diff options
Diffstat (limited to 'meta/recipes-multimedia')
34 files changed, 748 insertions, 209 deletions
diff --git a/meta/recipes-multimedia/alsa/alsa-tools_1.2.5.bb b/meta/recipes-multimedia/alsa/alsa-tools_1.2.5.bb index 540f4f79f4..e6fe83a186 100644 --- a/meta/recipes-multimedia/alsa/alsa-tools_1.2.5.bb +++ b/meta/recipes-multimedia/alsa/alsa-tools_1.2.5.bb @@ -71,6 +71,7 @@ python do_compile() { } python do_install() { + d.delVarFlag("autotools_do_install", "cleandirs") for subdir in d.getVar("PACKAGECONFIG").split(): subdir = subdir.replace("--", "/") bb.note("Installing %s" % subdir) diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch new file mode 100644 index 0000000000..ab3ecfecbb --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch @@ -0,0 +1,67 @@ +CVE: CVE-2021-38114 +Upstream-Status: Backport +Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com> + +From 463dbe4e78cc560ca5b09f23a07add0eb78ccee8 Mon Sep 17 00:00:00 2001 +From: maryam ebr <me22bee@outlook.com> +Date: Tue, 3 Aug 2021 01:05:47 -0400 +Subject: [PATCH] avcodec/dnxhddec: check and propagate function return value + +Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. +crafted DNxHD data can cause unspecified impact. + +Reviewed-by: Paul B Mahol <onemda@gmail.com> +Signed-off-by: James Almer <jamrial@gmail.com> +--- + libavcodec/dnxhddec.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c +index c78d55aee5..9b475a6979 100644 +--- a/libavcodec/dnxhddec.c ++++ b/libavcodec/dnxhddec.c +@@ -112,6 +112,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) + + static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) + { ++ int ret; + if (cid != ctx->cid) { + const CIDEntry *cid_table = ff_dnxhd_get_cid_table(cid); + +@@ -132,19 +133,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) + ff_free_vlc(&ctx->dc_vlc); + ff_free_vlc(&ctx->run_vlc); + +- init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ++ if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + ctx->cid_table->ac_bits, 1, 1, +- ctx->cid_table->ac_codes, 2, 2, 0); +- init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ++ ctx->cid_table->ac_codes, 2, 2, 0)) < 0) ++ goto out; ++ if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->dc_bits, 1, 1, +- ctx->cid_table->dc_codes, 1, 1, 0); +- init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ++ ctx->cid_table->dc_codes, 1, 1, 0)) < 0) ++ goto out; ++ if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->run_bits, 1, 1, +- ctx->cid_table->run_codes, 2, 2, 0); ++ ctx->cid_table->run_codes, 2, 2, 0)) < 0) ++ goto out; + + ctx->cid = cid; + } +- return 0; ++ ret = 0; ++out: ++ if (ret < 0) ++ av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); ++ return ret; + } + + static int dnxhd_get_profile(int cid) +-- +2.31.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 0c6af6549d..c0318ef01d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -31,7 +31,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-22021.patch \ file://fix-CVE-2020-22033-CVE-2020-22019.patch \ file://fix-CVE-2021-33815.patch \ - file://fix-CVE-2021-38171.patch \ + file://fix-CVE-2021-38171.patch \ + file://fix-CVE-2021-38114.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.6.bb index be554a6a14..4f4ded8d24 100644 --- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.18.6.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "ffbd194c40912cb5e7fca2863648bf9dd8257b7af97d3a60c4fcd4efd8526ccf" +SRC_URI[sha256sum] = "3725622c740a635452e54b79d065f963ab7706ca2403de6c43072ae7610a0de4" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/meta/recipes-multimedia/gstreamer/gst-examples_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gst-examples_1.18.6.bb index 9d8fef86ed..2a7a3c3111 100644 --- a/meta/recipes-multimedia/gstreamer/gst-examples_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gst-examples_1.18.6.bb @@ -12,7 +12,7 @@ SRC_URI = "git://gitlab.freedesktop.org/gstreamer/gst-examples.git;protocol=http file://gst-player.desktop \ " -SRCREV = "959bb246a5b1f5f9c78557da11c3f22b42ff89c0" +SRCREV = "70e4fcf4fc8ae19641aa990de5f37d758cdfcea4" S = "${WORKDIR}/git" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.6.bb index 0c4f50c564..d46342285d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.18.6.