packages/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:c8b80a2ecb311b03b808ce66cf1fc256e1d4753a
Branches Tags
packages:main
..
compare: packages:93f75f44400f900208848411d67ba2e6ff8d47f1
Branches Tags
packages:main

No commits in common. "c8b80a2ecb311b03b808ce66cf1fc256e1d4753a" and "93f75f44400f900208848411d67ba2e6ff8d47f1" have entirely different histories.
c8b80a2ecb ... 93f75f4440

9 changed files with 1 additions and 311 deletions
Show Stats Expand all files Collapse all files

57
backport-CVE-2024-35365.patch
View File

@ -1,57 +0,0 @@
From ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Mon, 25 Mar 2024 16:54:25 +0100
Subject: [PATCH] fftools/ffmpeg_mux_init: Fix double-free on error
MATCH_PER_STREAM_OPT iterates over all options of a given
OptionDef and tests whether they apply to the current stream;
if so, they are set to ost->apad, otherwise, the code errors
out. If no error happens, ost->apad is av_strdup'ed in order
to take ownership of this pointer.
But this means that setting it originally was premature,
as it leads to double-frees when an error happens lateron.
This can simply be reproduced with
ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -
This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
Fix this by using a temporary variable instead of directly
setting ost->apad. Also only strdup the string if it actually
is != NULL.
Reviewed-by: Marth64 <marth64@proxyid.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
fftools/ffmpeg_mux_init.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c
index 63a25a3..e0220ef 100644
--- a/fftools/ffmpeg_mux_init.c
+++ b/fftools/ffmpeg_mux_init.c
@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
int channels = 0;
char *layout = NULL;
char *sample_fmt = NULL;
+ const char *apad = NULL;
MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
if (channels) {
@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st);
- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
- ost->apad = av_strdup(ost->apad);
+ MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
+ if (apad) {
+ ost->apad = av_strdup(apad);
+ if (!ost->apad)
+ return AVERROR(ENOMEM);
+ }
#if FFMPEG_OPT_MAP_CHANNEL
/* check for channel mapping for this audio stream */
--
2.46.0

35
backport-CVE-2024-35368.patch
View File

@ -1,35 +0,0 @@
From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 24 Sep 2023 13:15:48 +0200
Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/rkmppdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
index 7665098c6a..6889545b20 100644
--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
if (!frame->hw_frames_ctx) {
- ret = AVERROR(ENOMEM);
- goto fail;
+ av_frame_unref(frame);
+ return AVERROR(ENOMEM);
}
return 0;
--
2.33.0

31
backport-CVE-2024-35369.patch
View File

@ -1,31 +0,0 @@
From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 17 Feb 2024 09:45:57 -0300
Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
Prevent potential integer overflows.
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavcodec/speexdec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 08c7e77..46d2587 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1420,8 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
s->bitrate = bytestream_get_le32(&buf);
s->frame_size = bytestream_get_le32(&buf);
- if (s->frame_size < NB_FRAME_SIZE << s->mode)
+ if (s->frame_size < NB_FRAME_SIZE << s->mode ||
+ s->frame_size > INT32_MAX >> s->mode)
return AVERROR_INVALIDDATA;
+ s->frame_size <<= s->mode;
s->vbr = bytestream_get_le32(&buf);
s->frames_per_packet = bytestream_get_le32(&buf);
if (s->frames_per_packet <= 0 ||
--
2.33.0

36
backport-CVE-2024-36613.patch
View File

@ -1,36 +0,0 @@
From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 00:51:29 +0200
Subject: [PATCH] avformat/dxa: Adjust order of operations around block
align
Fixes:
51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464
Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in
type 'int'
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/dxa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dxa.c b/libavformat/dxa.c
index 474b852..167241f 100644
--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s)
if(ast->codecpar->block_align) {
if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
return AVERROR_INVALIDDATA;
- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align;
}
c->bytes_left = fsize;
c->wavpos = avio_tell(pb);
--
2.41.0

