From patchwork Mon Jul 3 15:01:40 2017
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 783514
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Mon, 3 Jul 2017 17:01:40 +0200
Message-Id: <20170703150140.20387-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] vlc: add upstream security patches fixing CVE-2017-10699

avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution.

https://trac.videolan.org/vlc/ticket/18467

Signed-off-by: Peter Korsgaard

--- ...codec-avcodec-check-avcodec-visible-sizes.patch | 33 ++++++++++++++++++++++ ...r-check-visible-size-when-creating-buffer.patch | 33 ++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch create mode 100644 package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch diff --git a/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch b/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch new file mode 100644 index 0000000000..41a5e25d38 --- /dev/null +++ b/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch 
@@ -0,0 +1,33 @@ +From 6cc73bcad19da2cd2e95671173f2e0d203a57e9b Mon Sep 17 00:00:00 2001 +From: Francois Cartegnie +Date: Thu, 29 Jun 2017 09:45:20 +0200 +Subject: [PATCH] codec: avcodec: check avcodec visible sizes + +refs #18467 + +Signed-off-by: Peter Korsgaard +--- + modules/codec/avcodec/video.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/modules/codec/avcodec/video.c b/modules/codec/avcodec/video.c +index 1bcad21..ce52544 100644 +--- a/modules/codec/avcodec/video.c ++++ b/modules/codec/avcodec/video.c +@@ -137,9 +137,11 @@ static inline picture_t *ffmpeg_NewPictBuf( decoder_t *p_dec, + } + + +- if( width == 0 || height == 0 || width > 8192 || height > 8192 ) ++ if( width == 0 || height == 0 || width > 8192 || height > 8192 || ++ width < p_context->width || height < p_context->height ) + { +- msg_Err( p_dec, "Invalid frame size %dx%d.", width, height ); ++ msg_Err( p_dec, "Invalid frame size %dx%d. vsz %dx%d", ++ width, height, p_context->width, p_context->height ); + return NULL; /* invalid display size */ + } + p_dec->fmt_out.video.i_width = width; +-- +2.1.4 + diff --git a/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch b/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch new file mode 100644 index 0000000000..a16dcf0e97 --- /dev/null +++ b/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch 
@@ -0,0 +1,33 @@ +From a38a85db58c569cc592d9380cc07096757ef3d49 Mon Sep 17 00:00:00 2001 +From: Francois Cartegnie +Date: Thu, 29 Jun 2017 11:09:02 +0200 +Subject: [PATCH] decoder: check visible size when creating buffer + +early reject invalid visible size +mishandled by filters. + +refs #18467 + +Signed-off-by: Peter Korsgaard +--- + src/input/decoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/input/decoder.c b/src/input/decoder.c +index 2c0823f..a216165 100644 +--- a/src/input/decoder.c ++++ b/src/input/decoder.c +@@ -2060,7 +2060,9 @@ static picture_t *vout_new_buffer( decoder_t *p_dec ) + vout_thread_t *p_vout; + + if( !p_dec->fmt_out.video.i_width || +- !p_dec->fmt_out.video.i_height ) ++ !p_dec->fmt_out.video.i_height || ++ p_dec->fmt_out.video.i_width < p_dec->fmt_out.video.i_visible_width || ++ p_dec->fmt_out.video.i_height < p_dec->fmt_out.video.i_visible_height ) + { + /* Can't create a new vout without display size */ + return NULL; +-- +2.1.4 +
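Review bot: In the msg_Err() call of the ffmpeg_NewPictBuf() hunk carried by 0013, the added text "vsz %dx%d" is an unexplained abbreviation, and the message does not say that the frame was rejected for being smaller than p_context->width / p_context->height. This log line is what someone triaging a stream rejected by the CVE-2017-10699 fix will see, so it would read better spelled out, for example "Invalid frame size %dx%d (visible size %dx%d)". The trailing comment /* invalid display size */ on the return also no longer describes the newly added case.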
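Review bot: The widened condition in the vout_new_buffer() hunk carried by 0014 returns NULL for i_width < i_visible_width or i_height < i_visible_height without logging anything, and the comment inside the block still reads "Can't create a new vout without display size", which only describes the original zero-size test. The equivalent rejection in 0013 logs the offending dimensions; doing the same here, and extending the comment to mention the visible-size check, would let a stream dropped by this guard be told apart from one with zero dimensions.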