Accepting request 282450 from multimedia:libs

- Add vlc-CVE-2014-9625.patch: Fix various buffer overflows and
  null ptr dereferencing (boo#914268, CVE-2014-9625). (forwarded request 282449 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/282450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vlc?expand=0&rev=32

vlc-CVE-2014-9625.patch

@@ -0,0 +1,253 @@
+From b915dc931fe886add566f208650e0ab225acbe3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
+Date: Wed, 30 Jul 2014 19:05:43 +0300
+Subject: [PATCH 18/39] avformat: initialize probe data (fixes #11851)
+
+(cherry picked from commit 49bd1c657d960ba107d9db8752f716139a938eee)
+---
+ modules/demux/avformat/demux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/demux/avformat/demux.c b/modules/demux/avformat/demux.c
+index 3bb1266..902ef01 100644
+--- a/modules/demux/avformat/demux.c
++++ b/modules/demux/avformat/demux.c
+@@ -106,7 +106,7 @@ int OpenDemux( vlc_object_t *p_this )
+ {
+     demux_t       *p_demux = (demux_t*)p_this;
+     demux_sys_t   *p_sys;
+-    AVProbeData   pd;
++    AVProbeData   pd = { };
+     AVInputFormat *fmt = NULL;
+     unsigned int  i;
+     int64_t       i_start_time = -1;
+-- 
+2.2.1
+
+From 74996ceefd63adf07e28ea80198200d74a164c9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= <remi@remlab.net>
+Date: Sat, 30 Aug 2014 16:41:53 +0300
+Subject: [PATCH 27/39] decomp: fix heap overflow (fixes #12052)
+
+---
+ modules/stream_filter/decomp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/stream_filter/decomp.c b/modules/stream_filter/decomp.c
+index 5a12e87..16a4901 100644
+--- a/modules/stream_filter/decomp.c
++++ b/modules/stream_filter/decomp.c
+@@ -207,7 +207,7 @@ static int Read (stream_t *stream, void *buf, unsigned int buflen)
+         p_sys->offset += length;
+ 
+         if (buflen > 0)
+-            length += Read (stream, ((char *)buf) + length, buflen - length);
++            length += Read (stream, buf, buflen);
+         return length;
+     }
+     assert ((buf != NULL) || (buflen == 0));
+-- 
+2.2.1
+
+From 9ddfcbb6e5222871de9b2047c939cf1da1fdbe7b Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Date: Sat, 6 Dec 2014 13:12:38 +0100
+Subject: [PATCH 34/39] misc: update: fix buffer overflow in updater
+
+On 32 bit builds, parsing of update status files with a size of
+4294967295 or more lead to an integer truncation in a call to malloc
+and a subsequent buffer overflow. This happened prior to checking the
+files' signature. The commit fixes this by disallowing overly large
+status files (above 65k in practice)
+
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+(cherry picked from commit fbe2837bc80f155c001781041a54c58b5524fc14)
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+---
+ src/misc/update.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/misc/update.c b/src/misc/update.c
+index 600e900..32e8701 100644
+--- a/src/misc/update.c
++++ b/src/misc/update.c
+@@ -193,6 +193,13 @@ static bool GetUpdateFile( update_t *p_update )
+     }
+ 
+     const int64_t i_read = stream_Size( p_stream );
++
++    if( i_read < 0 || i_read >= UINT16_MAX)
++    {
++        msg_Err(p_update->p_libvlc, "Status file too large");
++        goto error;
++    }
++
+     psz_update_data = malloc( i_read + 1 ); /* terminating '\0' */
+     if( !psz_update_data )
+         goto error;
+-- 
+2.2.1
+
+From a99d9cc2fede1a18140b43ffb59cde37cef7478d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Date: Fri, 5 Dec 2014 15:18:22 +0100
+Subject: [PATCH 35/39] codec: schroedinger: fix potential buffer overflow.
+
+The variable len is a raw 32 bit value read using GetDWBE. If this
+value is larger than UINT32_MAX - sizeof(eos), this will cause an
+integer overflow in the subsequent call to malloc, and finally a
+buffer overflow when calling memcpy. We fix this by checking len
+accordingly.
+
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+(cherry picked from commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5)
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+---
+ modules/codec/schroedinger.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
+index 0c5a7e7..93b72e1 100644
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
+                      * is appended to the sequence header to allow guard
+                      * against poor streaming servers */
+                     /* XXX, should this be done using the packetizer ? */
++
++                    if( len > UINT32_MAX - sizeof( eos ) )
++                        return NULL;
++
+                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+                     if( !p_enc->fmt_out.p_extra )
+                         return NULL;
+-- 
+2.2.1
+
+From 4e6137bbcd3d74630aa6f0e8b8b5b8aa0c19647d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Date: Fri, 5 Dec 2014 15:37:05 +0100
+Subject: [PATCH 36/39] codec: dmo: avoid null-pointer dereference.
+
+Check the return value of malloc to avoid a null-pointer dereference.
+
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+(cherry picked from commit 229c385a79d48e41687fae8b4dfeaeef9c8c3eb7)
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+---
+ modules/codec/dmo/dmo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/codec/dmo/dmo.c b/modules/codec/dmo/dmo.c
+index 6595f70..dd1fbbc 100644
+--- a/modules/codec/dmo/dmo.c
++++ b/modules/codec/dmo/dmo.c
+@@ -1310,6 +1310,9 @@ static int EncoderSetAudioType( encoder_t *p_enc, IMediaObject *p_dmo )
+         msg_Dbg( p_enc, "found cbSize: %i", p_wf->cbSize );
+         p_enc->fmt_out.i_extra = p_wf->cbSize;
+         p_enc->fmt_out.p_extra = malloc( p_enc->fmt_out.i_extra );
++        if( p_enc->fmt_out.p_extra == NULL)
++            return VLC_EGENERIC;
++
+         memcpy( p_enc->fmt_out.p_extra, &p_wf[1], p_enc->fmt_out.i_extra );
+     }
+ 
+-- 
+2.2.1
+
+From 8eab5c92136ffc60873c41c06e7a6a9266e8af7c Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Date: Fri, 5 Dec 2014 13:52:42 +0100
+Subject: [PATCH 37/39] demux: mp4: fix buffer overflow in parsing of string
+ boxes.
+
+We ensure that pbox->i_size is never smaller than 8 to avoid an
+integer underflow in the third argument of the subsequent call to
+memcpy. We also make sure no truncation occurs when passing values
+derived from the 64 bit integer p_box->i_size to arguments of malloc
+and memcpy that may be 32 bit integers on 32 bit platforms.
+
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+(cherry picked from commit 2e7c7091a61aa5d07e7997b393d821e91f593c39)
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+
+Conflicts:
+	modules/demux/mp4/libmp4.c
+---
+ modules/demux/mp4/libmp4.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 3abb940..ba6dcb9 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2596,6 +2596,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
+ {
+     MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ 
++    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++        MP4_READBOX_EXIT( 0 );
++
+     p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+     if( p_box->data.p_name->psz_text == NULL )
+         MP4_READBOX_EXIT( 0 );
+-- 
+2.2.1
+
+From 41c52fbf434d6fc59e1a5e90118b8c924ea6f50d Mon Sep 17 00:00:00 2001
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Date: Fri, 5 Dec 2014 13:58:24 +0100
+Subject: [PATCH 38/39] stream_out: rtp: don't use VLA for user controlled data
+
+It should fix a possible invalid memory access
+
+When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+write access using an overly long 'configuration' string.
+
+The original code attemps to allocate space to hold the string on the stack
+and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+buffer on the heap and return if allocation fails.
+
+In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+the size depends on the local variable 'len'. The variable 'len' is
+calculated at (0) to be the length of a string contained in a specially
+crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+(cherry picked from commit 204291467724867b79735c0ee3aeb0dbc2200f97)
+Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
+
+Conflicts:
+	modules/stream_out/rtpfmt.c
+---
+ modules/stream_out/rtpfmt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
+index 7b71588..f19f41b 100644
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -540,7 +540,11 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
+     char *end = strchr(start, ';');
+     assert(end != NULL);
+     size_t len = end - start;
+-    char b64[len + 1];
++
++    char *b64 = malloc(len + 1);
++    if(!b64)
++        return VLC_EGENERIC;
++
+     memcpy(b64, start, len);
+     b64[len] = '\0';
+ 
+@@ -550,6 +554,7 @@ int rtp_packetize_xiph_config( sout_stream_id_t *id, const char *fmtp,
+     int i_data;
+ 
+     i_data = vlc_b64_decode_binary(&p_orig, b64);
++    free(b64);
+     if (i_data == 0)
+         return VLC_EGENERIC;
+     assert(i_data > 9);
+-- 
+2.2.1
+

