /* line is done, goto the next one */
+-                row_ptr -= row_dec;
++                line--;
+                 pixel_ptr = 0;
+             } else if (stream_byte == 1) {
+                 /* decode is done */
+@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+                 stream_byte = bytestream2_get_byte(gb);
+                 pixel_ptr += stream_byte;
+                 stream_byte = bytestream2_get_byte(gb);
+-                row_ptr -= stream_byte * row_dec;
+             } else {
+                 // copy pixels from encoded stream
+                 odd_pixel =  stream_byte & 1;
+                 rle_code = (stream_byte + 1) / 2;
+                 extra_byte = rle_code & 0x01;
+-                if (row_ptr + pixel_ptr + stream_byte > frame_size ||
++                if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width ||
+                     bytestream2_get_bytes_left(gb) < rle_code) {
+                     av_log(avctx, AV_LOG_ERROR,
+                            "MS RLE: frame/stream ptr just went out of bounds (copy)\n");
+@@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+                     if (pixel_ptr >= avctx->width)
+                         break;
+                     stream_byte = bytestream2_get_byteu(gb);
+-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
++                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
+                     pixel_ptr++;
+                     if (i + 1 == rle_code && odd_pixel)
+                         break;
+                     if (pixel_ptr >= avctx->width)
+                         break;
+-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
++                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
+                     pixel_ptr++;
+                 }
+ 
+@@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+             }
+         } else {
+             // decode a run of data
+-            if (row_ptr + pixel_ptr + stream_byte > frame_size) {
++            if (pixel_ptr + rle_code > avctx->width + 1) {
+                 av_log(avctx, AV_LOG_ERROR,
+                        "MS RLE: frame ptr just went out of bounds (run)\n");
+                 return AVERROR_INVALIDDATA;
+@@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+                 if (pixel_ptr >= avctx->width)
+                     break;
+                 if ((i & 1) == 0)
+-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
++                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
+                 else
+-                    pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
++                    pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
+                 pixel_ptr++;
+             }
+         }
+-- 
+1.9.1
+
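Review bot: In the `stream_byte == 2` (reposition) branch of msrle_decode_pal4(), removing `row_ptr -= stream_byte * row_dec;` leaves the second delta byte read and then discarded, so the vertical skip is no longer applied to `line`. Either apply it (`line -= stream_byte;`, with the existing `line >= 0` loop condition covering the bound) or state in the patch header that vertical deltas are intentionally ignored. In the same branch, `pixel_ptr += stream_byte` can push `pixel_ptr` past `avctx->width`, which now ends the `while` loop without the AV_LOG_ERROR that the copy and run paths emit; an explicit check and AVERROR_INVALIDDATA there would keep the failure visible.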
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index c2dd02c..4564def 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -5,4 +5,5 @@ SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614
 
 SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
             file://libav-fix-CVE-2015-1872.patch \
+            file://libav-fix-CVE-2015-3395.patch \
            "
-- 
1.9.1




* [PATCH 3/5] libav: fix CVE-2015-6820
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
  2015-11-13  8:03 ` [PATCH 1/5] libav: fix CVE-2015-1872 jackie.huang
  2015-11-13  8:03 ` [PATCH 2/5] libav: fix CVE-2015-3395 jackie.huang
@ 2015-11-13  8:03 ` jackie.huang
  2015-11-13  8:03 ` [PATCH 4/5] libav: fix CVE-2015-6823 jackie.huang
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

Cherry-pick patch from ffmpeg to fix CVE-2015-6820:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-6820.patch      | 66 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch

diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
new file mode 100644
index 0000000..00b124c
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
@@ -0,0 +1,66 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6820
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+From 79a98294da6cd85f8c86b34764c5e0c43b09eea3 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Wed, 1 Jul 2015 02:05:43 +0200
+Subject: [PATCH] avcodec/aacsbr: check that the element type matches before
+ applying SBR
+
+Fixes out of array access
+Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/aacsbr.c | 8 ++++++++
+ libavcodec/sbr.h    | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
+index 7e98834..ca6dad7 100644
+--- a/libavcodec/aacsbr.c
++++ b/libavcodec/aacsbr.c
+@@ -1019,6 +1019,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
+ {
+     unsigned int cnt = get_bits_count(gb);
+ 
++    sbr->id_aac = id_aac;
++
+     if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
+         if (read_sbr_single_channel_element(ac, sbr, gb)) {
+             sbr_turnoff(sbr);
+@@ -1695,6 +1697,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
+     int nch = (id_aac == TYPE_CPE) ? 2 : 1;
+     int err;
+ 
++    if (id_aac != sbr->id_aac) {
++        av_log(ac->avctx, AV_LOG_ERROR,
++            "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
++        sbr_turnoff(sbr);
++    }
++
+     if (!sbr->kx_and_m_pushed) {
+         sbr->kx[0] = sbr->kx[1];
+         sbr->m[0] = sbr->m[1];
+diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h
+index e28fccd..ff00acb 100644
+--- a/libavcodec/sbr.h
++++ b/libavcodec/sbr.h
+@@ -137,6 +137,7 @@ typedef struct AACSBRContext {
+ struct SpectralBandReplication {
+     int                sample_rate;
+     int                start;
++    int                id_aac;
+     int                reset;
+     SpectrumParameters spectrum_params;
+     int                bs_amp_res_header;
+-- 
+1.9.1
+
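Review bot: In the ff_sbr_apply() hunk, the mismatch branch logs and calls `sbr_turnoff(sbr)` but then falls through into the rest of the function, with `nch` already computed from the caller's `id_aac` on the line above. The patch header should say why continuing after `sbr_turnoff()` is safe for an element whose SBR data was read as a different type; if it is not, should the branch bail out instead? The hunks also do not show an initial value for the new `sbr->id_aac` field before the first `read_sbr_data()` call, so it is worth confirming that a never-written field cannot match by accident.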
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index 4564def..7d0cc70 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -6,4 +6,5 @@ SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614
 SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
             file://libav-fix-CVE-2015-1872.patch \
             file://libav-fix-CVE-2015-3395.patch \
+            file://libav-fix-CVE-2015-6820.patch \
            "
-- 
1.9.1




* [PATCH 4/5] libav: fix CVE-2015-6823
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
                   ` (2 preceding siblings ...)
  2015-11-13  8:03 ` [PATCH 3/5] libav: fix CVE-2015-6820 jackie.huang
@ 2015-11-13  8:03 ` jackie.huang
  2015-11-13  8:03 ` [PATCH 5/5] libav: fix CVE-2015-6824 jackie.huang
  2015-11-16 16:08 ` [PATCH 0/5] libav: fix 5 CVE issues Burton, Ross
  5 siblings, 0 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

Cherry-pick patch from ffmpeg to fix CVE-2015-6823:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7068bf277a37479aecde2832208d820682b35e6

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-6823.patch      | 45 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6823.patch

diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6823.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6823.patch
new file mode 100644
index 0000000..198353b
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6823.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6823
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7068bf277a37479aecde2832208d820682b35e6
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+From f7068bf277a37479aecde2832208d820682b35e6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 13 Jul 2015 15:46:10 +0200
+Subject: [PATCH] avcodec/alac: Clear pointers in allocate_buffers()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: 06a4edb39ad8a9883175f9bd428334a2_signal_sigsegv_7ffff713351a_706_mov__alac__ALAC_6ch.mov
+
+Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/alac.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavcodec/alac.c b/libavcodec/alac.c
+index b0527f1..a5948bb 100644
+--- a/libavcodec/alac.c
++++ b/libavcodec/alac.c
+@@ -534,6 +534,12 @@ static int allocate_buffers(ALACContext *alac)
+     int ch;
+     int buf_size = alac->max_samples_per_frame * sizeof(int32_t);
+ 
++    for (ch = 0; ch < 2; ch++) {
++        alac->predict_error_buffer[ch]  = NULL;
++        alac->output_samples_buffer[ch] = NULL;
++        alac->extra_bits_buffer[ch]     = NULL;
++    }
++
+     for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
+         FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch],
+                          buf_size, buf_alloc_fail);
+-- 
+1.9.1
+
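Review bot: The new clearing loop in allocate_buffers() hard-codes `ch < 2`, while the allocation loop right below it is bounded by `FFMIN(alac->channels, 2)`; the two only stay in step as long as the three buffer arrays have exactly two entries. Bound the clearing loop by the array size (for example FF_ARRAY_ELEMS(alac->predict_error_buffer)) or by a constant shared with the FFMIN() call. The embedded commit message also gives only a sample file name under "Fixes:"; one sentence on what goes wrong when the pointers are left uncleared would help whoever next audits this CVE.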
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index 7d0cc70..026f4df 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -7,4 +7,5 @@ SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
             file://libav-fix-CVE-2015-1872.patch \
             file://libav-fix-CVE-2015-3395.patch \
             file://libav-fix-CVE-2015-6820.patch \
+            file://libav-fix-CVE-2015-6823.patch \
            "
-- 
1.9.1




* [PATCH 5/5] libav: fix CVE-2015-6824
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
                   ` (3 preceding siblings ...)
  2015-11-13  8:03 ` [PATCH 4/5] libav: fix CVE-2015-6823 jackie.huang
@ 2015-11-13  8:03 ` jackie.huang
  2015-11-16 16:08 ` [PATCH 0/5] libav: fix 5 CVE issues Burton, Ross
  5 siblings, 0 replies; 7+ messages in thread
From: jackie.huang @ 2015-11-13  8:03 UTC (permalink / raw)
  To: openembedded-core

From: Jackie Huang <jackie.huang@windriver.com>

Cherry-pick patch from ffmpeg to fix CVE-2015-6824:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-6824.patch      | 46 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb        |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6824.patch

diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6824.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6824.patch
new file mode 100644
index 0000000..2b19bd2
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6824.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6824
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a5d44d5c220e12ca0cb7a4eceb0f74759cb13111
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+From a5d44d5c220e12ca0cb7a4eceb0f74759cb13111 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Wed, 15 Jul 2015 19:20:19 +0200
+Subject: [PATCH] swscale/utils: Clear pix buffers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes use of uninitialized memory
+Fixes: a96874b9466b6edc660a519c7ad47977_signal_sigsegv_7ffff713351a_744_nc_sample.avi with memlimit 2147483648
+
+Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libswscale/utils.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libswscale/utils.c b/libswscale/utils.c
+index c384aa5..16f187a 100644
+--- a/libswscale/utils.c
++++ b/libswscale/utils.c
+@@ -1496,9 +1496,9 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter,
+ 
+     /* Allocate pixbufs (we use dynamic allocation because otherwise we would
+      * need to allocate several megabytes to handle all possible cases) */
+-    FF_ALLOC_OR_GOTO(c, c->lumPixBuf,  c->vLumBufSize * 3 * sizeof(int16_t *), fail);
+-    FF_ALLOC_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail);
+-    FF_ALLOC_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail);
++    FF_ALLOCZ_OR_GOTO(c, c->lumPixBuf,  c->vLumBufSize * 3 * sizeof(int16_t *), fail);
++    FF_ALLOCZ_OR_GOTO(c, c->chrUPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail);
++    FF_ALLOCZ_OR_GOTO(c, c->chrVPixBuf, c->vChrBufSize * 3 * sizeof(int16_t *), fail);
+     if (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat))
+         FF_ALLOCZ_OR_GOTO(c, c->alpPixBuf, c->vLumBufSize * 3 * sizeof(int16_t *), fail);
+     /* Note we need at least one pixel more at the end because of the MMX code
+-- 
+1.9.1
+
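Review bot: `Upstream-Status: Pending` at the top of libav-fix-CVE-2015-6824.patch does not tell a later maintainer whether libav itself has this fix; the text right below it shows a cherry-pick of an already committed ffmpeg change. Say whether it was submitted to libav, or choose a status that records the ffmpeg origin; the same applies to the other four patch files in this series. On the code, the three changed lines now use FF_ALLOCZ_OR_GOTO like the `alpPixBuf` line under them, but the embedded message does not name the path that read the uninitialized entries, which would help confirm that no other allocation in sws_init_context() needs the same change.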
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index 026f4df..4378dbe 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -8,4 +8,5 @@ SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
             file://libav-fix-CVE-2015-3395.patch \
             file://libav-fix-CVE-2015-6820.patch \
             file://libav-fix-CVE-2015-6823.patch \
+            file://libav-fix-CVE-2015-6824.patch \
            "
-- 
1.9.1




* Re: [PATCH 0/5] libav: fix 5 CVE issues
  2015-11-13  8:03 [PATCH 0/5] libav: fix 5 CVE issues jackie.huang
                   ` (4 preceding siblings ...)
  2015-11-13  8:03 ` [PATCH 5/5] libav: fix CVE-2015-6824 jackie.huang
@ 2015-11-16 16:08 ` Burton, Ross
  5 siblings, 0 replies; 7+ messages in thread
From: Burton, Ross @ 2015-11-16 16:08 UTC (permalink / raw)
  To: jackie.huang@windriver.com; +Cc: OE-core


On 13 November 2015 at 08:03, <jackie.huang@windriver.com> wrote:

> Jackie Huang (4):
>   libav: fix CVE-2015-3395
>   libav: fix CVE-2015-6820
>   libav: fix CVE-2015-6823
>   libav: fix CVE-2015-6824
>
> Kai Kang (1):
>   libav: fix CVE-2015-1872
>

I'd tend to lean towards squashing these into a single "libav: fix CVEs"
commit which adds all five of those patches in a single operation (but as
separate patches for tracking), but it's hard to have a strong opinion
either way.

However is the Pending upstream-status appropriate?  Is this the right time
to bring up swapping libav for ffmpeg again?

Ross
