[OE-core] [PATCH 4/4] gst-ffmpeg: fix CVEs
Kai Kang
kai.kang at windriver.com
Tue May 19 01:08:14 UTC 2015
Backport patches to fix CVEs: CVE-2014-7933, CVE-2014-9318 and
CVE-2014-9603.
Signed-off-by: Kai Kang <kai.kang at windriver.com>
---
.../gst-ffmpeg-fix-CVE-2014-7933.patch | 38 ++++++++++++++++++++
.../gst-ffmpeg-fix-CVE-2014-9318.patch | 37 +++++++++++++++++++
.../gst-ffmpeg-fix-CVE-2014-9603.patch | 41 ++++++++++++++++++++++
.../gstreamer/gst-ffmpeg_0.10.13.bb | 3 ++
4 files changed, 119 insertions(+)
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch
new file mode 100644
index 0000000..3c537c7
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-7933.patch
@@ -0,0 +1,38 @@
+From 2266b8bc3370856d874334ba62b337ce4f1eb255 Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang at windriver.com>
+Date: Wed, 13 May 2015 16:46:06 +0800
+Subject: [PATCH 2/2] gst-ffmpeg: fix CVE-2014-7933
+
+Upstream-Status: Backport
+
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=33301f00
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
+---
+ gst-libs/ext/libav/libavformat/matroskadec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst-libs/ext/libav/libavformat/matroskadec.c b/gst-libs/ext/libav/libavformat/matroskadec.c
+index 59dce4f..e5f5fc1 100644
+--- a/gst-libs/ext/libav/libavformat/matroskadec.c
++++ b/gst-libs/ext/libav/libavformat/matroskadec.c
+@@ -1916,7 +1916,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index,
+ int64_t timestamp, int flags)
+ {
+ MatroskaDemuxContext *matroska = s->priv_data;
+- MatroskaTrack *tracks = matroska->tracks.elem;
++ MatroskaTrack *tracks = NULL;
+ AVStream *st = s->streams[stream_index];
+ int i, index, index_sub, index_min;
+
+@@ -1939,6 +1939,7 @@ static int matroska_read_seek(AVFormatContext *s, int stream_index,
+ return 0;
+
+ index_min = index;
++ tracks = matroska->tracks.elem;
+ for (i=0; i < matroska->tracks.nb_elem; i++) {
+ tracks[i].audio.pkt_cnt = 0;
+ tracks[i].audio.sub_packet_cnt = 0;
+--
+1.9.1
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch
new file mode 100644
index 0000000..0553cee
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9318.patch
@@ -0,0 +1,37 @@
+From 0d3a3b9f8907625b361420d48fe05716859620ff Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Wed, 26 Nov 2014 18:56:39 +0100
+Subject: [PATCH] avcodec/rawdec: Check the return code of
+ avpicture_get_size()
+
+(Upstream commit 1d3a3b9f8907625b361420d48fe05716859620ff)
+
+Fixes out of array access
+Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+Signed-off-by: Yue Tao <yue.tao at windriver.com>
+---
+ libavcodec/rawdec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
+index 28792a1..647dfa9 100644
+--- a/gst-libs/ext/libav/libavcodec/rawdec.c
++++ b/gst-libs/ext/libav/libavcodec/rawdec.c
+@@ -87,6 +87,9 @@ static av_cold int raw_init_decoder(AVCodecContext *avctx)
+
+ ff_set_systematic_pal2(context->palette, avctx->pix_fmt);
+ context->length = avpicture_get_size(avctx->pix_fmt, avctx->width, avctx->height);
++ if (context->length < 0)
++ return context->length;
++
+ if((avctx->bits_per_coded_sample == 4 || avctx->bits_per_coded_sample == 2) &&
+ avctx->pix_fmt==PIX_FMT_PAL8 &&
+ (!avctx->codec_tag || avctx->codec_tag == MKTAG('r','a','w',' '))){
+--
+1.7.9.5
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch
new file mode 100644
index 0000000..5dda4cc
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-fix-CVE-2014-9603.patch
@@ -0,0 +1,41 @@
+From dc68faf8339a885bc55fabe5b01f1de4f8f3782c Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang at windriver.com>
+Date: Wed, 13 May 2015 16:30:53 +0800
+Subject: [PATCH 1/2] gst-ffmpeg: fix CVE-2014-9603
+
+Upstream-Status: Backport
+
+Upstream is version 2.x and vmdav.c is splitted into 2 files vmdaudio.c
+and vmdvideo.c. Becuase source code changes, just partly backport commit which
+is applicable to version 0.10.13 to fix CVE-2014-9603.
+
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3030fb7e0d41836f8add6399e9a7c7b740b48bfd
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
+---
+ gst-libs/ext/libav/libavcodec/vmdav.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/ext/libav/libavcodec/vmdav.c b/gst-libs/ext/libav/libavcodec/vmdav.c
+index d258252..ba88ad8 100644
+--- a/gst-libs/ext/libav/libavcodec/vmdav.c
++++ b/gst-libs/ext/libav/libavcodec/vmdav.c
+@@ -294,10 +294,13 @@ static void vmd_decode(VmdVideoContext *s)
+ len = *pb++;
+ if (len & 0x80) {
+ len = (len & 0x7F) + 1;
+- if (*pb++ == 0xFF)
++ if (*pb++ == 0xFF) {
+ len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
+- else
++ } else {
++ if (ofs + len > frame_width)
++ return;
+ memcpy(&dp[ofs], pb, len);
++ }
+ pb += len;
+ ofs += len;
+ } else {
+--
+1.9.1
+
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index b5c838f..b7d008e 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -57,6 +57,9 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0001-avcodec-smc-fix-off-by-1-error.patch \
file://0002-avcodec-mjpegdec-check-bits-per-pixel-for-changes-si.patch \
file://libav-9.patch \
+ file://gst-ffmpeg-fix-CVE-2014-7933.patch \
+ file://gst-ffmpeg-fix-CVE-2014-9318.patch \
+ file://gst-ffmpeg-fix-CVE-2014-9603.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
--
1.9.1
More information about the Openembedded-core
mailing list