vlc.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 22 15:03:10 UTC 2015 - dimstar@opensuse.org
+
+- Add vlc-CVE-2014-9625.patch: Fix various buffer overflows and
+  null ptr dereferencing (boo#914268, CVE-2014-9625).
+
 -------------------------------------------------------------------
 Sun Nov  9 16:06:10 UTC 2014 - seife+obs@b1-systems.com
 

vlc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package vlc
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # Copyright (c) 2012 Dominique Leuenberger, Amsterdam, The Netherlands
 #
 # All modifications and additions to the file contributed by third parties
@@ -43,6 +43,8 @@ Url:            http://www.videolan.org/
 Source:         http://download.videolan.org/%{name}/%{version}/%{name}-%{version}.tar.xz
 # PATCH-FIX-OPENSUSE vlc-2.1.5-fix-skins2-default-skin-creation.patch -- see description in patch header 
 Patch1:         vlc-2.1.5-fix-skins2-default-skin-creation.patch
+# PATCH-FIX-UPSTREAM vlc-CVE-2014-9625.patch boo#914268 CVE-2014-9625 dimstar@opensuse.org -- Fix various buffer overflows and null ptr deref
+Patch2:         vlc-CVE-2014-9625.patch
 Patch3:         0001-no-return-in-non-void.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  Mesa-devel
@@ -300,7 +302,9 @@ for gnome-vfs2.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 %patch3 -p1
+# We do not rely on contrib but make use of system libraries
 rm -rf contrib
 # fix builddate info
 # Remove build time references so build-compare can do its work