[OE-core] [PATCH 1/2] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-4358
Rongqing Li
rongqing.li at windriver.com
Thu Oct 16 02:56:21 UTC 2014
Ping, please merge these two CVE patches.
Thanks
-Roy
On 08/29/2014 02:46 PM, Yue Tao wrote:
> libavcodec/h264.c in FFmpeg before 0.11.4 allows remote attackers to
> cause a denial of service (crash) via vectors related to alternating bit
> depths in H.264 data.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4358
>
> Signed-off-by: Yue Tao <Yue.Tao at windriver.com>
> ---
> ...t-parameters-from-SPS-whenever-it-changes.patch | 145 ++++++++++++++++++++
> .../gstreamer/gst-ffmpeg_0.10.13.bb | 1 +
> 2 files changed, 146 insertions(+)
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-set-parameters-from-SPS-whenever-it-changes.patch
>
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-set-parameters-from-SPS-whenever-it-changes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-set-parameters-from-SPS-whenever-it-changes.patch
> new file mode 100644
> index 0000000..05a9de3
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-set-parameters-from-SPS-whenever-it-changes.patch
> @@ -0,0 +1,145 @@
> +gst-ffmpeg: h264: set parameters from SPS whenever it changes
> +
> +Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with
> +alternating bit depths.
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Yue Tao <yue.tao at windriver.com>
> +
> +diff --git a/gst-libs/ext/libav/libavcodec/h264.c.old b/gst-libs/ext/libav/libavcodec/h264.c
> +index 3621f41..718906a 100644
> +--- a/gst-libs/ext/libav/libavcodec/h264.c.old
> ++++ b/gst-libs/ext/libav/libavcodec/h264.c
> +@@ -2491,6 +2491,34 @@ int ff_h264_get_profile(SPS *sps)
> + return profile;
> + }
> +
> ++static int h264_set_parameter_from_sps(H264Context *h)
> ++{
> ++ MpegEncContext *s = &h->s;
> ++ AVCodecContext * avctx= s->avctx;
> ++
> ++ if (s->flags& CODEC_FLAG_LOW_DELAY ||
> ++ (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames))
> ++ s->low_delay=1;
> ++
> ++ if(avctx->has_b_frames < 2)
> ++ avctx->has_b_frames= !s->low_delay;
> ++
> ++ if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma) {
> ++ if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
> ++ avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
> ++ h->pixel_shift = h->sps.bit_depth_luma > 8;
> ++
> ++ ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma);
> ++ ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma);
> ++ dsputil_init(&s->dsp, s->avctx);
> ++ } else {
> ++ av_log(avctx, AV_LOG_DEBUG, "Unsupported bit depth: %d\n", h->sps.bit_depth_luma);
> ++ return -1;
> ++ }
> ++ }
> ++ return 0;
> ++}
> ++
> + /**
> + * decodes a slice header.
> + * This will also call MPV_common_init() and frame_start() as needed.
