vlc: add upstream security patches fixing CVE-2017-10699

avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy() with a wrong size, leading to a denial of service (application crash) or possibly code execution. https://trac.videolan.org/vlc/ticket/18467 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-03 17:01:40 +02:00 · 2017-07-03 17:01:40 +02:00 · b9153ed954
commit b9153ed954
parent a6b49a7e8c
2 changed files with 66 additions and 0 deletions
--- a/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch
+++ b/package/vlc/0013-codec-avcodec-check-avcodec-visible-sizes.patch
@ -0,0 +1,33 @@
 From 6cc73bcad19da2cd2e95671173f2e0d203a57e9b Mon Sep 17 00:00:00 2001
 From: Francois Cartegnie <fcvlcdev@free.fr>
 Date: Thu, 29 Jun 2017 09:45:20 +0200
 Subject: [PATCH] codec: avcodec: check avcodec visible sizes
 refs #18467
 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
 modules/codec/avcodec/video.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/modules/codec/avcodec/video.c b/modules/codec/avcodec/video.c
 index 1bcad21..ce52544 100644
 --- a/modules/codec/avcodec/video.c
 +++ b/modules/codec/avcodec/video.c
@@ -137,9 +137,11 @@ static inline picture_t *ffmpeg_NewPictBuf( decoder_t *p_dec,
     }
 -    if( width == 0 || height == 0 || width > 8192 || height > 8192 )
 +    if( width == 0 || height == 0 || width > 8192 || height > 8192 ||
 +        width < p_context->width || height < p_context->height )
     {
 -        msg_Err( p_dec, "Invalid frame size %dx%d.", width, height );
 +        msg_Err( p_dec, "Invalid frame size %dx%d. vsz %dx%d",
 +                 width, height, p_context->width, p_context->height );
         return NULL; /* invalid display size */
     }
     p_dec->fmt_out.video.i_width = width;
 -- 
 2.1.4
--- a/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch
+++ b/package/vlc/0014-decoder-check-visible-size-when-creating-buffer.patch
@ -0,0 +1,33 @@
 From a38a85db58c569cc592d9380cc07096757ef3d49 Mon Sep 17 00:00:00 2001
 From: Francois Cartegnie <fcvlcdev@free.fr>
 Date: Thu, 29 Jun 2017 11:09:02 +0200
 Subject: [PATCH] decoder: check visible size when creating buffer
 early reject invalid visible size
 mishandled by filters.
 refs #18467
 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 ---
 src/input/decoder.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/input/decoder.c b/src/input/decoder.c
 index 2c0823f..a216165 100644
 --- a/src/input/decoder.c
 +++ b/src/input/decoder.c
@@ -2060,7 +2060,9 @@ static picture_t *vout_new_buffer( decoder_t *p_dec )
         vout_thread_t *p_vout;
         if( !p_dec->fmt_out.video.i_width ||
 -            !p_dec->fmt_out.video.i_height )
 +            !p_dec->fmt_out.video.i_height ||
 +            p_dec->fmt_out.video.i_width < p_dec->fmt_out.video.i_visible_width ||
 +            p_dec->fmt_out.video.i_height < p_dec->fmt_out.video.i_visible_height )
         {
             /* Can't create a new vout without display size */
             return NULL;
 -- 
 2.1.4