diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-01-03 07:11:37 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-01-09 08:41:04 -0800 |
| commit | d078ab757714389d80cb2857a4f3d5958033f902 (patch) | |
| tree | 628a95e5d83f2cd32924de7a1400ff2e969339bb | |
| parent | c17700b7845a899d40bcd7012c46d984f12e6fab (diff) | |
| download | poky-d078ab757714389d80cb2857a4f3d5958033f902.tar.gz | |
ffmpeg: fix CVE-2024-35367
FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c,
static const vec_s8 h_subpel_filters_outer
(From OE-Core rev: 623dd997856903be54d75e819f93d313b04edd8e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch | 47 | ||||
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch new file mode 100644 index 0000000000..69d42955da --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | ||
| 3 | Date: Wed, 13 Mar 2024 02:10:26 +0100 | ||
| 4 | Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access | ||
| 5 | |||
| 6 | h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2] | ||
| 7 | belong together and the former allows the range 0..6, | ||
| 8 | so the latter needs to support 0..3. But it has only three | ||
| 9 | elements. Add another one. | ||
| 10 | The value for the last element has been guesstimated | ||
| 11 | from subpel_filters in libavcodec/vp8dsp.c. | ||
| 12 | |||
| 13 | This is also intended to fix FATE-failures with UBSan here: | ||
| 14 | https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu | ||
| 15 | |||
| 16 | Tested-by: Sean McGovern <gseanmcg@gmail.com> | ||
| 17 | Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> | ||
| 18 | |||
| 19 | CVE: CVE-2024-35367 | ||
| 20 | |||
| 21 | Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667] | ||
| 22 | |||
| 23 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 24 | --- | ||
| 25 | libavcodec/ppc/vp8dsp_altivec.c | 3 ++- | ||
| 26 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 27 | |||
| 28 | diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c | ||
| 29 | index 12dac8b0a8..061914fc38 100644 | ||
| 30 | --- a/libavcodec/ppc/vp8dsp_altivec.c | ||
| 31 | +++ b/libavcodec/ppc/vp8dsp_altivec.c | ||
| 32 | @@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] = | ||
| 33 | // for 6tap filters, these are the outer two taps | ||
| 34 | // The zeros mask off pixels 4-7 when filtering 0-3 | ||
| 35 | // and vice-versa | ||
| 36 | -static const vec_s8 h_subpel_filters_outer[3] = | ||
| 37 | +static const vec_s8 h_subpel_filters_outer[4] = | ||
| 38 | { | ||
| 39 | REPT4(0, 0, 2, 1), | ||
| 40 | REPT4(0, 0, 3, 3), | ||
| 41 | REPT4(0, 0, 1, 2), | ||
| 42 | + REPT4(0, 0, 0, 0), | ||
| 43 | }; | ||
| 44 | |||
| 45 | #define LOAD_H_SUBPEL_FILTER(i) \ | ||
| 46 | -- | ||
| 47 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 39d79c343d..ac4ade276c 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | |||
| @@ -41,6 +41,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | |||
| 41 | file://CVE-2023-51796.patch \ | 41 | file://CVE-2023-51796.patch \ |
| 42 | file://CVE-2024-7055.patch \ | 42 | file://CVE-2024-7055.patch \ |
| 43 | file://CVE-2024-35366.patch \ | 43 | file://CVE-2024-35366.patch \ |
| 44 | file://CVE-2024-35367.patch \ | ||
| 44 | " | 45 | " |
| 45 | 46 | ||
| 46 | SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" | 47 | SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" |
