| author | Archana Polampalli <archana.polampalli@windriver.com> | 2024-12-06 13:11:47 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-12-13 05:21:53 -0800 |
| commit | ac0988d9f2c741dd44a271c90d101244ac481331 (patch) | |
| tree | 382dfb053991ff7ae57872cb5e71cbae5c2a11cb /meta | |
| parent | 9edd744fd8a4d83018533361abd02ddee0ea6093 (diff) | |
| download | poky-ac0988d9f2c741dd44a271c90d101244ac481331.tar.gz | |
ffmpeg: fix CVE-2023-49528
Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a
local attacker to execute arbitrary code and cause a denial of service (DoS)
via the af_dialoguenhance.c:261:5 in the de_stereo component.
(From OE-Core rev: a5e0e1f8be3c6611c09158c80e26848ae3d4f4e7)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-49528.patch | 58 | ||||
| -rw-r--r-- | meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 |
2 files changed, 59 insertions, 0 deletions
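--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-49528.patch
@@ -0,0 +1,58 @@
+From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Sat, 25 Nov 2023 12:54:28 +0100
+Subject: [PATCH 3/3] avfilter/af_dialoguenhance: fix overreads
+
+CVE: CVE-2023-49528
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/2d9ed64859c9887d0504cd71dbd5b2c15e14251a]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+libavfilter/af_dialoguenhance.c | 17 +++++++++--------
+1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c
+index 1762ea7..29c8ab1 100644
+--- a/libavfilter/af_dialoguenhance.c
++++ b/libavfilter/af_dialoguenhance.c
+@@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink)
+if (!s->window)
+return AVERROR(ENOMEM);
+
+- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4);
++ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+if (!s->in_frame || !s->windowed_out || !s->windowed_prev ||
+!s->out_dist_frame || !s->windowed_frame || !s->center_frame)
+return AVERROR(ENOMEM);
+@@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
+float *right_osamples = (float *)out->extended_data[1];
+float *center_osamples = (float *)out->extended_data[2];
+const int offset = s->fft_size - s->overlap;
++ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples);
+float vad;
+
+// shift in/out buffers
+@@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
+memmove(left_out, &left_out[s->overlap], offset * sizeof(float));
+memmove(right_out, &right_out[s->overlap], offset * sizeof(float));
+
+- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float));
+- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float));
++ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float));
++ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float));
+memset(&left_out[offset], 0, s->overlap * sizeof(float));
+memset(&right_out[offset], 0, s->overlap * sizeof(float));
+
+--
+2.40.0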
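Review bot: In the last de_stereo hunk the two memcpy calls now copy only nb_samples floats, so when the input frame is shorter than s->overlap the remaining s->overlap - nb_samples entries at the end of left_in and right_in are never rewritten and, as far as the visible lines show, keep whatever was there before. That is not a memory-safety problem, since the clamp is what stops the over-read of the source frame, but stale samples would be fed into the next transform. Consider zeroing the tail after each copy, e.g. `memset(&left_in[offset + nb_samples], 0, (s->overlap - nb_samples) * sizeof(float));` and the same for right_in, and since this is a backport, raising it upstream rather than diverging here. de_stereo begins and ends outside the hunk, so a clear elsewhere in the function cannot be ruled out.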
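--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -35,6 +35,7 @@ SRC_URI = " \
 file://CVE-2023-49501.patch \
 file://CVE-2024-28661.patch \
 file://CVE-2023-50007.patch \
+file://CVE-2023-49528.patch \
 "
 
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"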
