From b9153ed9546ab00eb78c30899a62d3e868a7a778 Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Mon, 3 Jul 2017 17:01:40 +0200
Subject: [PATCH] vlc: add upstream security patches fixing CVE-2017-10699

avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution.

https://trac.videolan.org/vlc/ticket/18467

Signed-off-by: Peter Korsgaard
---
 ...-avcodec-check-avcodec-visible-sizes.patch | 33 +++++++++++++++++++
 ...ck-visible-size-when-creating-buffer.patch | 33 +++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch
 create mode 100644 package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch

diff --git a/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch b/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch
new file mode 100644
index 0000000000..41a5e25d38
--- /dev/null
+++ b/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch
@@ -0,0 +1,33 @@
+From 6cc73bcad19da2cd2e95671173f2e0d203a57e9b Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie
+Date: Thu, 29 Jun 2017 09:45:20 +0200
+Subject: [PATCH] codec: avcodec: check avcodec visible sizes
+
+refs #18467
+
+Signed-off-by: Peter Korsgaard
+---
+ modules/codec/avcodec/video.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/modules/codec/avcodec/video.c b/modules/codec/avcodec/video.c
+index 1bcad21..ce52544 100644
+--- a/modules/codec/avcodec/video.c
++++ b/modules/codec/avcodec/video.c
+@@ -137,9 +137,11 @@ static inline picture_t *ffmpeg_NewPictBuf( decoder_t *p_dec,
+ }
+
+
+- if( width == 0 || height == 0 || width > 8192 || height > 8192 )
++ if( width == 0 || height == 0 || width > 8192 || height > 8192 ||
++ width < p_context->width || height < p_context->height )
+ {
+- msg_Err( p_dec, "Invalid frame size %dx%d.", width, height );
++ msg_Err( p_dec, "Invalid frame size %dx%d. vsz %dx%d",
++ width, height, p_context->width, p_context->height );
+ return NULL; /* invalid display size */
+ }
+ p_dec->fmt_out.video.i_width = width;
+--
+2.1.4
+
diff --git a/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch b/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch
new file mode 100644
index 0000000000..a16dcf0e97
--- /dev/null
+++ b/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch
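Review bot: The condition added to ffmpeg_NewPictBuf in 0013-codec-avcodec-check-avcodec-visible-sizes.patch bounds the visible size only from above, so a zero or negative `p_context->width` or `p_context->height` still passes whenever the buffer size itself is accepted. Assuming both operands are plain `int`, as the `%d` conversions suggest, the guard could also reject them with `p_context->width <= 0 || p_context->height <= 0 ||`. Whether libavcodec can report such values at this point is not visible in the hunk, so this should be confirmed against the caller before changing anything. The log label `vsz` is not explained nearby; `"Invalid frame size %dx%d (visible %dx%d)"` would be easier to act on when it appears in a crash report. ffmpeg_NewPictBuf starts and ends outside the hunk.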
@@ -0,0 +1,33 @@
+From a38a85db58c569cc592d9380cc07096757ef3d49 Mon Sep 17 00:00:00 2001
+From: Francois Cartegnie
+Date: Thu, 29 Jun 2017 11:09:02 +0200
+Subject: [PATCH] decoder: check visible size when creating buffer
+
+early reject invalid visible size
+mishandled by filters.
+
+refs #18467
+
+Signed-off-by: Peter Korsgaard
+---
+ src/input/decoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/input/decoder.c b/src/input/decoder.c
+index 2c0823f..a216165 100644
+--- a/src/input/decoder.c
++++ b/src/input/decoder.c
+@@ -2060,7 +2060,9 @@ static picture_t *vout_new_buffer( decoder_t *p_dec )
+ vout_thread_t *p_vout;
+
+ if( !p_dec->fmt_out.video.i_width ||
+- !p_dec->fmt_out.video.i_height )
++ !p_dec->fmt_out.video.i_height ||
++ p_dec->fmt_out.video.i_width < p_dec->fmt_out.video.i_visible_width ||
++ p_dec->fmt_out.video.i_height < p_dec->fmt_out.video.i_visible_height )
+ {
+ /* Can't create a new vout without display size */
+ return NULL;
+--
+2.1.4
+
--
2.30.2
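Review bot: The new comparisons in vout_new_buffer (0014-decoder-check-visible-size-when-creating-buffer.patch) ignore the crop offsets, so a visible rectangle that fits by size can still extend past the buffer when `i_x_offset` or `i_y_offset` is non-zero. Because the size comparison has already passed by then, a subtraction form avoids wrap-around: `p_dec->fmt_out.video.i_x_offset > p_dec->fmt_out.video.i_width - p_dec->fmt_out.video.i_visible_width ||`, with the matching line for `i_y_offset`, `i_height` and `i_visible_height`. Whether a decoder can set a non-zero offset before this call is not visible here, so treat it as a check to confirm. The retained comment `/* Can't create a new vout without display size */` no longer describes every rejected case; `/* Reject a missing display size or a visible size larger than it */` would match the condition. The function body continues outside the hunk.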