1 files changed, 51 insertions, 0 deletions

diff --git a/multimedia/ffmpeg/files/patch-CVE-2018-7557 b/multimedia/ffmpeg/files/patch-CVE-2018-7557
new file mode 100644
index 000000000000..c1a6d78d9cb6
--- /dev/null
+++ b/multimedia/ffmpeg/files/patch-CVE-2018-7557
@@ -0,0 +1,51 @@
+commit ae49cc73f265a155e5c4b1715570aab3d9741b4d
+Author: Michael Niedermayer <michael@niedermayer.cc>
+Date:   Mon Feb 26 03:02:48 2018 +0100
+
+    avcodec/utvideodec: Check subsample factors
+    
+    Fixes: Out of array read
+    Fixes: heap_poc
+    
+    Found-by: GwanYeong Kim <gy741.kim@gmail.com>
+    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+    (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
+    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/utvideodec.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git libavcodec/utvideodec.c libavcodec/utvideodec.c
+index d888cc3cdf..ebd9d55cf2 100644
+--- libavcodec/utvideodec.c
++++ libavcodec/utvideodec.c
+@@ -30,6 +30,7 @@
+ #define UNCHECKED_BITSTREAM_READER 1
+ 
+ #include "libavutil/intreadwrite.h"
++#include "libavutil/pixdesc.h"
+ #include "avcodec.h"
+ #include "bswapdsp.h"
+ #include "bytestream.h"
+@@ -789,6 +790,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
+ static av_cold int decode_init(AVCodecContext *avctx)
+ {
+     UtvideoContext * const c = avctx->priv_data;
++    int h_shift, v_shift;
+ 
+     c->avctx = avctx;
+ 
+@@ -886,6 +888,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
+         return AVERROR_INVALIDDATA;
+     }
+ 
++    av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);
++    if ((avctx->width  & ((1<<h_shift)-1)) ||
++        (avctx->height & ((1<<v_shift)-1))) {
++        avpriv_request_sample(avctx, "Odd dimensions");
++        return AVERROR_PATCHWELCOME;
++    }
++
+     return 0;
+ }
+