Date:      Thu, 26 Oct 2017 19:31:19 +0000 (UTC)
From:      Jan Beich <jbeich@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r452947 - in branches/2017Q4/multimedia/ffmpeg: . files
Message-ID:  <201710261931.v9QJVJXK025010@repo.freebsd.org>

Author: jbeich
Date: Thu Oct 26 19:31:18 2017
New Revision: 452947
URL: https://svnweb.freebsd.org/changeset/ports/452947

Log:
  multimedia/ffmpeg: backport DoS fix for AVI (direct commit)
  
  FFmpeg 3.4 (via r452570) already contains the fix but 3.3.5 hasn't
  been released yet.
  
  Obtained from:	upstream (FFmpeg 3.3 relbranch)
  Security:	CVE-2017-15186
  Approved by:	ports-secteam blanket

Added:
  branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186   (contents, props changed)
Modified:
  branches/2017Q4/multimedia/ffmpeg/Makefile

Modified: branches/2017Q4/multimedia/ffmpeg/Makefile
==============================================================================
--- branches/2017Q4/multimedia/ffmpeg/Makefile	Thu Oct 26 19:26:52 2017	(r452946)
+++ branches/2017Q4/multimedia/ffmpeg/Makefile	Thu Oct 26 19:31:18 2017	(r452947)
@@ -3,6 +3,7 @@
 
 PORTNAME=	ffmpeg
 PORTVERSION=	3.3.4
+PORTREVISION=	1
 PORTEPOCH=	1
 CATEGORIES=	multimedia audio ipv6 net
 MASTER_SITES=	http://ffmpeg.org/releases/

Added: branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186	Thu Oct 26 19:31:18 2017	(r452947)
@@ -0,0 +1,70 @@
+commit 0a231e7dd32bdea4b2fc1c48040047986d1d4925
+Author: Michael Niedermayer <michael@niedermayer.cc>
+Date:   Sat Sep 30 00:20:09 2017 +0200
+
+    avcodec/x86/lossless_videoencdsp: Fix handling of small widths
+    
+    Fixes out of array access
+    Fixes: crash-huf.avi
+    
+    Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987
+    
+    This could also be fixed by adding checks in the C code that calls the dsp
+    
+    Found-by: Zhibin Hu and 连一汉 <lianyihan@360.cn>
+    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+    (cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa)
+    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+--- libavcodec/x86/lossless_videoencdsp.asm.orig	2017-09-12 00:51:34 UTC
++++ libavcodec/x86/lossless_videoencdsp.asm
+@@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
+ %define i t0q
+ %endmacro
+ 
+-; label to jump to if w < regsize
+-%macro DIFF_BYTES_LOOP_PREP 1
++; labels to jump to if w < regsize and w < 0
++%macro DIFF_BYTES_LOOP_PREP 2
+     mov                i, wq
+     and                i, -2 * regsize
++        js            %2
+         jz            %1
+     add             dstq, i
+     add            src1q, i
+@@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
+ %if mmsize > 16
+     ; fall back to narrower xmm
+     %define regsize mmsize / 2
+-    DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa
++    DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa
+ .loop2_%1%2:
+     DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1
+     add                i, 2 * regsize
+@@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w
+ INIT_MMX mmx
+ DIFF_BYTES_PROLOGUE
+     %define regsize mmsize
+-    DIFF_BYTES_LOOP_PREP .skip_main_aa
++    DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
+     DIFF_BYTES_BODY    a, a
+ %undef i
+ %endif
+@@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE
+ INIT_XMM sse2
+ DIFF_BYTES_PROLOGUE
+     %define regsize mmsize
+-    DIFF_BYTES_LOOP_PREP .skip_main_aa
++    DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa
+     test            dstq, regsize - 1
+         jnz     .loop_uu
+     test           src1q, regsize - 1
+@@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE
+     %define regsize mmsize
+     ; Directly using unaligned SSE2 version is marginally faster than
+     ; branching based on arguments.
+-    DIFF_BYTES_LOOP_PREP .skip_main_uu
++    DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu
+     test            dstq, regsize - 1
+         jnz     .loop_uu
+     test           src1q, regsize - 1
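Review bot: The updated comment on `DIFF_BYTES_LOOP_PREP` does not say which argument handles which case, and "w < regsize" does not match the `-2 * regsize` mask used just below it. I would write `; %1: label taken when 0 <= w < 2 * regsize (no full main-loop iteration)` and `; %2: label taken when w < 0 (skip all processing)`. The new `js %2` tests the sign flag left by `and i, -2 * regsize`, so it catches a negative width only if `wq` holds a sign-extended, pointer-width value. The C prototype is not visible here, so that should be confirmed; the commit message itself notes that a check in the calling C code would be an alternative guard. The `.end_aa` and `.end_uu` targets are defined outside these hunks, so whether they skip every store cannot be checked from this patch alone.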