29
backport-CVE-2024-36616.patch
View File

@ -1,29 +0,0 @@
From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 26 Mar 2024 01:00:13 +0100
Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets
Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/westwood_vqa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
index 954710a6f0..3a31e3f5e8 100644
--- a/libavformat/westwood_vqa.c
+++ b/libavformat/westwood_vqa.c
@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
break;
case SND2_TAG:
/* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
- pkt->duration = (chunk_size * 2) / wsvqa->channels;
+ pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
break;
}
break;
--
2.33.0

31
backport-CVE-2024-36617.patch
View File

@ -1,31 +0,0 @@
From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 30 Sep 2023 00:38:17 +0200
Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit
Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/cafdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 426c56b9bd..72809fd1de 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
}
}
- if (avio_tell(pb) - ccount > size) {
+ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
av_log(s, AV_LOG_ERROR, "error reading packet table\n");
return AVERROR_INVALIDDATA;
}
--
2.43.0

31
backport-CVE-2024-36618.patch
View File

@ -1,31 +0,0 @@
From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Tue, 12 Mar 2024 23:23:17 +0100
Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index f3183b2698..985a9bf022 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1696,7 +1696,7 @@ static int check_stream_max_drift(AVFormatContext *s)
int *idx = av_calloc(s->nb_streams, sizeof(*idx));
if (!idx)
return AVERROR(ENOMEM);
- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
int64_t max_dts = INT64_MIN / 2;
int64_t min_dts = INT64_MAX / 2;
int64_t max_buffer = 0;
--
2.43.0

31
backport-CVE-2024-36619.patch
View File

@ -1,31 +0,0 @@
From 28c7094b25b689185155a6833caf2747b94774a4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 4 Apr 2024 00:15:27 +0200
Subject: [PATCH] avcodec/wavarc: fix signed integer overflow in block type
6/19
Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int'
Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavarc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 7083494cd8..b4b26958e6 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -647,7 +647,7 @@ static int decode_5elp(AVCodecContext *avctx,
for (int o = 0; o < order; o++)
sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
- samples[n + 70] += ac_out[n] + (sum >> 4);
+ samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);
}
for (int n = 0; n < 70; n++)
--
2.33.0

31
ffmpeg.spec
View File

@ -62,7 +62,7 @@
Summary: Digital VCR and streaming server
Name: ffmpeg%{?flavor}
Version: 6.1.1
Release: 20
Release: 15
License: GPL-3.0-or-later
URL: http://ffmpeg.org/
Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
@ -80,14 +80,6 @@ Patch9: CVE-2024-7055.patch
Patch10: CVE-2023-49501.patch
Patch11: backport-CVE-2024-35366.patch
Patch12: backport-CVE-2024-35367.patch
Patch13: backport-CVE-2024-35368.patch
Patch14: backport-CVE-2024-36616.patch
Patch15: backport-CVE-2024-36618.patch
Patch16: backport-CVE-2024-36617.patch
Patch17: backport-CVE-2024-36619.patch
Patch18: backport-CVE-2024-35369.patch
Patch19: backport-CVE-2024-36613.patch
Patch20: backport-CVE-2024-35365.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@ -417,27 +409,6 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
%changelog
* Mon Jan 13 2025 changtao <changtao@kylinos.cn> - 6.1.1-20
- Type: CVE
- CVE: CVE-2024-35365
- SUG: NA
- DESC: fix CVE-2024-35365
* Sun Jan 5 2025 changtao <changtao@kylinos.cn> - 6.1.1-19
- Type: CVE
- CVE: CVE-2024-36613
- SUG: NA
- DESC: fix CVE-2024-36613
* Tue Dec 17 2024 liningjie <liningjie@xfusion.com> - 6.1.1-18
- fix CVE-2024-36619 CVE-2024-35369
* Fri Dec 13 2024 liningjie <liningjie@xfusion.com> - 6.1.1-17
- fix CVE-2024-36617 CVE-2024-36618
* Mon Dec 02 2024 liningjie <liningjie@xfusion.com> - 6.1.1-16
- fix CVE-2024-35368 CVE-2024-36616
* Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 6.1.1-15
- fix CVE-2024-35366 CVE-2024-35367