From: Yue Tao <yue....@windriver.com> The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted (1) width or (2) height dimension that is not a multiple of sixteen in id RoQ video data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0849 Signed-off-by: Yue Tao <yue....@windriver.com> Signed-off-by: Roy Li <rongqing...@windriver.com> --- ...001-roqvideodec-check-dimensions-validity.patch | 36 ++++++++++++++++++++ .../gstreamer/gst-ffmpeg_0.10.13.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch new file mode 100644 index 0000000..7e58afc --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-roqvideodec-check-dimensions-validity.patch @@ -0,0 +1,36 @@ +From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michae...@gmx.at> +Date: Thu, 29 Nov 2012 15:18:17 +0100 +Subject: [PATCH] roqvideodec: check dimensions validity + +Upstream-Status: Backport + +Commit 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 release/0.7 + +Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind +Signed-off-by: Michael Niedermayer <michae...@gmx.at> +(cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) + +Signed-off-by: Michael Niedermayer <michae...@gmx.at> +--- + libavcodec/roqvideodec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c +index f0977f6..4e34231 100644 +--- a/gst-libs/ext/libav/libavcodec/roqvideodec.c ++++ b/gst-libs/ext/libav/libavcodec/roqvideodec.c +@@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) + RoqContext *s = avctx->priv_data; + + s->avctx = avctx; ++ ++ if (avctx->width%16 || avctx->height%16) { ++ av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n"); ++ return AVERROR_PATCHWELCOME; ++ } ++ + s->width = avctx->width; + s->height = avctx->height; + avcodec_get_frame_defaults(&s->frames[0]); +-- diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb index ad85fa2..a3b2f5c 100644 --- a/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb @@ -35,6 +35,7 @@ SRC_URI = "http://gstreamer.freedesktop.org/src/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0001-mjpegdec-check-SE.patch \ file://0001-alac-fix-nb_samples-order-case.patch \ file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \ + file://0001-roqvideodec-check-dimensions-validity.patch \ " SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4" -- 1.7.10.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
