mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-13 20:23:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

gst-ffmpeg: Add CVE patches

Browse Source 
Security Advisory - ffmpeg - CVE-2013-0866

The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file, which
triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875

The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860

The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a
frame is fully initialized, which allows remote attackers to trigger a
NULL pointer dereference via crafted picture data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934

Double free vulnerability in the vp3_update_thread_context function in
libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have
an unspecified impact via crafted vp3 data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946

The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023

The ff_combine_frame function in libavcodec/parser.c in FFmpeg before
2.1 does not properly handle certain memory-allocation errors, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009

The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855

Integer overflow in the alac_decode_close function in libavcodec/alac.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via a large number of samples per frame in Apple Lossless Audio
Codec (ALAC) data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351

Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before
0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute
arbitrary code via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848

The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via a crafted
width in huffyuv data with the predictor set to median and the
colorspace set to YUV422P, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944

The smacker_decode_header_tree function in libavcodec/smacker.c in
FFmpeg before 0.10 allows remote attackers to have an unspecified impact
via crafted Smacker data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944

           file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010

Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941

The decode_mb function in libavcodec/error_resilience.c in FFmpeg before
0.10 allows remote attackers to have an unspecified impact via vectors
related to an uninitialized block index, which triggers an out-of-bound
write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846

Array index error in the qdm2_decode_super_block function in
libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have
an unspecified impact via crafted QDM2 data, which triggers an
out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618

The av_probe_input_buffer function in libavformat/utils.c in FFmpeg
before 1.0.2, when running with certain -probesize values, allows remote
attackers to cause a denial of service (crash) via a crafted MP3 file,
possibly related to frame size or lack of sufficient frames to estimate
rate.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618

gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617

The prepare_sdp_description function in ffserver.c in FFmpeg before
1.0.2 allows remote attackers to cause a denial of service (crash) via
vectors related to the rtp format.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617

(From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Yue Tao
2014-07-22 15:46:36 +08:00
committed by Richard Purdie
parent b7f8fded0d
commit 91c845c452
18 changed files with 917 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch Normal file
View File

@@ -0,0 +1,34 @@
gst-ffmpeg: aacdec: check channel count
Prevent out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/aacdec.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 239153a..6c17c33 100644
--- a/gst-libs/ext/libav/libavcodec/aacdec.c
+++ b/gst-libs/ext/libav/libavcodec/aacdec.c
@@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
}
}
+ if (avctx->channels > MAX_CHANNELS) {
+ av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
+ return AVERROR_INVALIDDATA;
+ }
+
AAC_INIT_VLC_STATIC( 0, 304);
AAC_INIT_VLC_STATIC( 1, 270);
AAC_INIT_VLC_STATIC( 2, 550);
--
1.7.5.4

40
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch Normal file
View File

@@ -0,0 +1,40 @@
From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Fri, 30 Aug 2013 23:40:47 +0200
Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
Upstream-Status: Backport
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/dsputil.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
index 53dc2eb..6264832 100644
--- a/gst-libs/ext/libav/libavcodec/dsputil.c
+++ b/gst-libs/ext/libav/libavcodec/dsputil.c
@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
long i;
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
long a = *(long*)(src+i);
long b = *(long*)(dst+i);
*(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
}
}else
#endif
- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
+ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
long a = *(long*)(src1+i);
long b = *(long*)(src2+i);
*(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
--
1.7.5.4

50
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch Normal file
View File

@@ -0,0 +1,50 @@
gst-ffmpeg: avcodec/parser: reset indexes on realloc failure
Fixes Ticket2982
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/parser.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/libavcodec/parser.c b/libavcodec/parser.c
index 2c6de6e..66eca06 100644
--- a/gst-libs/ext/libav/libavcodec/parser.c
+++ b/gst-libs/ext/libav/libavcodec/parser.c
@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
if(next == END_NOT_FOUND){
void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
- if(!new_buffer)
+ if(!new_buffer) {
+ pc->index = 0;
return AVERROR(ENOMEM);
+ }
pc->buffer = new_buffer;
memcpy(&pc->buffer[pc->index], *buf, *buf_size);
pc->index += *buf_size;
@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
/* append to buffer */
if(pc->index){
void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
-
- if(!new_buffer)
+ if(!new_buffer) {
+ pc->overread_index =
+ pc->index = 0;
return AVERROR(ENOMEM);
+ }
pc->buffer = new_buffer;
if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
memcpy(&pc->buffer[pc->index], *buf,
--
1.7.5.4

