Accepting request 727247 from home:atopt:branches:multimedia:libs

- Backported commit 47e5890 and 64875fa to fix CVE-2019-15784 (boo#1148844)
  and avoid a potential array overflow.
  * Added CVE-2019-15784.patch

OBS-URL: https://build.opensuse.org/request/show/727247
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/srt?expand=0&rev=18
This commit is contained in:
Bjørn Lie 2019-08-30 15:02:22 +00:00 committed by Git OBS Bridge
parent 06cc18daff
commit fabeae70bb
3 changed files with 200 additions and 1 deletions

192
CVE-2019-15784.patch Normal file
View File

@ -0,0 +1,192 @@
Index: srt-1.3.4/srtcore/queue.cpp
===================================================================
--- srt-1.3.4.orig/srtcore/queue.cpp
+++ srt-1.3.4/srtcore/queue.cpp
@@ -256,7 +256,7 @@ void CUnitQueue::makeUnitGood(CUnit * un
CSndUList::CSndUList():
m_pHeap(NULL),
- m_iArrayLength(4096),
+ m_iArrayLength(512),
m_iLastEntry(-1),
m_ListLock(),
m_pWindowLock(NULL),
@@ -273,32 +273,6 @@ CSndUList::~CSndUList()
pthread_mutex_destroy(&m_ListLock);
}
-void CSndUList::insert(int64_t ts, const CUDT* u)
-{
- CGuard listguard(m_ListLock);
-
- // increase the heap array size if necessary
- if (m_iLastEntry == m_iArrayLength - 1)
- {
- CSNode** temp = NULL;
-
- try
- {
- temp = new CSNode*[m_iArrayLength * 2];
- }
- catch(...)
- {
- return;
- }
-
- memcpy(temp, m_pHeap, sizeof(CSNode*) * m_iArrayLength);
- m_iArrayLength *= 2;
- delete [] m_pHeap;
- m_pHeap = temp;
- }
-
- insert_(ts, u);
-}
void CSndUList::update(const CUDT* u, EReschedule reschedule)
{
@@ -319,6 +293,8 @@ void CSndUList::update(const CUDT* u, ER
}
remove_(u);
+ insert_norealloc_(1, u);
+ return;
}
insert_(1, u);
@@ -366,7 +342,7 @@ int CSndUList::pop(sockaddr*& addr, CPac
// insert a new entry, ts is the next processing time
if (ts > 0)
- insert_(ts, u);
+ insert_norealloc_(ts, u);
return 1;
}
@@ -388,14 +364,47 @@ uint64_t CSndUList::getNextProcTime()
return m_pHeap[0]->m_llTimeStamp_tk;
}
+
+void CSndUList::realloc_()
+{
+ CSNode** temp = NULL;
+
+ try
+ {
+ temp = new CSNode *[2 * m_iArrayLength];
+ }
+ catch (...)
+ {
+ throw CUDTException(MJ_SYSTEMRES, MN_MEMORY, 0);
+ }
+
+ memcpy(temp, m_pHeap, sizeof(CSNode*) * m_iArrayLength);
+ m_iArrayLength *= 2;
+ delete[] m_pHeap;
+ m_pHeap = temp;
+}
+
+
void CSndUList::insert_(int64_t ts, const CUDT* u)
{
+ // increase the heap array size if necessary
+ if (m_iLastEntry == m_iArrayLength - 1)
+ realloc_();
+
+ insert_norealloc_(ts, u);
+}
+
+
+void CSndUList::insert_norealloc_(int64_t ts, const CUDT* u)
+{
CSNode* n = u->m_pSNode;
// do not insert repeated node
if (n->m_iHeapLoc >= 0)
return;
+ SRT_ASSERT(m_iLastEntry < m_iArrayLength);
+
m_iLastEntry ++;
m_pHeap[m_iLastEntry] = n;
n->m_llTimeStamp_tk = ts;
@@ -405,16 +414,12 @@ void CSndUList::insert_(int64_t ts, cons
while (p != 0)
{
p = (q - 1) >> 1;
