summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKhairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>2021-01-12 17:37:31 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-01-13 23:13:46 +0000
commitda5e394782246acd5c09d2c3209568959e59d019 (patch)
tree83002ae0050c88351761a96756537d2596c781d2
parentcf73a72632806a609ea900bfcb28c2b68ad7ba08 (diff)
downloadpoky-da5e394782246acd5c09d2c3209568959e59d019.tar.gz
ffmpeg: Fix CVE-2020-35964, CVE-2020-35965
Backport the CVE patches from upstream: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7 https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b CVE: CVE-2020-35964 CVE-2020-35965 (From OE-Core rev: 526ee4ca2c493de1ac494b69e5ce9a9e55835c3a) Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch75
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch35
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb2
3 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
new file mode 100644
index 0000000000..6b96bd674f
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
@@ -0,0 +1,75 @@
1From 27a99e2c7d450fef15594671eef4465c8a166bd7 Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Wed, 28 Oct 2020 20:11:54 +0100
4Subject: [PATCH] avformat/vividas: improve extradata packing checks in
5 track_header()
6
7Fixes: out of array accesses
8Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640
9
10Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
11Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12
13Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7]
14
15CVE: CVE-2020-35964
16
17Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
19---
20 libavformat/vividas.c | 12 ++++++------
21 1 file changed, 6 insertions(+), 6 deletions(-)
22
23diff --git a/libavformat/vividas.c b/libavformat/vividas.c
24index 83d0ed116787..46c66bf9a0ae 100644
25--- a/libavformat/vividas.c
26+++ b/libavformat/vividas.c
27@@ -28,6 +28,7 @@
28 * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
29 */
30
31+#include "libavutil/avassert.h"
32 #include "libavutil/intreadwrite.h"
33 #include "avio_internal.h"
34 #include "avformat.h"
35@@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
36
37 if (avio_tell(pb) < off) {
38 int num_data;
39- int xd_size = 0;
40+ int xd_size = 1;
41 int data_len[256];
42 int offset = 1;
43 uint8_t *p;
44@@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
45 return AVERROR_INVALIDDATA;
46 }
47 data_len[j] = len;
48- xd_size += len;
49+ xd_size += len + 1 + len/255;
50 }
51
52- ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 255);
53+ ret = ff_alloc_extradata(st->codecpar, xd_size);
54 if (ret < 0)
55 return ret;
56
57@@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
58
59 for (j = 0; j < num_data - 1; j++) {
60 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
61- if (delta > data_len[j]) {
62- return AVERROR_INVALIDDATA;
63- }
64+ av_assert0(delta <= xd_size - offset);
65 offset += delta;
66 }
67
68@@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, AVFormatContext *s, uint8_t *
69 av_freep(&st->codecpar->extradata);
70 break;
71 }
72+ av_assert0(data_len[j] <= xd_size - offset);
73 offset += data_len[j];
74 }
75
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
new file mode 100644
index 0000000000..ddab8e9aca
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -0,0 +1,35 @@
1From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
2From: Michael Niedermayer <michael@niedermayer.cc>
3Date: Sat, 24 Oct 2020 22:21:48 +0200
4Subject: [PATCH] avcodec/exr: Check ymin vs. h
5
6Fixes: out of array access
7Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
8Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
9
10Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
11Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
12
13Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]
14
15CVE: CVE-2020-35965
16
17Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
19---
20 libavcodec/exr.c | 2 +-
21 1 file changed, 1 insertion(+), 1 deletion(-)
22
23diff --git a/libavcodec/exr.c b/libavcodec/exr.c
24index e907c5c46401..8b701d1cd298 100644
25--- a/libavcodec/exr.c
26+++ b/libavcodec/exr.c
27@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
28 // Zero out the start if ymin is not 0
29 for (i = 0; i < planes; i++) {
30 ptr = picture->data[i];
31- for (y = 0; y < s->ymin; y++) {
32+ for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
33 memset(ptr, 0, out_line_size);
34 ptr += picture->linesize[i];
35 }
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
index 97b2d21d31..ded8232713 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
@@ -27,6 +27,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
27 file://mips64_cpu_detection.patch \ 27 file://mips64_cpu_detection.patch \
28 file://0001-lavf-srt-fix-build-fail-when-used-the-libsrt-1.4.1.patch \ 28 file://0001-lavf-srt-fix-build-fail-when-used-the-libsrt-1.4.1.patch \
29 file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ 29 file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
30 file://CVE-2020-35964.patch \
31 file://CVE-2020-35965.patch \
30 " 32 "
31SRC_URI[sha256sum] = "ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb" 33SRC_URI[sha256sum] = "ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb"
32 34