81
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch Normal file
View File

@@ -0,0 +1,81 @@
gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
using the pointers
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Upstream-Status: Backport
Singed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/rpza.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 635b406..f291a95 100644
--- a/gst-libs/ext/libav/libavcodec/rpza.c
+++ b/gst-libs/ext/libav/libavcodec/rpza.c
@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
unsigned short *pixels = (unsigned short *)s->frame.data[0];
int row_ptr = 0;
- int pixel_ptr = 0;
+ int pixel_ptr = -4;
int block_ptr;
int pixel_x, pixel_y;
int total_blocks;
@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
colorA = AV_RB16 (&s->buf[stream_ptr]);
stream_ptr += 2;
while (n_blocks--) {
+ ADVANCE_BLOCK()
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
}
break;
@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
color4[2] |= ((21 * ta + 11 * tb) >> 5);
while (n_blocks--) {
+ ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
index = s->buf[stream_ptr++];
@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
}
break;
/* Fill block with 16 colors */
case 0x00:
+ ADVANCE_BLOCK();
block_ptr = row_ptr + pixel_ptr;
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
for (pixel_x = 0; pixel_x < 4; pixel_x++){
@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
}
block_ptr += row_inc;
}
- ADVANCE_BLOCK();
break;
/* Unknown opcode */
--
1.7.5.4

29
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch Normal file
View File

@@ -0,0 +1,29 @@
gst-ffmpeg: error concealment: initialize block index.
Fixes CVE-2011-3941 (out of bounds write)
Upstream-Status: Backport
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/error_resilience.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 8bb5d0c..d55c000 100644
--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
+++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
@@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){
s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+ ff_init_block_index(s);
+ ff_update_block_index(s);
+
if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){
H264Context *h= (void*)s;
h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
--
1.7.5.4

37
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch Normal file
View File

@@ -0,0 +1,37 @@
gst-ffmpeg: error_concealment: Check that the picture is not in a half
Fixes state becoming inconsistent
Fixes a null pointer dereference
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/error_resilience.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 01f7424..2b6bc42 100644
--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
+++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
@@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){
s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled
s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return;
+ if ( s->picture_structure == PICT_FRAME
+ && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {
+ av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
+ return;
+ }
+
if(s->current_picture.motion_val[0] == NULL){
av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
--
1.7.5.4

36
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch Normal file
View File

@@ -0,0 +1,36 @@
gst-ffmpeg: ffserver: set oformat
Fix Ticket1986
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f)
Upstream-Status: Backport
---
ffserver.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/ffserver.c b/ffserver.c
index 4044d0f..8740140 100644
--- a/gst-libs/ext/libav/ffserver.c
+++ b/gst-libs/ext/libav/ffserver.c
@@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
{
AVFormatContext *avc;
AVStream *avs = NULL;
+ AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
int i;
avc = avformat_alloc_context();
- if (avc == NULL) {
+ if (avc == NULL || !rtp_format) {
return -1;
}
+ avc->oformat = rtp_format;
av_dict_set(&avc->metadata, "title",
stream->title[0] ? stream->title : "No Title", 0);
avc->nb_streams = stream->nb_streams;
--
1.7.5.4

39
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch Normal file
View File

@@ -0,0 +1,39 @@
gst-ffmpeg: h264_sei: Fix infinite loop.
Fixsot yet fixed parts of CVE-2011-3946.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/h264_sei.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index 374e53d..80d70e5 100644
--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
+++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
type=0;
do{
+ if (get_bits_left(&s->gb) < 8)
+ return -1;
type+= show_bits(&s->gb, 8);
}while(get_bits(&s->gb, 8) == 255);
size=0;
do{
+ if (get_bits_left(&s->gb) < 8)
+ return -1;
size+= show_bits(&s->gb, 8);
}while(get_bits(&s->gb, 8) == 255);
--
1.7.5.4

30
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch Normal file
View File

@@ -0,0 +1,30 @@
gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array
accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Upstream-Status: Backport
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/huffyuv.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
index 6e88114..ca5bcd8 100644
--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
+++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
@@ -526,6 +526,10 @@ s->bgr32=1;
assert(0);
}
+ if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
+ av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
+ return AVERROR_INVALIDDATA;
+ }
alloc_temp(s);
// av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
--
1.7.5.4

