!166 [sync] PR-164: fix CVE-2024-35366 CVE-2024-35367

From: @openeuler-sync-bot Reviewed-by: @open-bot Signed-off-by: @open-bot
2024-12-03 01:33:29 +00:00 · 2024-12-03 01:33:29 +00:00 · 93f75f4440
commit 93f75f4440
parent 693354ff60 77008daaae
3 changed files with 76 additions and 1 deletions
--- a/backport-CVE-2024-35366.patch
+++ b/backport-CVE-2024-35366.patch
@ -0,0 +1,29 @@
+From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/sbgdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index bc2469afd1..e60eb1481e 100644
+--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
+@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p)
+                 case 'L':
+                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+                     r = str_to_time(oarg.s, &p->scs.opt_duration);
+-                    if (oarg.e != oarg.s + r) {
+                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+                         snprintf(p->err_msg, sizeof(p->err_msg),
+                                  "syntax error for option -L");
+                         return AVERROR_INVALIDDATA;
+-- 
+2.33.0
--- a/backport-CVE-2024-35367.patch
+++ b/backport-CVE-2024-35367.patch
@ -0,0 +1,41 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern <gseanmcg@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+---
+ libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b0a8..061914fc38 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
+++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+ // for 6tap filters, these are the outer two taps
+ // The zeros mask off pixels 4-7 when filtering 0-3
+ // and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
+static const vec_s8 h_subpel_filters_outer[4] =
+ {
+     REPT4(0, 0, 2, 1),
+     REPT4(0, 0, 3, 3),
+     REPT4(0, 0, 1, 2),
+    REPT4(0, 0, 0, 0),
+ };
+ 
+ #define LOAD_H_SUBPEL_FILTER(i) \
+-- 
+2.33.0
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@ -62,7 +62,7 @@
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        6.1.1
-Release:        14
+Release:        15
 License:        GPL-3.0-or-later
 URL:            http://ffmpeg.org/
 Source0:        http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
@ -78,6 +78,8 @@ Patch7:         fix-CVE-2023-49502.patch
 Patch8:         fix-CVE-2024-32230.patch
 Patch9:         CVE-2024-7055.patch
 Patch10:        CVE-2023-49501.patch
+Patch11:        backport-CVE-2024-35366.patch
+Patch12:        backport-CVE-2024-35367.patch

 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@ -407,6 +409,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}


 %changelog
+* Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 6.1.1-15
+- fix CVE-2024-35366 CVE-2024-35367
+
 * Wed Sep 18 2024 happyworker <208suo@208suo.com> - 6.1.1-14
 - CVE-2023-49501.patch