ffmpeg: fix CVE-2020-22021

avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 (From OE-Core rev: b30f647225ecc71207696df3951716e85b886ca4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> CVE: CVE-2020-22021 Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-07-27 16:20:45 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-07-28 23:47:00 +0100
commit: 01d224ae48a20c9f1e992d187ac3e466f7d6d365 (patch)
tree: 4b78d6e857eb4bb520c88f5c105f0425f2212350 /meta/recipes-multimedia/ffmpeg
parent: 92704af67d9bcac0c838f903c5cc2c07a9caf84d (diff)
download: poky-01d224ae48a20c9f1e992d187ac3e466f7d6d365.tar.gz
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
new file mode 100644
index 0000000000..6f7fce0e4c
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
@@ -0,0 +1,87 @@
+From 7971f62120a55c141ec437aa3f0bacc1c1a3526b Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 11:17:35 +0200
+Subject: [PATCH] avfilter/vf_yadif: Fix handing of tiny images
+Fixes: out of array access
+Fixes: Ticket8240
+Fixes: CVE-2020-22021
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2020-22021
+Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavfilter/vf_yadif.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
+index 91cc79ecc3..b0d9fbaf1f 100644
+--- a/libavfilter/vf_yadif.c
+++ b/libavfilter/vf_yadif.c
+@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
+     uint8_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN - 1;
+    int offset = FFMAX(w - edge, 3);
+ 
+     /* Only edge pixels need to be processed here.  A constant value of false
+      * for is_not_edge should let the compiler ignore the whole branch. */
+-    FILTER(0, 3, 0)
+    FILTER(0, FFMIN(3, w), 0)
+ 
+-    dst  = (uint8_t*)dst1  + w - edge;
+-    prev = (uint8_t*)prev1 + w - edge;
+-    cur  = (uint8_t*)cur1  + w - edge;
+-    next = (uint8_t*)next1 + w - edge;
+    dst  = (uint8_t*)dst1  + offset;
+    prev = (uint8_t*)prev1 + offset;
+    cur  = (uint8_t*)cur1  + offset;
+    next = (uint8_t*)next1 + offset;
+     prev2 = (uint8_t*)(parity ? prev : cur);
+     next2 = (uint8_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
+    FILTER(offset, w - 3, 1)
+    offset = FFMAX(offset, w - 3);
+    FILTER(offset, w, 0)
+ }
+ 
+ 
+@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
+     uint16_t *next2 = parity ? cur  : next;
+ 
+     const int edge = MAX_ALIGN / 2 - 1;
+    int offset = FFMAX(w - edge, 3);
+ 
+     mrefs /= 2;
+     prefs /= 2;
+ 
+-    FILTER(0, 3, 0)
+    FILTER(0,  FFMIN(3, w), 0)
+ 
+-    dst   = (uint16_t*)dst1  + w - edge;
+-    prev  = (uint16_t*)prev1 + w - edge;
+-    cur   = (uint16_t*)cur1  + w - edge;
+-    next  = (uint16_t*)next1 + w - edge;
+    dst   = (uint16_t*)dst1  + offset;
+    prev  = (uint16_t*)prev1 + offset;
+    cur   = (uint16_t*)cur1  + offset;
+    next  = (uint16_t*)next1 + offset;
+     prev2 = (uint16_t*)(parity ? prev : cur);
+     next2 = (uint16_t*)(parity ? cur  : next);
+ 
+-    FILTER(w - edge, w - 3, 1)
+-    FILTER(w - 3, w, 0)
+    FILTER(offset, w - 3, 1)
+    offset = FFMAX(offset, w - 3);
+    FILTER(offset, w, 0)
+ }
+ 
+ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
+-- 
+2.32.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
index 786f7abc20..f1b3c027e3 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://fix-CVE-2020-20446.patch \
           file://fix-CVE-2020-20453.patch \
           file://fix-CVE-2020-22015.patch \
+           file://fix-CVE-2020-22021.patch \
           "
 SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909"
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-07-27 16:20:45 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-07-28 23:47:00 +0100
commit	01d224ae48a20c9f1e992d187ac3e466f7d6d365 (patch)
