ffmpeg: fix CVE-2021-38291

backport from upstream (From OE-Core rev: cbb7b8cfbd4cfe6115e858e14f415d89d182f550) Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kiran Surendran <ksurendr@ala-lpggp3.wrs.com> 2021-09-09 10:13:12 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-17 21:31:37 +0100
commit: 97bcb75926ac8d7e547f81d8084320b6ef9b0d8d (patch)
tree: 51b229eaa17168a0df0c7207461061a586bf6022 /meta/recipes-multimedia
parent: cfc17a7ab5d3b0d6354a7194b8c8746c501959d9 (diff)
download: poky-97bcb75926ac8d7e547f81d8084320b6ef9b0d8d.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch
new file mode 100644
index 0000000000..ef1c760286
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch
@@ -0,0 +1,54 @@
+CVE: CVE-2021-38291
+Upstream-Status: Backport
+Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com>
+From e908bdb157fa493be2b50e2a11055d19c5254a15 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 81e34254e8..5fdb10fe09 100644
+--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
+@@ -1776,20 +1776,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+                                     avctx->channels, avctx->block_align,
+                                     avctx->codec_tag, avctx->bits_per_coded_sample,
+                                     avctx->bit_rate, avctx->extradata, avctx->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
+    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+                                     par->channels, par->block_align,
+                                     par->codec_tag, par->bits_per_coded_sample,
+                                     par->bit_rate, par->extradata, par->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ #if !HAVE_THREADS
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index 0a49493abd..3e7ceb859f 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://fix-CVE-2020-22015.patch \
           file://fix-CVE-2020-22021.patch \
           file://fix-CVE-2020-22033-CVE-2020-22019.patch \
+           file://fix-CVE-2021-38291.patch \
           "
 SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
author	Kiran Surendran <ksurendr@ala-lpggp3.wrs.com>	2021-09-09 10:13:12 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-17 21:31:37 +0100
commit	97bcb75926ac8d7e547f81d8084320b6ef9b0d8d (patch)
tree	51b229eaa17168a0df0c7207461061a586bf6022 /meta/recipes-multimedia
parent	cfc17a7ab5d3b0d6354a7194b8c8746c501959d9 (diff)
download	poky-97bcb75926ac8d7e547f81d8084320b6ef9b0d8d.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch new file mode 100644 index 0000000000..ef1c760286 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch
@@ -0,0 +1,54 @@
		1	CVE: CVE-2021-38291
		2	Upstream-Status: Backport
		3	Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com>
		4
		5	From e908bdb157fa493be2b50e2a11055d19c5254a15 Mon Sep 17 00:00:00 2001
		6	From: James Almer <jamrial@gmail.com>
		7	Date: Wed, 21 Jul 2021 01:02:44 -0300
		8	Subject: [PATCH] avcodec/utils: don't return negative values in
		9	av_get_audio_frame_duration()
		10
		11	In some extrme cases, like with adpcm_ms samples with an extremely high channel
		12	count, get_audio_frame_duration() may return a negative frame duration value.
		13	Don't propagate it, and instead return 0, signaling that a duration could not
		14	be determined.
		15
		16	Fixes ticket #9312
		17
		18	Signed-off-by: James Almer <jamrial@gmail.com>
		19	---
		20	libavcodec/utils.c \| 6 ++++--
		21	1 file changed, 4 insertions(+), 2 deletions(-)
		22
		23	diff --git a/libavcodec/utils.c b/libavcodec/utils.c
		24	index 81e34254e8..5fdb10fe09 100644
		25	--- a/libavcodec/utils.c
		26	+++ b/libavcodec/utils.c
		27	@@ -1776,20 +1776,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
		28
		29	int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
		30	{
		31	- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		32	+ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		33	avctx->channels, avctx->block_align,
		34	avctx->codec_tag, avctx->bits_per_coded_sample,
		35	avctx->bit_rate, avctx->extradata, avctx->frame_size,
		36	frame_bytes);
		37	+ return FFMAX(0, duration);
		38	}
		39
		40	int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
		41	{
		42	- return get_audio_frame_duration(par->codec_id, par->sample_rate,
		43	+ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
		44	par->channels, par->block_align,
		45	par->codec_tag, par->bits_per_coded_sample,
		46	par->bit_rate, par->extradata, par->frame_size,
		47	frame_bytes);
		48	+ return FFMAX(0, duration);
		49	}
		50
		51	#if !HAVE_THREADS
		52	--
		53	2.25.1
		54


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index 0a49493abd..3e7ceb859f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
31	file://fix-CVE-2020-22015.patch \	31	file://fix-CVE-2020-22015.patch \
32	file://fix-CVE-2020-22021.patch \	32	file://fix-CVE-2020-22021.patch \
33	file://fix-CVE-2020-22033-CVE-2020-22019.patch \	33	file://fix-CVE-2020-22033-CVE-2020-22019.patch \
		34	file://fix-CVE-2021-38291.patch \
34	"	35	"
35	SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"	36	SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
36		37