From: Jan Beich Date: Tue, 28 Nov 2017 15:47:09 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r455047 - in head/multimedia/ffmpeg: . files X-SVN-Group: ports-head X-SVN-Commit-Author: jbeich X-SVN-Commit-Paths: in head/multimedia/ffmpeg: . files X-SVN-Commit-Revision: 455047 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Nov 2017 15:47:11 -0000 Author: jbeich Date: Tue Nov 28 15:47:09 2017 New Revision: 455047 URL: https://svnweb.freebsd.org/changeset/ports/455047 Log: multimedia/ffmpeg: fix DoS in VC-2 encoder Reported by: Vladimir Krstulja Obtained from: upstream (release/3.4 branch) Security: CVE-2017-16840 Added: head/multimedia/ffmpeg/files/patch-CVE-2017-16840 (contents, props changed) Modified: head/multimedia/ffmpeg/Makefile (contents, props changed) Modified: head/multimedia/ffmpeg/Makefile ============================================================================== --- head/multimedia/ffmpeg/Makefile Tue Nov 28 15:41:22 2017 (r455046) +++ head/multimedia/ffmpeg/Makefile Tue Nov 28 15:47:09 2017 (r455047) @@ -3,7 +3,7 @@ PORTNAME= ffmpeg PORTVERSION= 3.4 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= multimedia audio ipv6 net MASTER_SITES= http://ffmpeg.org/releases/ Added: head/multimedia/ffmpeg/files/patch-CVE-2017-16840 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/multimedia/ffmpeg/files/patch-CVE-2017-16840 Tue Nov 28 15:47:09 2017 (r455047) 
@@ -0,0 +1,83 @@ +commit a94cb36ab2ad99d3a1331c9f91831ef593d94f74 +Author: Rostislav Pehlivanov +Date: Wed Nov 8 23:50:04 2017 +0000 + + vc2enc_dwt: pad the temporary buffer by the slice size + + Since non-Haar wavelets need to look into pixels outside the frame, we + need to pad the buffer. The old factor of two seemed to be a workaround + that fact and only padded to the left and bottom. This correctly pads + by the slice size and as such reduces memory usage and potential + exploits. + Reported by Liu Bingchang. + + Ideally, there should be no temporary buffer but the encoder is designed + to deinterleave the coefficients into the classical wavelet structure + with the lower frequency values in the top left corner. + + 
Signed-off-by: Rostislav Pehlivanov + (cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85) + +--- libavcodec/vc2enc.c.orig 2017-10-15 15:59:37 UTC ++++ libavcodec/vc2enc.c +@@ -1190,7 +1190,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avc + /* DWT init */ + if (ff_vc2enc_init_transforms(&s->transform_args[i].t, + s->plane[i].coef_stride, +- s->plane[i].dwt_height)) ++ s->plane[i].dwt_height, ++ s->slice_width, s->slice_height)) + goto alloc_fail; + } + +--- libavcodec/vc2enc_dwt.c.orig 2017-09-12 00:51:34 UTC ++++ libavcodec/vc2enc_dwt.c +@@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformCon + dwt_haar(t, data, stride, width, height, 1); + } + +-av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) ++av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, ++ int p_height, int slice_w, int slice_h) + { + s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; + s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; + s->vc2_subband_dwt[VC2_TRANSFORM_HAAR] = vc2_subband_dwt_haar; + s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift; + +- s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); ++ /* Pad by the slice size, only matters for non-Haar wavelets */ ++ s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); + if (!s->buffer) + return 1; + ++ s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); ++ s->buffer += s->padding; ++ + return 0; + } + + av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) + { +- av_freep(&s->buffer); ++ av_free(s->buffer - s->padding); ++ s->buffer = NULL; + } +--- libavcodec/vc2enc_dwt.h.orig 2017-09-12 00:51:34 UTC ++++ libavcodec/vc2enc_dwt.h +@@ -41,12 +41,14 @@ enum VC2TransformType { + + typedef struct VC2TransformContext { + dwtcoef *buffer; ++ int padding; + void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, + dwtcoef *data, 
ptrdiff_t stride, + int width, int height); + } VC2TransformContext; + +-int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); ++int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, ++ int slice_w, int slice_h); + void ff_vc2enc_free_transforms(VC2TransformContext *t); + + #endif /* AVCODEC_VC2ENC_DWT_H */
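Review bot: in the libavcodec/vc2enc_dwt.c hunk, ff_vc2enc_free_transforms() now calls av_free(s->buffer - s->padding) unconditionally, so a call made while s->buffer is NULL and s->padding is nonzero (for example a second call, since the function sets s->buffer = NULL but leaves s->padding as it was) hands av_free() a pointer computed from NULL instead of NULL itself. Wrapping the free in `if (s->buffer)` and resetting s->padding to 0 next to `s->buffer = NULL;` would make the function safe to call on an uninitialised or already-freed context. In the same hunk, `(p_stride + slice_w)*(p_height + slice_h)` is evaluated in int (all four parameters are declared int) before av_calloc() receives it, so whatever overflow checking av_calloc() does on nmemb times size cannot see an overflow inside that product; doing the multiplication in size_t, or rejecting oversized dimensions first, would cover it.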
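Review bot: the new `int padding;` field in VC2TransformContext (libavcodec/vc2enc_dwt.h hunk) is undocumented, and after this change `buffer` no longer points at the start of the allocation. A short comment on both fields, saying that buffer is offset by padding elements and has to be released as buffer - padding, would keep later code from passing buffer straight to av_free(). Because the value is used as a pointer offset, ptrdiff_t, which this struct already uses for stride, would fit better than int.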