main/ffmpeg: security fixes (CVE-2011-3362, CVE-2011-3973)

fixes #829
2026-05-04 20:06:43 +02:00 · 2011-11-21 16:15:29 +00:00 · 2011-11-21 16:15:29 +00:00 · 31665f01dd
commit 31665f01dd
parent 338da40764
3 changed files with 105 additions and 3 deletions
--- a/main/ffmpeg/APKBUILD
+++ b/main/ffmpeg/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ffmpeg
 pkgver=0.6.1
-pkgrel=2
+pkgrel=3
 pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
 url="http://ffmpeg.mplayerhq.hu/"
 license="GPL"
@ -10,14 +10,19 @@ makedepends="lame-dev libvorbis-dev faad2-dev faac-dev xvidcore-dev zlib-dev
 	imlib2-dev x264-dev libtheora-dev coreutils bzip2-dev perl libvpx-dev"
 depends=
 source="http://ffmpeg.org/releases/ffmpeg-$pkgver.tar.bz2
+	cve-2011-3362.patch
 	cve-2011-3504.patch
+	cve-2011-3973.patch
 	pic.patch"

 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	cd "$_builddir"
-	patch -p1 -i "$srcdir"/pic.patch || return 1
-	patch -p1 -i "$srcdir"/cve-2011-3504.patch || return 1
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
 }

 build() {
@ -54,5 +59,7 @@ package() {
 #	strip --strip-debug "$pkgdir"/usr/lib/*.a || return 1
 }
 md5sums="4f5d732d25eedfb072251b5314ba2093  ffmpeg-0.6.1.tar.bz2
+2be7d71c2b942e62ed15e2f3b953dce8  cve-2011-3362.patch
 7efdfc8423314500a9ae1327d5f368c2  cve-2011-3504.patch
+1b0c1a8d9d3cd98f2658742105652a86  cve-2011-3973.patch
 d4870ae7350caed041d2b39e406a173b  pic.patch"
--- a/main/ffmpeg/cve-2011-3362.patch
+++ b/main/ffmpeg/cve-2011-3362.patch
@ -0,0 +1,28 @@
+From 91d5da9321c52e8197fb14046ebb335f3e6ff4a0 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Wed, 10 Aug 2011 13:28:36 +0200
+Subject: [PATCH] cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient
+ boundary check
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/cavsdec.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
+index c6ccb06..6e83a7d 100644
+--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
+@@ -115,7 +115,8 @@ static inline int get_ue_code(GetBitContext *gb, int order) {
+ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
+                                  const struct dec_2dvlc *r, int esc_golomb_order,
+                                  int qp, uint8_t *dst, int stride) {
+-    int i, level_code, esc_code, level, run, mask;
+    int i, esc_code, level, mask;
+    unsigned int level_code, run;
+     DCTELEM level_buf[65];
+     uint8_t run_buf[65];
+     DCTELEM *block = h->block;
+-- 
+1.7.5.4
+
--- a/main/ffmpeg/cve-2011-3973.patch
+++ b/main/ffmpeg/cve-2011-3973.patch
@ -0,0 +1,67 @@
+From bd968d260aef322fb32e254a3de0d2036c57bd56 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 10 Aug 2011 18:52:11 +0100
+Subject: [PATCH] cavs: fix some crashes with invalid bitstreams
+
+This removes all valgrind-reported invalid writes with one
+specific test file.
+
+Fixes http://www.ocert.org/advisories/ocert-2011-002.html
+
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+(cherry picked from commit 4a71da0f3ab7f5542decd11c81994f849d5b2c78)
+---
+ libavcodec/cavsdec.c |   11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
+index a9e4d37..35c37d0 100644
+--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
+@@ -130,12 +130,14 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
+                 r++;
+             mask = -(level_code & 1);
+             level = (level^mask) - mask;
+-        } else {
+        } else if (level_code >= 0) {
+             level = r->rltab[level_code][0];
+             if(!level) //end of block signal
+                 break;
+             run   = r->rltab[level_code][1];
+             r += r->rltab[level_code][2];
+        } else {
+            break;
+         }
+         level_buf[i] = level;
+         run_buf[i] = run;
+@@ -189,7 +191,8 @@ static inline int decode_residual_inter(AVSContext *h) {
+ 
+ static int decode_mb_i(AVSContext *h, int cbp_code) {
+     GetBitContext *gb = &h->s.gb;
+-    int block, pred_mode_uv;
+    unsigned pred_mode_uv;
+    int block;
+     uint8_t top[18];
+     uint8_t *left = NULL;
+     uint8_t *d;
+@@ -445,6 +448,8 @@ static inline int check_for_slice(AVSContext *h) {
+     if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
+         skip_bits_long(gb,24+align);
+         h->stc = get_bits(gb,8);
+        if (h->stc >= h->mb_height)
+            return 0;
+         decode_slice_header(h,gb);
+         return 1;
+     }
+@@ -659,7 +664,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
+     buf_end = buf + buf_size;
+     for(;;) {
+         buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
+-        if(stc & 0xFFFFFE00)
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
+             return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
+         input_size = (buf_end - buf_ptr)*8;
+         switch(stc) {
+-- 
+1.7.5.4
+