From a81b5e5b560bc7bc2ae8374b1e2df893485ab462 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Mon, 21 Nov 2011 15:02:09 +0000
Subject: [PATCH] main/ffmpeg: security fix (CVE-2011-3504) fixes #804
---
 main/ffmpeg/APKBUILD | 7 +-
 main/ffmpeg/cve-2011-3504.patch | 113 ++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 main/ffmpeg/cve-2011-3504.patch
diff --git a/main/ffmpeg/APKBUILD b/main/ffmpeg/APKBUILD
index e2b3ca7e779..242e0962ec2 100644
--- a/main/ffmpeg/APKBUILD
+++ b/main/ffmpeg/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=ffmpeg
 pkgver=0.6.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
 url="http://ffmpeg.mplayerhq.hu/"
 license="GPL"
@@ -10,12 +10,14 @@ makedepends="lame-dev libvorbis-dev faad2-dev faac-dev xvidcore-dev zlib-dev imlib2-dev x264-dev libtheora-dev coreutils bzip2-dev perl libvpx-dev"
 depends=
 source="http://ffmpeg.org/releases/ffmpeg-$pkgver.tar.bz2
+ cve-2011-3504.patch
 pic.patch"
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 cd "$_builddir"
- patch -p1 -i "$srcdir"/pic.patch
+ patch -p1 -i "$srcdir"/pic.patch || return 1
+ patch -p1 -i "$srcdir"/cve-2011-3504.patch || return 1
 }
 build() {
@@ -52,4 +54,5 @@ package() {
 # strip --strip-debug "$pkgdir"/usr/lib/*.a || return 1
 }
 md5sums="4f5d732d25eedfb072251b5314ba2093 ffmpeg-0.6.1.tar.bz2
+7efdfc8423314500a9ae1327d5f368c2 cve-2011-3504.patch
 d4870ae7350caed041d2b39e406a173b pic.patch"
diff --git a/main/ffmpeg/cve-2011-3504.patch b/main/ffmpeg/cve-2011-3504.patch
new file mode 100644
index 00000000000..d373cfc4e21
--- /dev/null
+++ b/main/ffmpeg/cve-2011-3504.patch
@@ -0,0 +1,113 @@
+From: Michael Niedermayer
+Date: Thu, 28 Jul 2011 12:59:54 +0000 (+0200)
+Subject: Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
+X-Git-Url: http://git.libav.org/?p=libav.git;a=commitdiff_plain;h=77d2ef13a8fa630e5081f14bde3fd20f84c90aec
+
+Fix memory (re)allocation in matroskadec.c, related to MSVR-11-0080.
+
+Whitespace of the patch cleaned up by Aurel
+Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
+Signed-off-by: Michael Niedermayer
+
+(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)
+
+Further suggestions from Kostya have been
+implemented by Reinhard Tartler
+
+Signed-off-by: Reinhard Tartler
+---
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index af5532b..89df095 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -801,11 +801,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
+ uint32_t id = syntax->id;
+ uint64_t length;
+ int res;
++ void *newelem;
+
+ data = (char *)data + syntax->data_offset;
+ if (syntax->list_elem_size) {
+ EbmlList *list = data;
+- list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++ newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
++ if (!newelem)
++ return AVERROR(ENOMEM);
++ list->elem = newelem;
+ data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
+ memset(data, 0, syntax->list_elem_size);
+ list->nb_elem++;
+@@ -935,6 +939,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+ uint8_t* data = *buf;
+ int isize = *buf_size;
+ uint8_t* pkt_data = NULL;
++ uint8_t* newpktdata;
+ int pkt_size = isize;
+ int result = 0;
+ int olen;
+@@ -964,7 +969,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+ zstream.avail_in = isize;
+ do {
+ pkt_size *= 3;
+- pkt_data = av_realloc(pkt_data, pkt_size);
++ newpktdata = av_realloc(pkt_data, pkt_size);
++ if (!newpktdata) {
++ inflateEnd(&zstream);
++ goto failed;
++ }
++ pkt_data = newpktdata;
+ zstream.avail_out = pkt_size - zstream.total_out;
+ zstream.next_out = pkt_data + zstream.total_out;
+ result = inflate(&zstream, Z_NO_FLUSH);
+@@ -985,7 +995,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
+ bzstream.avail_in = isize;
+ do {
+ pkt_size *= 3;
+- pkt_data = av_realloc(pkt_data, pkt_size);
++ newpktdata = av_realloc(pkt_data, pkt_size);
++ if (!newpktdata) {
++ BZ2_bzDecompressEnd(&bzstream);
++ goto failed;
++ }
++ pkt_data = newpktdata;
+ bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
+ bzstream.next_out = pkt_data + bzstream.total_out_lo32;
+ result = BZ2_bzDecompress(&bzstream);
+@@ -1040,13 +1055,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
+ }
+ }
+
+-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
++static int matroska_merge_packets(AVPacket *out, AVPacket *in)
+ {
+- out->data = av_realloc(out->data, out->size+in->size);
++ void *newdata = av_realloc(out->data, out->size+in->size);
++ if (!newdata)
++ return AVERROR(ENOMEM);
++ out->data = newdata;
+ memcpy(out->data+out->size, in->data, in->size);
+ out->size += in->size;
+ av_destruct_packet(in);
+ av_free(in);
++ return 0;
+ }
+
+ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
+@@ -1604,11 +1623,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
+ memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
+ av_free(matroska->packets[0]);
+ if (matroska->num_packets > 1) {
++ void *newpackets;
+ memmove(&matroska->packets[0], &matroska->packets[1],
+ (matroska->num_packets - 1) * sizeof(AVPacket *));
+- matroska->packets =
+- av_realloc(matroska->packets, (matroska->num_packets - 1) *
+- sizeof(AVPacket *));
++ newpackets = av_realloc(matroska->packets,
++ (matroska->num_packets - 1) * sizeof(AVPacket *));
++ if (newpackets)
++ matroska->packets = newpackets;
+ } else {
+ av_freep(&matroska->packets);
+ }
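Review bot: The embedded hunk at `@@ -1040,13 +1055,17 @@` changes `matroska_merge_packets` to return `AVERROR(ENOMEM)` when `av_realloc` fails, but no hunk in this backport touches its call site, so the new status is presumably still discarded by the caller; on that path `in` is neither merged nor handed to `av_destruct_packet`/`av_free`, which leaves a leaked packet and a silently dropped merge rather than a reported error. Either carry the call-site change that checks the result (the upstream commit named in the patch header is the place to compare against) or add a hunk at the caller so the demuxer propagates the error. A second, smaller point: the sizes handed to `av_realloc` in `ebml_parse_elem` (`(list->nb_elem+1)*syntax->list_elem_size`) and `matroska_merge_packets` (`out->size+in->size`) appear to be plain `int` arithmetic on values taken from the stream, and the patch only adds NULL checks, so an arithmetic wrap there would still produce an undersized buffer in front of the following `memset`/`memcpy`; a bounded-growth check would close that for a package that carries this patch long-term. Every embedded hunk is a fragment, and the enclosing functions begin and end outside what is quoted here.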