* [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
@ 2014-05-16  2:12 rongqing.li
  2014-05-16  2:12 ` [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263 rongqing.li
                   ` (12 more replies)
  0 siblings, 13 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Roy Li <rongqing.li@windriver.com>

Diff with V1: use ffmpeg as prefix of commit header 

The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:

  gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2

Yue Tao (12):
  ffmpeg: fix for Security Advisory CVE-2014-2263
  ffmpeg: fix for Security Advisory CVE-2013-0865
  ffmpeg: fix for Security Advisory CVE-2014-2099
  ffmpeg: fix for Security Advisory CVE-2013-0868
  ffmpeg: fix for Security Advisory CVE-2013-0845
  ffmpeg: fix for Security Advisory CVE-2013-0852
  ffmpeg: fix for Security Advisory CVE-2013-0858
  ffmpeg: fix for Security Advisory CVE-2013-0851
  ffmpeg: fix for Security Advisory CVE-2013-0854
  ffmpeg: fix for Security Advisory CVE-2013-0856
  ffmpeg: fix for Security Advisory CVE-2013-0850
  ffmpeg: fix for Security Advisory CVE-2013-0849

 .../0001-alac-fix-nb_samples-order-case.patch      |   30 +++++++
 .../0001-alsdec-check-block-length.patch           |   61 ++++++++++++++
 ...ac3dec-Check-coding-mode-against-channels.patch |   37 +++++++++
 ...le-use-av_image_get_linesize-to-calculate.patch |   50 +++++++++++
 ...egtsenc-Check-data-array-size-in-mpegts_w.patch |   69 ++++++++++++++++
 .../0001-eamad-fix-out-of-array-accesses.patch     |   29 +++++++
 ...t-ref-count-check-and-limit-fix-out-of-ar.patch |   29 +++++++
 ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
 .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
 .../0001-mjpegdec-check-SE.patch                   |   32 +++++++
 ...heck-RLE-size-before-copying.-Fix-out-of-.patch |   34 ++++++++
 ...001-roqvideodec-check-dimensions-validity.patch |   36 ++++++++
 ...o-check-chunk-sizes-before-reading-chunks.patch |   51 ++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |   13 +++
 14 files changed, 617 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch

-- 
1.7.10.4




* [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865 rongqing.li
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB)
muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier,
allows remote attackers to have unspecified impact and vectors, which
trigger an out-of-bounds write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2263

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...egtsenc-Check-data-array-size-in-mpegts_w.patch |   69 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
new file mode 100644
index 0000000..68bb66e
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
@@ -0,0 +1,69 @@
+From 12770701856a05b6b3cd706f708f8e9a4e8a1336 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 13 Feb 2014 13:59:51 +0100
+Subject: [PATCH] avformat/mpegtsenc: Check data array size in
+ mpegts_write_pmt()
+
+Upstream-Status: Backport
+
+COmmit 12770701856a05b6b3cd706f708f8e9a4e8a1336 release/0.11
+
+Prevents out of array writes
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 842b6c14bcfc1c5da1a2d288fd65386eb8c158ad)
+
+Conflicts:
+
+	libavformat/mpegtsenc.c
+(cherry picked from commit e87de3f50b765134588d0b048c32ed4b8acc16fb)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavformat/mpegtsenc.c |    9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
+index 793e205..a12d19f 100644
+--- a/gst-libs/ext/libav/libavformat/mpegtsenc.c
++++ b/gst-libs/ext/libav/libavformat/mpegtsenc.c
+@@ -240,7 +240,7 @@ static void mpegts_write_pat(AVFormatContext *s)
+                           data, q - data);
+ }
+ 
+-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
++static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+ {
+     //    MpegTSWrite *ts = s->priv_data;
+     uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
+@@ -293,6 +293,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+             stream_type = STREAM_TYPE_PRIVATE_DATA;
+             break;
+         }
++
++        if (q - data > sizeof(data) - 32)
++            return AVERROR(EINVAL);
++
+         *q++ = stream_type;
+         put16(&q, 0xe000 | ts_st->pid);
+         desc_length_ptr = q;
+@@ -324,7 +328,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+                 len_ptr = q++;
+                 *len_ptr = 0;
+ 
+-                for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
++                for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) {
+                     next = strchr(p, ',');
+                     if (strlen(p) != 3 && (!next || next != p + 3))
+                         continue; /* not a 3-letter code */
+@@ -386,6 +390,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+     }
+     mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
+                           data, q - data);
++    return 0;
+ }
+ 
+ /* NOTE: str == NULL is accepted for an empty string */
+-- 
+1.7.5.4
+
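Review bot: mpegts_write_pmt() now returns int and bails out with AVERROR(EINVAL) when fewer than 32 bytes remain in data[1012], but every one of the 7 insertions and 2 deletions is inside that function, so no caller is changed to look at the new return value. On the early return the mpegts_write_section1() call at the end is skipped and the PMT for that service is silently not written; the callers should propagate or at least log the error. Separately, `q - data > sizeof(data) - 32` compares a signed pointer difference with a size_t; that is safe only because q never falls below data, which deserves an explicit cast or a short comment.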
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index e1257a2..4913539 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -23,6 +23,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://libav_e500mc.patch \
            file://libav_e5500.patch \
            file://gst-ffmpeg-CVE-2013-3674.patch \
+           file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
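Review bot: the new SRC_URI entry `file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch` keeps the truncated git format-patch name, while the entry just above it, `file://gst-ffmpeg-CVE-2013-3674.patch`, carries the CVE ID. Naming the file after CVE-2014-2263, or at least recording the CVE in the patch header, would let anyone auditing the recipe see which advisories are covered without opening each patch; the same applies to the other entries this series adds.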
-- 
1.7.10.4




* [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
  2014-05-16  2:12 ` [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099 rongqing.li
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0865

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...o-check-chunk-sizes-before-reading-chunks.patch |   51 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
new file mode 100644
index 0000000..7e4f682
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch
@@ -0,0 +1,51 @@
+From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 25 Jan 2013 06:11:59 +0100
+Subject: [PATCH] vqavideo: check chunk sizes before reading chunks
+
+Upstream-Status: Backport
+
+Commit 2cac35086c9e103fa98960c546d5017e7363803a release/0.7
+
+Fixes out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/vqavideo.c |   10 ++++++++++
+ 1 files changed, 10 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
+index d1eab5b..6e1ce6c 100644
+--- a/gst-libs/ext/libav/libavcodec/vqavideo.c
++++ b/gst-libs/ext/libav/libavcodec/vqavideo.c
+@@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s)
+         chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]);
+         cbp0_chunk += CHUNK_PREAMBLE_SIZE;
+ 
++        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++            av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size);
++            return AVERROR_INVALIDDATA;
++        }
++
+         /* accumulate partial codebook */
+         memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+             &s->buf[cbp0_chunk], chunk_size);
+@@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s)
+         chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]);
+         cbpz_chunk += CHUNK_PREAMBLE_SIZE;
+ 
++        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
++            av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size);
++            return AVERROR_INVALIDDATA;
++        }
++
+         /* accumulate partial codebook */
+         memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index],
+             &s->buf[cbpz_chunk], chunk_size);
+-- 
+1.7.5.4
+
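Review bot: both added checks end in `return AVERROR_INVALIDDATA;`, but the hunk headers show that the backport target still declares `static void vqa_decode_chunk(VqaContext *s)`. Returning a value from a void function draws a compiler diagnostic at best, and the error code cannot reach the caller. Either change the function to return int and have the caller check it, or use a bare `return;` in this backport. The bound itself, `chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index`, subtracts on the constant side instead of adding to the untrusted chunk_size, which avoids wrap-around as long as next_codebook_buffer_index can never exceed MAX_CODEBOOK_SIZE.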
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 4913539..3d1f207 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://libav_e5500.patch \
            file://gst-ffmpeg-CVE-2013-3674.patch \
            file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
+           file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
  2014-05-16  2:12 ` [PATCH 01/12] ffmpeg: fix for Security Advisory CVE-2014-2263 rongqing.li
  2014-05-16  2:12 ` [PATCH 02/12] ffmpeg: fix for Security Advisory CVE-2013-0865 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before
2.1.4 does not properly calculate line sizes, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Microsoft RLE video
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2099

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...le-use-av_image_get_linesize-to-calculate.patch |   50 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
new file mode 100644
index 0000000..b0a3fb1
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
@@ -0,0 +1,50 @@
+From 573d5fdedae72bf59d8c0b0766fdee171063d36f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 16 Feb 2014 23:08:52 +0100
+Subject: [PATCH] avcodec/msrle: use av_image_get_linesize() to calculate the
+ linesize
+
+Upstream-Status: Backport
+
+Commit 573d5fdedae72bf59d8c0b0766fdee171063d36f release/0.9
+
+Fixes out of array access
+Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c919e1ca2ecfc47d796382973ba0e48b8f6f92a2)
+
+Conflicts:
+
+	libavcodec/msrle.c
+(cherry picked from commit bc1c8ec5e65098fd2ccd8456f667151dfc9cda42)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/msrle.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
+index 30159bb..c39ae7b 100644
+--- a/gst-libs/ext/libav/libavcodec/msrle.c
++++ b/gst-libs/ext/libav/libavcodec/msrle.c
+@@ -35,6 +35,7 @@
+ #include "avcodec.h"
+ #include "dsputil.h"
+ #include "msrledec.h"
++#include "libavutil/imgutils.h"
+ 
+ typedef struct MsrleContext {
+     AVCodecContext *avctx;
+@@ -107,7 +108,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,
+ 
+     /* FIXME how to correctly detect RLE ??? */
+     if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
+-        int linesize = avctx->width * avctx->bits_per_coded_sample / 8;
++        int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
+         uint8_t *ptr = s->frame.data[0];
+         uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
+         int i, j;
+-- 
+1.7.5.4
+
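Review bot: in msrle_decode_frame(), the result of `av_image_get_linesize(avctx->pix_fmt, avctx->width, 0)` is stored in `int linesize` and never checked for a negative value; the function returns a negative error code when it cannot compute a line size for the pixel format. Add `if (linesize < 0) return linesize;` before linesize is used. Note also that the uncompressed-frame test just above still compares `avctx->height * istride` with `avpkt->size`, and istride is computed outside this hunk, so confirm that the new linesize can never exceed istride.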
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 3d1f207..05cc404 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://gst-ffmpeg-CVE-2013-3674.patch \
            file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
            file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
+           file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (2 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 03/12] ffmpeg: fix for Security Advisory CVE-2014-2099 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-19 15:39   ` Saul Wold
  2014-05-16  2:12 ` [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845 rongqing.li
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) len==0 cases.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
 .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    2 +
 3 files changed, 148 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
new file mode 100644
index 0000000..e859e44
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
@@ -0,0 +1,87 @@
+From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 18:29:41 +0100
+Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
+
+Upstream-Status: Backport
+
+Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
+
+Prevents out of array writes
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 58da789..993e524 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -33,6 +33,7 @@
+ #include "put_bits.h"
+ #include "dsputil.h"
+ #include "thread.h"
++#include "libavutil/avassert.h"
+ 
+ #define VLC_BITS 11
+ 
+@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
+                     int len1 = s->len[p][u];
+                     if (len1 > limit || !len1)
+                         continue;
++                    av_assert0(i < (1 << VLC_BITS));
+                     len[i] = len0 + len1;
+                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+                     symbols[i] = (y<<8) + u;
+@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
+                     int len2 = s->len[2][r&255];
+                     if (len2 > limit1 || !len2)
+                         continue;
++                    av_assert0(i < (1 << VLC_BITS));
+                     len[i] = len0 + len1 + len2;
+                     bits[i] = (code << len2) + s->bits[2][r&255];
+                     if(s->decorrelate){
+@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
+ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
+     GetBitContext gb;
+     int i;
++    int ret;
+ 
+     init_get_bits(&gb, src, length*8);
+ 
+@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
+             return -1;
+         }
+         free_vlc(&s->vlc[i]);
+-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++                           s->bits[i], 4, 4, 0)) < 0)
++            return ret;
+     }
+ 
+     generate_joint_tables(s);
+@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
+ #if 1
+     GetBitContext gb;
+     int i;
++    int ret;
+ 
+     init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
+     if(read_len_table(s->len[0], &gb)<0)
+@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
+ 
+     for(i=0; i<3; i++){
+         free_vlc(&s->vlc[i]);
+-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
++        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
++                            s->bits[i], 4, 4, 0)) < 0)
++            return ret;
+     }
+ 
+     generate_joint_tables(s);
+-- 
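Review bot: the two generate_joint_tables() hunks use `if (len1 > limit || !len1)` and `if (len2 > limit1 || !len2)` as context, and those lines only exist once 0001-huffyuvdec-Skip-len-0-cases.patch has been applied, so this patch depends on that one coming first in SRC_URI; state the dependency in the patch header. The hunk headers also look hand-edited (`@@ -287,6 +287,7 @@` follows a hunk that already added a line, and the file ends at `-- ` with no version trailer), so check that the patch applies without fuzz. On the substance, `av_assert0(i < (1 << VLC_BITS))` prevents the out-of-array write by aborting the process, which still leaves a crash on crafted input unless the len==0 skips make the condition unreachable.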
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
new file mode 100644
index 0000000..68bc966
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
@@ -0,0 +1,59 @@
+From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Tue, 29 Jan 2013 19:22:33 +0100
+Subject: [PATCH] huffyuvdec: Skip len==0 cases
+
+Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
+
+Fixes vlc decoding for hypothetical files that would contain such cases.
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 993e524..72ed351 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
+             for(i=y=0; y<256; y++){
+                 int len0 = s->len[0][y];
+                 int limit = VLC_BITS - len0;
+-                if(limit <= 0)
++                if(limit <= 0 || !len0)
+                     continue;
+                 for(u=0; u<256; u++){
+                     int len1 = s->len[p][u];
+-                    if(len1 > limit)
++                    if (len1 > limit || !len1)
+                         continue;
+                     len[i] = len0 + len1;
+                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
+@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
+         for(i=0, g=-16; g<16; g++){
+             int len0 = s->len[p0][g&255];
+             int limit0 = VLC_BITS - len0;
+-            if(limit0 < 2)
++            if (limit0 < 2 || !len0)
+                 continue;
+             for(b=-16; b<16; b++){
+                 int len1 = s->len[p1][b&255];
+                 int limit1 = limit0 - len1;
+-                if(limit1 < 1)
++                if (limit1 < 1 || !len1)
+                     continue;
+                 code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
+                 for(r=-16; r<16; r++){
+                     int len2 = s->len[2][r&255];
+-                    if(len2 > limit1)
++                    if (len2 > limit1 || !len2)
+                         continue;
+                     len[i] = len0 + len1 + len2;
+                     bits[i] = (code << len2) + s->bits[2][r&255];
+-- 
+1.8.5.2.233.g932f7e4
+
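Review bot: the header of this patch file has no `Upstream-Status: Backport` line; it goes from the Subject straight to `Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0`, unlike the other patch files in the series. Add the tag so the provenance is recorded consistently. The upstream message describes the change as fixing VLC decoding for hypothetical files, while the commit text of this mail lists len==0 as part (2) of CVE-2013-0868; a line in the header tying the patch to that CVE would make clear why it is carried.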
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 05cc404..847b927 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
            file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
            file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
+           file://0001-huffyuvdec-Skip-len-0-cases.patch \
+           file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (3 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852 rongqing.li
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to
have an unspecified impact via a crafted block length, which triggers an
out-of-bounds write.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0845

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-alsdec-check-block-length.patch           |   61 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
new file mode 100644
index 0000000..73980f4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
@@ -0,0 +1,61 @@
+From 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Wed, 12 Dec 2012 12:28:45 +0100
+Subject: [PATCH] alsdec: check block length
+
+Upstream-Status: Backport
+
+Commit 6df0d3e2916c223dbe4262bf1b876dff1cb3f980 release/1.0
+
+Fix writing over the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/alsdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 46dd0b4..1095b01 100644
+--- a/gst-libs/ext/libav/libavcodec/alsdec.c
++++ b/gst-libs/ext/libav/libavcodec/alsdec.c
+@@ -552,12 +552,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks,
+ 
+ /** Read the block data for a constant block
+  */
+-static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
++static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+ {
+     ALSSpecificConfig *sconf = &ctx->sconf;
+     AVCodecContext *avctx    = ctx->avctx;
+     GetBitContext *gb        = &ctx->gb;
+ 
++    if (bd->block_length <= 0)
++        return -1;
++
+     *bd->raw_samples = 0;
+     *bd->const_block = get_bits1(gb);    // 1 = constant value, 0 = zero block (silence)
+     bd->js_blocks    = get_bits1(gb);
+@@ -572,6 +575,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd)
+ 
+     // ensure constant block decoding by reusing this field
+     *bd->const_block = 1;
++
++    return 0;
+ }
+ 
+ 
+@@ -971,7 +976,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
+         if (read_var_block_data(ctx, bd))
+             return -1;
+     } else {
+-        read_const_block_data(ctx, bd);
++        if (read_const_block_data(ctx, bd) < 0)
++            return -1;
+     }
+ 
+     return 0;
+-- 
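Review bot: the new `bd->block_length <= 0` guard sits only in read_const_block_data(); the other branch of read_block(), `read_var_block_data(ctx, bd)`, is not touched by this patch, so confirm that path already rejects a non-positive block_length. The guard returns a bare -1 with no av_log() message, which matches the surrounding `return -1` style but gives no hint in the logs that a crafted block length was rejected. The patch file also ends at `-- ` with no version trailer, which suggests it was truncated when it was added to the recipe.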
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 847b927..430bcc7 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
            file://0001-huffyuvdec-Skip-len-0-cases.patch \
            file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
+           file://0001-alsdec-check-block-length.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (4 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 05/12] ffmpeg: fix for Security Advisory CVE-2013-0845 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858 rongqing.li
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via
crafted RLE data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0852

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...heck-RLE-size-before-copying.-Fix-out-of-.patch |   34 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
new file mode 100644
index 0000000..1041347
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
@@ -0,0 +1,34 @@
+From 28bf685bfc6d0c744369cdf367f61a78d80d0b01 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 15 Nov 2012 16:41:28 +0100
+Subject: [PATCH] pgssubdec: check RLE size before copying. Fix out of array
+ accesses
+
+Upstream-Status: Backport
+
+Commit 28bf685bfc6d0c744369cdf367f61a78d80d0b01 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit c0d68be555f5858703383040e04fcd6529777061)
+---
+ libavcodec/pgssubdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c
+index 728f178..26a3c2a 100644
+--- a/gst-libs/ext/libav/libavcodec/pgssubdec.c
++++ b/gst-libs/ext/libav/libavcodec/pgssubdec.c
+@@ -202,6 +202,11 @@ static int parse_picture_segment(AVCodec
+         return -1;
+     }
+ 
++    if (buf_size > rle_bitmap_len) {
++        av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
++        return AVERROR_INVALIDDATA;
++    }
++
+     ctx->picture.w = width;
+     ctx->picture.h = height;
+ 
+-- 
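Review bot: The new `buf_size > rle_bitmap_len` test rejects oversized RLE input, but the lines shown do not establish what `buf_size` measures at this point (the whole segment or only the bytes left after the header fields), nor that `rle_bitmap_len` has itself been bounded before it is used as the limit. A short comment above the check stating both would let a reader confirm that the later copy cannot exceed the allocation. The embedded patch header also carries no CVE identifier; the link to CVE-2013-0852 exists only in the outer commit message, so adding it to the header would keep the patch file traceable on its own.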
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 430bcc7..eded98b 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-huffyuvdec-Skip-len-0-cases.patch \
            file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
            file://0001-alsdec-check-block-length.patch \
+           file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (5 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 06/12] ffmpeg: fix for Security Advisory CVE-2013-0852 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851 rongqing.li
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before
1.0.4 allows remote attackers to have an unspecified impact via ATRAC3
data with the joint stereo coding mode set and fewer than two channels.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0858

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...ac3dec-Check-coding-mode-against-channels.patch |   37 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
new file mode 100644
index 0000000..42cb5f4
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
@@ -0,0 +1,37 @@
+From 2502914c5f8eb77659d7c0868396862557a63245 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 9 Nov 2012 13:26:20 +0100
+Subject: [PATCH] atrac3dec: Check coding mode against channels.
+
+Upstream-Status: Backport
+
+Commit 2502914c5f8eb77659d7c0868396862557a63245 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 13451f5520ce6b0afde861b2285dda659f8d4fb4)
+
+Conflicts:
+
+	libavcodec/atrac3.c
+---
+ libavcodec/atrac3.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
+index 7d076be..1da4c78 100644
+--- a/gst-libs/ext/libav/libavcodec/atrac3.c
++++ b/gst-libs/ext/libav/libavcodec/atrac3.c
+@@ -955,6 +955,11 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
+     }
+     /* Check the extradata. */
+ 
++    if (q->codingMode == JOINT_STEREO && avctx->channels < 2) {
++        av_log(avctx, AV_LOG_ERROR, "Invalid coding mode\n");
++        return AVERROR_INVALIDDATA;
++    }
++
+     if (q->atrac3version != 4) {
+         av_log(avctx,AV_LOG_ERROR,"Version %d != 4.\n",q->atrac3version);
+         return AVERROR_INVALIDDATA;
+-- 
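Review bot: The embedded header lists `Conflicts: libavcodec/atrac3.c` without saying how the conflict was resolved, so a reviewer cannot tell whether the five added lines match the upstream commit or were adapted for this tree; please add a sentence describing the resolution. On the check itself, `avctx->channels < 2` guards only the JOINT_STEREO case; whether a zero or negative channel count is rejected for other coding modes is not visible in this hunk and is worth confirming.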
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index eded98b..a603ff5 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
            file://0001-alsdec-check-block-length.patch \
            file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
+           file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (6 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 07/12] ffmpeg: fix for Security Advisory CVE-2013-0858 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854 rongqing.li
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted
Electronic Arts Madcow video data, which triggers an out-of-bounds array
access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0851

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-eamad-fix-out-of-array-accesses.patch     |   29 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
new file mode 100644
index 0000000..f45e3fd
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
@@ -0,0 +1,29 @@
+From 63ac64864c6e0e84355aa3caa5b92208997a9a8d Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 17 Nov 2012 16:26:55 +0100
+Subject: [PATCH] eamad: fix out of array accesses
+
+Upstream-Status: Backport
+
+Commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/eamad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
+index 2805195..e38650e 100644
+--- a/gst-libs/ext/libav/libavcodec/eamad.c
++++ b/gst-libs/ext/libav/libavcodec/eamad.c
+@@ -237,7 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
+     int chunk_type;
+     int inter;
+ 
+-    if (buf_size < 17) {
++    if (buf_size < 26) {
+         av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n");
+         *data_size = 0;
+         return -1;
+-- 
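Review bot: The minimum size changes from 17 to 26 in `if (buf_size < 26)` with no indication of where 26 comes from, and the embedded commit message says only "fix out of array accesses". Please add a comment or a named constant that derives the value from the fixed-size reads decode_frame performs on the buffer, so that a later change to the header parsing does not silently invalidate the bound.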
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a603ff5..0d0ba9a 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-alsdec-check-block-length.patch \
            file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
            file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
+           file://0001-eamad-fix-out-of-array-accesses.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (7 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 08/12] ffmpeg: fix for Security Advisory CVE-2013-0851 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856 rongqing.li
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via crafted MJPEG data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0854

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-mjpegdec-check-SE.patch                   |   32 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
new file mode 100644
index 0000000..d90bafa
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
@@ -0,0 +1,32 @@
+From 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 11 Nov 2012 00:01:24 +0100
+Subject: [PATCH] mjpegdec: check SE.
+
+Upstream-Status: Backport
+
+Commit 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 release/1.1
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/mjpegdec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
+index 6b5266d..0a71a6f 100644
+--- a/gst-libs/ext/libav/libavcodec/mjpegdec.c
++++ b/gst-libs/ext/libav/libavcodec/mjpegdec.c
+@@ -905,6 +905,11 @@ static int mjpeg_decode_scan_progressive
+     int16_t *quant_matrix = s->quant_matrixes[ s->quant_index[c] ];
+     GetBitContext mb_bitmask_gb;
+ 
++    if (se > 63) {
++        av_log(s->avctx, AV_LOG_ERROR, "SE %d is too large\n", se);
++        return AVERROR_INVALIDDATA;
++    }
++
+     if (mb_bitmask) {
+         init_get_bits(&mb_bitmask_gb, mb_bitmask, s->mb_width*s->mb_height);
+     }
+-- 
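Review bot: `if (se > 63)` bounds the value from above only, and 63 appears as a bare literal. If `se` has a signed type, a negative value passes this test; please confirm that it cannot be negative on entry or add the lower bound, and consider a named constant tied to the size of whatever `se` indexes so the limit and the storage cannot drift apart. Logging the offending value in the error message is helpful and should be kept.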
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 0d0ba9a..28ea29e 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch \
            file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
            file://0001-eamad-fix-out-of-array-accesses.patch \
+           file://0001-mjpegdec-check-SE.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (8 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 09/12] ffmpeg: fix for Security Advisory CVE-2013-0854 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850 rongqing.li
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted Apple
Lossless Audio Codec (ALAC) data, related to a large nb_samples value.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0856

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 .../0001-alac-fix-nb_samples-order-case.patch      |   30 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
new file mode 100644
index 0000000..10ce0f3
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
@@ -0,0 +1,30 @@
+From e0884eadf6a15e93142131b695f48776f9a0ac31 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sat, 10 Nov 2012 17:14:04 +0100
+Subject: [PATCH] alac: fix nb_samples < order case
+
+Upstream-Status: Backport
+
+Commit e0884eadf6a15e93142131b695f48776f9a0ac31 release/1.0
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit fd4f4923cce6a2cbf4f48640b4ac706e614a1594)
+---
+ libavcodec/alac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/alac.c b/libavcodec/alac.c
+index 9cd1737..e8e844a 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -278,7 +278,7 @@ static void predictor_decompress_fir_ada
+ 
+     /* read warm-up samples */
+     if (predictor_coef_num > 0)
+-        for (i = 0; i < predictor_coef_num; i++) {
++        for (i = 0; i < predictor_coef_num && i < output_size; i++) {
+             int32_t val;
+ 
+             val = buffer_out[i] + error_buffer[i+1];
+-- 
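Review bot: The added `i < output_size` bound still lets the last iteration use index `i+1 == output_size`, because the loop body reads `error_buffer[i+1]`. If error_buffer holds output_size entries, that read is one element past the end; `i + 1 < output_size` would close the gap, or a comment should state why the buffer has a spare slot.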
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 28ea29e..a0673fd 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-atrac3dec-Check-coding-mode-against-channels.patch \
            file://0001-eamad-fix-out-of-array-accesses.patch \
            file://0001-mjpegdec-check-SE.patch \
+           file://0001-alac-fix-nb_samples-order-case.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (9 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 10/12] ffmpeg: fix for Security Advisory CVE-2013-0856 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16  2:12 ` [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849 rongqing.li
  2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The decode_slice_header function in libavcodec/h264.c in FFmpeg before
1.1 allows remote attackers to have an unspecified impact via crafted
H.264 data, which triggers an out-of-bounds array access.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0850

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...t-ref-count-check-and-limit-fix-out-of-ar.patch |   29 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
new file mode 100644
index 0000000..d4f55b2
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
@@ -0,0 +1,29 @@
+From d6c184880ee2e09fd68c0ae217173832cee5afc1 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Sun, 18 Nov 2012 16:29:04 +0100
+Subject: [PATCH] h264: correct ref count check and limit, fix out of array
+ accesses.
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/h264.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index da43f1e..32cede5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264.c
++++ b/gst-libs/ext/libav/libavcodec/h264.c
+@@ -2870,6 +2870,9 @@ static int decode_slice_header(H264Conte
+             h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
+             if(h->slice_type_nos==AV_PICTURE_TYPE_B)
+                 h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
++            else
++                // full range is spec-ok in this case, even for frames
++                h->ref_count[1] = 1;
+ 
+             if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
+                 av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+-- 
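Review bot: The embedded header and the hunk disagree: the diffstat says `libavcodec/h264.c | 2 +-` with 1 insertion and 1 deletion, while the hunk (`@@ -2870,6 +2870,9 @@`) adds three lines and deletes none, and the `ref_count[0]-1 > 32-1` limit named in the subject is left as unchanged context. The added comment "full range is spec-ok in this case, even for frames" also does not describe the `else` branch it sits in, which sets `h->ref_count[1] = 1`. Please regenerate the header from the change actually applied, add the upstream "Commit ..." reference that the other patches in this series carry, and reword or drop the comment.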
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index a0673fd..ad85fa2 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-eamad-fix-out-of-array-accesses.patch \
            file://0001-mjpegdec-check-SE.patch \
            file://0001-alac-fix-nb_samples-order-case.patch \
+           file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (10 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 11/12] ffmpeg: fix for Security Advisory CVE-2013-0850 rongqing.li
@ 2014-05-16  2:12 ` rongqing.li
  2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
  12 siblings, 0 replies; 17+ messages in thread
From: rongqing.li @ 2014-05-16  2:12 UTC (permalink / raw)
  To: openembedded-core

From: Yue Tao <Yue.Tao@windriver.com>

The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via a
crafted (1) width or (2) height dimension that is not a multiple of
sixteen in id RoQ video data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0849

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...001-roqvideodec-check-dimensions-validity.patch |   36 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
new file mode 100644
index 0000000..7e58afc
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch
@@ -0,0 +1,36 @@
+From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Thu, 29 Nov 2012 15:18:17 +0100
+Subject: [PATCH] roqvideodec: check dimensions validity
+
+Upstream-Status: Backport
+
+Commit 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 release/0.7
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/roqvideodec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
+index f0977f6..4e34231 100644
+--- a/gst-libs/ext/libav/libavcodec/roqvideodec.c
++++ b/gst-libs/ext/libav/libavcodec/roqvideodec.c
+@@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx)
+     RoqContext *s = avctx->priv_data;
+ 
+     s->avctx = avctx;
++
++    if (avctx->width%16 || avctx->height%16) {
++         av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n");
++         return AVERROR_PATCHWELCOME;
++    }
++
+     s->width = avctx->width;
+     s->height = avctx->height;
+     avcodec_get_frame_defaults(&s->frames[0]);
+-- 
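Review bot: `avctx->width%16 || avctx->height%16` accepts zero, since 0 % 16 is 0, and in C it also accepts negative multiples of 16; whether such dimensions are rejected before roq_decode_init runs is not visible here. Consider adding `avctx->width <= 0 || avctx->height <= 0` to the condition, or a comment naming the earlier check that covers it. Minor: the two lines inside the new block are indented one space deeper than the surrounding four-space style, and the embedded header carries Michael Niedermayer's Signed-off-by twice.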
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index ad85fa2..a3b2f5c 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-mjpegdec-check-SE.patch \
            file://0001-alac-fix-nb_samples-order-case.patch \
            file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
+           file://0001-roqvideodec-check-dimensions-validity.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
-- 
1.7.10.4




* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
  2014-05-16  2:12 [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches rongqing.li
                   ` (11 preceding siblings ...)
  2014-05-16  2:12 ` [PATCH 12/12] ffmpeg: fix for Security Advisory CVE-2013-0849 rongqing.li
@ 2014-05-16 11:09 ` Paul Eggleton
  2014-05-19  1:32   ` Rongqing Li
  12 siblings, 1 reply; 17+ messages in thread
From: Paul Eggleton @ 2014-05-16 11:09 UTC (permalink / raw)
  To: Roy Li; +Cc: openembedded-core

Hi Roy,

On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
> 
> Diff with V1: use ffmpeg as prefix of commit header
> 
> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
> 
>   gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> 
> are available in the git repository at:
> 
>   git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
>   http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> 
> Yue Tao (12):
>   ffmpeg: fix for Security Advisory CVE-2014-2263
>   ffmpeg: fix for Security Advisory CVE-2013-0865
>   ffmpeg: fix for Security Advisory CVE-2014-2099
>   ffmpeg: fix for Security Advisory CVE-2013-0868
>   ffmpeg: fix for Security Advisory CVE-2013-0845
>   ffmpeg: fix for Security Advisory CVE-2013-0852
>   ffmpeg: fix for Security Advisory CVE-2013-0858
>   ffmpeg: fix for Security Advisory CVE-2013-0851
>   ffmpeg: fix for Security Advisory CVE-2013-0854
>   ffmpeg: fix for Security Advisory CVE-2013-0856
>   ffmpeg: fix for Security Advisory CVE-2013-0850
>   ffmpeg: fix for Security Advisory CVE-2013-0849

This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since that's the 
recipe being modified.

Also, I'm not sure if you got my message yesterday (since there was a problem 
with the email transmission) however I'll repeat it here just in case:

> Note that whilst we should apply these patches, they won't actually have any
> effect on unmodified builds because we do not use gst-ffmpeg's internal
> copy of ffmpeg, we use libav instead. So if any of these fixes apply to
> libav (or if there are equivalent fixes) we will need to apply them to
> libav.

Would you be able to take care of the corresponding patches to libav?

Thanks,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
  2014-05-16 11:09 ` [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches Paul Eggleton
@ 2014-05-19  1:32   ` Rongqing Li
  2014-05-19  9:58     ` Paul Eggleton
  0 siblings, 1 reply; 17+ messages in thread
From: Rongqing Li @ 2014-05-19  1:32 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: openembedded-core



On 05/16/2014 07:09 PM, Paul Eggleton wrote:
> Hi Roy,
>
> On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
>> From: Roy Li <rongqing.li@windriver.com>
>>
>> Diff with V1: use ffmpeg as prefix of commit header
>>
>> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
>>
>>    gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
>>
>> are available in the git repository at:
>>
>>    git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
>>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
>>
>> Yue Tao (12):
>>    ffmpeg: fix for Security Advisory CVE-2014-2263
>>    ffmpeg: fix for Security Advisory CVE-2013-0865
>>    ffmpeg: fix for Security Advisory CVE-2014-2099
>>    ffmpeg: fix for Security Advisory CVE-2013-0868
>>    ffmpeg: fix for Security Advisory CVE-2013-0845
>>    ffmpeg: fix for Security Advisory CVE-2013-0852
>>    ffmpeg: fix for Security Advisory CVE-2013-0858
>>    ffmpeg: fix for Security Advisory CVE-2013-0851
>>    ffmpeg: fix for Security Advisory CVE-2013-0854
>>    ffmpeg: fix for Security Advisory CVE-2013-0856
>>    ffmpeg: fix for Security Advisory CVE-2013-0850
>>    ffmpeg: fix for Security Advisory CVE-2013-0849
>
> This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since that's the
> recipe being modified.
>

Ok, I update it

=====================
The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:

   gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)

are available in the git repository at:

   git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
   http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2

Yue Tao (12):
   gst-ffmpeg: fix for Security Advisory CVE-2014-2263
   gst-ffmpeg: fix for Security Advisory CVE-2013-0865
   gst-ffmpeg: fix for Security Advisory CVE-2014-2099
   gst-ffmpeg: fix for Security Advisory CVE-2013-0868
   gst-ffmpeg: fix for Security Advisory CVE-2013-0845
   gst-ffmpeg: fix for Security Advisory CVE-2013-0852
   gst-ffmpeg: fix for Security Advisory CVE-2013-0858
   gst-ffmpeg: fix for Security Advisory CVE-2013-0851
   gst-ffmpeg: fix for Security Advisory CVE-2013-0854
   gst-ffmpeg: fix for Security Advisory CVE-2013-0856
   gst-ffmpeg: fix for Security Advisory CVE-2013-0850
   gst-ffmpeg: fix for Security Advisory CVE-2013-0849

  .../0001-alac-fix-nb_samples-order-case.patch      |   30 +++++++
  .../0001-alsdec-check-block-length.patch           |   61 ++++++++++++++
  ...ac3dec-Check-coding-mode-against-channels.patch |   37 +++++++++
  ...le-use-av_image_get_linesize-to-calculate.patch |   50 +++++++++++
  ...egtsenc-Check-data-array-size-in-mpegts_w.patch |   69 ++++++++++++++++
  .../0001-eamad-fix-out-of-array-accesses.patch     |   29 +++++++
  ...t-ref-count-check-and-limit-fix-out-of-ar.patch |   29 +++++++
  ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
  .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
  .../0001-mjpegdec-check-SE.patch                   |   32 +++++++
  ...heck-RLE-size-before-copying.-Fix-out-of-.patch |   34 ++++++++
  ...001-roqvideodec-check-dimensions-validity.patch |   36 ++++++++
  ...o-check-chunk-sizes-before-reading-chunks.patch |   51 ++++++++++++
  .../gstreamer/gst-ffmpeg_0.10.13.bb                |   13 +++
  14 files changed, 617 insertions(+)
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
  create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch



> Also, I'm not sure if you got my message yesterday (since there was a problem
> with the email transmission) however I'll repeat it here just in case:
>
>> Note that whilst we should apply these patches, they won't actually have any
>> effect on unmodified builds because we do not use gst-ffmpeg's internal
>> copy of ffmpeg, we use libav instead. So if any of these fixes apply to
>> libav (or if there are equivalent fixes) we will need to apply them to
>> libav.
>
> Would you be able to take care of the corresponding patches to libav?
>

I did not see the CVE patches on libav

-Roy


> Thanks,
> Paul
>

-- 
Best Regards,
Roy | RongQing Li



* Re: [PATCH 00/12 v2] ffmpeg: backport 12 CVE patches
  2014-05-19  1:32   ` Rongqing Li
@ 2014-05-19  9:58     ` Paul Eggleton
  0 siblings, 0 replies; 17+ messages in thread
From: Paul Eggleton @ 2014-05-19  9:58 UTC (permalink / raw)
  To: Rongqing Li; +Cc: openembedded-core

On Monday 19 May 2014 09:32:57 Rongqing Li wrote:
> On 05/16/2014 07:09 PM, Paul Eggleton wrote:
> > Hi Roy,
> > 
> > On Friday 16 May 2014 10:12:08 rongqing.li@windriver.com wrote:
> >> From: Roy Li <rongqing.li@windriver.com>
> >> 
> >> Diff with V1: use ffmpeg as prefix of commit header
> >> 
> >> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
> >>    gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> >> 
> >> are available in the git repository at:
> >>    git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
> >>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> >> 
> >> Yue Tao (12):
> >>    ffmpeg: fix for Security Advisory CVE-2014-2263
> >>    ffmpeg: fix for Security Advisory CVE-2013-0865
> >>    ffmpeg: fix for Security Advisory CVE-2014-2099
> >>    ffmpeg: fix for Security Advisory CVE-2013-0868
> >>    ffmpeg: fix for Security Advisory CVE-2013-0845
> >>    ffmpeg: fix for Security Advisory CVE-2013-0852
> >>    ffmpeg: fix for Security Advisory CVE-2013-0858
> >>    ffmpeg: fix for Security Advisory CVE-2013-0851
> >>    ffmpeg: fix for Security Advisory CVE-2013-0854
> >>    ffmpeg: fix for Security Advisory CVE-2013-0856
> >>    ffmpeg: fix for Security Advisory CVE-2013-0850
> >>    ffmpeg: fix for Security Advisory CVE-2013-0849
> > 
> > This should really be "gst-ffmpeg:" rather than just "ffmpeg:" since
> > that's the recipe being modified.
> 
> Ok, I update it
> 
> =====================
> The following changes since commit e273301efa0037a13c3a60b4414140364d9c9873:
> 
>    gstreamer/lame: Better gcc 4.9 fix (2014-05-15 23:27:41 +0100)
> 
> are available in the git repository at:
> 
>    git://git.pokylinux.org/poky-contrib roy/ffmpeg-2
>    http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=roy/ffmpeg-2
> 
> Yue Tao (12):
>    gst-ffmpeg: fix for Security Advisory CVE-2014-2263
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0865
>    gst-ffmpeg: fix for Security Advisory CVE-2014-2099
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0868
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0845
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0852
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0858
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0851
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0854
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0856
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0850
>    gst-ffmpeg: fix for Security Advisory CVE-2013-0849
> 
>   .../0001-alac-fix-nb_samples-order-case.patch      |   30 +++++++
>   .../0001-alsdec-check-block-length.patch           |   61 ++++++++++++++
>   ...ac3dec-Check-coding-mode-against-channels.patch |   37 +++++++++
>   ...le-use-av_image_get_linesize-to-calculate.patch |   50 +++++++++++
>   ...egtsenc-Check-data-array-size-in-mpegts_w.patch |   69 ++++++++++++++++
>   .../0001-eamad-fix-out-of-array-accesses.patch     |   29 +++++++
>   ...t-ref-count-check-and-limit-fix-out-of-ar.patch |   29 +++++++
>   ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
>   .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
>   .../0001-mjpegdec-check-SE.patch                   |   32 +++++++
>   ...heck-RLE-size-before-copying.-Fix-out-of-.patch |   34 ++++++++
>   ...001-roqvideodec-check-dimensions-validity.patch |   36 ++++++++
>   ...o-check-chunk-sizes-before-reading-chunks.patch |   51 ++++++++++++
>   .../gstreamer/gst-ffmpeg_0.10.13.bb                |   13 +++
>   14 files changed, 617 insertions(+)
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alac-fix-nb_samples-order-case.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-alsdec-check-block-length.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-atrac3dec-Check-coding-mode-against-channels.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-eamad-fix-out-of-array-accesses.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-mjpegdec-check-SE.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-pgssubdec-check-RLE-size-before-copying.-Fix-out-of-.patch
> > Also, I'm not sure if you got my message yesterday (since there was a
> > problem with the email transmission) however I'll repeat it here just in case:
> >> Note that whilst we should apply these patches, they won't actually have
> >> any effect on unmodified builds because we do not use gst-ffmpeg's
> >> internal copy of ffmpeg, we use libav instead. So if any of these fixes
> >> apply to libav (or if there are equivalent fixes) we will need to apply
> >> them to libav.
> > 
> > Would you be able to take care of the corresponding patches to libav?
> 
> I did not see the CVE patches on libav

If they are applicable to the built-in copy of ffmpeg, at least some of them 
should be applicable to libav.

Actually I've noticed we're a couple of releases behind on libav 0.8 upgrades 
(libav 0.8 is the version we are using with gst-ffmpeg), and we also need to do 
a libav 9 upgrade. I will take care of at least doing the upgrades, but we 
should double-check that these fixes are either not applicable or already 
applied after that is done.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868
  2014-05-16  2:12 ` [PATCH 04/12] ffmpeg: fix for Security Advisory CVE-2013-0868 rongqing.li
@ 2014-05-19 15:39   ` Saul Wold
  0 siblings, 0 replies; 17+ messages in thread
From: Saul Wold @ 2014-05-19 15:39 UTC (permalink / raw)
  To: rongqing.li, openembedded-core

On 05/15/2014 07:12 PM, rongqing.li@windriver.com wrote:
> From: Yue Tao <Yue.Tao@windriver.com>
>
> libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
> to have an unspecified impact via crafted Huffyuv data, related to an
> out-of-bounds write and (1) unchecked return codes from the init_vlc
> function and (2) len==0 cases.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868
>
> Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
>   ...01-huffyuvdec-Check-init_vlc-return-codes.patch |   87 ++++++++++++++++++++
>   .../0001-huffyuvdec-Skip-len-0-cases.patch         |   59 +++++++++++++
>   .../gstreamer/gst-ffmpeg_0.10.13.bb                |    2 +
>   3 files changed, 148 insertions(+)
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
>   create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
>
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> new file mode 100644
> index 0000000..e859e44
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Check-init_vlc-return-codes.patch
> @@ -0,0 +1,87 @@
> +From b666debffec1fcbb19ef377635a53b9a58bca8a4 Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 18:29:41 +0100
> +Subject: [PATCH] huffyuvdec: Check init_vlc() return codes.
> +
> +Upstream-Status: Backport
> +
> +Commit b666debffec1fcbb19ef377635a53b9a58bca8a4 release/1.0
> +
> +Prevents out of array writes
> +
> +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit f67a0d115254461649470452058fa3c28c0df294)
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 14 ++++++++++----
> + 1 file changed, 10 insertions(+), 4 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 58da789..993e524 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -33,6 +33,7 @@
> + #include "put_bits.h"
> + #include "dsputil.h"
> + #include "thread.h"
> ++#include "libavutil/avassert.h"
> +
> + #define VLC_BITS 11
> +
> +@@ -287,6 +287,7 @@ static void generate_joint_tables(HYuvCo
> +                     int len1 = s->len[p][u];
> +                     if (len1 > limit || !len1)
> +                         continue;
> ++                    av_assert0(i < (1 << VLC_BITS));
> +                     len[i] = len0 + len1;
> +                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> +                     symbols[i] = (y<<8) + u;
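Review bot: av_assert0() on the added line before `len[i] = len0 + len1;` stops the out-of-array write by calling abort(), so a crafted Huffyuv stream that reaches this point now takes down the whole process that loaded the decoder instead of returning a decode error. That is the right trade against memory corruption, but the recipe commit message should say the residual impact is a crash. Since generate_joint_tables() is `static void`, turning this into a recoverable error would need a signature change, which is a reasonable follow-up rather than a blocker. The same applies to the identical assert in the next hunk.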
> +@@ -320,6 +321,7 @@ static void generate_joint_tables(HYuvCo
> +                     int len2 = s->len[2][r&255];
> +                     if (len2 > limit1 || !len2)
> +                         continue;
> ++                    av_assert0(i < (1 << VLC_BITS));
> +                     len[i] = len0 + len1 + len2;
> +                     bits[i] = (code << len2) + s->bits[2][r&255];
> +                     if(s->decorrelate){
> +@@ -343,6 +345,7 @@ static void generate_joint_tables(HYuvCo
> + static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){
> +     GetBitContext gb;
> +     int i;
> ++    int ret;
> +
> +     init_get_bits(&gb, src, length*8);
> +
> +@@ -353,7 +356,9 @@ static int read_huffman_tables(HYuvConte
> +             return -1;
> +         }
> +         free_vlc(&s->vlc[i]);
> +-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++                           s->bits[i], 4, 4, 0)) < 0)
> ++            return ret;
> +     }
> +
> +     generate_joint_tables(s);
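Review bot: the new `return ret;` inside the loop exits before generate_joint_tables(s) runs and leaves any s->vlc[] entries built in earlier iterations in place, so the fix only holds if every caller of read_huffman_tables() treats a negative return as fatal. Those callers are not touched by this patch; please confirm they check the result in the bundled copy. Minor: the failure path just above returns -1 while this one returns init_vlc()'s code, which is fine as long as callers test for < 0.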
> +@@ -365,6 +370,7 @@ static int read_old_huffman_tables(HYuvC
> + #if 1
> +     GetBitContext gb;
> +     int i;
> ++    int ret;
> +
> +     init_get_bits(&gb, classic_shift_luma, sizeof(classic_shift_luma)*8);
> +     if(read_len_table(s->len[0], &gb)<0)
> +@@ -385,7 +391,9 @@ static int read_old_huffman_tables(HYuvC
> +
> +     for(i=0; i<3; i++){
> +         free_vlc(&s->vlc[i]);
> +-        init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0);
> ++        if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1,
> ++                            s->bits[i], 4, 4, 0)) < 0)
> ++            return ret;
> +     }
> +
> +     generate_joint_tables(s);
> +--
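Review bot: the embedded diffstat says "10 insertions(+), 4 deletions(-)" but the hunks above add 11 lines and remove 2, and the `diff --git` line still names libavcodec/huffyuv.c while the `---`/`+++` lines point at gst-libs/ext/libav/libavcodec/huffyuv.c. The hunk headers also do not account for the added #include (`-287,6 +287,7` follows a hunk that already added a line). So this is not a verbatim copy of commit b666debffec1fcbb19ef377635a53b9a58bca8a4; please state in the patch header what was adapted for the bundled copy so a later reviewer can compare it against upstream.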
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> new file mode 100644
> index 0000000..68bc966
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-huffyuvdec-Skip-len-0-cases.patch
> @@ -0,0 +1,59 @@
> +From db0f7f7394e1f994ed38db043f78ed0f10bde0da Mon Sep 17 00:00:00 2001
> +From: Michael Niedermayer <michaelni@gmx.at>
> +Date: Tue, 29 Jan 2013 19:22:33 +0100
> +Subject: [PATCH] huffyuvdec: Skip len==0 cases
> +
> +Commit db0f7f7394e1f994ed38db043f78ed0f10bde0da release/1.0
> +
> +Fixes vlc decoding for hypothetical files that would contain such cases.
> +
> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +(cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31)
> +
Missing Upstream-Status

Sau!

> +Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
> +---
> + libavcodec/huffyuv.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
> +index 993e524..72ed351 100644
> +--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
> ++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
> +@@ -281,11 +281,11 @@ static void generate_joint_tables(HYuvCo
> +             for(i=y=0; y<256; y++){
> +                 int len0 = s->len[0][y];
> +                 int limit = VLC_BITS - len0;
> +-                if(limit <= 0)
> ++                if(limit <= 0 || !len0)
> +                     continue;
> +                 for(u=0; u<256; u++){
> +                     int len1 = s->len[p][u];
> +-                    if(len1 > limit)
> ++                    if (len1 > limit || !len1)
> +                         continue;
> +                     len[i] = len0 + len1;
> +                     bits[i] = (s->bits[0][y] << len1) + s->bits[p][u];
> +@@ -308,17 +308,17 @@ static void generate_joint_tables(HYuvCo
> +         for(i=0, g=-16; g<16; g++){
> +             int len0 = s->len[p0][g&255];
> +             int limit0 = VLC_BITS - len0;
> +-            if(limit0 < 2)
> ++            if (limit0 < 2 || !len0)
> +                 continue;
> +             for(b=-16; b<16; b++){
> +                 int len1 = s->len[p1][b&255];
> +                 int limit1 = limit0 - len1;
> +-                if(limit1 < 1)
> ++                if (limit1 < 1 || !len1)
> +                     continue;
> +                 code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255];
> +                 for(r=-16; r<16; r++){
> +                     int len2 = s->len[2][r&255];
> +-                    if(len2 > limit1)
> ++                    if (len2 > limit1 || !len2)
> +                         continue;
> +                     len[i] = len0 + len1 + len2;
> +                     bits[i] = (code << len2) + s->bits[2][r&255];
> +--
> +1.8.5.2.233.g932f7e4
> +
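Review bot: the header of this embedded patch never mentions CVE-2013-0868; its only description is "Fixes vlc decoding for hypothetical files that would contain such cases", so once the file sits in the recipe directory nothing ties it to the len==0 case of the advisory. Please add a line naming the CVE alongside the Upstream-Status line requested above.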
> diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> index 05cc404..847b927 100644
> --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
> @@ -26,6 +26,8 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
>              file://0001-avformat-mpegtsenc-Check-data-array-size-in-mpegts_w.patch \
>              file://0001-vqavideo-check-chunk-sizes-before-reading-chunks.patch \
>              file://0001-avcodec-msrle-use-av_image_get_linesize-to-calculate.patch \
> +           file://0001-huffyuvdec-Skip-len-0-cases.patch \
> +           file://0001-huffyuvdec-Check-init_vlc-return-codes.patch \
>   "
>
>   SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
>
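Review bot: the order of the two added SRC_URI entries is load-bearing and nothing records that. The context lines in 0001-huffyuvdec-Check-init_vlc-return-codes.patch already contain `if (len1 > limit || !len1)` and `if (len2 > limit1 || !len2)`, which only exist once 0001-huffyuvdec-Skip-len-0-cases.patch has been applied, while the embedded index lines (58da789..993e524, then 993e524..72ed351) show upstream applied them the other way round. Listing Skip-len-0 first is therefore correct; a short comment here or in the patch headers would keep someone from reordering them later.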

