ffmpeg: fix CVE-2024-31578

FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. (From OE-Core rev: bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-07-24 09:56:25 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-08-01 06:08:08 -0700
commit: 89107e01fb1a930df701cffadc8546b2b110a00d (patch)
tree: 64002d15aa582ebbbbc16b6783db74b7f31c6365 /meta/recipes-multimedia
parent: 11415e5a611eb5d1e62d0175022fac73332192a5 (diff)
download: poky-89107e01fb1a930df701cffadc8546b2b110a00d.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
new file mode 100644
index 0000000000..f8e7e1283b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
@@ -0,0 +1,49 @@
+From edeeb35cecb5bc0d433b14dd0e544ae826b7ece5 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili <zhilizhao@tencent.com>
+Date: Tue, 20 Feb 2024 20:08:55 +0800
+Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
+Fix heap use after free when vulkan_frames_init failed.
+Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
+CVE: CVE-2024-31578
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index 3650d46..0ef3479 100644
+--- a/libavutil/hwcontext.c
+++ b/libavutil/hwcontext.c
+@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->internal->hw_type->frames_init) {
+         ret = ctx->internal->hw_type->frames_init(ctx);
+         if (ret < 0)
+-            goto fail;
+            return ret;
+     }
+     if (ctx->internal->pool_internal && !ctx->pool)
+@@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->initial_pool_size > 0) {
+         ret = hwframe_pool_prealloc(ref);
+         if (ret < 0)
+-            goto fail;
+            return ret;
+     }
+     return 0;
+-fail:
+-    if (ctx->internal->hw_type->frames_uninit)
+-        ctx->internal->hw_type->frames_uninit(ctx);
+-    return ret;
+ }
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
index 90c15782d1..06bd36e2e2 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -28,6 +28,7 @@ SRC_URI = " \
    file://vulkan_av1_stable_API.patch \
    file://vulkan_fix_gcc14.patch \
    file://CVE-2023-49502.patch \
+    file://CVE-2024-31578.patch \
 "
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-07-24 09:56:25 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-08-01 06:08:08 -0700
commit	89107e01fb1a930df701cffadc8546b2b110a00d (patch)
tree	64002d15aa582ebbbbc16b6783db74b7f31c6365 /meta/recipes-multimedia
parent	11415e5a611eb5d1e62d0175022fac73332192a5 (diff)
download	poky-89107e01fb1a930df701cffadc8546b2b110a00d.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch new file mode 100644 index 0000000000..f8e7e1283b --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
@@ -0,0 +1,49 @@
		1	From edeeb35cecb5bc0d433b14dd0e544ae826b7ece5 Mon Sep 17 00:00:00 2001
		2	From: Zhao Zhili <zhilizhao@tencent.com>
		3	Date: Tue, 20 Feb 2024 20:08:55 +0800
		4	Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
		5
		6	Fix heap use after free when vulkan_frames_init failed.
		7
		8	Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
		9
		10	CVE: CVE-2024-31578
		11
		12	Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	libavutil/hwcontext.c \| 8 ++------
		17	1 file changed, 2 insertions(+), 6 deletions(-)
		18
		19	diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
		20	index 3650d46..0ef3479 100644
		21	--- a/libavutil/hwcontext.c
		22	+++ b/libavutil/hwcontext.c
		23	@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
		24	if (ctx->internal->hw_type->frames_init) {
		25	ret = ctx->internal->hw_type->frames_init(ctx);
		26	if (ret < 0)
		27	- goto fail;
		28	+ return ret;
		29	}
		30
		31	if (ctx->internal->pool_internal && !ctx->pool)
		32	@@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
		33	if (ctx->initial_pool_size > 0) {
		34	ret = hwframe_pool_prealloc(ref);
		35	if (ret < 0)
		36	- goto fail;
		37	+ return ret;
		38	}
		39
		40	return 0;
		41	-fail:
		42	- if (ctx->internal->hw_type->frames_uninit)
		43	- ctx->internal->hw_type->frames_uninit(ctx);
		44	- return ret;
		45	}
		46
		47	int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
		48	--
		49	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 90c15782d1..06bd36e2e2 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -28,6 +28,7 @@ SRC_URI = " \
28	file://vulkan_av1_stable_API.patch \	28	file://vulkan_av1_stable_API.patch \
29	file://vulkan_fix_gcc14.patch \	29	file://vulkan_fix_gcc14.patch \
30	file://CVE-2023-49502.patch \	30	file://CVE-2023-49502.patch \
		31	file://CVE-2024-31578.patch \
31	"	32	"
32		33
33	SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"	34	SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"