tree	4b78d6e857eb4bb520c88f5c105f0425f2212350 /meta/recipes-multimedia/ffmpeg
parent	92704af67d9bcac0c838f903c5cc2c07a9caf84d (diff)
download	poky-01d224ae48a20c9f1e992d187ac3e466f7d6d365.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch new file mode 100644 index 0000000000..6f7fce0e4c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
@@ -0,0 +1,87 @@
		1	From 7971f62120a55c141ec437aa3f0bacc1c1a3526b Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Sat, 29 May 2021 11:17:35 +0200
		4	Subject: [PATCH] avfilter/vf_yadif: Fix handing of tiny images
		5
		6	Fixes: out of array access
		7	Fixes: Ticket8240
		8	Fixes: CVE-2020-22021
		9
		10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		11
		12	CVE: CVE-2020-22021
		13	Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
		14
		15	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		16	---
		17	libavfilter/vf_yadif.c \| 32 ++++++++++++++++++--------------
		18	1 file changed, 18 insertions(+), 14 deletions(-)
		19
		20	diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
		21	index 91cc79ecc3..b0d9fbaf1f 100644
		22	--- a/libavfilter/vf_yadif.c
		23	+++ b/libavfilter/vf_yadif.c
		24	@@ -123,20 +123,22 @@ static void filter_edges(void dst1, void prev1, void cur1, void next1,
		25	uint8_t *next2 = parity ? cur : next;
		26
		27	const int edge = MAX_ALIGN - 1;
		28	+ int offset = FFMAX(w - edge, 3);
		29
		30	/* Only edge pixels need to be processed here. A constant value of false
		31	* for is_not_edge should let the compiler ignore the whole branch. */
		32	- FILTER(0, 3, 0)
		33	+ FILTER(0, FFMIN(3, w), 0)
		34
		35	- dst = (uint8_t*)dst1 + w - edge;
		36	- prev = (uint8_t*)prev1 + w - edge;
		37	- cur = (uint8_t*)cur1 + w - edge;
		38	- next = (uint8_t*)next1 + w - edge;
		39	+ dst = (uint8_t*)dst1 + offset;
		40	+ prev = (uint8_t*)prev1 + offset;
		41	+ cur = (uint8_t*)cur1 + offset;
		42	+ next = (uint8_t*)next1 + offset;
		43	prev2 = (uint8_t*)(parity ? prev : cur);
		44	next2 = (uint8_t*)(parity ? cur : next);
		45
		46	- FILTER(w - edge, w - 3, 1)
		47	- FILTER(w - 3, w, 0)
		48	+ FILTER(offset, w - 3, 1)
		49	+ offset = FFMAX(offset, w - 3);
		50	+ FILTER(offset, w, 0)
		51	}
		52
		53
		54	@@ -170,21 +172,23 @@ static void filter_edges_16bit(void dst1, void prev1, void cur1, void next1,
		55	uint16_t *next2 = parity ? cur : next;
		56
		57	const int edge = MAX_ALIGN / 2 - 1;
		58	+ int offset = FFMAX(w - edge, 3);
		59
		60	mrefs /= 2;
		61	prefs /= 2;
		62
		63	- FILTER(0, 3, 0)
		64	+ FILTER(0, FFMIN(3, w), 0)
		65
		66	- dst = (uint16_t*)dst1 + w - edge;
		67	- prev = (uint16_t*)prev1 + w - edge;
		68	- cur = (uint16_t*)cur1 + w - edge;
		69	- next = (uint16_t*)next1 + w - edge;
		70	+ dst = (uint16_t*)dst1 + offset;
		71	+ prev = (uint16_t*)prev1 + offset;
		72	+ cur = (uint16_t*)cur1 + offset;
		73	+ next = (uint16_t*)next1 + offset;
		74	prev2 = (uint16_t*)(parity ? prev : cur);
		75	next2 = (uint16_t*)(parity ? cur : next);
		76
		77	- FILTER(w - edge, w - 3, 1)
		78	- FILTER(w - 3, w, 0)
		79	+ FILTER(offset, w - 3, 1)
		80	+ offset = FFMAX(offset, w - 3);
		81	+ FILTER(offset, w, 0)
		82	}
		83
		84	static int filter_slice(AVFilterContext ctx, void arg, int jobnr, int nb_jobs)
		85	--
		86	2.32.0
		87


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 786f7abc20..f1b3c027e3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
28	file://fix-CVE-2020-20446.patch \	28	file://fix-CVE-2020-20446.patch \
29	file://fix-CVE-2020-20453.patch \	29	file://fix-CVE-2020-20453.patch \
30	file://fix-CVE-2020-22015.patch \	30	file://fix-CVE-2020-22015.patch \
		31	file://fix-CVE-2020-22021.patch \
31	"	32	"
32	SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909"	33	SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909"
33		34