packages/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:fa9242aec725a5170fc3416ebbc544883b9b4d4c
Branches Tags
packages:main
..
compare: packages:94d2c8b96ba3c67a5ca80b5a8f3d7669629e737b
Branches Tags
packages:main

No commits in common. "fa9242aec725a5170fc3416ebbc544883b9b4d4c" and "94d2c8b96ba3c67a5ca80b5a8f3d7669629e737b" have entirely different histories.
fa9242aec7 ... 94d2c8b96b

9 changed files with 1 additions and 284 deletions
Show Stats Expand all files Collapse all files

25
CVE-2020-35965.patch
View File

@ -1,25 +0,0 @@
From 1672c855be7edde17571f98fa603c4fc5270e516 Mon Sep 17 00:00:00 2001
From: happyworker <208suo@208suo.com>
Date: Wed, 18 Sep 2024 15:57:22 +0800
Subject: [PATCH] CVE-2020-35965
---
libavcodec/exr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index ba6e3fd..5558d55 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1791,7 +1791,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
ptr = picture->data[0];
// Zero out the start if ymin is not 0
- for (y = 0; y < s->ymin; y++) {
+ for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
memset(ptr, 0, out_line_size);
ptr += picture->linesize[0];
}
--
2.27.0

29
backport-CVE-2024-35366.patch
View File

@ -1,29 +0,0 @@
From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 26 Mar 2024 00:39:49 +0100
Subject: [PATCH] avformat/sbgdec: Check for negative duration
Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/sbgdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index bc2469afd1..e60eb1481e 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p)
case 'L':
FORWARD_ERROR(parse_optarg(p, opt, &oarg));
r = str_to_time(oarg.s, &p->scs.opt_duration);
- if (oarg.e != oarg.s + r) {
+ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
snprintf(p->err_msg, sizeof(p->err_msg),
"syntax error for option -L");
return AVERROR_INVALIDDATA;
--
2.33.0

41
backport-CVE-2024-35367.patch
View File

@ -1,41 +0,0 @@
From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Wed, 13 Mar 2024 02:10:26 +0100
Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
belong together and the former allows the range 0..6,
so the latter needs to support 0..3. But it has only three
elements. Add another one.
The value for the last element has been guesstimated
from subpel_filters in libavcodec/vp8dsp.c.
This is also intended to fix FATE-failures with UBSan here:
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Tested-by: Sean McGovern <gseanmcg@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
index 12dac8b0a8..061914fc38 100644
--- a/libavcodec/ppc/vp8dsp_altivec.c
+++ b/libavcodec/ppc/vp8dsp_altivec.c
@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
// for 6tap filters, these are the outer two taps
// The zeros mask off pixels 4-7 when filtering 0-3
// and vice-versa
-static const vec_s8 h_subpel_filters_outer[3] =
+static const vec_s8 h_subpel_filters_outer[4] =
{
REPT4(0, 0, 2, 1),
REPT4(0, 0, 3, 3),
REPT4(0, 0, 1, 2),
+ REPT4(0, 0, 0, 0),
};
#define LOAD_H_SUBPEL_FILTER(i) \
--
2.33.0

35
backport-CVE-2024-35368.patch
View File

@ -1,35 +0,0 @@
From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 24 Sep 2023 13:15:48 +0200
Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/rkmppdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
index 7665098c6a..6889545b20 100644
--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
if (!frame->hw_frames_ctx) {
- ret = AVERROR(ENOMEM);
- goto fail;
+ av_frame_unref(frame);
+ return AVERROR(ENOMEM);
}
return 0;
--
2.33.0

36
backport-CVE-2024-36613.patch
View File

@ -1,36 +0,0 @@
From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 00:51:29 +0200
Subject: [PATCH] avformat/dxa: Adjust order of operations around block
align
Fixes:
51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464
Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in
type 'int'
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/dxa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dxa.c b/libavformat/dxa.c
index 298cda0..e46c9b0 100644
--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s)
}
c->bpc = (fsize + c->frames - 1) / c->frames;
if(ast->codecpar->block_align)
- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align;
c->bytes_left = fsize;
c->wavpos = avio_tell(pb);
avio_seek(pb, c->vidpos, SEEK_SET);
--
2.41.0