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6762ed442b3822387a51c92d928ead0d \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "344a463badca216c2cef6ee36f9510c190862bdee48dc4591c0a430df7e8c396" +SRC_URI[sha256sum] = "e4e50dcd5a29441ae34de60d2221057e8064ed824bb6ca4dc0fd9ee88fbe9b81" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.6.bb index 7baccfe288..a220d677aa 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.18.6.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "e35051cf891eb2f31d6fcf176ff37d985f97f33874ac31b0b3ad3b5b95035043" +SRC_URI[sha256sum] = "b5281c938e959fd2418e989cfb6065fdd9fe5f6f87ee86236c9427166e708163" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.6.bb index 81c8391213..df148c0aff 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.18.6.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ file://0005-msdk-fix-includedir-path.patch \ " -SRC_URI[sha256sum] = "74e806bc5595b18c70e9ca93571e27e79dfb808e5d2e7967afa952b52e99c85f" +SRC_URI[sha256sum] = "0b1b50ac6311f0c510248b6cd64d6d3c94369344828baa602db85ded5bc70ec9" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/4ef5c91697a141fea7317aff7f0f28e5a861db99.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/4ef5c91697a141fea7317aff7f0f28e5a861db99.patch deleted file mode 100644 index a2f5dff5e9..0000000000 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/4ef5c91697a141fea7317aff7f0f28e5a861db99.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 4ef5c91697a141fea7317aff7f0f28e5a861db99 Mon Sep 17 00:00:00 2001 -From: Xavier Claessens <xavier.claessens@collabora.com> -Date: Mon, 26 Apr 2021 14:25:03 -0400 -Subject: [PATCH] gstgl: Fix build when Meson >= 0.58.0rc1 - -"implicit_include_directories: false" now also means that current build -directory is not added to include paths by default any more. We have to -add it manually because we have some custom_target() that generate -headers in current build directory. - -See https://github.com/mesonbuild/meson/issues/8700. - -Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1125> -Upstream-Status: Backport -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - gst-libs/gst/gl/meson.build | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/gst-libs/gst/gl/meson.build b/gst-libs/gst/gl/meson.build -index 66668644e..53891625a 100644 ---- a/gst-libs/gst/gl/meson.build -+++ b/gst-libs/gst/gl/meson.build -@@ -1004,11 +1004,20 @@ if build_gstgl - command : [mkenums, glib_mkenums, '@OUTPUT@', '@INPUT@']) - gen_sources = [gl_enumtypes_h] - -+ common_args = gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL'] -+ -+ # We have custom_target() that generate headers in the current build dir, -+ # but with implicit_include_directories: false, meson >= 0.58.0 won't include -+ # it by default. We cannot use include_directories('.') here because it would -+ # also include current source dir which is what we want to avoid because -+ # case-insensitive FS would include gst-libs/gl/egl/egl.h as EGL/egl.h. -+ common_args += '-I@0@'.format(meson.current_build_dir()) -+ - gstgl = library('gstgl-' + api_version, - gl_sources, gl_egl_sources, gl_x11_sources, gl_wayland_sources, gl_priv_sources, gl_enumtypes_c, gl_enumtypes_h, -- c_args : gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL'], -- cpp_args : gst_plugins_base_args + gl_cpp_args + ['-DBUILDING_GST_GL'], -- objc_args : gst_plugins_base_args + gl_cpp_args + gl_objc_args + ['-DBUILDING_GST_GL'], -+ c_args : common_args, -+ cpp_args : common_args, -+ objc_args : common_args + gl_objc_args, - include_directories : [configinc, libsinc, gl_includes], - version : libversion, - soversion : soversion, --- -GitLab - diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.6.bb index 90a8d7dfbb..e20145ea8d 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.6.bb @@ -11,9 +11,8 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ file://0004-glimagesink-Downrank-to-marginal.patch \ - file://4ef5c91697a141fea7317aff7f0f28e5a861db99.patch \ " -SRC_URI[sha256sum] = "29e53229a84d01d722f6f6db13087231cdf6113dd85c25746b9b58c3d68e8323" +SRC_URI[sha256sum] = "56a9ff2fe9e6603b9e658cf6897d412a173d2180829fe01e92568549c6bd0f5b" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-rtpjitterbuffer-Fix-parsing-of-the-mediaclk-direct-f.