diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2024-12-13 10:11:21 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-23 05:46:32 -0800 |
| commit | 93dc7300c09d2cf340d03d9bbb833f9bf8b28de9 (patch) | |
| tree | 2c273b01a27fc52216e9fead480d7a08bd571e3d | |
| parent | 8f8989071a41ea73e9c2977445f45d541b7a198f (diff) | |
| download | poky-93dc7300c09d2cf340d03d9bbb833f9bf8b28de9.tar.gz | |
ffmpeg: fix CVE-2024-35366
FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.
(From OE-Core rev: a07bc254011736c0f0445607c56609be677ea8a7)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch | 35 | ||||
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 |
2 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch new file mode 100644 index 0000000000..f7f16a5b92 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Michael Niedermayer <michael@niedermayer.cc> | ||
| 3 | Date: Tue, 26 Mar 2024 00:39:49 +0100 | ||
| 4 | Subject: [PATCH] avformat/sbgdec: Check for negative duration | ||
| 5 | |||
| 6 | Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' | ||
| 7 | Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 | ||
| 8 | |||
| 9 | Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg | ||
| 10 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
| 11 | |||
| 12 | CVE: CVE-2024-35366 | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6] | ||
| 15 | |||
| 16 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 17 | --- | ||
| 18 | libavformat/sbgdec.c | 2 +- | ||
| 19 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 20 | |||
| 21 | diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c | ||
| 22 | index b2662ea..281fe62 100644 | ||
| 23 | --- a/libavformat/sbgdec.c | ||
| 24 | +++ b/libavformat/sbgdec.c | ||
| 25 | @@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p) | ||
| 26 | case 'L': | ||
| 27 | FORWARD_ERROR(parse_optarg(p, opt, &oarg)); | ||
| 28 | r = str_to_time(oarg.s, &p->scs.opt_duration); | ||
| 29 | - if (oarg.e != oarg.s + r) { | ||
| 30 | + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { | ||
| 31 | snprintf(p->err_msg, sizeof(p->err_msg), | ||
| 32 | "syntax error for option -L"); | ||
| 33 | return AVERROR_INVALIDDATA; | ||
| 34 | -- | ||
| 35 | 2.40.0 | ||
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 8f4a8d34c0..dd95629648 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | |||
| @@ -37,6 +37,7 @@ SRC_URI = " \ | |||
| 37 | file://CVE-2023-50007.patch \ | 37 | file://CVE-2023-50007.patch \ |
| 38 | file://CVE-2023-49528.patch \ | 38 | file://CVE-2023-49528.patch \ |
| 39 | file://CVE-2024-7055.patch \ | 39 | file://CVE-2024-7055.patch \ |
| 40 | file://CVE-2024-35366.patch \ | ||
| 40 | " | 41 | " |
| 41 | 42 | ||
| 42 | SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968" | 43 | SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968" |