ffmpeg: fix CVE-2020-12284

(From OE-Core rev: 326541919ba0d0e5a0c00cbda7dd6308230ff719) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-10-25 13:51:47 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-10-30 17:23:20 +0000
commit: d548397dd00b7256397c85115d36689ae5c4958e (patch)
tree: 583af5ddb161cb90b55c803fba2eabb80d410838 /meta/recipes-multimedia
parent: f3be15a8a0e3c53d9d9edde3bdc2caa6431c1b67 (diff)
download: poky-d548397dd00b7256397c85115d36689ae5c4958e.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch
new file mode 100644
index 0000000000..5fff4754f4
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch
@@ -0,0 +1,36 @@
+From 1812352d767ccf5431aa440123e2e260a4db2726 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 7 Mar 2020 15:42:58 +0100
+Subject: [PATCH] avcodec/cbs_jpeg: Check length for SOS
+Fixes: out of array access
+Fixes: 19734/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5673507031875584
+Fixes: 19353/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5703944462663680
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/1812352d767ccf5431aa440123e2e260a4db2726]
+CVE: CVE-2020-12284
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libavcodec/cbs_jpeg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c
+index 6bbce5f..89512a2 100644
+--- a/libavcodec/cbs_jpeg.c
+++ b/libavcodec/cbs_jpeg.c
+@@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
+         if (marker == JPEG_MARKER_SOS) {
+             length = AV_RB16(frag->data + start);
+ 
+            if (length > end - start)
+                return AVERROR_INVALIDDATA;
+
+             data_ref = NULL;
+             data     = av_malloc(end - start +
+                                  AV_INPUT_BUFFER_PADDING_SIZE);
+-- 
+2.7.4
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index d7b0641054..fddfef9e27 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -25,6 +25,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://mips64_cpu_detection.patch \
+           file://CVE-2020-12284.patch \
           "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-10-25 13:51:47 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-10-30 17:23:20 +0000
commit	d548397dd00b7256397c85115d36689ae5c4958e (patch)
tree	583af5ddb161cb90b55c803fba2eabb80d410838 /meta/recipes-multimedia
parent	f3be15a8a0e3c53d9d9edde3bdc2caa6431c1b67 (diff)
download	poky-d548397dd00b7256397c85115d36689ae5c4958e.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch new file mode 100644 index 0000000000..5fff4754f4 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-12284.patch
@@ -0,0 +1,36 @@
		1	From 1812352d767ccf5431aa440123e2e260a4db2726 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Sat, 7 Mar 2020 15:42:58 +0100
		4	Subject: [PATCH] avcodec/cbs_jpeg: Check length for SOS
		5
		6	Fixes: out of array access
		7	Fixes: 19734/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5673507031875584
		8	Fixes: 19353/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5703944462663680
		9
		10	Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
		11	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		12
		13	Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/1812352d767ccf5431aa440123e2e260a4db2726]
		14	CVE: CVE-2020-12284
		15	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		16	---
		17	libavcodec/cbs_jpeg.c \| 3 +++
		18	1 file changed, 3 insertions(+)
		19
		20	diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c
		21	index 6bbce5f..89512a2 100644
		22	--- a/libavcodec/cbs_jpeg.c
		23	+++ b/libavcodec/cbs_jpeg.c
		24	@@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx,
		25	if (marker == JPEG_MARKER_SOS) {
		26	length = AV_RB16(frag->data + start);
		27
		28	+ if (length > end - start)
		29	+ return AVERROR_INVALIDDATA;
		30	+
		31	data_ref = NULL;
		32	data = av_malloc(end - start +
		33	AV_INPUT_BUFFER_PADDING_SIZE);
		34	--
		35	2.7.4
		36


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index d7b0641054..fddfef9e27 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -25,6 +25,7 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
25		25
26	SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \	26	SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
27	file://mips64_cpu_detection.patch \	27	file://mips64_cpu_detection.patch \
		28	file://CVE-2020-12284.patch \
28	"	29	"
29	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"	30	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
30	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"	31	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"