diff options
author | Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> | 2021-01-12 17:37:31 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-01-13 23:13:46 +0000 |
commit | da5e394782246acd5c09d2c3209568959e59d019 (patch) | |
tree | 83002ae0050c88351761a96756537d2596c781d2 | |
parent | cf73a72632806a609ea900bfcb28c2b68ad7ba08 (diff) | |
download | poky-da5e394782246acd5c09d2c3209568959e59d019.tar.gz |
ffmpeg: Fix CVE-2020-35964, CVE-2020-35965
Backport the CVE patches from upstream:
https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
CVE:
CVE-2020-35964
CVE-2020-35965
(From OE-Core rev: 526ee4ca2c493de1ac494b69e5ce9a9e55835c3a)
Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch | 75 | ||||
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch | 35 | ||||
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb | 2 |
3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch new file mode 100644 index 0000000000..6b96bd674f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 27a99e2c7d450fef15594671eef4465c8a166bd7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Wed, 28 Oct 2020 20:11:54 +0100 | ||
4 | Subject: [PATCH] avformat/vividas: improve extradata packing checks in | ||
5 | track_header() | ||
6 | |||
7 | Fixes: out of array accesses | ||
8 | Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640 | ||
9 | |||
10 | Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg | ||
11 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7] | ||
14 | |||
15 | CVE: CVE-2020-35964 | ||
16 | |||
17 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
18 | Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> | ||
19 | --- | ||
20 | libavformat/vividas.c | 12 ++++++------ | ||
21 | 1 file changed, 6 insertions(+), 6 deletions(-) | ||
22 | |||
23 | diff --git a/libavformat/vividas.c b/libavformat/vividas.c | ||
24 | index 83d0ed116787..46c66bf9a0ae 100644 | ||
25 | --- a/libavformat/vividas.c | ||
26 | +++ b/libavformat/vividas.c | ||
27 | @@ -28,6 +28,7 @@ | ||
28 | * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV | ||
29 | */ | ||
30 | |||
31 | +#include "libavutil/avassert.h" | ||
32 | #include "libavutil/intreadwrite.h" | ||
33 | #include "avio_internal.h" | ||
34 | #include "avformat.h" | ||
35 | @@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * | ||
36 | |||
37 | if (avio_tell(pb) < off) { | ||
38 | int num_data; | ||
39 | - int xd_size = 0; | ||
40 | + int xd_size = 1; | ||
41 | int data_len[256]; | ||
42 | int offset = 1; | ||
43 | uint8_t *p; | ||
44 | @@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * | ||
45 | return AVERROR_INVALIDDATA; | ||
46 | } | ||
47 | data_len[j] = len; | ||
48 | - xd_size += len; | ||
49 | + xd_size += len + 1 + len/255; | ||
50 | } | ||
51 | |||
52 | - ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 255); | ||
53 | + ret = ff_alloc_extradata(st->codecpar, xd_size); | ||
54 | if (ret < 0) | ||
55 | return ret; | ||
56 | |||
57 | @@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * | ||
58 | |||
59 | for (j = 0; j < num_data - 1; j++) { | ||
60 | unsigned delta = av_xiphlacing(&p[offset], data_len[j]); | ||
61 | - if (delta > data_len[j]) { | ||
62 | - return AVERROR_INVALIDDATA; | ||
63 | - } | ||
64 | + av_assert0(delta <= xd_size - offset); | ||
65 | offset += delta; | ||
66 | } | ||
67 | |||
68 | @@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t * | ||
69 | av_freep(&st->codecpar->extradata); | ||
70 | break; | ||
71 | } | ||
72 | + av_assert0(data_len[j] <= xd_size - offset); | ||
73 | offset += data_len[j]; | ||
74 | } | ||
75 | |||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch new file mode 100644 index 0000000000..ddab8e9aca --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
3 | Date: Sat, 24 Oct 2020 22:21:48 +0200 | ||
4 | Subject: [PATCH] avcodec/exr: Check ymin vs. h | ||
5 | |||
6 | Fixes: out of array access | ||
7 | Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 | ||
8 | Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 | ||
9 | |||
10 | Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg | ||
11 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
12 | |||
13 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b] | ||
14 | |||
15 | CVE: CVE-2020-35965 | ||
16 | |||
17 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
18 | Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> | ||
19 | --- | ||
20 | libavcodec/exr.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/libavcodec/exr.c b/libavcodec/exr.c | ||
24 | index e907c5c46401..8b701d1cd298 100644 | ||
25 | --- a/libavcodec/exr.c | ||
26 | +++ b/libavcodec/exr.c | ||
27 | @@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, | ||
28 | // Zero out the start if ymin is not 0 | ||
29 | for (i = 0; i < planes; i++) { | ||
30 | ptr = picture->data[i]; | ||
31 | - for (y = 0; y < s->ymin; y++) { | ||
32 | + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { | ||
33 | memset(ptr, 0, out_line_size); | ||
34 | ptr += picture->linesize[i]; | ||
35 | } | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb index 97b2d21d31..ded8232713 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb | |||
@@ -27,6 +27,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | |||
27 | file://mips64_cpu_detection.patch \ | 27 | file://mips64_cpu_detection.patch \ |
28 | file://0001-lavf-srt-fix-build-fail-when-used-the-libsrt-1.4.1.patch \ | 28 | file://0001-lavf-srt-fix-build-fail-when-used-the-libsrt-1.4.1.patch \ |
29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | 29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
30 | file://CVE-2020-35964.patch \ | ||
31 | file://CVE-2020-35965.patch \ | ||
30 | " | 32 | " |
31 | SRC_URI[sha256sum] = "ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb" | 33 | SRC_URI[sha256sum] = "ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb" |
32 | 34 | ||