ffmpeg: fix CVE-2024-35369

In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. (From OE-Core rev: c46bb37a76582ee7352f2bc027920e8ba76e5c15) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-02-07 15:41:12 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-02-14 06:38:54 -0800
commit: f40fb67618936ab0328b5c5bc4b6222b7497824d (patch)
tree: 3222f01dd0acae9991375cd8722d3631bf4cc01e
parent: 8ad8857f149c5ac46ae7914a8539980e397a7293 (diff)
download: poky-f40fb67618936ab0328b5c5bc4b6222b7497824d.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
new file mode 100644
index 0000000000..72dc8d14a7
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
@@ -0,0 +1,37 @@
+From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Sat, 17 Feb 2024 09:45:57 -0300
+Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
+Prevent potential integer overflows.
+Signed-off-by: James Almer <jamrial@gmail.com>
+CVE: CVE-2024-35369
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/speexdec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index 23b8605..a034009 100644
+--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
+@@ -1420,9 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+         return AVERROR_INVALIDDATA;
+     s->bitrate = bytestream_get_le32(&buf);
+     s->frame_size = bytestream_get_le32(&buf);
+-    if (s->frame_size < NB_FRAME_SIZE << s->mode)
+    if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
+        s->frame_size >     INT32_MAX >> (s->mode > 0))
+         return AVERROR_INVALIDDATA;
+-    s->frame_size *= 1 + (s->mode > 0);
+    s->frame_size <<= (s->mode > 0);
+     s->vbr = bytestream_get_le32(&buf);
+     s->frames_per_packet = bytestream_get_le32(&buf);
+     if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
index dff78ccc53..91ee6c6b0d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -46,6 +46,7 @@ SRC_URI = " \
    file://CVE-2024-36617.patch \
    file://CVE-2024-36618.patch \
    file://CVE-2024-36619.patch \
+    file://CVE-2024-35369.patch \
 "
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-02-07 15:41:12 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-02-14 06:38:54 -0800
commit	f40fb67618936ab0328b5c5bc4b6222b7497824d (patch)
tree	3222f01dd0acae9991375cd8722d3631bf4cc01e
parent	8ad8857f149c5ac46ae7914a8539980e397a7293 (diff)
download	poky-f40fb67618936ab0328b5c5bc4b6222b7497824d.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch new file mode 100644 index 0000000000..72dc8d14a7 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
@@ -0,0 +1,37 @@
		1	From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
		2	From: James Almer <jamrial@gmail.com>
		3	Date: Sat, 17 Feb 2024 09:45:57 -0300
		4	Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
		5
		6	Prevent potential integer overflows.
		7
		8	Signed-off-by: James Almer <jamrial@gmail.com>
		9
		10	CVE: CVE-2024-35369
		11
		12	Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	libavcodec/speexdec.c \| 5 +++--
		17	1 file changed, 3 insertions(+), 2 deletions(-)
		18
		19	diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
		20	index 23b8605..a034009 100644
		21	--- a/libavcodec/speexdec.c
		22	+++ b/libavcodec/speexdec.c
		23	@@ -1420,9 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
		24	return AVERROR_INVALIDDATA;
		25	s->bitrate = bytestream_get_le32(&buf);
		26	s->frame_size = bytestream_get_le32(&buf);
		27	- if (s->frame_size < NB_FRAME_SIZE << s->mode)
		28	+ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) \|\|
		29	+ s->frame_size > INT32_MAX >> (s->mode > 0))
		30	return AVERROR_INVALIDDATA;
		31	- s->frame_size *= 1 + (s->mode > 0);
		32	+ s->frame_size <<= (s->mode > 0);
		33	s->vbr = bytestream_get_le32(&buf);
		34	s->frames_per_packet = bytestream_get_le32(&buf);
		35	if (s->frames_per_packet <= 0 \|\|
		36	--
		37	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index dff78ccc53..91ee6c6b0d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -46,6 +46,7 @@ SRC_URI = " \
46	file://CVE-2024-36617.patch \	46	file://CVE-2024-36617.patch \
47	file://CVE-2024-36618.patch \	47	file://CVE-2024-36618.patch \
48	file://CVE-2024-36619.patch \	48	file://CVE-2024-36619.patch \
		49	file://CVE-2024-35369.patch \
49	"	50	"
50		51
51	SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"	52	SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"