[oe-commits] Petr Štetiar : libvpx: fix fetch errors, remove older releases and add security fix

git version control git at git.openembedded.org
Sat Feb 26 17:50:21 UTC 2011


Module: openembedded.git
Branch: master
Commit: 0478950960e5c600efc77c25559fc7eee311f686
URL:    http://gitweb.openembedded.net/?p=openembedded.git&a=commit;h=0478950960e5c600efc77c25559fc7eee311f686

Author: Petr Štetiar <ynezz at true.cz>
Date:   Fri Feb 25 16:07:05 2011 +0100

libvpx: fix fetch errors, remove older releases and add security fix

- remove old and unfetchable versions v0.9.0, v0.9.1, v0.9.2
- add v0.9.5 patch for CVE-2010-4203 security fix
- fix fetch errors for v0.9.2 and v0.9.5:

	ERROR: Function 'Fetch failed: Unable to fetch URL git://review.webmproject.org/libvpx.git;protocol=git;tag=v0.9.5 from any source.' failed

	this happens because of the following errors in the upstream git repository:

	error: missing object referenced by 'refs/tags/v0.9.5'
	error: missing object referenced by 'refs/tags/v0.9.2'
	error: missing object referenced by 'refs/tags/v0.9.1'
	error: missing object referenced by 'refs/tags/v0.9.0'
	error: refs/remotes/origin/aylesbury does not point to a valid object!

Signed-off-by: Petr Štetiar <ynezz at true.cz>
Signed-off-by: Tom Rini <tom_rini at mentor.com>

---

 recipes/webm/libvpx.inc                 |    6 +-
 recipes/webm/libvpx/CVE-2010-4203.patch |   69 +++++++++++++++++++++++++++++++
 recipes/webm/libvpx_0.9.0.bb            |   17 --------
 recipes/webm/libvpx_0.9.1.bb            |   14 ------
 recipes/webm/libvpx_0.9.2.bb            |   14 ------
 recipes/webm/libvpx_0.9.5.bb            |    8 ++-
 6 files changed, 77 insertions(+), 51 deletions(-)

diff --git a/recipes/webm/libvpx.inc b/recipes/webm/libvpx.inc
index 9913d5b..a1e02b1 100644
--- a/recipes/webm/libvpx.inc
+++ b/recipes/webm/libvpx.inc
@@ -1,10 +1,10 @@
 DESCRIPTION = "vpx Multi-Format Codec SDK"
 LICENSE = "BSD"
 
-INC_PR = "r5"
+INC_PR = "r6"
 
-SRC_URI = "git://review.webmproject.org/libvpx.git;protocol=git;tag=v${PV}"
-S = "${WORKDIR}/git"
+SRC_URI = "http://webm.googlecode.com/files/libvpx-v${PV}.tar.bz2"
+S = "${WORKDIR}/libvpx-v${PV}"
 
 CFLAGS += "-fPIC"
 
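Review bot: The new `SRC_URI = "http://webm.googlecode.com/files/libvpx-v${PV}.tar.bz2"` fetches the source over plain http, so the transport provides no integrity and the former git `tag=v${PV}` reference is gone; every fetched artifact now stands or falls on the per-version SRC_URI[md5sum]/SRC_URI[sha256sum] entries that the version recipes set, as libvpx_0.9.5.bb does elsewhere in this commit. That contract is not stated in the .inc, so a maintainer adding the next version from a git-era copy could leave the sums missing or stale. A comment above the line, `# Fetched over plain http: each libvpx_*.bb must carry matching SRC_URI[md5sum]/SRC_URI[sha256sum]`, would record it where the next editor will see it.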
diff --git a/recipes/webm/libvpx/CVE-2010-4203.patch b/recipes/webm/libvpx/CVE-2010-4203.patch
new file mode 100644
index 0000000..37f5108
--- /dev/null
+++ b/recipes/webm/libvpx/CVE-2010-4203.patch
@@ -0,0 +1,69 @@
+From: John Koleszar <jkoleszar at google.com>
+Date: Thu, 4 Nov 2010 20:59:26 +0000 (-0400)
+Subject: fix integer promotion bug in partition size check
+X-Git-Url: https://review.webmproject.org/gitweb?p=libvpx.git;a=commitdiff_plain;h=9fb80f7170ec48e23c3c7b477149eeb37081c699
+
+fix integer promotion bug in partition size check
+
+The check '(user_data_end - partition < partition_size)' must be
+evaluated as a signed comparison, but because partition_size was
+unsigned, the LHS was promoted to unsigned, causing an incorrect
+result on 32-bit. Instead, check the upper and lower bounds of
+the segment separately.
+
+Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
+---
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 2d81d61..f5e49a1 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+             partition_size = user_data_end - partition;
+         }
+ 
+-        if (user_data_end - partition < partition_size)
++        if (partition + partition_size > user_data_end
++            || partition + partition_size < partition)
+             vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                "Truncated packet or corrupt partition "
+                                "%d length", i + 1);
+@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+         (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+     data += 3;
+ 
+-    if (data_end - data < first_partition_length_in_bytes)
++    if (data + first_partition_length_in_bytes > data_end
++        || data + first_partition_length_in_bytes < data)
+         vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                            "Truncated packet or corrupt partition 0 length");
+     vp8_setup_version(pc);
+diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
+index e7e5356..f0adf5b 100644
+--- a/vp8/vp8_dx_iface.c
++++ b/vp8/vp8_dx_iface.c
+@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t         *data,
+                                    unsigned int           data_sz,
+                                    vpx_codec_stream_info_t *si)
+ {
+-
+     vpx_codec_err_t res = VPX_CODEC_OK;
++
++    if(data + data_sz <= data)
++        res = VPX_CODEC_INVALID_PARAM;
++    else
+     {
+         /* Parse uncompresssed part of key frame header.
+          * 3 bytes:- including version, frame type and an offset
+@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t  *ctx,
+ 
+     ctx->img_avail = 0;
+ 
+-    /* Determine the stream parameters */
++    /* Determine the stream parameters. Note that we rely on peek_si to
++     * validate that we have a buffer that does not wrap around the top
++     * of the heap.
++     */
+     if (!ctx->si.h)
+         res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
+ 
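Review bot: The wrap-around guards this patch adds in decodframe.c, `|| partition + partition_size < partition` and `|| data + first_partition_length_in_bytes < data`, and the `if(data + data_sz <= data)` test in vp8_dx_iface.c, detect overflow by first forming a pointer beyond the buffer and then comparing it with its base; that pointer arithmetic is undefined in C, and an optimizing compiler may treat `p + n < p` as always false for an unsigned n, quietly dropping the very check the fix depends on. Comparing lengths rather than pointers keeps the intent without ever constructing the out-of-range pointer, e.g. `if (partition > user_data_end || partition_size > (size_t)(user_data_end - partition))` at the first site, with the analogous rewrite for first_partition_length_in_bytes and data_sz. The commit text says partition_size is unsigned but the declared types of partition_size and data_sz are not visible here, so the exact cast should be confirmed against the libvpx source. Since this file is carried as a verbatim upstream patch, the caveat belongs in a recipe comment or an upstream follow-up rather than in an edit of the vendored patch; the enclosing functions setup_token_decoder, vp8_decode_frame, vp8_peek_si and vp8_decode all extend beyond the quoted fragments.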
diff --git a/recipes/webm/libvpx_0.9.0.bb b/recipes/webm/libvpx_0.9.0.bb
deleted file mode 100644
index bce50a6..0000000
--- a/recipes/webm/libvpx_0.9.0.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-require libvpx.inc
-
-LICENSE = "VP8"
-
-PR = "${INC_PR}.0"
-
-SRC_URI[md5sum] = "9eb8e818d2f3263623c258fe66924082"
-SRC_URI[sha256sum] = "a0096ac6859cfb61cf06dd9bc0a79a3333a4ec389ba311911d84df8ff2a1b9dc"
-
-do_install() {
-       oe_runmake install
-       install -d ${D}${prefix}
-       cp -R ${S}/vpx-vp8-nopost-nodocs*${PV}/* ${D}${prefix}/
-       install -d ${D}${includedir}/vpx
-       mv ${D}${includedir}/*.h ${D}${includedir}/vpx
-}
-
diff --git a/recipes/webm/libvpx_0.9.1.bb b/recipes/webm/libvpx_0.9.1.bb
deleted file mode 100644
index bcb7358..0000000
--- a/recipes/webm/libvpx_0.9.1.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-require libvpx.inc
-
-PR = "${INC_PR}.0"
-
-SRC_URI += "file://libvpx-configure-support-blank-prefix.patch;apply=yes"
-
-CONFIGUREOPTS += " \
-        --prefix=${prefix} \
-        --libdir=${libdir} \
-"
-
-SRC_URI[md5sum] = "e1442e74d0cca228785083fa520735a2"
-SRC_URI[sha256sum] = "c4e8e463e079ffde5b6948366a1d0873f1bf685dccd89ca137585c2b8247ec59"
-
diff --git a/recipes/webm/libvpx_0.9.2.bb b/recipes/webm/libvpx_0.9.2.bb
deleted file mode 100644
index b7ced8f..0000000
--- a/recipes/webm/libvpx_0.9.2.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-require libvpx.inc
-
-PR = "${INC_PR}.0"
-
-SRC_URI += "file://libvpx-configure-support-blank-prefix.patch;apply=yes"
-
-SRC_URI[md5sum] = "609370925b274aeaa29e94fc34c74957"
-SRC_URI[sha256sum] = "7425853d06443a0ce8e9cfc7cd3b0a43228b22c10dca813da68af9b114510b3b"
-
-CONFIGUREOPTS += " \
-        --prefix=${prefix} \
-        --libdir=${libdir} \
-"
-
diff --git a/recipes/webm/libvpx_0.9.5.bb b/recipes/webm/libvpx_0.9.5.bb
index b7ced8f..42b4199 100644
--- a/recipes/webm/libvpx_0.9.5.bb
+++ b/recipes/webm/libvpx_0.9.5.bb
@@ -2,10 +2,12 @@ require libvpx.inc
 
 PR = "${INC_PR}.0"
 
-SRC_URI += "file://libvpx-configure-support-blank-prefix.patch;apply=yes"
+SRC_URI += "file://libvpx-configure-support-blank-prefix.patch \
+            file://CVE-2010-4203.patch \
+            "
 
-SRC_URI[md5sum] = "609370925b274aeaa29e94fc34c74957"
-SRC_URI[sha256sum] = "7425853d06443a0ce8e9cfc7cd3b0a43228b22c10dca813da68af9b114510b3b"
+SRC_URI[md5sum] = "4bf2f2c76700202c1fe9201fcb0680e3"
+SRC_URI[sha256sum] = "2e93968afcded113a7e218de047feecf6659a089058803a9e40fb687de5f9bfa"
 
 CONFIGUREOPTS += " \
         --prefix=${prefix} \
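Review bot: The rewritten SRC_URI drops the explicit `;apply=yes` from the existing libvpx-configure-support-blank-prefix.patch entry and lists the new CVE-2010-4203.patch without one, so whether either patch is applied now rests on the fetcher's default for `.patch` files, and nothing in the recipe shows what that default is. Because the second entry is the security fix this commit exists to ship, stating the intent costs nothing and survives a tooling change: `file://libvpx-configure-support-blank-prefix.patch;apply=yes \` and `file://CVE-2010-4203.patch;apply=yes \`. The new md5sum/sha256sum values cannot be checked from this page and should be confirmed against the published tarball; the CONFIGUREOPTS block continues past the hunk.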




