diff --git a/backport-CVE-2024-35366.patch b/backport-CVE-2024-35366.patch
new file mode 100644
index 0000000..f98ae9b
--- /dev/null
+++ b/backport-CVE-2024-35366.patch
@@ -0,0 +1,29 @@
+From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer
+---
+ libavformat/sbgdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index bc2469afd1..e60eb1481e 100644
+--- a/libavformat/sbgdec.c
++++ b/libavformat/sbgdec.c
+@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p)
+ case 'L':
+ FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+ r = str_to_time(oarg.s, &p->scs.opt_duration);
+- if (oarg.e != oarg.s + r) {
++ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+ snprintf(p->err_msg, sizeof(p->err_msg),
+ "syntax error for option -L");
+ return AVERROR_INVALIDDATA;
+--
+2.33.0
diff --git a/backport-CVE-2024-35367.patch b/backport-CVE-2024-35367.patch
new file mode 100644
index 0000000..e549cc0
--- /dev/null
+++ b/backport-CVE-2024-35367.patch
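Review bot: The new guard `++ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0)` rejects the negative `-L` duration that the fuzzer report names (`... - -8000000`), but it does not look at the other operand of that subtraction — the `9223372036854775807` minuend, which is presumably computed outside this hunk — so whether a very large positive duration can still overflow the same expression cannot be judged from the backport alone and should be confirmed against 6.1.1's sbgdec.c before treating the CVE as closed. A well-formed but negative value now produces the same text as a malformed one, `"syntax error for option -L"`; a distinct message such as `"negative duration for option -L"` would make the rejection self-explanatory in logs. The rejected value is also left stored in `p->scs.opt_duration`; harmless if every caller honours the AVERROR_INVALIDDATA return, but a reviewer should verify that. parse_options begins and continues outside the hunk.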
@@ -0,0 +1,41 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern
+Signed-off-by: Andreas Rheinhardt
+---
+ libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b0a8..061914fc38 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
++++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+ // for 6tap filters, these are the outer two taps
+ // The zeros mask off pixels 4-7 when filtering 0-3
+ // and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
++static const vec_s8 h_subpel_filters_outer[4] =
+ {
+ REPT4(0, 0, 2, 1),
+ REPT4(0, 0, 3, 3),
+ REPT4(0, 0, 1, 2),
++ REPT4(0, 0, 0, 0),
+ };
+
+ #define LOAD_H_SUBPEL_FILTER(i) \
+--
+2.33.0
diff --git a/ffmpeg.spec b/ffmpeg.spec
index f5aaf7f..a8254db 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -62,7 +62,7 @@ Summary: Digital VCR and streaming server
 Name: ffmpeg%{?flavor}
 Version: 6.1.1
-Release: 14
+Release: 15
 License: GPL-3.0-or-later
 URL: http://ffmpeg.org/
 Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
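Review bot: The added row `++ REPT4(0, 0, 0, 0),` makes `h_subpel_filters_outer[3]` exist, but the commit message itself says its contents were guesstimated, so this backport removes the out-of-bounds read without establishing that the taps are right for the `i == 6` case that reaches index 3. If that index corresponds to a 4-tap filter — which zero outer taps would suit — a comment above the row such as `// index 3 (i == 6): 4-tap filter, so the outer taps are zero` would record why zeros are correct rather than merely in-bounds; if it does not, that filter's output is numerically wrong even though the sanitizer is quiet. Checking the row against the corresponding entry of subpel_filters in libavcodec/vp8dsp.c on 6.1.1 would settle it. The `LOAD_H_SUBPEL_FILTER` macro that consumes the table starts on the hunk's last context line and its body lies outside the hunk.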
@@ -78,6 +78,8 @@ Patch7: fix-CVE-2023-49502.patch
 Patch8: fix-CVE-2024-32230.patch
 Patch9: CVE-2024-7055.patch
 Patch10: CVE-2023-49501.patch
+Patch11: backport-CVE-2024-35366.patch
+Patch12: backport-CVE-2024-35367.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@@ -407,6 +409,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 %changelog
+* Sat Nov 30 2024 liningjie - 6.1.1-15
+- fix CVE-2024-35366 CVE-2024-35367
+
 * Wed Sep 18 2024 happyworker <208suo@208suo.com> - 6.1.1-14
 - CVE-2023-49501.patch
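Review bot: The two new `Patch11:`/`Patch12:` lines declare the backports but do not by themselves apply them; whether they take effect depends on the `%prep` section, which is outside this diff. If that section applies patches with explicit `%patch10 -p1`-style lines rather than `%autosetup`/`%autopatch`, matching `%patch11 -p1` and `%patch12 -p1` entries are needed, otherwise the package is rebuilt with both CVEs still open while the changelog claims they are fixed. Running `rpmbuild -bp` on the result, or checking the built libavformat for the new duration guard, would confirm the patches are actually applied. The file naming also drifts across the list (`fix-CVE-…`, `CVE-…`, now `backport-CVE-…`); not a functional issue, but one convention would make later audits of which CVEs are covered easier.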