From 58f08a96764094189b5aaf3cc8b4cc0c95e23409 Mon Sep 17 00:00:00 2001 
From: Yue Tao Date: Tue, 22 Jul 2014 15:46:36 +0800 Subject: gst-ffmpeg: Add CVE patches Security Advisory - ffmpeg - CVE-2013-0866 The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large number of channels in an AAC file, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875 The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via a crafted PNG image, related to an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860 The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a frame is fully initialized, which allows remote attackers to trigger a NULL pointer dereference via crafted picture data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934 Double free vulnerability in the vp3_update_thread_context function in libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted vp3 data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946 The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop. 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023 The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009 The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 Integer overflow in the alac_decode_close function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a large number of samples per frame in Apple Lossless Audio Codec (ALAC) data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351 Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before 0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute arbitrary code via unspecified vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848 The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted width in huffyuv data with the predictor set to median and the colorspace set to YUV422P, which triggers an out-of-bounds array access. 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944 The smacker_decode_header_tree function in libavcodec/smacker.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Smacker data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944 file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \ gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010 Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941 The decode_mb function in libavcodec/error_resilience.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via vectors related to an uninitialized block index, which triggers an out-of-bound write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846 Array index error in the qdm2_decode_super_block function in libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted QDM2 data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618 The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient frames to estimate rate. 
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617 The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617 Signed-off-by: Yue Tao Signed-off-by: Roy Li 
Signed-off-by: Richard Purdie --- .../0001-aacdec-check-channel-count.patch | 34 ++++ ...util-fix-signedness-in-sizeof-comparissio.patch | 40 +++++ ...c-parser-reset-indexes-on-realloc-failure.patch | 50 ++++++ ...a-Perform-pointer-advance-and-checks-befo.patch | 81 +++++++++ ...-error-concealment-initialize-block-index.patch | 29 ++++ ...alment-Check-that-the-picture-is-not-in-a.patch | 37 +++++ .../0001-ffserver-set-oformat.patch | 36 ++++ .../0001-h264_sei-Fix-infinite-loop.patch | 39 +++++ ...check-width-more-completely-avoid-out-of-.patch | 30 ++++ ...f-compute-probe-buffer-size-more-reliably.patch | 45 +++++ ...er-dont-access-out-of-array-elements-at-t.patch | 44 +++++ ...array-index-before-use-fix-out-of-array-a.patch | 30 ++++ .../0001-qdm2dec-fix-buffer-overflow.patch | 58 +++++++ ...Check-that-the-last-indexes-are-within-th.patch | 32 ++++ ...-vp3-Copy-all-3-frames-for-thread-updates.patch | 32 ++++ ...-read-for-negative-tokens-and-memleaks-on.patch | 183 +++++++++++++++++++++ .../gst-ffmpeg-CVE-2013-0855.patch | 100 +++++++++++ .../gstreamer/gst-ffmpeg_0.10.13.bb | 17 ++ 18 files changed, 917 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch create mode 100644 
meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch (limited to 'meta')
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
new file mode 100644
index 0000000000..7da0e14525
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-aacdec-check-channel-count.patch
@@ -0,0 +1,34 @@
+gst-ffmpeg: aacdec: check channel count
+
+Prevent out of array accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+---
+ libavcodec/aacdec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
+index 239153a..6c17c33 100644
+--- a/gst-libs/ext/libav/libavcodec/aacdec.c
++++ b/gst-libs/ext/libav/libavcodec/aacdec.c
+@@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
+ }
+ }
+
++ if (avctx->channels > MAX_CHANNELS) {
++ av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ AAC_INIT_VLC_STATIC( 0, 304);
+ AAC_INIT_VLC_STATIC( 1, 270);
+ AAC_INIT_VLC_STATIC( 2, 550);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
new file mode 100644
index 0000000000..31fa51a3ea
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch
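Review bot: The header of this backport never names the CVE it closes; the commit message ties the aac_decode_init channel check to CVE-2013-0866, so a `CVE: CVE-2013-0866` line next to `Upstream-Status: Backport` would let CVE-tracking tooling and later auditors match the patch to the advisory. The same tag is missing from the dsputil, parser, rpza, error_concealment "Check that the picture", ffserver, huffyuvdec, lavf, pngdec and both qdm2 patch headers in this commit. In the code itself, the new `avctx->channels > MAX_CHANNELS` test sits after the initialisation whose closing braces open the hunk; whether any of that earlier code already indexes by channel count cannot be seen from here, because aac_decode_init starts and ends outside the hunk.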
@@ -0,0 +1,40 @@
+From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Fri, 30 Aug 2013 23:40:47 +0200
+Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions
+
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/dsputil.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
+index 53dc2eb..6264832 100644
+--- a/gst-libs/ext/libav/libavcodec/dsputil.c
++++ b/gst-libs/ext/libav/libavcodec/dsputil.c
+@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
+
+ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
+ long i;
+- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+ long a = *(long*)(src+i);
+ long b = *(long*)(dst+i);
+ *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
+@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
+ }
+ }else
+ #endif
+- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+ long a = *(long*)(src1+i);
+ long b = *(long*)(src2+i);
+ *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
new file mode 100644
index 0000000000..5ff65834e4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-parser-reset-indexes-on-realloc-failure.patch
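Review bot: The two changed loop bounds in add_bytes_c and diff_bytes_c need a comment saying why the cast is there, because `w-(int)sizeof(long)` looks redundant to anyone who does not know that `w - sizeof(long)` is evaluated as unsigned and wraps to a huge value when `w` is smaller than `sizeof(long)`. Something like `/* cast keeps the bound signed: w < sizeof(long) must skip the loop, not wrap */` above each loop would stop the cast being removed as a cleanup later. Both functions continue outside their hunks.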
@@ -0,0 +1,50 @@
+gst-ffmpeg: avcodec/parser: reset indexes on realloc failure
+
+Fixes Ticket2982
+
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
+
+Signed-off-by: Michael Niedermayer
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+
+---
+ libavcodec/parser.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/parser.c b/libavcodec/parser.c
+index 2c6de6e..66eca06 100644
+--- a/gst-libs/ext/libav/libavcodec/parser.c
++++ b/gst-libs/ext/libav/libavcodec/parser.c
+@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+ if(next == END_NOT_FOUND){
+ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+
+- if(!new_buffer)
++ if(!new_buffer) {
++ pc->index = 0;
+ return AVERROR(ENOMEM);
++ }
+ pc->buffer = new_buffer;
+ memcpy(&pc->buffer[pc->index], *buf, *buf_size);
+ pc->index += *buf_size;
+@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+ /* append to buffer */
+ if(pc->index){
+ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+-
+- if(!new_buffer)
++ if(!new_buffer) {
++ pc->overread_index =
++ pc->index = 0;
+ return AVERROR(ENOMEM);
++ }
+ pc->buffer = new_buffer;
+ if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
+ memcpy(&pc->buffer[pc->index], *buf,
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
new file mode 100644
index 0000000000..7f6eb48889
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
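Review bot: In the second hunk the chained reset is split over two lines, `pc->overread_index =` and `pc->index = 0;`, which reads like two statements with a missing right-hand side; it is clearer as `pc->overread_index = pc->index = 0;` on one line. The two error paths of ff_combine_frame also reset different state: the `END_NOT_FOUND` branch clears only `pc->index`, the append branch clears both indexes. If that difference is intended, a one-line comment at the first branch saying why `overread_index` is left alone would save the next reader from treating it as an omission. The function starts and ends outside both hunks.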
@@ -0,0 +1,81 @@
+gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
+ using the pointers
+
+Fixes out of array accesses
+Fixes Ticket2850
+
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
+
+Signed-off-by: Michael Niedermayer
+
+Upstream-Status: Backport
+
+Singed-off-by: Yue Tao
+
+---
+ libavcodec/rpza.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 635b406..f291a95 100644
+--- a/gst-libs/ext/libav/libavcodec/rpza.c
++++ b/gst-libs/ext/libav/libavcodec/rpza.c
+@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ unsigned short *pixels = (unsigned short *)s->frame.data[0];
+
+ int row_ptr = 0;
+- int pixel_ptr = 0;
++ int pixel_ptr = -4;
+ int block_ptr;
+ int pixel_x, pixel_y;
+ int total_blocks;
+@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ colorA = AV_RB16 (&s->buf[stream_ptr]);
+ stream_ptr += 2;
+ while (n_blocks--) {
++ ADVANCE_BLOCK()
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ color4[2] |= ((21 * ta + 11 * tb) >> 5);
+
+ while (n_blocks--) {
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ index = s->buf[stream_ptr++];
+@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+ /* Fill block with 16 colors */
+ case 0x00:
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr +=
row_inc;
+ }
+- ADVANCE_BLOCK();
+ break;
+
+ /* Unknown opcode */
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
new file mode 100644
index 0000000000..e0e4239c2f
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error-concealment-initialize-block-index.patch
@@ -0,0 +1,29 @@
+gst-ffmpeg: error concealment: initialize block index.
+
+Fixes CVE-2011-3941 (out of bounds write)
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/error_resilience.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 8bb5d0c..d55c000 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){
+ s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+ s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+
++ ff_init_block_index(s);
++ ff_update_block_index(s);
++
+ if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){
+ H264Context *h= (void*)s;
+ h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
new file mode 100644
index 0000000000..8eef6e99cc
--- /dev/null
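Review bot: The first relocated call, in the `while (n_blocks--)` loop of the hunk at line 139 of rpza.c, is written `ADVANCE_BLOCK()` without the trailing semicolon that the other two relocated calls carry; it presumably still compiles because of how the macro is defined (not visible here), but it should read `ADVANCE_BLOCK();` for consistency. The new initial value `int pixel_ptr = -4;` only makes sense together with the advance-before-use order, so a short comment such as `/* ADVANCE_BLOCK() runs before the first block is written */` belongs on that declaration. The patch header's trailer is spelled `Singed-off-by`, which sign-off checks will not recognise. rpza_decode_stream starts and ends outside the hunks.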
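Review bot: `Upstream-Status: Backport` in the header of the "initialize block index" patch gives no upstream commit to compare against, and there is no sign-off from whoever carried the patch into this layer. Adding `(cherry picked from commit <upstream-commit-id>)`, as the aacdec and parser patches in this commit do, lets a later reader confirm that the two added calls in decode_mb, `ff_init_block_index(s)` and `ff_update_block_index(s)`, match the upstream fix for CVE-2011-3941. The h264_sei, huffyuvdec, pngdec, smackerdec, both qdm2 and both vp3 patch headers lack the upstream reference as well.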
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-error_concealment-Check-that-the-picture-is-not-in-a.patch
@@ -0,0 +1,37 @@
+gst-ffmpeg: error_concealment: Check that the picture is not in a half
+
+Fixes state becoming inconsistent
+Fixes a null pointer dereference
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+
+---
+ libavcodec/error_resilience.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 01f7424..2b6bc42 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){
+ s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled
+ s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return;
+
++ if ( s->picture_structure == PICT_FRAME
++ && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {
++ av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
++ return;
++ }
++
+ if(s->current_picture.motion_val[0] == NULL){
+ av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
+
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
new file mode 100644
index 0000000000..80325db4d6
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-ffserver-set-oformat.patch
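Review bot: The added guard in ff_er_frame_end dereferences `s->current_picture_ptr` without a NULL test, and nothing in the visible context establishes that the pointer is set at this point. Since the patch exists to stop a NULL dereference on partly initialised frames, this should be confirmed, or the test written as `if (!s->current_picture_ptr || s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {`. The `s->picture_structure == PICT_FRAME` half of the condition is redundant, because the early return just above already leaves the function when `s->picture_structure != PICT_FRAME`. The function begins before and ends after the hunk.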
@@ -0,0 +1,36 @@
+gst-ffmpeg: ffserver: set oformat
+
+Fix Ticket1986
+
+Signed-off-by: Michael Niedermayer
+(cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f)
+
+Upstream-Status: Backport
+
+---
+ ffserver.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/ffserver.c b/ffserver.c
+index 4044d0f..8740140 100644
+--- a/gst-libs/ext/libav/ffserver.c
++++ b/gst-libs/ext/libav/ffserver.c
+@@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
+ {
+ AVFormatContext *avc;
+ AVStream *avs = NULL;
++ AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
+ int i;
+
+ avc = avformat_alloc_context();
+- if (avc == NULL) {
++ if (avc == NULL || !rtp_format) {
+ return -1;
+ }
++ avc->oformat = rtp_format;
+ av_dict_set(&avc->metadata, "title",
+ stream->title[0] ? stream->title : "No Title", 0);
+ avc->nb_streams = stream->nb_streams;
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
new file mode 100644
index 0000000000..1e62b50360
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
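Review bot: When `avformat_alloc_context()` succeeds but `av_guess_format("rtp", NULL, NULL)` returned NULL, the combined test `if (avc == NULL || !rtp_format)` returns -1 without releasing `avc`, so that path leaks the context. Checking the format first avoids it: put `if (!rtp_format) return -1;` before the `avc = avformat_alloc_context();` line and leave the original `if (avc == NULL) {` as it was. prepare_sdp_description continues past the end of the hunk.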
@@ -0,0 +1,39 @@
+gst-ffmpeg: h264_sei: Fix infinite loop.
+
+Fixsot yet fixed parts of CVE-2011-3946.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+
+---
+ libavcodec/h264_sei.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+
+diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
+index 374e53d..80d70e5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
++++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
+@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
+
+ type=0;
+ do{
++ if (get_bits_left(&s->gb) < 8)
++ return -1;
+ type+= show_bits(&s->gb, 8);
+ }while(get_bits(&s->gb, 8) == 255);
+
+ size=0;
+ do{
++ if (get_bits_left(&s->gb) < 8)
++ return -1;
+ size+= show_bits(&s->gb, 8);
+ }while(get_bits(&s->gb, 8) == 255);
+
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
new file mode 100644
index 0000000000..6b60d163fb
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch
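Review bot: Both added `return -1;` exits in ff_h264_decode_sei are silent, so a truncated SEI payload that used to loop forever now vanishes without a trace in the log. A one-line error log before each return would make such streams visible to whoever triages decoder failures, in the way the aacdec and smacker patches in this commit log before bailing out; the logging context to use is outside the hunk. The patch description line `Fixsot yet fixed parts of CVE-2011-3946.` is garbled and should be rewritten so the scope of the fix is readable.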
@@ -0,0 +1,30 @@
+gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array
+ accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/huffyuv.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 6e88114..ca5bcd8 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -526,6 +526,10 @@ s->bgr32=1;
+ assert(0);
+ }
+
++ if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
++ av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
++ return AVERROR_INVALIDDATA;
++ }
+ alloc_temp(s);
+
+ // av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
new file mode 100644
index 0000000000..ea4aa222b3
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-lavf-compute-probe-buffer-size-more-reliably.patch
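Review bot: `AV_PIX_FMT_YUV422P` in the added width check may not exist in the libav tree bundled with gst-ffmpeg 0.10.13: other context lines in this commit still use the pre-rename spellings (`CODEC_ID_H264` in the error_resilience.c hunk), which suggests the tree predates the `AV_`-prefixed pixel-format names. If so the patch applies but does not compile, and the condition should read `if (s->predictor == MEDIAN && avctx->pix_fmt == PIX_FMT_YUV422P && avctx->width%4) {`; please confirm with a build. The log text is also missing a word (`"width must be a multiple of 4 for this colorspace and predictor\n"`). The enclosing function (decode_init, per the commit message) starts and ends outside the hunk, so whether earlier allocations need releasing before the new `return` cannot be judged here.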
@@ -0,0 +1,45 @@
+gst-ffmpeg: lavf: compute probe buffer size more reliably.
+
+The previous code computes the offset by reversing the growth
+of the allocated buffer size: it is complex and did lead to
+inconsistencies when the size limit is reached.
+
+Fix trac ticket #1991.
+(cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
+
+Conflicts:
+ libavformat/utils.c
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+
+---
+ libavformat/utils.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index 7940037..be73c4a 100644
+--- a/gst-libs/ext/libav/libavformat/utils.c
++++ b/gst-libs/ext/libav/libavformat/utils.c
+@@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+ {
+ AVProbeData pd = { filename ? filename : "", NULL, -offset };
+ unsigned char *buf = NULL;
+- int ret = 0, probe_size;
++ int ret = 0, probe_size, buf_offset = 0;
+
+ if (!max_probe_size) {
+ max_probe_size = PROBE_BUF_MAX;
+@@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+ score = 0;
+ ret = 0; /* error was end of file, nothing read */
+ }
+- pd.buf_size += ret;
++ pd.buf_size = buf_offset += ret;
+ pd.buf = &buf[offset];
+
+ memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
new file mode 100644
index 0000000000..1e5fb7deb1
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch
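Review bot: `pd.buf_size = buf_offset += ret;` in the second hunk packs an accumulate and an assignment into one expression, which makes the size that bounds the following `memset(pd.buf + pd.buf_size, ...)` harder to audit than it needs to be. Two statements, `buf_offset += ret;` then `pd.buf_size = buf_offset;`, read more clearly, and a comment on the `buf_offset` declaration saying what it counts would help. The header lists `Conflicts: libavformat/utils.c`, so the hunk was presumably adapted by hand; the rest of the probing loop in av_probe_input_buffer is outside the hunks and should be checked against the upstream commit.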
@@ -0,0 +1,44 @@
+gst-ffmpeg: pngdec/filter: dont access out of array elements at the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+---
+ libavcodec/pngdec.c | 12 ++++--------
+ 1 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
+index 97c0ad1..193e35e 100644
+--- a/gst-libs/ext/libav/libavcodec/pngdec.c
++++ b/gst-libs/ext/libav/libavcodec/pngdec.c
+@@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+ if(bpp >= 2) g = dst[1];\
+ if(bpp >= 3) b = dst[2];\
+ if(bpp >= 4) a = dst[3];\
+- for(; i < size; i+=bpp) {\
++ for(; i <= size - bpp; i+=bpp) {\
+ dst[i+0] = r = op(r, src[i+0], last[i+0]);\
+ if(bpp == 1) continue;\
+ dst[i+1] = g = op(g, src[i+1], last[i+1]);\
+@@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+ else if(bpp == 2) UNROLL1(2, op)\
+ else if(bpp == 3) UNROLL1(3, op)\
+ else if(bpp == 4) UNROLL1(4, op)\
+- else {\
+- for (; i < size; i += bpp) {\
+- int j;\
+- for (j = 0; j < bpp; j++)\
+- dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
+- }\
+- }
++ for (; i < size; i++) {\
++ dst[i] = op(dst[i-bpp], src[i], last[i]);\
++ }\
+
+ /* NOTE: 'dst' can be equal to 'last' */
+ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
new file mode 100644
index 0000000000..8c94232d6d
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch
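Review bot: The rewritten tail of the macro in the second hunk ends with a line continuation, `}\`, so the macro body now runs on into whatever follows it and is correct only because the next line in the file is blank. Dropping the backslash from that last `}` keeps the macro self-terminated. The new tail loop also reads `dst[i-bpp]`, so it relies on `i` being at least `bpp` when it is reached; that is set up outside the hunk and should be confirmed for the case where none of the `UNROLL1` branches run.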
@@ -0,0 +1,30 @@
+gst-ffmpeg: qdm2: check array index before use, fix out of array
+ accesses
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/qdm2.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 4cf4b2f..1dfb8d5 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
+ for (i = 0; packet_bytes > 0; i++) {
+ int j;
+
++ if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
++ SAMPLES_NEEDED_2("too many packet bytes");
++ return;
++ }
++
+ q->sub_packet_list_A[i].next = NULL;
+
+ if (i > 0) {
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
new file mode 100644
index 0000000000..43ffc03a69
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-qdm2dec-fix-buffer-overflow.patch
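Review bot: The new bound check reports damaged or hostile input through `SAMPLES_NEEDED_2`, which, as defined in the context lines of the qdm2dec patch later in this commit, logs at `AV_LOG_INFO` with a NULL context and a message asking the user to contact the developers. An input-validation failure is easier to find in logs at error level, and because qdm2_decode_super_block returns void the caller is not told that decoding stopped early; whether it copes with a partly filled `sub_packet_list_A` cannot be seen from the hunk. If `i` is a signed int (its declaration is outside the hunk), `i>=FF_ARRAY_ELEMS(...)` compares signed with unsigned and is safe only because `i` starts at 0 and counts up.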
@@ -0,0 +1,58 @@
+gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144
+
+This also adds a few lines of code from master that are needed for this fix.
+
+Thanks to Phillip for suggestions to improve the patch.
+Found-by: Phillip Langlois
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/qdm2.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 3aa9e5b..e000df8 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -76,6 +76,7 @@ do { \
+ #define SAMPLES_NEEDED_2(why) \
+ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
+
++#define QDM2_MAX_FRAME_SIZE 512
+
+ typedef int8_t sb_int8_array[2][30][64];
+
+@@ -168,7 +169,7 @@ typedef struct {
+ /// I/O data
+ const uint8_t *compressed_data;
+ int compressed_size;
+- float output_buffer[1024];
++ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
+
+ /// Synthesis filter
+ MPADSPContext mpadsp;
+@@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
+ s->group_order = av_log2(s->group_size) + 1;
+ s->frame_size = s->group_size / 16; // 16 iterations per super block
+
++ if (s->frame_size > QDM2_MAX_FRAME_SIZE)
++ return AVERROR_INVALIDDATA;
++
+ s->sub_sampling = s->fft_order - 7;
+ s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
+
+@@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
+ int ch, i;
+ const int frame_size = (q->frame_size * q->channels);
+
++ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
++ return -1;
++
+ /* select input buffer */
+ q->compressed_data = in;
+ q->compressed_size = q->checksum_size;
+--
+1.7.5.4
+
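Review bot: The factors in `float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2]` and in the matching guard `(unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2` are unexplained; a comment on the array saying what the `* 2` reserves, and therefore why the guard divides by 2, would keep the two from drifting apart. qdm2_decode_init now bounds `s->frame_size`, but the hunks show no matching bound on the channel count, so the product `q->frame_size * q->channels` is only as safe as a channel check made elsewhere; please confirm one exists. The guard in qdm2_decode returns a bare `-1` while the one in init returns `AVERROR_INVALIDDATA`. Both functions extend beyond their hunks.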
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
new file mode 100644
index 0000000000..15b161469c
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch
@@ -0,0 +1,32 @@
+gst-ffmpeg: smackerdec: Check that the last indexes are within the
+ table.
+
+Fixes CVE-2011-3944
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/smacker.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
+index 30f99b4..2a8bae8 100644
+--- a/gst-libs/ext/libav/libavcodec/smacker.c
++++ b/gst-libs/ext/libav/libavcodec/smacker.c
+@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+ if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
+ if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
+ if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
++ if(huff.current > huff.length){
++ ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
++ av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
++ return -1;
++ }
+
+ *recodes = huff.values;
+
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
new file mode 100644
index 0000000000..a1989cfeab
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-Copy-all-3-frames-for-thread-updates.patch
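Review bot: The new `return -1` leaves smacker_decode_header_tree before `*recodes = huff.values;`, so the table in `huff.values` is never handed to the caller on this path; if it is heap-allocated earlier in the function (not visible in the hunk), every damaged tree leaks it, and it should be released before returning. Setting `ctx.last[0]`, `ctx.last[1]` and `ctx.last[2]` to 1 immediately before the return has an effect only if `ctx.last` refers to storage that outlives the call, which also cannot be seen here; a comment saying why it is done would help. The function starts and ends outside the hunk.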
@@ -0,0 +1,32 @@
+gst-ffmpeg: vp3: Copy all 3 frames for thread updates.
+
+This fixes a double release of the current frame on deinit.
+Fixes CVE-2011-3934
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue.Tao
+
+---
+ libavcodec/vp3.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 738ae9f..b5daafc 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ ||s->width != s1->width
+ ||s->height!= s1->height) {
+ if (s != s1)
+- copy_fields(s, s1, golden_frame, current_frame);
++ copy_fields(s, s1, golden_frame, keyframe);
+ return -1;
+ }
+
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
new file mode 100644
index 0000000000..e83d8f402b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
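Review bot: `copy_fields(s, s1, golden_frame, keyframe);` depends on a struct layout that this hunk does not show. The `copy_fields` macro, as defined in the companion vp3 patch on this page, copies from the first named field up to but not including the second, so the call covers all three frames only while `keyframe` is the first member after them in `Vp3DecodeContext`. A later reordering of that struct would silently bring back the partial copy, and with it the double release of the current frame that the description names. I would add a comment at the call, e.g. `/* copies golden_frame through current_frame; keyframe must directly follow them in Vp3DecodeContext */`, and the same note at the struct definition. The enclosing function starts and ends outside the hunk.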
@@ -0,0 +1,183 @@
+gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue.Tao
+
+---
+ libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 files changed, 45 insertions(+), 14 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 36715bb..ce14e63 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -45,6 +45,7 @@
+ #define FRAGMENT_PIXELS 8
+
+ static av_cold int vp3_decode_end(AVCodecContext *avctx);
++static void vp3_decode_flush(AVCodecContext *avctx);
+
+ //FIXME split things out into their own arrays
+ typedef struct Vp3Fragment {
+@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ /* decode a VLC into a token */
+ token = get_vlc2(gb, vlc_table, 11, 3);
+ /* use the token to get a zero run, a coefficient, and an eob run */
+- if (token <= 6) {
++ if ((unsigned) token <= 6U) {
+ eob_run = eob_run_base[token];
+ if (eob_run_get_bits[token])
+ eob_run += get_bits(gb, eob_run_get_bits[token]);
+@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ coeff_i += eob_run;
+ eob_run = 0;
+ }
+- } else {
++ } else if (token >= 0) {
+ bits_to_get = coeff_get_bits[token];
+ if (bits_to_get)
+ bits_to_get = get_bits(gb, bits_to_get);
+@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
+ s->num_coded_frags[plane][i]--;
+ coeff_i++;
++ } else {
++ av_log(s->avctx, AV_LOG_ERROR,
++ "Invalid token %d\n", token);
++ return -1;
+ }
+ }
+
+@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ /* unpack the Y plane DC coefficients */
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
+ 0, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ /* reverse prediction of the Y-plane DC coefficients */
+ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
+@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ /* unpack the C plane DC coefficients */
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+ 1, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+ 2, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ /* reverse prediction of the C-plane DC coefficients */
+ if (!(s->avctx->flags & CODEC_FLAG_GRAY))
+@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ for (i = 1; i <= 63; i++) {
+ residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
+ 0, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+ 1, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+ 2, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ }
+
+ return 0;
+@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
+ int qps_changed = 0, i, err;
+
++#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
++
+ if (!s1->current_frame.data[0]
+ ||s->width != s1->width
+- ||s->height!= s1->height)
++ ||s->height!= s1->height) {
++ if (s != s1)
++ copy_fields(s, s1, golden_frame, current_frame);
+ return -1;
++ }
+
+ if (s != s1) {
+ // init tables if the first frame hasn't been decoded
+@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
+ }
+
+-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+-
+ // copy previous frame data
+ copy_fields(s, s1, golden_frame, dsp);
+
+@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+ Vp3DecodeContext *s = avctx->priv_data;
+ int i;
+
+- if (avctx->is_copy && !s->current_frame.data[0])
+- return 0;
+-
+ av_free(s->superblock_coding);
+ av_free(s->all_fragments);
+ av_free(s->coded_fragment_list[0]);
+@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+ free_vlc(&s->motion_vector_vlc);
+
+ /* release all frames */
+- if (s->golden_frame.data[0])
+- ff_thread_release_buffer(avctx, &s->golden_frame);
+- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
+- ff_thread_release_buffer(avctx, &s->last_frame);
+- /* no need to release the current_frame since it will always be pointing
+- * to the same frame as either the golden or last frame */
++ vp3_decode_flush(avctx);
+
+ return 0;
+ }
+@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
+ ff_thread_release_buffer(avctx, &s->current_frame);
+ }
+
++static int vp3_init_thread_copy(AVCodecContext *avctx)
++{
++ Vp3DecodeContext *s = avctx->priv_data;
++
++ s->superblock_coding = NULL;
++ s->all_fragments = NULL;
++ s->coded_fragment_list[0] = NULL;
++ s->dct_tokens_base = NULL;
++ s->superblock_fragments = NULL;
++ s->macroblock_coding = NULL;
++ s->motion_val[0] = NULL;
++ s->motion_val[1] = NULL;
++ s->edge_emu_buffer = NULL;
++
++ return 0;
++}
++
+ AVCodec ff_theora_decoder = {
+ .name = "theora",
+ .type = AVMEDIA_TYPE_VIDEO,
+@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
+ .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+ .flush = vp3_decode_flush,
+ .long_name = NULL_IF_CONFIG_SMALL("Theora"),
++ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+ .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+ #endif
+@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
+ .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+ .flush = vp3_decode_flush,
+ .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
++ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+ .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
new file mode 100644
index 0000000000..3c8d8e353e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch
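Review bot: `vp3_init_thread_copy` clears nine pointers by hand, and it is only correct while that list matches the `av_free()` calls in `vp3_decode_end`, of which just three are visible in this patch. With the `is_copy` early return removed, `vp3_decode_end` now runs in full for thread copies, so a buffer freed there but not cleared here would presumably be freed once per copy and again by its owner. I would add a comment on the new function such as `/* must clear every pointer that vp3_decode_end() frees; a thread copy does not own these buffers */`, and confirm that the `free_vlc()` calls further down in `vp3_decode_end` are guarded for copies or safe to repeat, since that part of the function is outside the hunk. Separately, the six identical `if (residual_eob_run < 0) return residual_eob_run;` checks in `unpack_dct_coeffs` are easy to forget when another `unpack_vlcs` call is added.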
@@ -0,0 +1,100 @@
+gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao
+
+diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
+index 2a0df8c..bcbd56d 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c.old
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -87,18 +87,44 @@ typedef struct {
+ int wasted_bits;
+ } ALACContext;
+
+-static void allocate_buffers(ALACContext *alac)
++static av_cold int alac_decode_close(AVCodecContext *avctx)
++{
++ ALACContext *alac = avctx->priv_data;
++
++ int chan;
++ for (chan = 0; chan < MAX_CHANNELS; chan++) {
++ av_freep(&alac->predicterror_buffer[chan]);
++ av_freep(&alac->outputsamples_buffer[chan]);
++ av_freep(&alac->wasted_bits_buffer[chan]);
++ }
++
++ return 0;
++}
++
++static int allocate_buffers(ALACContext *alac)
+ {
+ int chan;
++ int buf_size;
++
++ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
++ goto buf_alloc_fail;
++ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
++
+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
+- alac->predicterror_buffer[chan] =
+- av_malloc(alac->setinfo_max_samples_per_frame * 4);
+
+- alac->outputsamples_buffer[chan] =
+- av_malloc(alac->setinfo_max_samples_per_frame * 4);
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
++ buf_size, buf_alloc_fail);
+
+- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
++ buf_size, buf_alloc_fail);
++
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
++ buf_size, buf_alloc_fail);
+ }
++ return 0;
++buf_alloc_fail:
++ alac_decode_close(alac->avctx);
++ return AVERROR(ENOMEM);
+ }
+
+ static int alac_set_info(ALACContext *alac)
+@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
+ bytestream_get_be32(&ptr); /* bitrate ? */
+ bytestream_get_be32(&ptr); /* samplerate */
+
+- allocate_buffers(alac);
+-
+ return 0;
+ }
+
+@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
+
+ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ {
++ int ret;
+ ALACContext *alac = avctx->priv_data;
+ alac->avctx = avctx;
+ alac->numchannels = alac->avctx->channels;
+@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ return -1;
+ }
+
+- return 0;
+-}
+-
+-static av_cold int alac_decode_close(AVCodecContext *avctx)
+-{
+- ALACContext *alac = avctx->priv_data;
+-
+- int chan;
+- for (chan = 0; chan < MAX_CHANNELS; chan++) {
+- av_freep(&alac->predicterror_buffer[chan]);
+- av_freep(&alac->outputsamples_buffer[chan]);
+- av_freep(&alac->wasted_bits_buffer[chan]);
++ if ((ret = allocate_buffers(alac)) < 0) {
++ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
++ return ret;
+ }
+
+ return 0;
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a3b2f5cf29..e26b267f32 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
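Review bot: The new bound in `allocate_buffers` rejects only values that are too large; a `setinfo_max_samples_per_frame` of zero passes the check and yields `buf_size = 0`. How the allocation macro and the decode paths treat zero-length buffers is outside this hunk, so I would reject that value explicitly with `if (!alac->setinfo_max_samples_per_frame || alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))`. That branch also reports `AVERROR(ENOMEM)` through `buf_alloc_fail` although the cause is a bad header field; returning `AVERROR_INVALIDDATA` there would keep the logs accurate for triage. The message `"Error allocating buffers\n"` in `alac_decode_init` has the same problem, because it is printed for the rejected-size case too.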
@@ -36,6 +36,23 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-alac-fix-nb_samples-order-case.patch \ file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \ file://0001-roqvideodec-check-dimensions-validity.patch \ + file://0001-aacdec-check-channel-count.patch \ + file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \ + file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \ + file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \ + file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \ + file://0001-h264_sei-Fix-infinite-loop.patch \ + file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \ + file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \ + file://gst-ffmpeg-CVE-2013-0855.patch \ + file://0001-qdm2dec-fix-buffer-overflow.patch \ + file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \ + file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \ + file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \ + file://0001-error-concealment-initialize-block-index.patch \ + file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \ + file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \ + file://0001-ffserver-set-oformat.patch \ " SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" -- cgit 1.2.3-korg