Diffstat (limited to 'meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch')
-rw-r--r--meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch
new file mode 100644
index 0000000000..90f3fd0314
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/gstreamer-0.10/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2011-4352.patch
@@ -0,0 +1,64 @@
+From 8b94df0f2047e9728cb872adc9e64557b7a5152f Mon Sep 17 00:00:00 2001
+From: Reinhard Tartler <siretart@tauware.de>
+Date: Sun, 4 Dec 2011 10:10:33 +0100
+Subject: [PATCH] vp3dec: Check coefficient index in vp3_dequant()
+
+Based on a patch by Michael Niedermayer <michaelni@gmx.at>
+
+Fixes NGS00145, CVE-2011-4352
+
+Found-by: Phillip Langlois
+Signed-off-by: Reinhard Tartler <siretart@tauware.de>
+
+
+Upstream-Status: Backport
+
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=8b94df0f2047e9728cb872adc9e64557b7a5152f
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ libavcodec/vp3.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 51ab048..f44d084 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -1363,6 +1363,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
+ case 1: // zero run
+ s->dct_tokens[plane][i]++;
+ i += (token >> 2) & 0x7f;
++ if (i > 63) {
++ av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n");
++ return i;
++ }
+ block[perm[i]] = (token >> 9) * dequantizer[perm[i]];
+ i++;
+ break;
+@@ -1566,7 +1570,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
+ /* invert DCT and place (or add) in final output */
+
+ if (s->all_fragments[i].coding_method == MODE_INTRA) {
+- vp3_dequant(s, s->all_fragments + i, plane, 0, block);
++ int index;
++ index = vp3_dequant(s, s->all_fragments + i, plane, 0, block);
++ if (index > 63)
++ continue;
+ if(s->avctx->idct_algo!=FF_IDCT_VP3)
+ block[0] += 128<<3;
+ s->dsp.idct_put(
+@@ -1574,7 +1581,10 @@ static void render_slice(Vp3DecodeContext *s, int slice)
+ stride,
+ block);
+ } else {
+- if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) {
++ int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block);
++ if (index > 63)
++ continue;
++ if (index > 0) {
+ s->dsp.idct_add(
+ output_plane + first_pixel,
+ stride,
+--
+2.1.1
+
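Review bot: The literal 63 now carries an undocumented contract between vp3_dequant() and render_slice(): the zero-run case returns `i` once it exceeds 63, and both call sites in render_slice() read `index > 63` as "corrupt fragment, skip it". A one-line comment at each `continue` would make that explicit, for example `/* vp3_dequant() returns > 63 when a zero run overruns the block; drop this fragment */`, and a named constant for the bound would keep the three comparisons in step. Both `continue` statements also bypass the idct_put()/idct_add() call, and render_slice() returns void, so the av_log() line is the only trace of a damaged fragment. Whether the skipped fragment's output pixels, and any coefficients earlier tokens already stored in `block`, are handled elsewhere cannot be seen here, because both function bodies extend outside these hunks.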