[OE-core] [fido][PATCH] gst-plugins-bad: fix CVE-2015-0797
Joshua Lock
joshua.lock at collabora.co.uk
Tue Jun 30 15:07:32 UTC 2015
On Mon, 2015-06-29 at 23:06 -0700, Andre McCurdy wrote:
> From: Kang Kai <kai.kang at windriver.com>
>
> Backport patch from debian to fix CVE-2015-0797.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784220
> https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23-7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch
>
> Backported to oe-core fido from meta-oe/meta-multimedia:
>
> http://git.openembedded.org/meta-openembedded/commit/?id=6cb3b63559bf33946f1c5d43626413d9a651e83f
>
> Signed-off-by: Kai Kang <kai.kang at windriver.com>
> Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
> Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
Queued in my fido-next branch[1] - thanks!
Regards,
Joshua
1. http://cgit.openembedded.org/openembedded-core-contrib/log/?h=joshuagl/fido-next
> ---
> .../gst-plugins-bad/buffer-overflow-mp4.patch | 36
> ++++++++++++++++++++++
> .../gstreamer/gst-plugins-bad_0.10.23.bb | 2 ++
> 2 files changed, 38 insertions(+)
> create mode 100644 meta/recipes-multimedia/gstreamer/gst-plugins
> -bad/buffer-overflow-mp4.patch
>
> diff --git a/meta/recipes-multimedia/gstreamer/gst-plugins-bad/buffer
> -overflow-mp4.patch b/meta/recipes-multimedia/gstreamer/gst-plugins
> -bad/buffer-overflow-mp4.patch
> new file mode 100644
> index 0000000..235acda
> --- /dev/null
> +++ b/meta/recipes-multimedia/gstreamer/gst-plugins-bad/buffer
> -overflow-mp4.patch
> @@ -0,0 +1,36 @@
> +Description: Fix buffer overflow in mp4 parsing
> +Author: Ralph Giles <giles at mozilla.com>
> +---
> +Backport patch from debian to fix CVE-2015-0797.
> +https://sources.debian.net/data/main/g/gst-plugins-bad0.10/0.10.23
> -7.1+deb7u2/debian/patches/buffer-overflow-mp4.patch
> +
> +Upstream-Status: Backport
> +
> +Signed-off-by: Kai Kang <kai.kang at windriver.com>
> +---
> +--- gst-plugins-bad0.10-0.10.23.orig/gst/videoparsers/gsth264parse.c
> ++++ gst-plugins-bad0.10-0.10.23/gst/videoparsers/gsth264parse.c
> +@@ -384,6 +384,11 @@ gst_h264_parse_wrap_nal (GstH264Parse *
> +
> + GST_DEBUG_OBJECT (h264parse, "nal length %d", size);
> +
> ++ if (size > G_MAXUINT32 - nl) {
> ++ GST_ELEMENT_ERROR (h264parse, STREAM, FAILED, (NULL),
> ++ ("overflow in nal size"));
> ++ return NULL;
> ++ }
> + buf = gst_buffer_new_and_alloc (size + nl + 4);
> + if (format == GST_H264_PARSE_FORMAT_AVC) {
> + GST_WRITE_UINT32_BE (GST_BUFFER_DATA (buf), size << (32 - 8 *
> nl));
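Review bot: The new guard in gst_h264_parse_wrap_nal tests `size > G_MAXUINT32 - nl`, but the allocation on the next line is `size + nl + 4`, so a size within 4 of that limit passes the check and the sum can still wrap to a small buffer. Suggest bounding the full expression, for example `if (size > G_MAXUINT32 - nl - 4)`. Separately, the debug line just above prints size with `%d`; if size is unsigned, `%u` would show oversized values correctly in the log.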
> +@@ -452,6 +457,11 @@ gst_h264_parse_process_nal (GstH264Parse
> + GST_DEBUG_OBJECT (h264parse, "not processing nal size %u", nalu
> ->size);
> + return;
> + }
> ++ if (G_UNLIKELY (nalu->size > 20 * 1024 * 1024)) {
> ++ GST_DEBUG_OBJECT (h264parse, "not processing nal size %u (too
> big)",
> ++ nalu->size);
> ++ return;
> ++ }
> +
> + /* we have a peek as well */
> + nal_type = nalu->type;
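Review bot: The size cap added to gst_h264_parse_process_nal uses the bare literal `20 * 1024 * 1024` and only emits GST_DEBUG_OBJECT before returning, whereas the overflow check in gst_h264_parse_wrap_nal raises GST_ELEMENT_ERROR. A named constant with a comment explaining why 20 MiB is the limit, plus a warning-level message (GST_WARNING_OBJECT), would make it visible in default logging when an oversized NAL unit is silently skipped.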
> diff --git a/meta/recipes-multimedia/gstreamer/gst-plugins
> -bad_0.10.23.bb b/meta/recipes-multimedia/gstreamer/gst-plugins
> -bad_0.10.23.bb
> index 0f64871..4d94483 100644
> --- a/meta/recipes-multimedia/gstreamer/gst-plugins-bad_0.10.23.bb
> +++ b/meta/recipes-multimedia/gstreamer/gst-plugins-bad_0.10.23.bb
> @@ -10,6 +10,8 @@ DEPENDS += "gst-plugins-base"
>
> PR = "r4"
>
> +SRC_URI += "file://buffer-overflow-mp4.patch"
> +
> inherit gettext gsettings
>
> EXTRA_OECONF += "--disable-experimental \
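Review bot: The file added to SRC_URI is named buffer-overflow-mp4.patch, which mentions neither CVE-2015-0797 nor the file it actually changes (gsth264parse.c). If keeping the Debian name is not a requirement for this backport, a name carrying the CVE id would make the fix easier to find when auditing the recipe; otherwise a one-line comment above the `SRC_URI +=` line naming the CVE would do.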
> --
> 1.9.1
>