From 5da3fcd40ac752ff0dc0d3e73f2d1b055dfeb4cc Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Wed, 3 Sep 2014 13:04:12 +0000
Subject: main/ffmpeg: security fix (CVE-2014-5271,CVE-2014-5272) fixes #3317
---
 main/ffmpeg/APKBUILD | 19 ++++++++++----
 main/ffmpeg/CVE-2014-5271.patch | 55 +++++++++++++++++++++++++++++++++++++++++
 main/ffmpeg/CVE-2014-5272.patch | 32 ++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 5 deletions(-)
 create mode 100644 main/ffmpeg/CVE-2014-5271.patch
 create mode 100644 main/ffmpeg/CVE-2014-5272.patch
diff --git a/main/ffmpeg/APKBUILD b/main/ffmpeg/APKBUILD
index be68d35ce4..9f6acf403d 100644
--- a/main/ffmpeg/APKBUILD
+++ b/main/ffmpeg/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa
 pkgname=ffmpeg
 pkgver=2.1.5
-pkgrel=0
+pkgrel=1
 pkgdesc="Complete and free Internet live audio and video broadcasting solution for Linux/Unix"
 url="http://ffmpeg.org/"
 arch="all"
@@ -15,7 +15,10 @@ depends=
 source="http://ffmpeg.org/releases/ffmpeg-$pkgver.tar.bz2
 configure-dlvsym.patch
 fix-defines.patch
- fix-libv4l2-errors.patch"
+ fix-libv4l2-errors.patch
+ CVE-2014-5271.patch
+ CVE-2014-5272.patch
+ "
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
@@ -82,12 +85,18 @@ libs() {
 md5sums="c97586adb18e61f56b819b6ebb1d6a1d ffmpeg-2.1.5.tar.bz2
 2cdc11a99bf97c63c7cca27b073cb47c configure-dlvsym.patch
 fad4fc1e886146a4a2befc8fda052d50 fix-defines.patch
-2b6897f352583ee8efdc0c09ef27a30f fix-libv4l2-errors.patch"
+2b6897f352583ee8efdc0c09ef27a30f fix-libv4l2-errors.patch
+cb4f5424c5364d7cf44b39be90bf9422 CVE-2014-5271.patch
+03a55ca19064afd17123422143c7104d CVE-2014-5272.patch"
 sha256sums="10476f2c8f2ac7c9586c619e86b586384a25d209d5f5568bcd05a264846800ff ffmpeg-2.1.5.tar.bz2
 0854db61ec784935d77516ba9a467ba61e118f951149c07acb6887a6b417ac55 configure-dlvsym.patch
 4ccac0cf75fe53685c4cdda4061f7248de9a9b98e11f8e3aed8e1822b94d35d1 fix-defines.patch
-872236e91e393b62a1a9d7aebdf0c417314f874a67cef55ad37b39ee57cf9edb fix-libv4l2-errors.patch"
+872236e91e393b62a1a9d7aebdf0c417314f874a67cef55ad37b39ee57cf9edb fix-libv4l2-errors.patch
+7675ffbddc841132084e8d6646291244f6fbc672bce6815b707d656c8d4bde79 CVE-2014-5271.patch
+d4d5ee3c0b8c3e8a5752a317f77fa07c035413b0acfb168dc3853a58aa2ff4f8 CVE-2014-5272.patch"
 sha512sums="541c115f52e641a128ad1c96f98f2ad1601a4bb685614a60977a8b74818004f6be61da5da704a31fedf073d050fee121cd1d0ad733f6f919306cf3d675f02136 ffmpeg-2.1.5.tar.bz2
 635c80ca801577439bd1cf8470fb760755c243e59adc8b4d9b8412f24e2dc336802afddde09f3d59443e29d92123d0308482be8ad32ab0f265c960315632636f configure-dlvsym.patch
 ea2630d4ae5383bc24a322318aa8c41af745145755333660deec4ed256096eca73a49c41a0921544dfaa53d8087378cb2b5654001332c7262ea39f18e5c472c8 fix-defines.patch
-56bba30f200c748d47d60d2b18147522dbceec7e8c97f434d3dbfa239547113a3e9d3b280e22816adeafa994b22eefac4b968448afef1a07aa1c46d3ec359e68 fix-libv4l2-errors.patch"
+56bba30f200c748d47d60d2b18147522dbceec7e8c97f434d3dbfa239547113a3e9d3b280e22816adeafa994b22eefac4b968448afef1a07aa1c46d3ec359e68 fix-libv4l2-errors.patch
+9056f66102702e7aef6e0abc77a8f91207a82a5ca6f65104f7e1e712f613169ccc7d2e2f6ce7609aed5ff289bb1084771bbfc24ab6f9148ee6ae5c9f9b1523a4 CVE-2014-5271.patch
+3e9c0303d76e6124da0d913323aec7e476423e52a174c0ba1b53a1170a3e7b786a447e53293e557f8aae119cac9478052a971487c6ecd2410de2d18a7d25b47a CVE-2014-5272.patch"
diff --git a/main/ffmpeg/CVE-2014-5271.patch b/main/ffmpeg/CVE-2014-5271.patch
new file mode 100644
index 0000000000..f496fb4afe
--- /dev/null
+++ b/main/ffmpeg/CVE-2014-5271.patch
@@ -0,0 +1,55 @@
+From 52b81ff4635c077b2bc8b8d3637d933b6629d803 Mon Sep 17 00:00:00 2001
+From: Christophe Gisquet
+Date: Mon, 11 Aug 2014 22:06:08 +0000
+Subject: [PATCH] proresenc_kostya: report buffer overflow
+
+If the allocated size, despite best efforts, is too small, exit
+with the appropriate error.
+
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/proresenc_kostya.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c
+index 24cb333..a70ae3c 100644
+--- a/libavcodec/proresenc_kostya.c
++++ b/libavcodec/proresenc_kostya.c
+@@ -570,6 +570,11 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic,
+ quant);
+ }
+ total_size += sizes[i];
++ if (put_bits_left(pb) < 0) {
++ av_log(avctx, AV_LOG_ERROR, "Serious underevaluation of"
++ "required buffer size");
++ return AVERROR_BUFFER_TOO_SMALL;
++ }
+ }
+ return total_size;
+ }
+@@ -940,9 +945,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
+ avctx->coded_frame->pict_type = AV_PICTURE_TYPE_I;
+ avctx->coded_frame->key_frame = 1;
+
+- pkt_size = ctx->frame_size_upper_bound + FF_MIN_BUFFER_SIZE;
++ pkt_size = ctx->frame_size_upper_bound;
+
+- if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size)) < 0)
++ if ((ret = ff_alloc_packet2(avctx, pkt, pkt_size + FF_MIN_BUFFER_SIZE)) < 0)
+ return ret;
+
+ orig_buf = pkt->data;
+@@ -1019,7 +1024,9 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
+ slice_hdr = buf;
+ buf += slice_hdr_size - 1;
+ init_put_bits(&pb, buf, (pkt_size - (buf - orig_buf)) * 8);
+- encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice);
++ ret = encode_slice(avctx, pic, &pb, sizes, x, y, q, mbs_per_slice);
++ if (ret < 0)
++ return ret;
+
+ bytestream_put_byte(&slice_hdr, q);
+ slice_size = slice_hdr_size + sizes[ctx->num_planes - 1];
+--
+1.7.10.4
+
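Review bot: The added `put_bits_left(pb) < 0` test in encode_slice runs after the plane has been written, so by the time it fires the bit writer has already gone past the end it was given; it reports the overrun rather than preventing it. What keeps those bytes inside the allocation appears to be the second embedded hunk, which hands `init_put_bits` a size derived from `frame_size_upper_bound` while `ff_alloc_packet2` receives `pkt_size + FF_MIN_BUFFER_SIZE`, and that dependency deserves a comment at the check, for example `/* detected after the fact: relies on the FF_MIN_BUFFER_SIZE slack allocated in encode_frame */`. Separately, the two adjacent string literals concatenate to "underevaluation ofrequired" and the message has no trailing newline; `"Serious underevaluation of "` followed by `"required buffer size\n"` would fix both. encode_slice and encode_frame both start and end outside the embedded hunks, so how large a single plane's overrun can get relative to the slack cannot be judged from here.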
diff --git a/main/ffmpeg/CVE-2014-5272.patch b/main/ffmpeg/CVE-2014-5272.patch
new file mode 100644
index 0000000000..e272e7ccd2
--- /dev/null
+++ b/main/ffmpeg/CVE-2014-5272.patch
@@ -0,0 +1,32 @@
+From 3539d6c63a16e1b2874bb037a86f317449c58770 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Sun, 10 Aug 2014 21:59:33 +0200
+Subject: [PATCH] avcodec/iff: check pixfmt for rgb8 / rgbn
+
+Fixes out of array access
+
+Found-by: Piotr Bandurski
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/iff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/iff.c b/libavcodec/iff.c
+index 00f5261..ce06b36 100644
+--- a/libavcodec/iff.c
++++ b/libavcodec/iff.c
+@@ -849,9 +849,9 @@ static int decode_frame(AVCodecContext *avctx,
+ break;
+ case 4:
+ bytestream2_init(&gb, buf, buf_size);
+- if (avctx->codec_tag == MKTAG('R', 'G', 'B', '8'))
++ if (avctx->codec_tag == MKTAG('R', 'G', 'B', '8') && avctx->pix_fmt == AV_PIX_FMT_RGB32)
+ decode_rgb8(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]);
+- else if (avctx->codec_tag == MKTAG('R', 'G', 'B', 'N'))
++ else if (avctx->codec_tag == MKTAG('R', 'G', 'B', 'N') && avctx->pix_fmt == AV_PIX_FMT_RGB444)
+ decode_rgbn(&gb, s->frame->data[0], avctx->width, avctx->height, s->frame->linesize[0]);
+ else
+ return unsupported(avctx);
+--
+1.7.10.4
+
-- cgit v1.2.3
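Review bot: The two added `avctx->pix_fmt` comparisons in `case 4` of decode_frame carry no comment saying why a matching codec_tag is not sufficient, so a later cleanup could drop them as redundant. Per the embedded commit message they stop an out-of-array access, presumably because decode_rgb8 and decode_rgbn write pixels of a fixed width into `s->frame->data[0]` regardless of the format the frame was allocated for. I would add `/* codec_tag alone is not trusted: the frame must have been allocated for the pixel format this decoder writes */` above the `if`. The tag/format mismatch is still only caught per frame at this point; whether it could be rejected where pix_fmt is chosen cannot be judged from this hunk, since decode_frame and the init path lie outside it.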