fix CVE-2021-30145

(cherry picked from commit 628bfe878e0d9468b231369064d41000979a374d)
2024-06-12 14:02:29 +08:00 · 2024-06-12 14:02:29 +08:00 · 40d806f5d4
commit 40d806f5d4
parent f12d6cebd4
2 changed files with 80 additions and 1 deletions
--- a/CVE-2021-30145.patch
+++ b/CVE-2021-30145.patch
@ -0,0 +1,75 @@
+From 150cceeb8e242367b53b16faf3974c74d8bea94b Mon Sep 17 00:00:00 2001
+From: Stefan Schiller
+Date: Wed, 12 Jun 2024 13:56:55 +0800
+Subject: [PATCH] demux_mf: improve format string processing
+
+Conflict:NA
+Reference:https://github.com/mpv-player/mpv/commit/d0c530919d8cd4d7a774e38ab064e0fabdae34e6
+
+---
+ demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/demux/demux_mf.c b/demux/demux_mf.c
+index ef5a513..7148862 100644
+--- a/demux/demux_mf.c
+++ b/demux/demux_mf.c
+@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+         goto exit_mf;
+     }
+ 
+-    char *fname = talloc_size(mf, strlen(filename) + 32);
+    size_t fname_avail = strlen(filename) + 32;
+    char *fname = talloc_size(mf, fname_avail);
+ 
+ #if HAVE_GLOB
+     if (!strchr(filename, '%')) {
+@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+     }
+ #endif
+ 
+    // We're using arbitrary user input as printf format with 1 int argument.
+    // Any format which uses exactly 1 int argument would be valid, but for
+    // simplicity we reject all conversion specifiers except %% and simple
+    // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
+    const char *f = filename;
+    int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
+
+    while (nspec < 2 && (c = *f++)) {
+        if (c != '%')
+            continue;
+        if (*f != '%') {
+            nspec++;  // conversion specifier which isn't %%
+            if (*f == '.')
+                f++;
+            for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
+                /* no-op */;
+            if (*f != 'd') {
+                bad_spec++;  // not int, or beyond our validation capacity
+                break;
+            }
+        }
+        // *f is '%' or 'd'
+        f++;
+    }
+
+    // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
+    if (bad_spec || nspec != 1) {
+        mp_err(log, "unsupported expr format: '%s'\n", filename);
+        goto exit_mf;
+    }
+
+     mp_info(log, "search expr: %s\n", filename);
+ 
+     while (error_count < 5) {
+-        sprintf(fname, filename, count++);
+        if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) {
+            mp_err(log, "format result too long: '%s'\n", filename);
+            goto exit_mf;
+        }
+         if (!mp_path_exists(fname)) {
+             error_count++;
+             mp_verbose(log, "file not found: '%s'\n", fname);
+-- 
+2.33.0
+
--- a/mpv.spec
+++ b/mpv.spec
@ -1,6 +1,6 @@
 Name:           mpv
 Version:        0.32.0
-Release:        2
+Release:        3
 Summary:        Movie player playing most video formats and DVDs
 License:        GPLv2+ and LGPLv2+
 URL:            http://mpv.io/
@ -14,6 +14,7 @@ Patch0:         %{name}-config.patch
 Patch1:         ppc_fix.patch
 # Fix pause conflicting
 Patch2:         mpv-rename-local-function-conflicting-with-pause.patch
+Patch3:         CVE-2021-30145.patch

 BuildRequires:  pkgconfig(alsa)
 BuildRequires:  desktop-file-utils
@ -162,6 +163,9 @@ install -Dpm 644 README.md etc/input.conf etc/mpv.conf -t %{buildroot}%{_docdir}
 %{_libdir}/pkgconfig/mpv.pc

 %changelog
+* Wed Jun 12 2024 technology208 <technology@208suo.com> - 0.32.0-3
+- fix CVE-2021-30145
+
 * Tue Aug 10 2021 weidong <weidong@uniontech.com> - 0.32.0-2
 - rename local function conflicting with pause