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-rtpjitterbuffer-Fix-parsing-of-the-mediaclk-direct-f.patch deleted file mode 100644 index 14a9fe23aa..0000000000 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0002-rtpjitterbuffer-Fix-parsing-of-the-mediaclk-direct-f.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ec1949dffd931d0ec7e4f67108a08ab1e2af0cfe Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> -Date: Tue, 16 Mar 2021 19:25:36 +0200 -Subject: [PATCH] rtpjitterbuffer: Fix parsing of the mediaclk:direct= field - -Due to an off-by-one when parsing the string, the most significant digit -or the clock offset was skipped when parsing the offset. - -Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/910> - -Upstream-Status: Backport [b5bb4ede3a42273fafc1054f9cf106ca527e3c26] - -Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> ---- - gst/rtpmanager/gstrtpjitterbuffer.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/gst/rtpmanager/gstrtpjitterbuffer.c b/gst/rtpmanager/gstrtpjitterbuffer.c -index 60d8ad875..02fe15adc 100644 ---- a/gst/rtpmanager/gstrtpjitterbuffer.c -+++ b/gst/rtpmanager/gstrtpjitterbuffer.c -@@ -1534,7 +1534,7 @@ gst_jitter_buffer_sink_parse_caps (GstRtpJitterBuffer * jitterbuffer, - GST_DEBUG_OBJECT (jitterbuffer, "Got media clock %s", mediaclk); - - if (!g_str_has_prefix (mediaclk, "direct=") || -- !g_ascii_string_to_unsigned (&mediaclk[8], 10, 0, G_MAXUINT64, -+ !g_ascii_string_to_unsigned (&mediaclk[7], 10, 0, G_MAXUINT64, - &clock_offset, NULL)) - GST_FIXME_OBJECT (jitterbuffer, "Unsupported media clock"); - if (strstr (mediaclk, "rate=") != NULL) { --- -2.31.0 - diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-Remove-volatile-from-static-vars-to-fix-build-with-g.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-Remove-volatile-from-static-vars-to-fix-build-with-g.patch deleted file mode 100644 index 87223826c6..0000000000 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/0003-Remove-volatile-from-static-vars-to-fix-build-with-g.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 07572920319ea86cebb6dd073ab65915ec207eed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@gmail.com> -Date: Sat, 8 May 2021 14:08:41 +0200 -Subject: [PATCH] Remove volatile from static vars to fix build with gcc11 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Stolen from [1] - -[1] https://src.fedoraproject.org/rpms/gstreamer1-plugins-good/blob/rawhide/f/gstreamer1-plugins-good-gcc11.patch - -Upstream-Status: Pending - -Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> ---- - ext/qt/gstqsgtexture.cc | 2 +- - ext/qt/gstqtglutility.cc | 2 +- - ext/qt/qtglrenderer.cc | 2 +- - ext/qt/qtitem.cc | 2 +- - ext/qt/qtwindow.cc | 4 ++-- - 5 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ext/qt/gstqsgtexture.cc b/ext/qt/gstqsgtexture.cc -index 4cc9fc6..50c8d7f 100644 ---- a/ext/qt/gstqsgtexture.cc -+++ b/ext/qt/gstqsgtexture.cc -@@ -35,7 +35,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT); - - GstQSGTexture::GstQSGTexture () - { -- static volatile gsize _debug; -+ static gsize _debug; - - initializeOpenGLFunctions(); - -diff --git a/ext/qt/gstqtglutility.cc b/ext/qt/gstqtglutility.cc -index acb89b6..d2c0922 100644 ---- a/ext/qt/gstqtglutility.cc -+++ b/ext/qt/gstqtglutility.cc -@@ -66,7 +66,7 @@ gst_qt_get_gl_display () - { - GstGLDisplay *display = NULL; - QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ()); -- static volatile gsize _debug; -+ static gsize _debug; - - g_assert (app != NULL); - -diff --git a/ext/qt/qtglrenderer.cc b/ext/qt/qtglrenderer.cc -index 2ad5601..bffba8f 