Patchwork [07/16] gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009

Submitter rongqing.li@windriver.com
Date July 22, 2014, 7:46 a.m.
Message ID <fa727f4c377c7ad56a76157bbfa39a343e3349f5.1406015054.git.rongqing.li@windriver.com>
Permalink /patch/76313/
State New

Comments

rongqing.li@windriver.com - July 22, 2014, 7:46 a.m.
From: Yue Tao <Yue.Tao@windriver.com>

The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
 ...a-Perform-pointer-advance-and-checks-befo.patch |   81 ++++++++++++++++++++
 .../gstreamer/gst-ffmpeg_0.10.13.bb                |    1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch

Patch

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
new file mode 100644
index 0000000..7f6eb48
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch
@@ -0,0 +1,81 @@ 
+gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
+ using the pointers
+
+Fixes out of array accesses
+Fixes Ticket2850
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport 
+
+Singed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/rpza.c |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 635b406..f291a95 100644
+--- a/gst-libs/ext/libav/libavcodec/rpza.c
++++ b/gst-libs/ext/libav/libavcodec/rpza.c
+@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
+     unsigned short *pixels = (unsigned short *)s->frame.data[0];
+ 
+     int row_ptr = 0;
+-    int pixel_ptr = 0;
++    int pixel_ptr = -4;
+     int block_ptr;
+     int pixel_x, pixel_y;
+     int total_blocks;
+@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
+             colorA = AV_RB16 (&s->buf[stream_ptr]);
+             stream_ptr += 2;
+             while (n_blocks--) {
++                ADVANCE_BLOCK()
+                 block_ptr = row_ptr + pixel_ptr;
+                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                     for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
+                     }
+                     block_ptr += row_inc;
+                 }
+-                ADVANCE_BLOCK();
+             }
+             break;
+ 
+@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
+             color4[2] |= ((21 * ta + 11 * tb) >> 5);
+ 
+             while (n_blocks--) {
++                ADVANCE_BLOCK();
+                 block_ptr = row_ptr + pixel_ptr;
+                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                     index = s->buf[stream_ptr++];
+@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
+                     }
+                     block_ptr += row_inc;
+                 }
+-                ADVANCE_BLOCK();
+             }
+             break;
+ 
+         /* Fill block with 16 colors */
+         case 0x00:
++            ADVANCE_BLOCK();
+             block_ptr = row_ptr + pixel_ptr;
+             for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+                 for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
+                 }
+                 block_ptr += row_inc;
+             }
+-            ADVANCE_BLOCK();
+             break;
+ 
+         /* Unknown opcode */
+-- 
+1.7.5.4
+
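Review bot: The new initializer `int pixel_ptr = -4;` in the embedded rpza.c patch is only safe if ADVANCE_BLOCK() runs before every `block_ptr = row_ptr + pixel_ptr`, and nothing in the code states that invariant. The three write paths in these hunks do advance first, but rpza_decode_stream continues outside the hunks, so any other path that reads pixel_ptr before advancing would now compute an index in front of the frame data. I would add a comment on the initializer, e.g. `/* one block before column 0: ADVANCE_BLOCK() must run before pixel_ptr is used */`, and confirm against the bundled libav copy that no remaining opcode path uses pixel_ptr first. The added call in the first `while (n_blocks--)` loop is written `ADVANCE_BLOCK()` without the semicolon the other two added calls carry; it presumably compiles because the macro expands to a braced block (its definition is not shown here), but `ADVANCE_BLOCK();` would be consistent. The `Singed-off-by:` trailer in the patch header is misspelled and will not be picked up as `Signed-off-by:`.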
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
index 138b660..42878e6 100644
--- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
@@ -43,6 +43,7 @@  SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
            file://0001-h264_sei-Fix-infinite-loop.patch \
            file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
+           file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
 "
 
 SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"