Use secure_getenv(3) to improve security
This patch is in response to the following security vulnerabilities
(CVEs) reported to NVIDIA against libvdpau:
CVE-2015-5198
CVE-2015-5199
CVE-2015-5200
To address these CVEs, this patch:
- replaces all uses of getenv(3) with secure_getenv(3);
- uses secure_getenv(3) when available, with a fallback option;
- protects VDPAU_DRIVER against directory traversal by checking for '/'
On platforms where secure_getenv(3) is not available, the C preprocessor
will print a warning at compile time. Then, a preprocessor macro will
replace secure_getenv(3) with our getenv_wrapper(), which utilizes the check:
getuid() == geteuid() && getgid() == getegid()
See getuid(2) and getgid(2) for further details.
-
Implement workarounds for Adobe Flash bugs
Implement two workarounds:
1) Swap U and V planes to VdpVideoSurfacePutBitsYCbCr to fix blue-tinged
videos.
2) Disable VdpPresentationQueueSetBackgroundColor, so that Flash doesn't
set the background to pure black or pure white, which would cause the
VDPAU image to bleed through to other parts of the desktop with those
very common colors.
-
vdpau_wrapper.c: Track dynamic library handles and free them on exit
using __attribute__((destructor))
Changes since 0.4:
vdpau.h: Clarify video mixer field amount recommendation
More doc issues pointed out by Xine authors.
* Fix Doxygen warning; it gets confused by quotes.
* Add subsection names, so part of the title doesn't get swallowed as the
subsection name.
* Document data required from MPEG-4 Part 2 & DivX bitstream.
vpdau.h: Fix typo and clarify wording.
The Video Decode and Presentation API for Unix (VDPAU) provides a complete
solution for decoding, post-processing, compositing, and displaying
compressed or uncompressed video streams. These video streams may be
combined (composited) with bitmap content, to implement OSDs and other
application user interfaces.
This VDPAU API allows video programs to offload portions of the video
decoding process and video post-processing to the GPU video-hardware.
