From: Jackie Huang <jackie.hu...@windriver.com> Cherry-pick patch from ffmpeg to fix CVE-2015-6820: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
Signed-off-by: Jackie Huang <jackie.hu...@windriver.com>
---
 .../libav/libav/libav-fix-CVE-2015-6820.patch | 66 ++++++++++++++++++++++
 meta/recipes-multimedia/libav/libav_9.18.bb | 1 +
 2 files changed, 67 insertions(+)
 create mode 100644 meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
diff --git a/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
new file mode 100644
index 0000000..00b124c
--- /dev/null
+++ b/meta/recipes-multimedia/libav/libav/libav-fix-CVE-2015-6820.patch
@@ -0,0 +1,66 @@
+Upstream-Status: Pending
+
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6820
+
+Cherry-pick from:
+http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79a98294da6cd85f8c86b34764c5e0c43b09eea3
+
+Signed-off-by: Jackie Huang <jackie.hu...@windriver.com>
+---
+From 79a98294da6cd85f8c86b34764c5e0c43b09eea3 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michae...@gmx.at>
+Date: Wed, 1 Jul 2015 02:05:43 +0200
+Subject: [PATCH] avcodec/aacsbr: check that the element type matches before
+ applying SBR
+
+Fixes out of array access
+Fixes: signal_sigsegv_3670fc0_2818_cov_2307326154_moon.mux
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michae...@gmx.at>
+---
+ libavcodec/aacsbr.c | 8 ++++++++
+ libavcodec/sbr.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
+index 7e98834..ca6dad7 100644
+--- a/libavcodec/aacsbr.c
++++ b/libavcodec/aacsbr.c
+@@ -1019,6 +1019,8 @@ static unsigned int read_sbr_data(AACContext *ac, SpectralBandReplication *sbr,
+ {
+ unsigned int cnt = get_bits_count(gb);
+
++ sbr->id_aac = id_aac;
++
+ if (id_aac == TYPE_SCE || id_aac == TYPE_CCE) {
+ if (read_sbr_single_channel_element(ac, sbr, gb)) {
+ sbr_turnoff(sbr);
+@@ -1695,6 +1697,12 @@ void ff_sbr_apply(AACContext *ac, SpectralBandReplication *sbr, int id_aac,
+ int nch = (id_aac == TYPE_CPE) ? 2 : 1;
+ int err;
+
++ if (id_aac != sbr->id_aac) {
++ av_log(ac->avctx, AV_LOG_ERROR,
++ "element type mismatch %d != %d\n", id_aac, sbr->id_aac);
++ sbr_turnoff(sbr);
++ }
++
+ if (!sbr->kx_and_m_pushed) {
+ sbr->kx[0] = sbr->kx[1];
+ sbr->m[0] = sbr->m[1];
+diff --git a/libavcodec/sbr.h b/libavcodec/sbr.h
+index e28fccd..ff00acb 100644
+--- a/libavcodec/sbr.h
++++ b/libavcodec/sbr.h
+@@ -137,6 +137,7 @@ typedef struct AACSBRContext {
+ struct SpectralBandReplication {
+ int sample_rate;
+ int start;
++ int id_aac;
+ int reset;
+ SpectrumParameters spectrum_params;
+ int bs_amp_res_header;
+--
+1.9.1
+
diff --git a/meta/recipes-multimedia/libav/libav_9.18.bb b/meta/recipes-multimedia/libav/libav_9.18.bb
index 4564def..7d0cc70 100644
--- a/meta/recipes-multimedia/libav/libav_9.18.bb
+++ b/meta/recipes-multimedia/libav/libav_9.18.bb
@@ -6,4 +6,5 @@ SRC_URI[sha256sum] = "0875e835da683eef1a7bac75e1884634194149d7479d1538ba9fbe1614
 SRC_URI += "file://libav-fix-CVE-2014-9676.patch \
 file://libav-fix-CVE-2015-1872.patch \
 file://libav-fix-CVE-2015-3395.patch \
+ file://libav-fix-CVE-2015-6820.patch \
 "
--
1.9.1
-- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
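Review bot: `sbr->id_aac` is written only in `read_sbr_data`, so the comparison added at the top of `ff_sbr_apply` depends on whatever the field holds before the first SBR payload for that element, and none of the hunks shown initialises it. If the context is zero-filled (not visible here), the field would match only the element type whose value is 0, and every other element that never carried SBR data would hit the mismatch branch and log at `AV_LOG_ERROR` on each call. Setting the field where the SBR context is initialised would make the starting state explicit, and the new struct member deserves a comment such as `int id_aac; /* element type recorded by the last read_sbr_data() call */`. After `sbr_turnoff(sbr)` the function falls through to its normal path, so the fix relies on the turned-off state keeping later indexing in bounds; both function bodies continue outside the hunks, so that cannot be confirmed from this patch alone.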