[OE-core] [PATCH 2/5] libav: fix CVE-2015-3395
jackie.huang at windriver.com
jackie.huang at windriver.com
Fri Nov 13 08:03:26 UTC 2015
From: Jackie Huang <jackie.huang at windriver.com>
Cherry-pick patch from ffmpeg to fix CVE-2015-3395:
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7e1367f58263593e6cee3c282f7277d7ee9d553
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
---
.../libav/libav/libav-fix-CVE-2015-3395.patch | 113 +++++++++++++++++++++
meta/recipes-multimedia/libav/libav_9.18.bb | 1 +
2 files changed, 114 insertions(+)
create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
new file mode 100644
index 0000000..9ee4288
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-3395.patch
@@ -0,0 +1,113 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3395
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=f7e1367f58263593e6cee3c282f7277d7ee9d553
+
+Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
+---
+From f7e1367f58263593e6cee3c282f7277d7ee9d553 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Tue, 24 Mar 2015 15:50:12 +0100
+Subject: [PATCH] avcodec/msrledec: restructure msrle_decode_pal4() based on
+ the line number instead of the pixel pointer
+
+Fixes out of array access
+Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+---
+ libavcodec/msrledec.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
+index 4d3da5b..deb6f86 100644
+--- a/libavcodec/msrledec.c
++++ b/libavcodec/msrledec.c
+@@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ unsigned char extra_byte, odd_pixel;
+ unsigned char stream_byte;
+ unsigned int pixel_ptr = 0;
+- int row_dec = pic->linesize[0];
+- int row_ptr = (avctx->height - 1) * row_dec;
+- int frame_size = row_dec * avctx->height;
++ int line = avctx->height - 1;
+ int i;
+
+- while (row_ptr >= 0) {
++ while (line >= 0 && pixel_ptr <= avctx->width) {
+ if (bytestream2_get_bytes_left(gb) <= 0) {
+ av_log(avctx, AV_LOG_ERROR,
+- "MS RLE: bytestream overrun, %d rows left\n",
+- row_ptr);
++ "MS RLE: bytestream overrun, %dx%d left\n",
++ avctx->width - pixel_ptr, line);
+ return AVERROR_INVALIDDATA;
+ }
+ rle_code = stream_byte = bytestream2_get_byteu(gb);
+@@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ stream_byte = bytestream2_get_byte(gb);
+ if (stream_byte == 0) {
+ /* line is done, goto the next one */
+- row_ptr -= row_dec;
++ line--;
+ pixel_ptr = 0;
+ } else if (stream_byte == 1) {
+ /* decode is done */
+@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ stream_byte = bytestream2_get_byte(gb);
+ pixel_ptr += stream_byte;
+ stream_byte = bytestream2_get_byte(gb);
+- row_ptr -= stream_byte * row_dec;
+ } else {
+ // copy pixels from encoded stream
+ odd_pixel = stream_byte & 1;
+ rle_code = (stream_byte + 1) / 2;
+ extra_byte = rle_code & 0x01;
+- if (row_ptr + pixel_ptr + stream_byte > frame_size ||
++ if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width ||
+ bytestream2_get_bytes_left(gb) < rle_code) {
+ av_log(avctx, AV_LOG_ERROR,
+ "MS RLE: frame/stream ptr just went out of bounds (copy)\n");
+@@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ if (pixel_ptr >= avctx->width)
+ break;
+ stream_byte = bytestream2_get_byteu(gb);
+- pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
++ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
+ pixel_ptr++;
+ if (i + 1 == rle_code && odd_pixel)
+ break;
+ if (pixel_ptr >= avctx->width)
+ break;
+- pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
++ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
+ pixel_ptr++;
+ }
+
+@@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ }
+ } else {
+ // decode a run of data
+- if (row_ptr + pixel_ptr + stream_byte > frame_size) {
++ if (pixel_ptr + rle_code > avctx->width + 1) {
+ av_log(avctx, AV_LOG_ERROR,
+ "MS RLE: frame ptr just went out of bounds (run)\n");
+ return AVERROR_INVALIDDATA;
+@@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
+ if (pixel_ptr >= avctx->width)
+ break;
+ if ((i & 1) == 0)
+- pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
++ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
+ else
+- pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
++ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
+ pixel_ptr++;
+ }
+ }
+--
+1.9.1
+
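Review bot: The `stream_byte == 2` (delta) branch of the embedded msrledec.c change drops the vertical move: `row_ptr -= stream_byte * row_dec;` is removed but nothing replaces it, so the second delta byte is read and discarded and any RLE stream that uses a vertical skip decodes its remaining runs onto the wrong rows. Because the loop head now re-checks `line >= 0` before the next write, adding `line -= stream_byte;` after that second `bytestream2_get_byte(gb)` preserves the decoder's behaviour without weakening the out-of-bounds fix. The diffstat (11 insertions, 14 deletions) matches the patch as shown, which suggests the omission is in the cherry-picked commit itself, so ffmpeg's later history should be checked for a follow-up before carrying this patch as-is. Separately, `Upstream-Status: Pending` in the patch header denotes a change submitted upstream and awaiting merge; a change taken from an existing upstream commit is normally tagged `Upstream-Status: Backport` (the commit URL is already given), or the header should state why libav itself carries no equivalent fix. msrle_decode_pal4() begins and ends outside the quoted hunks.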
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index c2dd02c..4564def 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -5,4 +5,5 @@ SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614
SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
file://libav-fix-CVE-2015-1872.patch \
+ file://libav-fix-CVE-2015-3395.patch \
"
--
1.9.1