> +@@ -2505,7 +2533,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
> + MpegEncContext * const s0 = &h0->s;
> + unsigned int first_mb_in_slice;
> + unsigned int pps_id;
> +- int num_ref_idx_active_override_flag;
> ++ int num_ref_idx_active_override_flag, ret;
> + unsigned int slice_type, tmp, i, j;
> + int default_ref_list_done = 0;
> + int last_pic_structure;
> +@@ -2569,7 +2597,17 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
> + av_log(h->s.avctx, AV_LOG_ERROR, "non-existing SPS %u referenced\n", h->pps.sps_id);
> + return -1;
> + }
> +- h->sps = *h0->sps_buffers[h->pps.sps_id];
> ++
> ++ if (h->pps.sps_id != h->current_sps_id ||
> ++ h0->sps_buffers[h->pps.sps_id]->new) {
> ++ h0->sps_buffers[h->pps.sps_id]->new = 0;
> ++
> ++ h->current_sps_id = h->pps.sps_id;
> ++ h->sps = *h0->sps_buffers[h->pps.sps_id];
> ++
> ++ if ((ret = h264_set_parameter_from_sps(h)) < 0)
> ++ return ret;
> ++ }
> +
> + s->avctx->profile = ff_h264_get_profile(&h->sps);
> + s->avctx->level = h->sps.level_idc;
> +@@ -3811,26 +3811,8 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
> + case NAL_SPS:
> + init_get_bits(&s->gb, ptr, bit_length);
> + ff_h264_decode_seq_parameter_set(h);
> +-
> +- if (s->flags& CODEC_FLAG_LOW_DELAY ||
> +- (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames))
> +- s->low_delay=1;
> +-
> +- if(avctx->has_b_frames < 2)
> +- avctx->has_b_frames= !s->low_delay;
> +-
> +- if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma) {
> +- if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
> +- avctx->bits_per_raw_sample = h->sps.bit_depth_luma;
> +- h->pixel_shift = h->sps.bit_depth_luma > 8;
> +-
> +- ff_h264dsp_init(&h->h264dsp, h->sps.bit_depth_luma);
> +- ff_h264_pred_init(&h->hpc, s->codec_id, h->sps.bit_depth_luma);
> +- dsputil_init(&s->dsp, s->avctx);
> +- } else {
> +- av_log(avctx, AV_LOG_DEBUG, "Unsupported bit depth: %d\n", h->sps.bit_depth_luma);
> +- return -1;
> +- }
> ++ if (h264_set_parameter_from_sps(h) < 0) {
> ++ return -1;
> + }
> + break;
> + case NAL_PPS:
> +diff --git a/gst-libs/ext/libav/libavcodec/h264.h.old b/gst-libs/ext/libav/libavcodec/h264.h
> +index e3cc815..b77ad98 100644
> +--- a/gst-libs/ext/libav/libavcodec/h264.h.old
> ++++ b/gst-libs/ext/libav/libavcodec/h264.h
> +@@ -202,6 +202,7 @@ typedef struct SPS{
> + int bit_depth_chroma; ///< bit_depth_chroma_minus8 + 8
> + int residual_color_transform_flag; ///< residual_colour_transform_flag
> + int constraint_set_flags; ///< constraint_set[0-3]_flag
> ++ int new; ///< flag to keep track if the decoder context needs re-init due to changed SPS
> + }SPS;
> +
> + /**
> +@@ -333,6 +334,7 @@ typedef struct H264Context{
> + int emu_edge_width;
> + int emu_edge_height;
> +
> ++ unsigned current_sps_id; ///< id of the current SPS
> + SPS sps; ///< current sps
> +
> + /**
> +diff --git a/gst-libs/ext/libav/libavcodec/h264_ps.c.old b/gst-libs/ext/libav/libavcodec/h264_ps.c
> +index 7491807..0929098 100644
> +--- a/gst-libs/ext/libav/libavcodec/h264_ps.c.old
> ++++ b/gst-libs/ext/libav/libavcodec/h264_ps.c
> +@@ -438,10 +438,13 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
> + sps->timing_info_present_flag ? sps->time_scale : 0
> + );
> + }
> ++ sps->new = 1;
> +
> + av_free(h->sps_buffers[sps_id]);
> +- h->sps_buffers[sps_id]= sps;
> +- h->sps = *sps;
> ++ h->sps_buffers[sps_id] = sps;
> ++ h->sps = *sps;
> ++ h->current_sps_id = sps_id;
> ++
> + return 0;
> + fail:
> + av_free(sps);
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> index bbe3308..3ccb7be 100644
> --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> @@ -53,6 +53,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
> file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
> file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
> file://0001-ffserver-set-oformat.patch \
> + file://0001-h264-set-parameters-from-SPS-whenever-it-changes.patch \
> ${@bb.utils.contains('PACKAGECONFIG', 'libav9', 'file://libav-9.patch', '', d)} \
> "
>
>
--
Best Reagrds,
Roy | RongQing Li
More information about the Openembedded-core
mailing list