freeswitch-stable: fix CVE in libvpx

Patch copied from Debian to fix CVE-2017-13194.

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>

diff --git a/net/freeswitch-stable/Makefile b/net/freeswitch-stable/Makefile
index b08f19bfe01474bce6c65a47ec1a4680838d3245..9124ca8d7a42bac77e96d3f87a70cacace13fe7c 100644 (file)
--- a/net/freeswitch-stable/Makefile
+++ b/net/freeswitch-stable/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PRG_NAME:=freeswitch
 PKG_NAME:=$(PRG_NAME)-stable
 PKG_VERSION:=1.6.20
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_MAINTAINER:=Sebastian Kemper <sebastian_ml@gmx.net>
 
 PKG_SOURCE:=$(PRG_NAME)-$(PKG_VERSION).tar.xz

diff --git a/net/freeswitch-stable/patches/340-libvpx-CVE-2017-13194.patch b/net/freeswitch-stable/patches/340-libvpx-CVE-2017-13194.patch
new file mode 100644 (file)
index 0000000..2f53b12
--- /dev/null
+++ b/net/freeswitch-stable/patches/340-libvpx-CVE-2017-13194.patch
@@ -0,0 +1,45 @@
+Subject: Fix OOB caused by odd frame width, CVE-2017-13194
+Origin: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d
+
+diff --git a/libs/libvpx/libvpx/vpx/src/vpx_image.c b/libs/libvpx/libvpx/vpx/src/vpx_image.c
+index dba439c..af7c529 100644
+--- a/libs/libvpx/vpx/src/vpx_image.c
++++ b/libs/libvpx/vpx/src/vpx_image.c
+@@ -88,11 +88,10 @@
+     default: ycs = 0; break;
+   }
+ 
+-  /* Calculate storage sizes given the chroma subsampling */
+-  align = (1 << xcs) - 1;
+-  w = (d_w + align) & ~align;
+-  align = (1 << ycs) - 1;
+-  h = (d_h + align) & ~align;
++  /* Calculate storage sizes. If the buffer was allocated externally, the width
++   * and height shouldn't be adjusted. */
++  w = d_w;
++  h = d_h;
+   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+   s = (s + stride_align - 1) & ~(stride_align - 1);
+   stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+@@ -111,9 +110,18 @@
+   img->img_data = img_data;
+ 
+   if (!img_data) {
+-    const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR)
+-                                    ? (uint64_t)h * s * bps / 8
+-                                    : (uint64_t)h * s;
++    uint64_t alloc_size;
++    /* Calculate storage sizes given the chroma subsampling */
++    align = (1 << xcs) - 1;
++    w = (d_w + align) & ~align;
++    align = (1 << ycs) - 1;
++    h = (d_h + align) & ~align;
++
++    s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
++    s = (s + stride_align - 1) & ~(stride_align - 1);
++    stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++    alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
++                                            : (uint64_t)h * s;
+ 
+     if (alloc_size != (size_t)alloc_size) goto fail;
+