- if (m_pHeap[p]->m_llTimeStamp_tk > m_pHeap[q]->m_llTimeStamp_tk)
- {
- CSNode* t = m_pHeap[p];
- m_pHeap[p] = m_pHeap[q];
- m_pHeap[q] = t;
- t->m_iHeapLoc = q;
- q = p;
- }
- else
- break;
+ if (m_pHeap[p]->m_llTimeStamp_tk <= m_pHeap[q]->m_llTimeStamp_tk)
+ break;
+
+ swap(m_pHeap[p], m_pHeap[q]);
+ m_pHeap[q]->m_iHeapLoc = q;
+ q = p;
}
n->m_iHeapLoc = q;
@@ -452,10 +457,8 @@ void CSndUList::remove_(const CUDT* u)
if (m_pHeap[q]->m_llTimeStamp_tk > m_pHeap[p]->m_llTimeStamp_tk)
{
- CSNode* t = m_pHeap[p];
- m_pHeap[p] = m_pHeap[q];
- m_pHeap[p]->m_iHeapLoc = p;
- m_pHeap[q] = t;
+ swap(m_pHeap[p], m_pHeap[q]);
+ m_pHeap[p]->m_iHeapLoc = p;
m_pHeap[q]->m_iHeapLoc = q;
q = p;
Index: srt-1.3.4/srtcore/queue.h
===================================================================
--- srt-1.3.4.orig/srtcore/queue.h
+++ srt-1.3.4/srtcore/queue.h
@@ -166,12 +166,6 @@ public:
static EReschedule rescheduleIf(bool cond) { return cond ? DO_RESCHEDULE : DONT_RESCHEDULE; }
- /// Insert a new UDT instance into the list.
- /// @param [in] ts time stamp: next processing time
- /// @param [in] u pointer to the UDT instance
-
- void insert(int64_t ts, const CUDT* u);
-
/// Update the timestamp of the UDT instance on the list.
/// @param [in] u pointer to the UDT instance
/// @param [in] resechedule if the timestampe shoudl be rescheduled
@@ -196,7 +190,26 @@ public:
uint64_t getNextProcTime();
private:
+
+ /// Doubles the size of the list.
+ ///
+ void realloc_();
+
+ /// Insert a new UDT instance into the list with realloc if required.
+ ///
+ /// @param [in] ts time stamp: next processing time
+ /// @param [in] u pointer to the UDT instance
void insert_(int64_t ts, const CUDT* u);
+
+ /// Insert a new UDT instance into the list without realloc.
+ /// Should be called if there is a gauranteed space for the element.
+ ///
+ /// @param [in] ts time stamp: next processing time
+ /// @param [in] u pointer to the UDT instance
+
+ void insert_norealloc_(int64_t ts, const CUDT* u);
+
+
void remove_(const CUDT* u);
private:

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Aug 30 12:47:57 UTC 2019 - Alexandros Toptsoglou <atoptsoglou@suse.com>
- Backported commit 47e5890 and 64875fa to fix CVE-2019-15784 (boo#1148844)
and avoid a potential array overflow.
* Added CVE-2019-15784.patch
-------------------------------------------------------------------
Thu Aug 29 16:02:56 UTC 2019 - Alexandros Toptsoglou <atoptsoglou@suse.com>

View File

@ -27,6 +27,7 @@ Group: Development/Libraries/C and C++
URL: https://www.srtalliance.org
Source0: https://github.com/Haivision/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source99: baselibs.conf
Patch0: CVE-2019-15784.patch
BuildRequires: cmake
BuildRequires: fdupes
@ -62,7 +63,6 @@ needed to develop applications with Secure Reliable Transport
%prep
%autosetup -p1
%build
%cmake \
-DCMAKE_INSTALL_PREFIX=%{_prefix} \