ffmpeg: Add fix for CVEs

Add fix for below CVE: CVE-2021-3566 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532] CVE-2021-38291 Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1] (From OE-Core rev: 89df45b9e69a0d5c62a7e05156bc0d3fc85c77fd) Signed-off-by: Saloni Jain <jainsaloni0918@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Saloni <salonij@kpit.com> 2021-10-05 11:02:21 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-10-23 23:14:16 +0100
commit: e86adf76ab5622add5d7632006104fe448094ff5 (patch)
tree: 55523466ce2cb4c8297ade9da6897a8c3dafede5 /meta/recipes-multimedia/ffmpeg
parent: 9c007cb1e35f4744682f9f00fe15ceb18fbf7ffc (diff)
download: poky-e86adf76ab5622add5d7632006104fe448094ff5.tar.gz
3 files changed, 117 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
new file mode 100644
index 0000000000..abfc024820
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
+++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+ 
+static int isansicode(int x)
+{
+    return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
+}
+
+static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
+
+ typedef struct TtyDemuxContext {
+     AVClass *class;
+     int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+     AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+ 
+static int read_probe(const AVProbeData *p)
+{
+    int cnt = 0;
+
+    for (int i = 0; i < p->buf_size; i++)
+        cnt += !!isansicode(p->buf[i]);
+
+    return (cnt * 100LL / p->buf_size) * (cnt > 400) *
+        !!av_match_ext(p->filename, tty_extensions);
+}
+
+ /**
+  * Parse EFI header
+  */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+     .name           = "tty",
+     .long_name      = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+     .priv_data_size = sizeof(TtyDemuxContext),
+    .read_probe     = read_probe,
+     .read_header    = read_header,
+     .read_packet    = read_packet,
+-    .extensions     = "ans,art,asc,diz,ice,nfo,txt,vt",
+    .extensions     = tty_extensions,
+     .priv_class     = &tty_demuxer_class,
+ };
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
new file mode 100644
index 0000000000..e5be985fc3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+                                     avctx->channels, avctx->block_align,
+                                     avctx->codec_tag, avctx->bits_per_coded_sample,
+                                     avctx->bit_rate, avctx->extradata, avctx->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
+    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+                                     par->channels, par->block_align,
+                                     par->codec_tag, par->bits_per_coded_sample,
+                                     par->bit_rate, par->extradata, par->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ #if !HAVE_THREADS
+-- 
+2.20.1
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index 0e359848fa..1d6f2e528b 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://mips64_cpu_detection.patch \
           file://CVE-2020-12284.patch \
           file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
-           "
+           file://CVE-2021-3566.patch \
+           file://CVE-2021-38291.patch \
+          "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
author	Saloni <salonij@kpit.com>	2021-10-05 11:02:21 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-10-23 23:14:16 +0100
commit	e86adf76ab5622add5d7632006104fe448094ff5 (patch)
tree	55523466ce2cb4c8297ade9da6897a8c3dafede5 /meta/recipes-multimedia/ffmpeg
parent	9c007cb1e35f4744682f9f00fe15ceb18fbf7ffc (diff)
download	poky-e86adf76ab5622add5d7632006104fe448094ff5.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch new file mode 100644 index 0000000000..abfc024820 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
		1	From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
		2	From: Paul B Mahol <onemda@gmail.com>
		3	Date: Mon, 27 Jan 2020 21:53:08 +0100
		4	Subject: [PATCH] avformat/tty: add probe function
		5
		6	CVE: CVE-2021-3566
		7	Signed-off-by: Saloni Jain <salonij@kpit.com>
		8
		9	Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
		10	Comment: No changes/refreshing done.
		11	---
		12	libavformat/tty.c \| 21 ++++++++++++++++++++-
		13	1 file changed, 20 insertions(+), 1 deletion(-)
		14
		15	diff --git a/libavformat/tty.c b/libavformat/tty.c
		16	index 8d48f2c45c12..60f7e9f87ee7 100644
		17	--- a/libavformat/tty.c
		18	+++ b/libavformat/tty.c
		19	@@ -34,6 +34,13 @@
		20	#include "internal.h"
		21	#include "sauce.h"
		22
		23	+static int isansicode(int x)
		24	+{
		25	+ return x == 0x1B \|\| x == 0x0A \|\| x == 0x0D \|\| (x >= 0x20 && x < 0x7f);
		26	+}
		27	+
		28	+static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
		29	+
		30	typedef struct TtyDemuxContext {
		31	AVClass *class;
		32	int chars_per_frame;
		33	@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
		34	AVRational framerate; /*< Set by a private option. /
		35	} TtyDemuxContext;
		36
		37	+static int read_probe(const AVProbeData *p)
		38	+{
		39	+ int cnt = 0;
		40	+
		41	+ for (int i = 0; i < p->buf_size; i++)
		42	+ cnt += !!isansicode(p->buf[i]);
		43	+
		44	+ return (cnt * 100LL / p->buf_size) * (cnt > 400) *
		45	+ !!av_match_ext(p->filename, tty_extensions);
		46	+}
		47	+
		48	/**
		49	* Parse EFI header
		50	*/
		51	@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
		52	.name = "tty",
		53	.long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
		54	.priv_data_size = sizeof(TtyDemuxContext),
		55	+ .read_probe = read_probe,
		56	.read_header = read_header,
		57	.read_packet = read_packet,
		58	- .extensions = "ans,art,asc,diz,ice,nfo,txt,vt",
		59	+ .extensions = tty_extensions,
		60	.priv_class = &tty_demuxer_class,
		61	};


