fix CVE-2024-35366 CVE-2024-35367
(cherry picked from commit 1fb81e551764d3bf478f8aefac0e67291396ad3e)
parent
693354ff60
commit
77008daaae
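--- a/backport-CVE-2024-35366.patch
+++ b/backport-CVE-2024-35366.patch
@@ -0,0 +1,29 @@
+From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+libavformat/sbgdec.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index bc2469afd1..e60eb1481e 100644
+--- a/libavformat/sbgdec.c
++++ b/libavformat/sbgdec.c
+@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p)
+case 'L':
+FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+r = str_to_time(oarg.s, &p->scs.opt_duration);
+- if (oarg.e != oarg.s + r) {
++ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+snprintf(p->err_msg, sizeof(p->err_msg),
+"syntax error for option -L");
+return AVERROR_INVALIDDATA;
+--
+2.33.0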
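Review bot: The new `p->scs.opt_duration < 0` test in the `case 'L':` branch of parse_options carries no comment, and it reuses the `"syntax error for option -L"` message, so a well-formed but negative duration is reported as a syntax error and the reason for the range check is not visible in the code. As this is a verbatim upstream backport I would leave the condition as it is and only record the intent, e.g. `/* a negative duration causes signed overflow in later time arithmetic */` above the `if`. The check bounds the value from below only; whether very large positive durations are safe in the later arithmetic cannot be judged from this hunk, since parse_options starts and ends outside it.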
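--- a/backport-CVE-2024-35367.patch
+++ b/backport-CVE-2024-35367.patch
@@ -0,0 +1,41 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern <gseanmcg@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+---
+libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b0a8..061914fc38 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
++++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+// for 6tap filters, these are the outer two taps
+// The zeros mask off pixels 4-7 when filtering 0-3
+// and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
++static const vec_s8 h_subpel_filters_outer[4] =
+{
+REPT4(0, 0, 2, 1),
+REPT4(0, 0, 3, 3),
+REPT4(0, 0, 1, 2),
++ REPT4(0, 0, 0, 0),
+};
+
+#define LOAD_H_SUBPEL_FILTER(i) \
+--
+2.33.0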
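Review bot: The added `REPT4(0, 0, 0, 0),` row in `h_subpel_filters_outer[4]` has no comment, although the commit message says its value was guessed and that it exists only so `h_subpel_filters_outer[i / 2]` stays in bounds for `i == 6`. A short comment on that row, such as `// i / 2 == 3 (i == 6): value derived from subpel_filters in vp8dsp.c`, would keep that knowledge next to the table. The size relation between the 7-entry inner table and the 4-entry outer table also remains implicit in the two literal bounds. A compile-time assertion tying the two lengths together would catch a future change that resizes one table without the other. The `LOAD_H_SUBPEL_FILTER` macro that performs the indexing begins at the end of the hunk and is not visible here.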
@ -62,7 +62,7 @@
|
|||||||
Summary: Digital VCR and streaming server
|
Summary: Digital VCR and streaming server
|
||||||
Name: ffmpeg%{?flavor}
|
Name: ffmpeg%{?flavor}
|
||||||
Version: 6.1.1
|
Version: 6.1.1
|
||||||
Release: 14
|
Release: 15
|
||||||
License: GPL-3.0-or-later
|
License: GPL-3.0-or-later
|
||||||
URL: http://ffmpeg.org/
|
URL: http://ffmpeg.org/
|
||||||
Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
|
Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
|
||||||
@ -78,6 +78,8 @@ Patch7: fix-CVE-2023-49502.patch
|
|||||||
Patch8: fix-CVE-2024-32230.patch
|
Patch8: fix-CVE-2024-32230.patch
|
||||||
Patch9: CVE-2024-7055.patch
|
Patch9: CVE-2024-7055.patch
|
||||||
Patch10: CVE-2023-49501.patch
|
Patch10: CVE-2023-49501.patch
|
||||||
|
Patch11: backport-CVE-2024-35366.patch
|
||||||
|
Patch12: backport-CVE-2024-35367.patch
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
%{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
|
%{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
|
||||||
@ -407,6 +409,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 6.1.1-15
|
||||||
|
- fix CVE-2024-35366 CVE-2024-35367
|
||||||
|
|
||||||
* Wed Sep 18 2024 happyworker <208suo@208suo.com> - 6.1.1-14
|
* Wed Sep 18 2024 happyworker <208suo@208suo.com> - 6.1.1-14
|
||||||
- CVE-2023-49501.patch
|
- CVE-2023-49501.patch
|
||||||
|
|
||||||
|
|||||||