45
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch Normal file
View File

@@ -0,0 +1,45 @@
gst-ffmpeg: lavf: compute probe buffer size more reliably.
The previous code computes the offset by reversing the growth
of the allocated buffer size: it is complex and did lead to
inconsistencies when the size limit is reached.
Fix trac ticket #1991.
(cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
Conflicts:
libavformat/utils.c
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavformat/utils.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 7940037..be73c4a 100644
--- a/gst-libs/ext/libav/libavformat/utils.c
+++ b/gst-libs/ext/libav/libavformat/utils.c
@@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
{
AVProbeData pd = { filename ? filename : "", NULL, -offset };
unsigned char *buf = NULL;
- int ret = 0, probe_size;
+ int ret = 0, probe_size, buf_offset = 0;
if (!max_probe_size) {
max_probe_size = PROBE_BUF_MAX;
@@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
score = 0;
ret = 0; /* error was end of file, nothing read */
}
- pd.buf_size += ret;
+ pd.buf_size = buf_offset += ret;
pd.buf = &buf[offset];
memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
--
1.7.5.4

44
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch Normal file
View File

@@ -0,0 +1,44 @@
gst-ffmpeg: pngdec/filter: dont access out of array elements at the end
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
---
libavcodec/pngdec.c | 12 ++++--------
1 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 97c0ad1..193e35e 100644
--- a/gst-libs/ext/libav/libavcodec/pngdec.c
+++ b/gst-libs/ext/libav/libavcodec/pngdec.c
@@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
if(bpp >= 2) g = dst[1];\
if(bpp >= 3) b = dst[2];\
if(bpp >= 4) a = dst[3];\
- for(; i < size; i+=bpp) {\
+ for(; i <= size - bpp; i+=bpp) {\
dst[i+0] = r = op(r, src[i+0], last[i+0]);\
if(bpp == 1) continue;\
dst[i+1] = g = op(g, src[i+1], last[i+1]);\
@@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
else if(bpp == 2) UNROLL1(2, op)\
else if(bpp == 3) UNROLL1(3, op)\
else if(bpp == 4) UNROLL1(4, op)\
- else {\
- for (; i < size; i += bpp) {\
- int j;\
- for (j = 0; j < bpp; j++)\
- dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
- }\
- }
+ for (; i < size; i++) {\
+ dst[i] = op(dst[i-bpp], src[i], last[i]);\
+ }\
/* NOTE: 'dst' can be equal to 'last' */
static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
--
1.7.5.4

30
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch Normal file
View File

@@ -0,0 +1,30 @@
gst-ffmpeg: qdm2: check array index before use, fix out of array
accesses
Upstream-Status: Backport
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/qdm2.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 4cf4b2f..1dfb8d5 100644
--- a/gst-libs/ext/libav/libavcodec/qdm2.c
+++ b/gst-libs/ext/libav/libavcodec/qdm2.c
@@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
for (i = 0; packet_bytes > 0; i++) {
int j;
+ if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
+ SAMPLES_NEEDED_2("too many packet bytes");
+ return;
+ }
+
q->sub_packet_list_A[i].next = NULL;
if (i > 0) {
--
1.7.5.4

58
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch Normal file
View File

@@ -0,0 +1,58 @@
gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144
This also adds a few lines of code from master that are needed for this fix.
Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Upstream-Status: Backport
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/qdm2.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 3aa9e5b..e000df8 100644
--- a/gst-libs/ext/libav/libavcodec/qdm2.c
+++ b/gst-libs/ext/libav/libavcodec/qdm2.c
@@ -76,6 +76,7 @@ do { \
#define SAMPLES_NEEDED_2(why) \
av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
+#define QDM2_MAX_FRAME_SIZE 512
typedef int8_t sb_int8_array[2][30][64];
@@ -168,7 +169,7 @@ typedef struct {
/// I/O data
const uint8_t *compressed_data;
int compressed_size;
- float output_buffer[1024];
+ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
/// Synthesis filter
MPADSPContext mpadsp;
@@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
s->group_order = av_log2(s->group_size) + 1;
s->frame_size = s->group_size / 16; // 16 iterations per super block
+ if (s->frame_size > QDM2_MAX_FRAME_SIZE)
+ return AVERROR_INVALIDDATA;
+
s->sub_sampling = s->fft_order - 7;
s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
@@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
int ch, i;
const int frame_size = (q->frame_size * q->channels);
+ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
+ return -1;
+
/* select input buffer */
q->compressed_data = in;
q->compressed_size = q->checksum_size;
--
1.7.5.4