100644 ---- a/ext/qt/qtglrenderer.cc -+++ b/ext/qt/qtglrenderer.cc -@@ -22,7 +22,7 @@ GST_DEBUG_CATEGORY_STATIC (GST_CAT_DEFAULT); - static void - init_debug (void) - { -- static volatile gsize _debug; -+ static gsize _debug; - - if (g_once_init_enter (&_debug)) { - GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglrenderer", 0, -diff --git a/ext/qt/qtitem.cc b/ext/qt/qtitem.cc -index 7659800..bc99639 100644 ---- a/ext/qt/qtitem.cc -+++ b/ext/qt/qtitem.cc -@@ -104,7 +104,7 @@ void InitializeSceneGraph::run() - - QtGLVideoItem::QtGLVideoItem() - { -- static volatile gsize _debug; -+ static gsize _debug; - - if (g_once_init_enter (&_debug)) { - GST_DEBUG_CATEGORY_INIT (GST_CAT_DEFAULT, "qtglwidget", 0, "Qt GL Widget"); -diff --git a/ext/qt/qtwindow.cc b/ext/qt/qtwindow.cc -index 0dfd3f1..f1bd4ae 100644 ---- a/ext/qt/qtwindow.cc -+++ b/ext/qt/qtwindow.cc -@@ -103,7 +103,7 @@ QtGLWindow::QtGLWindow ( QWindow * parent, QQuickWindow *src ) : - QQuickWindow( parent ), source (src) - { - QGuiApplication *app = static_cast<QGuiApplication *> (QCoreApplication::instance ()); -- static volatile gsize _debug; -+ static gsize _debug; - - g_assert (app != NULL); - -@@ -152,7 +152,7 @@ QtGLWindow::beforeRendering() - - g_mutex_lock (&this->priv->lock); - -- static volatile gsize once = 0; -+ static gsize once = 0; - if (g_once_init_enter(&once)) { - this->priv->start = QDateTime::currentDateTime().toMSecsSinceEpoch(); - g_once_init_leave(&once,1); --- -2.30.2 - diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.6.bb index a90594ade5..a43b8095c5 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.18.6.bb @@ -6,11 +6,9 @@ BUGTRACKER = "https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-${PV}.tar.xz \ file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ - file://0002-rtpjitterbuffer-Fix-parsing-of-the-mediaclk-direct-f.patch \ - file://0003-Remove-volatile-from-static-vars-to-fix-build-with-g.patch \ " -SRC_URI[sha256sum] = "b6e50e3a9bbcd56ee6ec71c33aa8332cc9c926b0c1fae995aac8b3040ebe39b0" +SRC_URI[sha256sum] = "26723ac01fcb360ade1f41d168c7c322d8af4ceb7e55c8c12ed2690d06a76eed" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.6.bb index 817dffe839..5b31627141 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.18.6.bb @@ -13,7 +13,7 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "218df0ce0d31e8ca9cdeb01a3b0c573172cc9c21bb3d41811c7820145623d13c" +SRC_URI[sha256sum] = "4969c409cb6a88317d2108b8577108e18623b2333d7b587ae3f39459c70e3a7f" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.6.bb index 2fd73cb389..c80c3928eb 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.18.6.bb @@ -8,7 +8,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "cb68e08a7e825e08b83a12a22dcd6e4f1b328a7b02a7ac84f42f68f4ddc7098e" +SRC_URI[sha256sum] = "bdc0ea22fbd7335ad9decc151561aacc53c51206a9735b81eac700ce5b0bbd4a" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.6.bb index f7bfe98985..f105713f33 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.6.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "a46bb8de40b971a048580279d2660e616796f871ad3ed00c8a95fe4d273a6c94" +SRC_URI[sha256sum] = "826f32afbcf94b823541efcac4a0dacdb62f6145ef58f363095749f440262be9" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.6.bb index 5c9025fbb6..f3255e5554 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.18.6.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "92db98af86f3150d429c9ab17e88d2364f9c07a140c8f445ed739e8f10252aea" +SRC_URI[sha256sum] = "ab6270f1e5e4546fbe6f5ea246d86ca3d196282eb863d46e6cdcc96f867449e0" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0002-Remove-unused-valgrind-detection.