29
backport-CVE-2024-36616.patch
View File

@ -1,29 +0,0 @@
From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 26 Mar 2024 01:00:13 +0100
Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets
Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/westwood_vqa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
index 954710a6f0..3a31e3f5e8 100644
--- a/libavformat/westwood_vqa.c
+++ b/libavformat/westwood_vqa.c
@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
break;
case SND2_TAG:
/* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
- pkt->duration = (chunk_size * 2) / wsvqa->channels;
+ pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
break;
}
break;
--
2.33.0

31
backport-CVE-2024-36617.patch
View File

@ -1,31 +0,0 @@
From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 00:38:17 +0200
Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit
Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/cafdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 8622859..f5c62a8 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -209,7 +209,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb);
}
- if (avio_tell(pb) - ccount > size) {
+ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
av_log(s, AV_LOG_ERROR, "error reading packet table\n");
return AVERROR_INVALIDDATA;
}
--
2.43.0

31
backport-CVE-2024-36618.patch
View File

@ -1,31 +0,0 @@
From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Tue, 12 Mar 2024 23:23:17 +0100
Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 59c06ea..81e904d 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1645,7 +1645,7 @@ static int check_stream_max_drift(AVFormatContext *s)
int *idx = av_mallocz_array(s->nb_streams, sizeof(*idx));
if (!idx)
return AVERROR(ENOMEM);
- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
int64_t max_dts = INT64_MIN / 2;
int64_t min_dts = INT64_MAX / 2;
int64_t max_buffer = 0;
--
2.43.0

28
ffmpeg.spec
View File

@ -60,7 +60,7 @@
Summary: Digital VCR and streaming server Summary: Digital VCR and streaming server
Name: ffmpeg%{?flavor} Name: ffmpeg%{?flavor}
Version: 4.2.4 Version: 4.2.4
Release: 22 Release: 17
License: %{ffmpeg_license} License: %{ffmpeg_license}
URL: http://ffmpeg.org/ URL: http://ffmpeg.org/
%if 0%{?date} %if 0%{?date}
@ -86,14 +86,6 @@ Patch14: CVE-2021-28429.patch
Patch15: fix-CVE-2024-32230.patch Patch15: fix-CVE-2024-32230.patch
Patch16: CVE-2022-1475.patch Patch16: CVE-2022-1475.patch
Patch17: CVE-2022-48434.patch Patch17: CVE-2022-48434.patch
Patch18: CVE-2020-35965.patch
Patch19: backport-CVE-2024-35366.patch
Patch20: backport-CVE-2024-35367.patch
Patch21: backport-CVE-2024-35368.patch
Patch22: backport-CVE-2024-36616.patch
Patch23: backport-CVE-2024-36618.patch
Patch24: backport-CVE-2024-36617.patch
Patch25: backport-CVE-2024-36613.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel} %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@ -427,24 +419,6 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
%changelog %changelog
* Sun Jan 5 2025 changtao <changtao@kylinos.cn> - 4.2.4-22
- Type: CVE
- CVE: CVE-2024-36613
- SUG: NA
- DESC: fix CVE-2024-36613
* Fri Dec 13 2024 liningjie <liningjie@xfusion.com> - 4.2.4-21
- fix CVE-2024-36617 CVE-2024-36618
* Mon Dec 02 2024 liningjie <liningjie@xfusion.com> - 4.2.4-20
- fix CVE-2024-35368 CVE-2024-36616
* Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 4.2.4-19
- fix CVE-2024-35366 CVE-2024-35367
* Wed Sep 18 2024 happyworker <208suo@208suo.com> - 4.2.4-18
- Fix CVE-2020-35965.patch
* Mon Jul 15 2024 happyworker <208suo@208suo.com> - 4.2.4-17 * Mon Jul 15 2024 happyworker <208suo@208suo.com> - 4.2.4-17
- Fix CVE-2022-48434 - Fix CVE-2022-48434