ffmpeg: fix CVE-2023-50007

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via theav_samples_set_silence function in the libavutil/samplefmt.c:260:9 component. (From OE-Core rev: 88a1fc5a6445e72e6cc78c39a6feff3aa96beea6) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2024-11-27 09:24:36 +0000
committer: Steve Sakoman <steve@sakoman.com> 2024-12-02 06:23:20 -0800
commit: 73b340f6c1e57c6dd9a7b1ea2e1db662b2411bda (patch)
tree: 6a975619e281228293452aa1b81f8d530ea77966
parent: 184e980c3cbd6fec6892303f5e9e847d18e0cff4 (diff)
download: poky-73b340f6c1e57c6dd9a7b1ea2e1db662b2411bda.tar.gz
2 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch
new file mode 100644
index 0000000000..fd4dc486ee
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch
@@ -0,0 +1,78 @@
+From b1942734c7cbcdc9034034373abcc9ecb9644c47 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Nov 2023 11:45:34 +0100
+Subject: [PATCH 2/4] avfilter/af_afwtdn: fix crash with EOF handling
+CVE: CVE-2023-50007
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavfilter/af_afwtdn.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+diff --git a/libavfilter/af_afwtdn.c b/libavfilter/af_afwtdn.c
+index 09b504d..1839190 100644
+--- a/libavfilter/af_afwtdn.c
+++ b/libavfilter/af_afwtdn.c
+@@ -410,6 +410,7 @@ typedef struct AudioFWTDNContext {
+     uint64_t sn;
+     int64_t eof_pts;
+    int eof;
+     int wavelet_type;
+     int channels;
+@@ -1071,7 +1072,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
+         s->drop_samples = 0;
+     } else {
+         if (s->padd_samples < 0 && eof) {
+-            out->nb_samples += s->padd_samples;
+            out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
+             s->padd_samples = 0;
+         }
+         if (!eof)
+@@ -1210,23 +1211,26 @@ static int activate(AVFilterContext *ctx)
+     FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
+-    ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+-    if (ret < 0)
+-        return ret;
+-    if (ret > 0)
+-        return filter_frame(inlink, in);
+    if (!s->eof) {
+        ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+        if (ret < 0)
+            return ret;
+        if (ret > 0)
+            return filter_frame(inlink, in);
+    }
+     if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
+-        if (status == AVERROR_EOF) {
+-            while (s->padd_samples != 0) {
+-                ret = filter_frame(inlink, NULL);
+-                if (ret < 0)
+-                    return ret;
+-            }
+-            ff_outlink_set_status(outlink, status, pts);
+-            return ret;
+-        }
+        if (status == AVERROR_EOF)
+            s->eof = 1;
+     }
+
+    if (s->eof && s->padd_samples != 0) {
+        return filter_frame(inlink, NULL);
+    } else if (s->eof) {
+        ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
+        return 0;
+    }
+
+     FF_FILTER_FORWARD_WANTED(outlink, inlink);
+     return FFERROR_NOT_READY;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index d233ced662..ee13081e4d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -37,6 +37,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2023-51794.patch \
           file://CVE-2023-51798.patch \
           file://CVE-2023-47342.patch \
+           file://CVE-2023-50007.patch \
          "
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
author	Archana Polampalli <archana.polampalli@windriver.com>	2024-11-27 09:24:36 +0000
committer	Steve Sakoman <steve@sakoman.com>	2024-12-02 06:23:20 -0800
commit	73b340f6c1e57c6dd9a7b1ea2e1db662b2411bda (patch)
tree	6a975619e281228293452aa1b81f8d530ea77966
parent	184e980c3cbd6fec6892303f5e9e847d18e0cff4 (diff)
download	poky-73b340f6c1e57c6dd9a7b1ea2e1db662b2411bda.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch new file mode 100644 index 0000000000..fd4dc486ee --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch
@@ -0,0 +1,78 @@
		1	From b1942734c7cbcdc9034034373abcc9ecb9644c47 Mon Sep 17 00:00:00 2001
		2	From: Paul B Mahol <onemda@gmail.com>
		3	Date: Mon, 27 Nov 2023 11:45:34 +0100
		4	Subject: [PATCH 2/4] avfilter/af_afwtdn: fix crash with EOF handling
		5
		6	CVE: CVE-2023-50007
		7
		8	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47]
		9
		10	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		11	---
		12	libavfilter/af_afwtdn.c \| 34 +++++++++++++++++++---------------
		13	1 file changed, 19 insertions(+), 15 deletions(-)
		14
		15	diff --git a/libavfilter/af_afwtdn.c b/libavfilter/af_afwtdn.c
		16	index 09b504d..1839190 100644
		17	--- a/libavfilter/af_afwtdn.c
		18	+++ b/libavfilter/af_afwtdn.c
		19	@@ -410,6 +410,7 @@ typedef struct AudioFWTDNContext {
		20
		21	uint64_t sn;
		22	int64_t eof_pts;
		23	+ int eof;
		24
		25	int wavelet_type;
		26	int channels;
		27	@@ -1071,7 +1072,7 @@ static int filter_frame(AVFilterLink inlink, AVFrame in)
		28	s->drop_samples = 0;
		29	} else {
		30	if (s->padd_samples < 0 && eof) {
		31	- out->nb_samples += s->padd_samples;
		32	+ out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
		33	s->padd_samples = 0;
		34	}
		35	if (!eof)
		36	@@ -1210,23 +1211,26 @@ static int activate(AVFilterContext *ctx)
		37
		38	FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
		39
		40	- ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
		41	- if (ret < 0)
		42	- return ret;
		43	- if (ret > 0)
		44	- return filter_frame(inlink, in);
		45	+ if (!s->eof) {
		46	+ ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
		47	+ if (ret < 0)
		48	+ return ret;
		49	+ if (ret > 0)
		50	+ return filter_frame(inlink, in);
		51	+ }
		52
		53	if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
		54	- if (status == AVERROR_EOF) {
		55	- while (s->padd_samples != 0) {
		56	- ret = filter_frame(inlink, NULL);
		57	- if (ret < 0)
		58	- return ret;
		59	- }
		60	- ff_outlink_set_status(outlink, status, pts);
		61	- return ret;
		62	- }
		63	+ if (status == AVERROR_EOF)
		64	+ s->eof = 1;
		65	}
		66	+
		67	+ if (s->eof && s->padd_samples != 0) {
		68	+ return filter_frame(inlink, NULL);
		69	+ } else if (s->eof) {
		70	+ ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
		71	+ return 0;
		72	+ }
		73	+
		74	FF_FILTER_FORWARD_WANTED(outlink, inlink);
		75
		76	return FFERROR_NOT_READY;
		77	--
		78	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index d233ced662..ee13081e4d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -37,6 +37,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
37	file://CVE-2023-51794.patch \	37	file://CVE-2023-51794.patch \
38	file://CVE-2023-51798.patch \	38	file://CVE-2023-51798.patch \
39	file://CVE-2023-47342.patch \	39	file://CVE-2023-47342.patch \
		40	file://CVE-2023-50007.patch \
40	"	41	"
41		42
42	SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"	43	SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"