Date: Thu, 26 Oct 2017 19:31:19 +0000 (UTC) From: Jan Beich <jbeich@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r452947 - in branches/2017Q4/multimedia/ffmpeg: . files Message-ID: <201710261931.v9QJVJXK025010@repo.freebsd.org>
Author: jbeich Date: Thu Oct 26 19:31:18 2017 New Revision: 452947 URL: https://svnweb.freebsd.org/changeset/ports/452947 Log: multimedia/ffmpeg: backport DoS fix for AVI (direct commit) FFmpeg 3.4 (via r452570) already contains the fix but 3.3.5 hasn't been released yet. Obtained from: upstream (FFmpeg 3.3 relbranch) Security: CVE-2017-15186 Approved by: ports-secteam blanket Added: branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186 (contents, props changed) Modified: branches/2017Q4/multimedia/ffmpeg/Makefile Modified: branches/2017Q4/multimedia/ffmpeg/Makefile ============================================================================== --- branches/2017Q4/multimedia/ffmpeg/Makefile Thu Oct 26 19:26:52 2017 (r452946) +++ branches/2017Q4/multimedia/ffmpeg/Makefile Thu Oct 26 19:31:18 2017 (r452947) @@ -3,6 +3,7 @@ PORTNAME= ffmpeg PORTVERSION= 3.3.4 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= multimedia audio ipv6 net MASTER_SITES= http://ffmpeg.org/releases/ Added: branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q4/multimedia/ffmpeg/files/patch-CVE-2017-15186 Thu Oct 26 19:31:18 2017 (r452947) @@ -0,0 +1,70 @@ +commit 0a231e7dd32bdea4b2fc1c48040047986d1d4925 +Author: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat Sep 30 00:20:09 2017 +0200 + + avcodec/x86/lossless_videoencdsp: Fix handling of small widths + + Fixes out of array access + Fixes: crash-huf.avi + + Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987 + + This could also be fixed by adding checks in the C code that calls the dsp + + Found-by: Zhibin Hu and 连一汉 <lianyihan@360.cn> + Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + (cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa) + 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +--- libavcodec/x86/lossless_videoencdsp.asm.orig 2017-09-12 00:51:34 UTC ++++ libavcodec/x86/lossless_videoencdsp.asm +@@ -42,10 +42,11 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w + %define i t0q + %endmacro + +-; label to jump to if w < regsize +-%macro DIFF_BYTES_LOOP_PREP 1 ++; labels to jump to if w < regsize and w < 0 ++%macro DIFF_BYTES_LOOP_PREP 2 + mov i, wq + and i, -2 * regsize ++ js %2 + jz %1 + add dstq, i + add src1q, i +@@ -87,7 +88,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w + %if mmsize > 16 + ; fall back to narrower xmm + %define regsize mmsize / 2 +- DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa ++ DIFF_BYTES_LOOP_PREP .setup_loop_gpr_aa, .end_aa + .loop2_%1%2: + DIFF_BYTES_LOOP_CORE %1, %2, xm0, xm1 + add i, 2 * regsize +@@ -114,7 +115,7 @@ cglobal diff_bytes, 4,5,2, dst, src1, src2, w + INIT_MMX mmx + DIFF_BYTES_PROLOGUE + %define regsize mmsize +- DIFF_BYTES_LOOP_PREP .skip_main_aa ++ DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa + DIFF_BYTES_BODY a, a + %undef i + %endif +@@ -122,7 +123,7 @@ DIFF_BYTES_PROLOGUE + INIT_XMM sse2 + DIFF_BYTES_PROLOGUE + %define regsize mmsize +- DIFF_BYTES_LOOP_PREP .skip_main_aa ++ DIFF_BYTES_LOOP_PREP .skip_main_aa, .end_aa + test dstq, regsize - 1 + jnz .loop_uu + test src1q, regsize - 1 +@@ -138,7 +139,7 @@ DIFF_BYTES_PROLOGUE + %define regsize mmsize + ; Directly using unaligned SSE2 version is marginally faster than + ; branching based on arguments. +- DIFF_BYTES_LOOP_PREP .skip_main_uu ++ DIFF_BYTES_LOOP_PREP .skip_main_uu, .end_uu + test dstq, regsize - 1 + jnz .loop_uu + test src1q, regsize - 1
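Review bot: The updated comment on `DIFF_BYTES_LOOP_PREP` ("labels to jump to if w < regsize and w < 0") does not match what the two branches test. After `and i, -2 * regsize`, `jz %1` is taken whenever 0 <= w < 2 * regsize, and `js %2` is taken for any negative w because the mask keeps the sign bit. I would word it as `; %1: label if 0 <= w < 2 * regsize (no full iteration), %2: label if w < 0 (nothing to process)`, and add a line noting that `js`/`jz` both consume the flags from the `and`, so nothing may be placed between them. The guard turns a negative width into a silent no-op; as the commit message itself says, the calling C code could also validate the width, which would surface the bad input rather than hide it. The macro body continues past the end of the hunk.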
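Review bot: In the `%if mmsize > 16` fallback the new second argument is the fixed label `.end_aa`, while the very next line defines `.loop2_%1%2` from the macro parameters. The pre-existing `.setup_loop_gpr_aa` argument follows the same pattern, so this is presumably intentional, but it only assembles if an `a, a` instance of the body is emitted in the same function. A short comment such as `; negative w: leave through the aligned instance's exit label, shared by all variants` would make that dependency explicit for the next person touching the alignment variants. The enclosing macro starts and ends outside the hunk, so this cannot be confirmed from the lines shown.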