initial commit for Enea Linux 4.0-140929daisy-140929

Migrated from the internal git server on the daisy-enea-point-release branch Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Tudor Florea <tudor.florea@enea.com> 2014-10-10 03:20:04 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2014-10-10 03:20:04 +0200
commit: 1b8dfe266937a37a4c642f96ceb2347bf4c00a17 (patch)
tree: 0c6aab146bb3c82efd9c7846a9a4e70dcb0ec84f /meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
download: meta-openembedded-daisy-140929.tar.gz
1 files changed, 69 insertions, 0 deletions
diff --git a/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch b/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
new file mode 100644
index 0000000000..37f5108a51
--- /dev/null
+++ b/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
@@ -0,0 +1,69 @@
+From: John Koleszar <jkoleszar@google.com>
+Date: Thu, 4 Nov 2010 20:59:26 +0000 (-0400)
+Subject: fix integer promotion bug in partition size check
+X-Git-Url: https://review.webmproject.org/gitweb?p=libvpx.git;a=commitdiff_plain;h=9fb80f7170ec48e23c3c7b477149eeb37081c699
+fix integer promotion bug in partition size check
+The check '(user_data_end - partition < partition_size)' must be
+evaluated as a signed comparison, but because partition_size was
+unsigned, the LHS was promoted to unsigned, causing an incorrect
+result on 32-bit. Instead, check the upper and lower bounds of
+the segment separately.
+Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
+---
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 2d81d61..f5e49a1 100644
+--- a/vp8/decoder/decodframe.c
+++ b/vp8/decoder/decodframe.c
+@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+             partition_size = user_data_end - partition;
+         }
+ 
+-        if (user_data_end - partition < partition_size)
+        if (partition + partition_size > user_data_end
+            || partition + partition_size < partition)
+             vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                "Truncated packet or corrupt partition "
+                                "%d length", i + 1);
+@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+         (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+     data += 3;
+ 
+-    if (data_end - data < first_partition_length_in_bytes)
+    if (data + first_partition_length_in_bytes > data_end
+        || data + first_partition_length_in_bytes < data)
+         vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                            "Truncated packet or corrupt partition 0 length");
+     vp8_setup_version(pc);
+diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
+index e7e5356..f0adf5b 100644
+--- a/vp8/vp8_dx_iface.c
+++ b/vp8/vp8_dx_iface.c
+@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t         *data,
+                                    unsigned int           data_sz,
+                                    vpx_codec_stream_info_t *si)
+ {
+-
+     vpx_codec_err_t res = VPX_CODEC_OK;
+
+    if(data + data_sz <= data)
+        res = VPX_CODEC_INVALID_PARAM;
+    else
+     {
+         /* Parse uncompresssed part of key frame header.
+          * 3 bytes:- including version, frame type and an offset
+@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t  *ctx,
+ 
+     ctx->img_avail = 0;
+ 
+-    /* Determine the stream parameters */
+    /* Determine the stream parameters. Note that we rely on peek_si to
+     * validate that we have a buffer that does not wrap around the top
+     * of the heap.
+     */
+     if (!ctx->si.h)
+         res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
+
author	Tudor Florea <tudor.florea@enea.com>	2014-10-10 03:20:04 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2014-10-10 03:20:04 +0200
commit	1b8dfe266937a37a4c642f96ceb2347bf4c00a17 (patch)
tree	0c6aab146bb3c82efd9c7846a9a4e70dcb0ec84f /meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
download	meta-openembedded-daisy-140929.tar.gz

diff --git a/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch b/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch new file mode 100644 index 0000000000..37f5108a51 --- /dev/null +++ b/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
@@ -0,0 +1,69 @@
	1	From: John Koleszar <jkoleszar@google.com>
	2	Date: Thu, 4 Nov 2010 20:59:26 +0000 (-0400)
	3	Subject: fix integer promotion bug in partition size check
	4	X-Git-Url: https://review.webmproject.org/gitweb?p=libvpx.git;a=commitdiff_plain;h=9fb80f7170ec48e23c3c7b477149eeb37081c699
	5
	6	fix integer promotion bug in partition size check
	7
	8	The check '(user_data_end - partition < partition_size)' must be
	9	evaluated as a signed comparison, but because partition_size was
	10	unsigned, the LHS was promoted to unsigned, causing an incorrect
	11	result on 32-bit. Instead, check the upper and lower bounds of
	12	the segment separately.
	13
	14	Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
	15	---
	16
	17	diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
	18	index 2d81d61..f5e49a1 100644
	19	--- a/vp8/decoder/decodframe.c
	20	+++ b/vp8/decoder/decodframe.c
	21	@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
	22	partition_size = user_data_end - partition;
	23	}
	24
	25	- if (user_data_end - partition < partition_size)
	26	+ if (partition + partition_size > user_data_end
	27	+ \|\| partition + partition_size < partition)
	28	vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
	29	"Truncated packet or corrupt partition "
	30	"%d length", i + 1);
	31	@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
	32	(data[0] \| (data[1] << 8) \| (data[2] << 16)) >> 5;
	33	data += 3;
	34
	35	- if (data_end - data < first_partition_length_in_bytes)
	36	+ if (data + first_partition_length_in_bytes > data_end
	37	+ \|\| data + first_partition_length_in_bytes < data)
	38	vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
	39	"Truncated packet or corrupt partition 0 length");
	40	vp8_setup_version(pc);
	41	diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
	42	index e7e5356..f0adf5b 100644
	43	--- a/vp8/vp8_dx_iface.c
	44	+++ b/vp8/vp8_dx_iface.c
	45	@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data,
	46	unsigned int data_sz,
	47	vpx_codec_stream_info_t *si)
	48	{
	49	-
	50	vpx_codec_err_t res = VPX_CODEC_OK;
	51	+
	52	+ if(data + data_sz <= data)
	53	+ res = VPX_CODEC_INVALID_PARAM;
	54	+ else
	55	{
	56	/* Parse uncompresssed part of key frame header.
	57	* 3 bytes:- including version, frame type and an offset
	58	@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx,
	59
	60	ctx->img_avail = 0;
	61
	62	- /* Determine the stream parameters */
	63	+ /* Determine the stream parameters. Note that we rely on peek_si to
	64	+ * validate that we have a buffer that does not wrap around the top
	65	+ * of the heap.
	66	+ */
	67	if (!ctx->si.h)
	68	res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
	69