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0002-Remove-unused-valgrind-detection.patch index 96abef17b0..5121044734 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0002-Remove-unused-valgrind-detection.patch +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0002-Remove-unused-valgrind-detection.patch @@ -1,4 +1,4 @@ -From 598d108e2c438d8f2ecd3bf948fa3ebbd3681490 Mon Sep 17 00:00:00 2001 +From e275ba2bd854ac15a4b65a8f07d9f042021950da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com> Date: Fri, 14 Aug 2020 16:38:26 +0100 Subject: [PATCH 2/3] Remove unused valgrind detection @@ -19,7 +19,7 @@ Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> 3 files changed, 42 deletions(-) diff --git a/gst/gst_private.h b/gst/gst_private.h -index eefd044d9..8252ede51 100644 +index eefd044..8252ede 100644 --- a/gst/gst_private.h +++ b/gst/gst_private.h @@ -116,8 +116,6 @@ G_GNUC_INTERNAL gboolean _priv_plugin_deps_env_vars_changed (GstPlugin * plugin @@ -32,12 +32,12 @@ index eefd044d9..8252ede51 100644 G_GNUC_INTERNAL void _priv_gst_quarks_initialize (void); G_GNUC_INTERNAL void _priv_gst_mini_object_initialize (void); diff --git a/gst/gstinfo.c b/gst/gstinfo.c -index 5d317877b..097f8b20d 100644 +index eea1a21..d3035d6 100644 --- a/gst/gstinfo.c +++ b/gst/gstinfo.c @@ -305,36 +305,6 @@ static gboolean pretty_tags = PRETTY_TAGS_DEFAULT; - static volatile gint G_GNUC_MAY_ALIAS __default_level = GST_LEVEL_DEFAULT; - static volatile gint G_GNUC_MAY_ALIAS __use_color = GST_DEBUG_COLOR_MODE_ON; + static gint G_GNUC_MAY_ALIAS __default_level = GST_LEVEL_DEFAULT; + static gint G_GNUC_MAY_ALIAS __use_color = GST_DEBUG_COLOR_MODE_ON; -/* FIXME: export this? */ -gboolean @@ -82,7 +82,7 @@ index 5d317877b..097f8b20d 100644 env = g_getenv ("GST_DEBUG_OPTIONS"); if (env != NULL) { if (strstr (env, "full_tags") || strstr (env, "full-tags")) -@@ -2503,12 +2470,6 @@ gst_debug_construct_win_color (guint colorinfo) +@@ -2505,12 +2472,6 @@ gst_debug_construct_win_color (guint colorinfo) return 0; } @@ -96,7 +96,7 @@ index 5d317877b..097f8b20d 100644 _gst_debug_dump_mem (GstDebugCategory * cat, const gchar * file, const gchar * func, gint line, GObject * obj, const gchar * msg, diff --git a/meson.build b/meson.build -index ce1921aa4..7a84d0981 100644 +index 82a1728..42ae617 100644 --- a/meson.build +++ b/meson.build @@ -200,7 +200,6 @@ check_headers = [ diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.4.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.6.bb index ee418322ad..4bf89ed109 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.4.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.18.6.bb @@ -25,7 +25,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0006-tests-use-a-dictionaries-for-environment.patch \ file://0007-tests-install-the-environment-for-installed_tests.patch \ " -SRC_URI[sha256sum] = "9aeec99b38e310817012aa2d1d76573b787af47f8a725a65b833880a094dfbc5" +SRC_URI[sha256sum] = "4ec816010dd4d3a93cf470ad0a6f25315f52b204eb1d71dfa70ab8a1c3bd06e6" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch new file mode 100644 index 0000000000..b0ff1a0885 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-4156.patch @@ -0,0 +1,32 @@ +From 5adbc377cd90aa40f0cd56ae325ca70065a8aa19 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 13 Jan 2022 16:45:59 +0800 +Subject: [PATCH] flac: Fix improper buffer reusing + +CVE: CVE-2021-4156.patch +Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/issues/731] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/flac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/flac.c b/src/flac.c +index 0be82ac..6548bba 100644 +--- a/src/flac.c ++++ b/src/flac.c +@@ -952,7 +952,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len) + /* Decode some more. */ + while (pflac->pos < pflac->len) + { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0) ++ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ; ++ /* Current frame is busted, so NULL the pointer. */ ++ pflac->frame = NULL ; + break ; ++ } + state = FLAC__stream_decoder_get_state (pflac->fsd) ; + if (state >= FLAC__STREAM_DECODER_END_OF_STREAM) + { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ; +-- +2.17.1 + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index 443ca95e32..884d680fbe 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -20,6 +20,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://CVE-2017-12562.patch \ file://CVE-2018-19758.patch \ file://CVE-2019-3832.patch \ + file://CVE-2021-4156.patch \ " SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c" diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch new file mode 100644 index 0000000000..f1a4ab4251 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch @@ -0,0 +1,38 @@ +CVE: CVE-2022-0865 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple + IFD in memory-mapped mode and when bit reversal is needed (fixes #385) + +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 74086338..8bfa4cef 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch new file mode 100644 index 0000000000..72776f09ba --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch @@ -0,0 +1,43 @@ +CVE: CVE-2022-22844 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Tue, 25 Jan 2022 16:25:28 +0000 +Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where + count is required (fixes #355) + +--- + tools/tiffset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 8c9e23c5..e7a88c09 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -146,9 +146,19 @@ main(int argc, char* argv[]) + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s\n", +- TIFFFieldName(fip), argv[arg_index] ); ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = strlen(argv[arg_index]) + 1; ++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16_t)len, argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s\n", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; +-- +2.25.1 diff --git a/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch new file mode 100644 index 0000000000..812ffb232d --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch @@ -0,0 +1,219 @@ +CVE: CVE-2022-0891 +CVE: CVE-2022-1056 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection + +--- + tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 56 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b85c2ce7..302a7e91 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6710,10 +6710,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6723,7 +6723,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6741,17 +6740,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6761,9 +6755,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6776,10 +6775,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6792,14 +6790,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6811,12 +6807,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6840,11 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6863,8 +6860,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6880,36 +6879,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7062,7 +7042,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch new file mode 100644 index 0000000000..a0b856b9e1 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch @@ -0,0 +1,93 @@ +CVE: CVE-2022-0907 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001 +From: Augustus <wangdw.augustus@qq.com> +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392) + +--- + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 302a7e91..e407bf51 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + if (!sect_buff) + { + sect_buff = (unsigned char *)limitMalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (!crop_buff) + { + crop_buff = (unsigned char *)limitMalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch new file mode 100644 index 0000000000..719dabaecc --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch @@ -0,0 +1,33 @@ +CVE: CVE-2022-0908 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #383) + +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index d84147a0..4e8ce729 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ } + o[(uint32_t)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch new file mode 100644 index 0000000000..64dbe9ef92 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch @@ -0,0 +1,36 @@ +CVE: CVE-2022-0909 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393) + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index a6c254fc..77da6ea4 