From 071d231bdce150d82088abe7fef3f01786d7b111 Mon Sep 17 00:00:00 2001
From: Koen Kooi
Date: Tue, 16 Aug 2011 16:04:35 +0200
Subject: [PATCH] libvpx 0.9.5: import from OE rev e02237d7e46e60fbd9eb4a05a308e6adcf916ebb
(From meta-openembedded rev: 7ad1aec3ede9b5b07bcba40a86528eb669dd42cd)
Signed-off-by: Koen Kooi
Signed-off-by: Patrick Ohly
---
.../meta-oe/recipes-multimedia/webm/libvpx.inc | 38 ++++++++++++
.../webm/libvpx/CVE-2010-4203.patch | 69 ++++++++++++++++++++++
.../libvpx-configure-support-blank-prefix.patch | 43 ++++++++++++++
.../recipes-multimedia/webm/libvpx_0.9.5.bb | 18 ++++++
4 files changed, 168 insertions(+)
create mode 100644 meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx.inc
create mode 100644 meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
create mode 100644 meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/libvpx-configure-support-blank-prefix.patch
create mode 100644 meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx_0.9.5.bb
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx.inc b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx.inc
new file mode 100644
index 0000000..76e319f
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx.inc
@@ -0,0 +1,38 @@
+DESCRIPTION = "vpx Multi-Format Codec SDK"
+LICENSE = "BSD"
+
+INC_PR = "r0"
+
+SRC_URI = "http://webm.googlecode.com/files/libvpx-v${PV}.tar.bz2"
+S = "${WORKDIR}/libvpx-v${PV}"
+
+# ffmpeg links with this and fails
+# sysroots/armv4t-oe-linux-gnueabi/usr/lib/libvpx.a(vpx_encoder.c.o)(.text+0xc4): unresolvable R_ARM_THM_CALL relocation against symbol `memcpy@@GLIBC_2.4'
+ARM_INSTRUCTION_SET = "arm"
+
+CFLAGS += "-fPIC"
+
+export CC
+export LD = "${CC}"
+
+VPXTARGET_armv5te = "armv5te-linux-gcc"
+VPXTARGET_armv6 = "armv6-linux-gcc"
+VPXTARGET_armv7a = "armv7-linux-gcc"
+VPXTARGET ?= "generic-gnu"
+
+CONFIGUREOPTS = " \
+ --target=${VPXTARGET} \
+ --enable-vp8 \
+ --enable-libs \
+ --disable-install-docs \
+"
+do_configure() {
+ ${S}/configure ${CONFIGUREOPTS}
+}
+do_compile() {
+ oe_runmake
+}
+do_install() {
+ oe_runmake install DESTDIR=${D}
+}
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
new file mode 100644
index 0000000..37f5108
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/CVE-2010-4203.patch
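Review bot: `SRC_URI` in libvpx.inc fetches the tarball over plain `http://`, so the download's integrity rests entirely on the recipe checksums, and those are set in libvpx_0.9.5.bb rather than in this include. A comment above `SRC_URI` such as `# fetched over http: every recipe that requires this file must set SRC_URI[sha256sum]` would make that dependency explicit for the next version bump. If the upstream host serves the same file over https, switching the URL would be preferable, though that cannot be confirmed from this page.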
@@ -0,0 +1,69 @@
+From: John Koleszar
+Date: Thu, 4 Nov 2010 20:59:26 +0000 (-0400)
+Subject: fix integer promotion bug in partition size check
+X-Git-Url: https://review.webmproject.org/gitweb?p=libvpx.git;a=commitdiff_plain;h=9fb80f7170ec48e23c3c7b477149eeb37081c699
+
+fix integer promotion bug in partition size check
+
+The check '(user_data_end - partition < partition_size)' must be
+evaluated as a signed comparison, but because partition_size was
+unsigned, the LHS was promoted to unsigned, causing an incorrect
+result on 32-bit. Instead, check the upper and lower bounds of
+the segment separately.
+
+Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
+---
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 2d81d61..f5e49a1 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+ partition_size = user_data_end - partition;
+ }
+
+- if (user_data_end - partition < partition_size)
++ if (partition + partition_size > user_data_end
++ || partition + partition_size < partition)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition "
+ "%d length", i + 1);
+@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+ (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+ data += 3;
+
+- if (data_end - data < first_partition_length_in_bytes)
++ if (data + first_partition_length_in_bytes > data_end
++ || data + first_partition_length_in_bytes < data)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition 0 length");
+ vp8_setup_version(pc);
+diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
+index e7e5356..f0adf5b 100644
+--- a/vp8/vp8_dx_iface.c
++++ b/vp8/vp8_dx_iface.c
+@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data,
+ unsigned int data_sz,
+ vpx_codec_stream_info_t *si)
+ {
+-
+ vpx_codec_err_t res = VPX_CODEC_OK;
++
++ if(data + data_sz <= data)
++ res = VPX_CODEC_INVALID_PARAM;
++ else
+ {
+ /* Parse uncompresssed part of key frame header.
+ * 3 bytes:- including version, frame type and an offset
+@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx,
+
+ ctx->img_avail = 0;
+
+- /* Determine the stream parameters */
++ /* Determine the stream parameters. Note that we rely on peek_si to
++ * validate that we have a buffer that does not wrap around the top
++ * of the heap.
++ */
+ if (!ctx->si.h)
+ res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/libvpx-configure-support-blank-prefix.patch b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/libvpx-configure-support-blank-prefix.patch
new file mode 100644
index 0000000..1bf863d
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx/libvpx-configure-support-blank-prefix.patch
@@ -0,0 +1,43 @@
+Upstream: not yet
+
+Fix configure to accept "--prefix=" (a blank prefix).
+
+--- libvpx-0.9.1/build/make/configure.sh.orig 2010-06-17 09:08:56.000000000 -0400
++++ libvpx-0.9.1/build/make/configure.sh 2010-09-23 14:27:48.000000000 -0400
+@@ -444,6 +444,8 @@
+ ;;
+ --prefix=*)
+ prefix="${optval}"
++ # Distinguish between "prefix not set" and "prefix set to ''"
++ prefixset=1
+ ;;
+ --libdir=*)
+ libdir="${optval}"
+@@ -471,13 +473,23 @@
+
+
+ post_process_common_cmdline() {
+- prefix="${prefix:-/usr/local}"
++ if [ "$prefixset" != "1" ]
++ then
++ prefix=/usr/local
++ fi
++
++ # Strip trailing slash
+ prefix="${prefix%/}"
++
+ libdir="${libdir:-${prefix}/lib}"
+ libdir="${libdir%/}"
+- if [ "${libdir#${prefix}}" = "${libdir}" ]; then
+- die "Libdir ${libdir} must be a subdirectory of ${prefix}"
+- fi
++
++ case "$libdir" in
++ "${prefix}/"*) ;;
++ *)
++ die "Libdir ${libdir} must be a subdirectory of ${prefix}"
++ ;;
++ esac
+ }
+
+
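Review bot: The new bounds checks in CVE-2010-4203.patch detect wraparound by overflowing a pointer, which is undefined behaviour in C, so an optimising compiler may assume the sum never wraps and drop the test. This applies to `partition + partition_size < partition` in setup_token_decoder, `data + first_partition_length_in_bytes < data` in vp8_decode_frame, and the guard `data + data_sz <= data` in vp8_peek_si. Comparing the length against the remaining byte count keeps the arithmetic in range, for example `if (partition_size > (size_t)(user_data_end - partition))`, assuming `partition` never passes `user_data_end`, which the hunk does not show. Because this file is a backport of an upstream commit, it is worth checking whether a later upstream revision reworks these checks before editing the patch locally. All three functions continue outside the quoted hunks.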
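Review bot: `prefixset` is assigned only in the `--prefix=*` arm of configure.sh and nothing in the visible hunks initialises it, so a `prefixset=1` inherited from the caller's environment would make post_process_common_cmdline skip the `/usr/local` default and continue with whatever `prefix` happens to hold. Clearing it before option parsing, e.g. `prefixset=` next to the other defaults, removes that dependency on the environment. The initialisation may exist outside these hunks, since both the option loop and the defaults section are only partly shown.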
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx_0.9.5.bb b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx_0.9.5.bb
new file mode 100644
index 0000000..2236524
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/webm/libvpx_0.9.5.bb
@@ -0,0 +1,18 @@
+require libvpx.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6e8dee932c26f2dab503abf70c96d8bb"
+
+PR = "${INC_PR}.0"
+
+SRC_URI += "file://libvpx-configure-support-blank-prefix.patch \
+ file://CVE-2010-4203.patch \
+ "
+
+SRC_URI[md5sum] = "4bf2f2c76700202c1fe9201fcb0680e3"
+SRC_URI[sha256sum] = "2e93968afcded113a7e218de047feecf6659a089058803a9e40fb687de5f9bfa"
+
+CONFIGUREOPTS += " \
+ --prefix=${prefix} \
+ --libdir=${libdir} \
+"
+
--
2.7.4