diff options
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch | 61 | ||||
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch | 53 | ||||
-rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 4 |
3 files changed, 117 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch new file mode 100644 index 0000000000..abfc024820 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul B Mahol <onemda@gmail.com> | ||
3 | Date: Mon, 27 Jan 2020 21:53:08 +0100 | ||
4 | Subject: [PATCH] avformat/tty: add probe function | ||
5 | |||
6 | CVE: CVE-2021-3566 | ||
7 | Signed-off-by: Saloni Jain <salonij@kpit.com> | ||
8 | |||
9 | Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532] | ||
10 | Comment: No changes/refreshing done. | ||
11 | --- | ||
12 | libavformat/tty.c | 21 ++++++++++++++++++++- | ||
13 | 1 file changed, 20 insertions(+), 1 deletion(-) | ||
14 | |||
15 | diff --git a/libavformat/tty.c b/libavformat/tty.c | ||
16 | index 8d48f2c45c12..60f7e9f87ee7 100644 | ||
17 | --- a/libavformat/tty.c | ||
18 | +++ b/libavformat/tty.c | ||
19 | @@ -34,6 +34,13 @@ | ||
20 | #include "internal.h" | ||
21 | #include "sauce.h" | ||
22 | |||
23 | +static int isansicode(int x) | ||
24 | +{ | ||
25 | + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); | ||
26 | +} | ||
27 | + | ||
28 | +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; | ||
29 | + | ||
30 | typedef struct TtyDemuxContext { | ||
31 | AVClass *class; | ||
32 | int chars_per_frame; | ||
33 | @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { | ||
34 | AVRational framerate; /**< Set by a private option. */ | ||
35 | } TtyDemuxContext; | ||
36 | |||
37 | +static int read_probe(const AVProbeData *p) | ||
38 | +{ | ||
39 | + int cnt = 0; | ||
40 | + | ||
41 | + for (int i = 0; i < p->buf_size; i++) | ||
42 | + cnt += !!isansicode(p->buf[i]); | ||
43 | + | ||
44 | + return (cnt * 100LL / p->buf_size) * (cnt > 400) * | ||
45 | + !!av_match_ext(p->filename, tty_extensions); | ||
46 | +} | ||
47 | + | ||
48 | /** | ||
49 | * Parse EFI header | ||
50 | */ | ||
51 | @@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = { | ||
52 | .name = "tty", | ||
53 | .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), | ||
54 | .priv_data_size = sizeof(TtyDemuxContext), | ||
55 | + .read_probe = read_probe, | ||
56 | .read_header = read_header, | ||
57 | .read_packet = read_packet, | ||
58 | - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", | ||
59 | + .extensions = tty_extensions, | ||
60 | .priv_class = &tty_demuxer_class, | ||
61 | }; | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch new file mode 100644 index 0000000000..e5be985fc3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001 | ||
2 | From: James Almer <jamrial@gmail.com> | ||
3 | Date: Wed, 21 Jul 2021 01:02:44 -0300 | ||
4 | Subject: [PATCH] avcodec/utils: don't return negative values in | ||
5 | av_get_audio_frame_duration() | ||
6 | |||
7 | In some extrme cases, like with adpcm_ms samples with an extremely high channel | ||
8 | count, get_audio_frame_duration() may return a negative frame duration value. | ||
9 | Don't propagate it, and instead return 0, signaling that a duration could not | ||
10 | be determined. | ||
11 | |||
12 | CVE: CVE-2021-3566 | ||
13 | Fixes ticket #9312 | ||
14 | Signed-off-by: James Almer <jamrial@gmail.com> | ||
15 | Signed-off-by: Saloni Jain <salonij@kpit.com> | ||
16 | |||
17 | Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1] | ||
18 | Comment: No changes/refreshing done. | ||
19 | --- | ||
20 | libavcodec/utils.c | 6 ++++-- | ||
21 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/libavcodec/utils.c b/libavcodec/utils.c | ||
24 | index 5fad782f5a..cfc07cbcb8 100644 | ||
25 | --- a/libavcodec/utils.c | ||
26 | +++ b/libavcodec/utils.c | ||
27 | @@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, | ||
28 | |||
29 | int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) | ||
30 | { | ||
31 | - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, | ||
32 | + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, | ||
33 | avctx->channels, avctx->block_align, | ||
34 | avctx->codec_tag, avctx->bits_per_coded_sample, | ||
35 | avctx->bit_rate, avctx->extradata, avctx->frame_size, | ||
36 | frame_bytes); | ||
37 | + return FFMAX(0, duration); | ||
38 | } | ||
39 | |||
40 | int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) | ||
41 | { | ||
42 | - return get_audio_frame_duration(par->codec_id, par->sample_rate, | ||
43 | + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, | ||
44 | par->channels, par->block_align, | ||
45 | par->codec_tag, par->bits_per_coded_sample, | ||
46 | par->bit_rate, par->extradata, par->frame_size, | ||
47 | frame_bytes); | ||
48 | + return FFMAX(0, duration); | ||
49 | } | ||
50 | |||
51 | #if !HAVE_THREADS | ||
52 | -- | ||
53 | 2.20.1 | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index 0e359848fa..1d6f2e528b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | |||
@@ -27,7 +27,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | |||
27 | file://mips64_cpu_detection.patch \ | 27 | file://mips64_cpu_detection.patch \ |
28 | file://CVE-2020-12284.patch \ | 28 | file://CVE-2020-12284.patch \ |
29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | 29 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
30 | " | 30 | file://CVE-2021-3566.patch \ |
31 | file://CVE-2021-38291.patch \ | ||
32 | " | ||
31 | SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" | 33 | SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" |
32 | SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c" | 34 | SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c" |
33 | 35 | ||