diff options
Diffstat (limited to 'poky/meta/recipes-multimedia')
4 files changed, 74 insertions, 1 deletions
diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch new file mode 100644 index 000000000..8d09ce7b6 --- /dev/null +++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag/10_utf16.dpatch @@ -0,0 +1,33 @@ +libid3tag: patch for CVE-2004-2779 + +The patch comes from +https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch + +Upstream-Status: Pending + +CVE: CVE-2004-2779 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> + +diff -urNad libid3tag-0.15.1b/utf16.c /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c +--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 ++++ /tmp/dpep.tKvO7a/libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 +@@ -282,5 +282,18 @@ + + free(utf16); + ++ if (end == *ptr && length % 2 != 0) ++ { ++ /* We were called with a bogus length. It should always ++ * be an even number. We can deal with this in a few ways: ++ * - Always give an error. ++ * - Try and parse as much as we can and ++ * - return an error if we're called again when we ++ * already tried to parse everything we can. ++ * - tell that we parsed it, which is what we do here. ++ */ ++ (*ptr)++; ++ } ++ + return ucs4; + } diff --git a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb index f6139d612..fe3164610 100644 --- a/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb +++ b/poky/meta/recipes-multimedia/libid3tag/libid3tag_0.15.1b.bb @@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mad/libid3tag-${PV}.tar.gz \ file://addpkgconfig.patch \ file://obsolete_automake_macros.patch \ file://0001-Fix-gperf-3.1-incompatibility.patch \ + file://10_utf16.dpatch \ " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mad/files/libid3tag/" UPSTREAM_CHECK_REGEX = "/projects/mad/files/libid3tag/(?P<pver>.*)/$" diff --git a/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch new file mode 100644 index 000000000..84b1af1fb --- /dev/null +++ b/poky/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch @@ -0,0 +1,37 @@ +From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta <ctruta@gmail.com> +Date: Sun, 17 Jun 2018 22:56:29 -0400 +Subject: [PATCH] [libpng16] Fix the calculation of row_factor in + png_check_chunk_length + +(Bug report by Thuan Pham, SourceForge issue #278) +Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2] +Signed-off-by: Sinan Kaya <okaya@kernel.org> +--- + pngrutil.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/pngrutil.c b/pngrutil.c +index 95571b517..5ba995abf 100644 +--- a/pngrutil.c ++++ b/pngrutil.c +@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length) + { + png_alloc_size_t idat_limit = PNG_UINT_31_MAX; + size_t row_factor = +- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) +- + 1 + (png_ptr->interlaced? 6: 0)); ++ (size_t)png_ptr->width ++ * (size_t)png_ptr->channels ++ * (png_ptr->bit_depth > 8? 2: 1) ++ + 1 ++ + (png_ptr->interlaced? 6: 0); + if (png_ptr->height > PNG_UINT_32_MAX/row_factor) +- idat_limit=PNG_UINT_31_MAX; ++ idat_limit = PNG_UINT_31_MAX; + else + idat_limit = png_ptr->height * row_factor; + row_factor = row_factor > 32566? 32566 : row_factor; +-- +2.19.0 + diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb index e52d03228..3877d6cbf 100644 --- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb +++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.34.bb @@ -8,7 +8,9 @@ DEPENDS = "zlib" LIBV = "16" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz" +SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \ + file://CVE-2018-13785.patch \ +" SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2" SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6" |