[OE-core] [PATCH 05/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946

rongqing.li at windriver.com rongqing.li at windriver.com
Tue Jul 22 06:16:06 UTC 2014 

From: Yue Tao <Yue.Tao at windriver.com>

The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946

Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
 .../0001-h264_sei-Fix-infinite-loop.patch          |   39 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
new file mode 100644
index 0000000..954ea5b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264_sei-Fix-infinite-loop.patch
@@ -0,0 +1,39 @@
+gst-ffmpeg: h264_sei: Fix infinite loop.
+
+Fixsot yet fixed parts of CVE-2011-3946.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+
+Upstream-Status: Pending
+
+Signed-off-by: Yue Tao <yue.tao at windriver.com>
+
+---
+ libavcodec/h264_sei.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+
+diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
+index 374e53d..80d70e5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
++++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
+@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
+ 
+         type=0;
+         do{
++            if (get_bits_left(&s->gb) < 8)
++                return -1;
+             type+= show_bits(&s->gb, 8);
+         }while(get_bits(&s->gb, 8) == 255);
+ 
+         size=0;
+         do{
++            if (get_bits_left(&s->gb) < 8)
++                return -1;
+             size+= show_bits(&s->gb, 8);
+         }while(get_bits(&s->gb, 8) == 255);
+ 
+-- 
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index c014fc2..ad4dd34 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -41,6 +41,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
            file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
            file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
+           file://0001-h264_sei-Fix-infinite-loop.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4

More information about the Openembedded-core mailing list