From 751137144c9cfc5db0278abfae3997d57da254b4 Mon Sep 17 00:00:00 2001 From: Archana Polampalli Date: Thu, 21 Nov 2024 06:45:49 +0000 Subject: ffmpeg: fix CVE-2023-51793 Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane. (From OE-Core rev: be875832526636638a034680f837241c16e2b26d) Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2023-51793.patch | 67 ++++++++++++++++++++++ meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51793.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51793.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51793.patch new file mode 100644 index 0000000000..71eeb92422 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51793.patch @@ -0,0 +1,67 @@ +From 0ecc1f0e48930723d7a467761b66850811c23e62 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Fri, 22 Dec 2023 12:31:35 +0100 +Subject: [PATCH 2/5] avfilter/vf_weave: Fix odd height handling + +Fixes: out of array access +Fixes: tickets/10743/poc10ffmpeg + +Found-by: Zeng Yunxiang and Li Zeyuan +Signed-off-by: Michael Niedermayer + +CVE: CVE-2023-51793 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/0ecc1f0e48930723d7a467761b66850811c23e62] + +Signed-off-by: Archana Polampalli +--- + libavfilter/vf_weave.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libavfilter/vf_weave.c b/libavfilter/vf_weave.c +index 2bd3994..de9f79c 100644 +--- a/libavfilter/vf_weave.c ++++ b/libavfilter/vf_weave.c +@@ -30,6 +30,7 @@ typedef struct WeaveContext { + int double_weave; + int nb_planes; + int planeheight[4]; ++ int outheight[4]; + int linesize[4]; + + AVFrame *prev; +@@ -79,6 +80,9 @@ static int config_props_output(AVFilterLink *outlink) + s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); + s->planeheight[0] = s->planeheight[3] = inlink->h; + ++ s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); ++ s->outheight[0] = s->outheight[3] = 2*inlink->h; ++ + s->nb_planes = av_pix_fmt_count_planes(inlink->format); + + return 0; +@@ -104,19 +108,20 @@ static int weave_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) + const int height = s->planeheight[i]; + const int start = (height * jobnr) / nb_jobs; + const int end = (height * (jobnr+1)) / nb_jobs; ++ const int compensation = 2*end > s->outheight[i]; + + av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + in->data[i] + start * in->linesize[i], + in->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field1); + av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + s->prev->data[i] + start * s->prev->linesize[i], + s->prev->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field2); + } + + return 0; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 40963d1254..9a99951f91 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \ file://CVE-2022-48434.patch \ file://CVE-2024-32230.patch \ + file://CVE-2023-51793.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- cgit v1.2.3-54-g00ecf