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch new file mode 100644 index 0000000000..afd5e59960 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch @@ -0,0 +1,57 @@ +CVE: CVE-2022-0924 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 1f889516..552d8fad 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch new file mode 100644 index 0000000000..0b41dde606 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch @@ -0,0 +1,30 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +Upstream-Status: Backport +CVE: CVE-2022-0562 + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch new file mode 100644 index 0000000000..74f9649fdf --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch @@ -0,0 +1,32 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +Upstream-Status: Backport +CVE: CVE-2022-0561 + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 6852758c6a..0a82f0d780 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -9,7 +9,17 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf" CVE_PRODUCT = "libtiff" SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ - " + file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ + file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ + file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ + file://0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch \ + file://0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch \ + file://0003-add-checks-for-return-value-of-limitMalloc-392.patch \ + file://0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch \ + file://0005-fix-the-FPE-in-tiffcrop-393.patch \ + file://0006-fix-heap-buffer-overflow-in-tiffcp-278.patch \ + " + SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" # exclude betas diff --git a/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch new file mode 100644 index 0000000000..eb16e95ffc --- /dev/null +++ b/meta/recipes-multimedia/speex/speex/CVE-2020-23903.patch @@ -0,0 +1,30 @@ +Backport patch to fix CVE-2020-23903. + +CVE: CVE-2020-23903 +Upstream-Status: Backport [https://github.com/xiph/speex/commit/870ff84] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 870ff845b32f314aec0036641ffe18aba4916887 Mon Sep 17 00:00:00 2001 +From: Tristan Matthews <tmatth@videolan.org> +Date: Mon, 13 Jul 2020 23:25:03 -0400 +Subject: [PATCH] wav_io: guard against invalid channel numbers + +Fixes #13 +--- + src/wav_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wav_io.c b/src/wav_io.c +index b5183015..09d62eb0 100644 +--- a/src/wav_io.c ++++ b/src/wav_io.c +@@ -111,7 +111,7 @@ int read_wav_header(FILE *file, int *rate, int *channels, int *format, spx_int32 + stmp = le_short(stmp); + *channels = stmp; + +- if (stmp>2) ++ if (stmp>2 || stmp<1) + { + fprintf (stderr, "Only mono and (intensity) stereo supported\n"); + return -1; diff --git a/meta/recipes-multimedia/speex/speex_1.2.0.bb b/meta/recipes-multimedia/speex/speex_1.2.0.bb index 3a0911d6f8..ea475f0f1b 100644 --- a/meta/recipes-multimedia/speex/speex_1.2.0.bb +++ b/meta/recipes-multimedia/speex/speex_1.2.0.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=314649d8ba9dd7045dfb6683f298d0a8 \ file://include/speex/speex.h;beginline=1;endline=34;md5=ef8c8ea4f7198d71cf3509c6ed05ea50" DEPENDS = "libogg speexdsp" -SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz" +SRC_URI = "http://downloads.xiph.org/releases/speex/speex-${PV}.tar.gz \ + file://CVE-2020-23903.patch \ + " UPSTREAM_CHECK_REGEX = "speex-(?P<pver>\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "8ab7bb2589110dfaf0ed7fa7757dc49c" diff --git a/meta/recipes-multimedia/x264/x264_git.bb b/meta/recipes-multimedia/x264/x264_git.bb index 9f23794df1..c49e935d1c 100644 --- a/meta/recipes-multimedia/x264/x264_git.bb +++ b/meta/recipes-multimedia/x264/x264_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "nasm-native" -SRC_URI = "git://github.com/mirror/x264;branch=stable \ +SRC_URI = "git://github.com/mirror/x264;branch=stable;protocol=https \ file://don-t-default-to-cortex-a9-with-neon.patch \ file://Fix-X32-build-by-disabling-asm.patch \ " |