diff options
Diffstat (limited to 'meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch')
| -rw-r--r-- | meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch new file mode 100644 index 0000000000..3c8d8e353e --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/gst-ffmpeg-CVE-2013-0855.patch @@ -0,0 +1,100 @@ +gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 + +Upstream-Status: Backport + +Signed-off-by: Yue Tao <yue.tao@windriver.com> + +diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c +index 2a0df8c..bcbd56d 100644 +--- a/gst-libs/ext/libav/libavcodec/alac.c.old ++++ b/gst-libs/ext/libav/libavcodec/alac.c +@@ -87,18 +87,44 @@ typedef struct { + int wasted_bits; + } ALACContext; + +-static void allocate_buffers(ALACContext *alac) ++static av_cold int alac_decode_close(AVCodecContext *avctx) ++{ ++ ALACContext *alac = avctx->priv_data; ++ ++ int chan; ++ for (chan = 0; chan < MAX_CHANNELS; chan++) { ++ av_freep(&alac->predicterror_buffer[chan]); ++ av_freep(&alac->outputsamples_buffer[chan]); ++ av_freep(&alac->wasted_bits_buffer[chan]); ++ } ++ ++ return 0; ++} ++ ++static int allocate_buffers(ALACContext *alac) + { + int chan; ++ int buf_size; ++ ++ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t)) ++ goto buf_alloc_fail; ++ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t); ++ + for (chan = 0; chan < MAX_CHANNELS; chan++) { +- alac->predicterror_buffer[chan] = +- av_malloc(alac->setinfo_max_samples_per_frame * 4); + +- alac->outputsamples_buffer[chan] = +- av_malloc(alac->setinfo_max_samples_per_frame * 4); ++ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan], ++ buf_size, buf_alloc_fail); + +- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4); ++ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan], ++ buf_size, buf_alloc_fail); ++ ++ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan], ++ buf_size, buf_alloc_fail); + } ++ return 0; ++buf_alloc_fail: ++ alac_decode_close(alac->avctx); ++ return AVERROR(ENOMEM); + } + + static int alac_set_info(ALACContext *alac) +@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac) + bytestream_get_be32(&ptr); /* bitrate ? */ + bytestream_get_be32(&ptr); /* samplerate */ + +- allocate_buffers(alac); +- + return 0; + } + +@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx, + + static av_cold int alac_decode_init(AVCodecContext * avctx) + { ++ int ret; + ALACContext *alac = avctx->priv_data; + alac->avctx = avctx; + alac->numchannels = alac->avctx->channels; +@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) + return -1; + } + +- return 0; +-} +- +-static av_cold int alac_decode_close(AVCodecContext *avctx) +-{ +- ALACContext *alac = avctx->priv_data; +- +- int chan; +- for (chan = 0; chan < MAX_CHANNELS; chan++) { +- av_freep(&alac->predicterror_buffer[chan]); +- av_freep(&alac->outputsamples_buffer[chan]); +- av_freep(&alac->wasted_bits_buffer[chan]); ++ if ((ret = allocate_buffers(alac)) < 0) { ++ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n"); ++ return ret; + } + + return 0; |