From 884a853b7555e693a799d16d11f77452f873f88f Mon Sep 17 00:00:00 2001 From: cenhuilin Date: Mon, 29 Apr 2024 17:53:07 +0800 Subject: [PATCH] fix CVE-2024-31578 and CVE-2024-31582 --- 0001-fix-CVE-2024-31578.patch | 43 +++++++++++++++++++++++++++++++++++ 0002-fix-CVE-2024-31582.patch | 28 +++++++++++++++++++++++ ffmpeg.spec | 8 ++++++- 3 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 0001-fix-CVE-2024-31578.patch create mode 100644 0002-fix-CVE-2024-31582.patch diff --git a/0001-fix-CVE-2024-31578.patch b/0001-fix-CVE-2024-31578.patch new file mode 100644 index 0000000..14a799f --- /dev/null +++ b/0001-fix-CVE-2024-31578.patch @@ -0,0 +1,43 @@ +From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Mon, 29 Apr 2024 17:02:47 +0800 +Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant. +Fix heap use after free when vulkan_frames_init failed. + +Signed-off-by: Zhao Zhili +--- + libavutil/hwcontext.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c +index 3650d46..0ef3479 100644 +--- a/libavutil/hwcontext.c ++++ b/libavutil/hwcontext.c +@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->internal->hw_type->frames_init) { + ret = ctx->internal->hw_type->frames_init(ctx); + if (ret < 0) +- goto fail; ++ return ret; + } + + if (ctx->internal->pool_internal && !ctx->pool) +@@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->initial_pool_size > 0) { + ret = hwframe_pool_prealloc(ref); + if (ret < 0) +- goto fail; ++ return ret; + } + + return 0; +-fail: +- if (ctx->internal->hw_type->frames_uninit) +- ctx->internal->hw_type->frames_uninit(ctx); +- return ret; + } + + int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, +-- +2.27.0 + diff --git a/0002-fix-CVE-2024-31582.patch b/0002-fix-CVE-2024-31582.patch new file mode 100644 index 0000000..f460af2 --- /dev/null +++ b/0002-fix-CVE-2024-31582.patch @@ -0,0 +1,28 @@ +From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Mon, 29 Apr 2024 17:42:23 +0800 +Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow. +And improve the performance by a little bit. + +Signed-off-by: Zhao Zhili +--- + libavfilter/vf_codecview.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c +index 55d9c8c..f65ccbd 100644 +--- a/libavfilter/vf_codecview.c ++++ b/libavfilter/vf_codecview.c +@@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr + buf[sx + w - 1] = color; + buf += stride; + } +- +- for (int x = sx; x < sx + w; x++) +- buf[x] = color; + } + + static int filter_frame(AVFilterLink *inlink, AVFrame *frame) +-- +2.27.0 + diff --git a/ffmpeg.spec b/ffmpeg.spec index 1d7eab5..6fe7247 100644 --- a/ffmpeg.spec +++ b/ffmpeg.spec @@ -59,7 +59,7 @@ ExclusiveArch: armv7hnl Summary: Digital VCR and streaming server Name: ffmpeg%{?flavor} Version: 6.1.1 -Release: 2 +Release: 3 License: GPL-3.0-or-later URL: http://ffmpeg.org/ Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz @@ -68,6 +68,9 @@ Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz Patch0: avformat-get_first_dts.patch %endif +Patch1: 0001-fix-CVE-2024-31578.patch +Patch2: 0002-fix-CVE-2024-31582.patch + Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel} %{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})} @@ -395,6 +398,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir} %changelog +* Mon Apr 29 2024 cenhuilin - 6.1.1-3 +- fix CVE-2024-31578 CVE-2024-31582 + * Wed Apr 03 2024 misaka00251 - 6.1.1-2 - Add patch to fix chromium build on riscv64 & Cleanup patches