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch new file mode 100644 index 0000000000..e5be985fc3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
		1	From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
		2	From: James Almer <jamrial@gmail.com>
		3	Date: Wed, 21 Jul 2021 01:02:44 -0300
		4	Subject: [PATCH] avcodec/utils: don't return negative values in
		5	av_get_audio_frame_duration()
		6
		7	In some extrme cases, like with adpcm_ms samples with an extremely high channel
		8	count, get_audio_frame_duration() may return a negative frame duration value.
		9	Don't propagate it, and instead return 0, signaling that a duration could not
		10	be determined.
		11
		12	CVE: CVE-2021-3566
		13	Fixes ticket #9312
		14	Signed-off-by: James Almer <jamrial@gmail.com>
		15	Signed-off-by: Saloni Jain <salonij@kpit.com>
		16
		17	Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
		18	Comment: No changes/refreshing done.
		19	---
		20	libavcodec/utils.c \| 6 ++++--
		21	1 file changed, 4 insertions(+), 2 deletions(-)
		22
		23	diff --git a/libavcodec/utils.c b/libavcodec/utils.c
		24	index 5fad782f5a..cfc07cbcb8 100644
		25	--- a/libavcodec/utils.c
		26	+++ b/libavcodec/utils.c
		27	@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
		28
		29	int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
		30	{
		31	- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		32	+ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		33	avctx->channels, avctx->block_align,
		34	avctx->codec_tag, avctx->bits_per_coded_sample,
		35	avctx->bit_rate, avctx->extradata, avctx->frame_size,
		36	frame_bytes);
		37	+ return FFMAX(0, duration);
		38	}
		39
		40	int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
		41	{
		42	- return get_audio_frame_duration(par->codec_id, par->sample_rate,
		43	+ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
		44	par->channels, par->block_align,
		45	par->codec_tag, par->bits_per_coded_sample,
		46	par->bit_rate, par->extradata, par->frame_size,
		47	frame_bytes);
		48	+ return FFMAX(0, duration);
		49	}
		50
		51	#if !HAVE_THREADS
		52	--
		53	2.20.1


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index 0e359848fa..1d6f2e528b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
27	file://mips64_cpu_detection.patch \	27	file://mips64_cpu_detection.patch \
28	file://CVE-2020-12284.patch \	28	file://CVE-2020-12284.patch \
29	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \	29	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
30	"	30	file://CVE-2021-3566.patch \
		31	file://CVE-2021-38291.patch \
		32	"
31	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"	33	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
32	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"	34	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
33		35