32
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch Normal file
View File

@@ -0,0 +1,32 @@
gst-ffmpeg: smackerdec: Check that the last indexes are within the
table.
Fixes CVE-2011-3944
Upstream-Status: Backport
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
libavcodec/smacker.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 30f99b4..2a8bae8 100644
--- a/gst-libs/ext/libav/libavcodec/smacker.c
+++ b/gst-libs/ext/libav/libavcodec/smacker.c
@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
+ if(huff.current > huff.length){
+ ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
+ av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
+ return -1;
+ }
*recodes = huff.values;
--
1.7.5.4

32
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch Normal file
View File

@@ -0,0 +1,32 @@
gst-ffmpeg: vp3: Copy all 3 frames for thread updates.
This fixes a double release of the current frame on deinit.
Fixes CVE-2011-3934
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Upstream-Status: Backport
Signed-off-by: Yue.Tao <yue.tao@windriver.com>
---
libavcodec/vp3.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 738ae9f..b5daafc 100644
--- a/gst-libs/ext/libav/libavcodec/vp3.c
+++ b/gst-libs/ext/libav/libavcodec/vp3.c
@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
||s->width != s1->width
||s->height!= s1->height) {
if (s != s1)
- copy_fields(s, s1, golden_frame, current_frame);
+ copy_fields(s, s1, golden_frame, keyframe);
return -1;
}
--
1.7.5.4

183
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch Normal file
View File

@@ -0,0 +1,183 @@
gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
Upstream-Status: Backport
Signed-off-by: Yue.Tao <yue.tao@windriver.com>
---
libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------
1 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 36715bb..ce14e63 100644
--- a/gst-libs/ext/libav/libavcodec/vp3.c
+++ b/gst-libs/ext/libav/libavcodec/vp3.c
@@ -45,6 +45,7 @@
#define FRAGMENT_PIXELS 8
static av_cold int vp3_decode_end(AVCodecContext *avctx);
+static void vp3_decode_flush(AVCodecContext *avctx);
//FIXME split things out into their own arrays
typedef struct Vp3Fragment {
@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
/* decode a VLC into a token */
token = get_vlc2(gb, vlc_table, 11, 3);
/* use the token to get a zero run, a coefficient, and an eob run */
- if (token <= 6) {
+ if ((unsigned) token <= 6U) {
eob_run = eob_run_base[token];
if (eob_run_get_bits[token])
eob_run += get_bits(gb, eob_run_get_bits[token]);
@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
coeff_i += eob_run;
eob_run = 0;
}
- } else {
+ } else if (token >= 0) {
bits_to_get = coeff_get_bits[token];
if (bits_to_get)
bits_to_get = get_bits(gb, bits_to_get);
@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
s->num_coded_frags[plane][i]--;
coeff_i++;
+ } else {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid token %d\n", token);
+ return -1;
}
}
@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
/* unpack the Y plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the Y-plane DC coefficients */
reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
/* unpack the C plane DC coefficients */
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
/* reverse prediction of the C-plane DC coefficients */
if (!(s->avctx->flags & CODEC_FLAG_GRAY))
@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
for (i = 1; i <= 63; i++) {
residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
0, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
1, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
2, residual_eob_run);
+ if (residual_eob_run < 0)
+ return residual_eob_run;
}
return 0;
@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
int qps_changed = 0, i, err;
+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+
if (!s1->current_frame.data[0]
||s->width != s1->width
- ||s->height!= s1->height)
+ ||s->height!= s1->height) {
+ if (s != s1)
+ copy_fields(s, s1, golden_frame, current_frame);
return -1;
+ }
if (s != s1) {
// init tables if the first frame hasn't been decoded
@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
}
-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
-
// copy previous frame data
copy_fields(s, s1, golden_frame, dsp);
@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
Vp3DecodeContext *s = avctx->priv_data;
int i;
- if (avctx->is_copy && !s->current_frame.data[0])
- return 0;
-
av_free(s->superblock_coding);
av_free(s->all_fragments);
av_free(s->coded_fragment_list[0]);
@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
free_vlc(&s->motion_vector_vlc);
/* release all frames */
- if (s->golden_frame.data[0])
- ff_thread_release_buffer(avctx, &s->golden_frame);
- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
- ff_thread_release_buffer(avctx, &s->last_frame);
- /* no need to release the current_frame since it will always be pointing
- * to the same frame as either the golden or last frame */
+ vp3_decode_flush(avctx);
return 0;
}
@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
ff_thread_release_buffer(avctx, &s->current_frame);
}
+static int vp3_init_thread_copy(AVCodecContext *avctx)
+{
+ Vp3DecodeContext *s = avctx->priv_data;
+
+ s->superblock_coding = NULL;
+ s->all_fragments = NULL;
+ s->coded_fragment_list[0] = NULL;
+ s->dct_tokens_base = NULL;
+ s->superblock_fragments = NULL;
+ s->macroblock_coding = NULL;
+ s->motion_val[0] = NULL;
+ s->motion_val[1] = NULL;
+ s->edge_emu_buffer = NULL;
+
+ return 0;
+}
+
AVCodec ff_theora_decoder = {
.name = "theora",
.type = AVMEDIA_TYPE_VIDEO,
@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
.capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Theora"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
#endif
@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
.capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
.flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
--
1.7.5.4

