[OE-core] [PATCH 07/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
rongqing.li at windriver.com
rongqing.li at windriver.com
Tue Jul 22 07:46:42 UTC 2014
From: Yue Tao <Yue.Tao at windriver.com>
The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009
Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
...a-Perform-pointer-advance-and-checks-befo.patch | 81 ++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
2 files changed, 82 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
new file mode 100644
index 0000000..7f6eb48
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
@@ -0,0 +1,81 @@
+gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
+ using the pointers
+
+Fixes out of array accesses
+Fixes Ticket2850
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+
+Upstream-Status: Backport
+
+Singed-off-by: Yue Tao <yue.tao at windriver.com>
+
+---
+ libavcodec/rpza.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 635b406..f291a95 100644
+--- a/gst-libs/ext/libav/libavcodec/rpza.c
++++ b/gst-libs/ext/libav/libavcodec/rpza.c
+@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ unsigned short *pixels = (unsigned short *)s->frame.data[0];
+
+ int row_ptr = 0;
+- int pixel_ptr = 0;
++ int pixel_ptr = -4;
+ int block_ptr;
+ int pixel_x, pixel_y;
+ int total_blocks;
+@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ colorA = AV_RB16 (&s->buf[stream_ptr]);
+ stream_ptr += 2;
+ while (n_blocks--) {
++ ADVANCE_BLOCK()
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ color4[2] |= ((21 * ta + 11 * tb) >> 5);
+
+ while (n_blocks--) {
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ index = s->buf[stream_ptr++];
+@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+ /* Fill block with 16 colors */
+ case 0x00:
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ break;
+
+ /* Unknown opcode */
+--
+1.7.5.4
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 138b660..42878e6 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -43,6 +43,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
file://0001-h264_sei-Fix-infinite-loop.patch \
file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
+ file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.7.10.4
More information about the Openembedded-core
mailing list