100
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch Normal file
View File

@@ -0,0 +1,100 @@
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
Upstream-Status: Backport
Signed-off-by: Yue Tao <yue.tao@windriver.com>
diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
index 2a0df8c..bcbd56d 100644
--- a/gst-libs/ext/libav/libavcodec/alac.c.old
+++ b/gst-libs/ext/libav/libavcodec/alac.c
@@ -87,18 +87,44 @@ typedef struct {
int wasted_bits;
} ALACContext;
-static void allocate_buffers(ALACContext *alac)
+static av_cold int alac_decode_close(AVCodecContext *avctx)
+{
+ ALACContext *alac = avctx->priv_data;
+
+ int chan;
+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
+ av_freep(&alac->predicterror_buffer[chan]);
+ av_freep(&alac->outputsamples_buffer[chan]);
+ av_freep(&alac->wasted_bits_buffer[chan]);
+ }
+
+ return 0;
+}
+
+static int allocate_buffers(ALACContext *alac)
{
int chan;
+ int buf_size;
+
+ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
+ goto buf_alloc_fail;
+ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
+
for (chan = 0; chan < MAX_CHANNELS; chan++) {
- alac->predicterror_buffer[chan] =
- av_malloc(alac->setinfo_max_samples_per_frame * 4);
- alac->outputsamples_buffer[chan] =
- av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
+ buf_size, buf_alloc_fail);
- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
+ buf_size, buf_alloc_fail);
+
+ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
+ buf_size, buf_alloc_fail);
}
+ return 0;
+buf_alloc_fail:
+ alac_decode_close(alac->avctx);
+ return AVERROR(ENOMEM);
}
static int alac_set_info(ALACContext *alac)
@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
bytestream_get_be32(&ptr); /* bitrate ? */
bytestream_get_be32(&ptr); /* samplerate */
- allocate_buffers(alac);
-
return 0;
}
@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
static av_cold int alac_decode_init(AVCodecContext * avctx)
{
+ int ret;
ALACContext *alac = avctx->priv_data;
alac->avctx = avctx;
alac->numchannels = alac->avctx->channels;
@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
return -1;
}
- return 0;
-}
-
-static av_cold int alac_decode_close(AVCodecContext *avctx)
-{
- ALACContext *alac = avctx->priv_data;
-
- int chan;
- for (chan = 0; chan < MAX_CHANNELS; chan++) {
- av_freep(&alac->predicterror_buffer[chan]);
- av_freep(&alac->outputsamples_buffer[chan]);
- av_freep(&alac->wasted_bits_buffer[chan]);
+ if ((ret = allocate_buffers(alac)) < 0) {
+ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
+ return ret;
}
return 0;

17
meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
View File

@@ -36,6 +36,23 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-alac-fix-nb_samples-order-case.patch \
file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
file://0001-roqvideodec-check-dimensions-validity.patch \
file://0001-aacdec-check-channel-count.patch \
file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
file://0001-h264_sei-Fix-infinite-loop.patch \
file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
file://gst-ffmpeg-CVE-2013-0855.patch \
file://0001-qdm2dec-fix-buffer-overflow.patch \
file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
file://0001-error-concealment-initialize-block-index.patch \
file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
file://0001-ffserver-set-oformat.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"