From 1e8f598ca6896d48b533ba9e73ecfcbf90c07d565de49da2a3eaa507be3ebe63 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 8 Jul 2021 13:26:34 +0000
Subject: [PATCH] Accepting request 904700 from home:AZhou:branches:multimedia:libs
- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c (bsc#1186849).
- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked (bsc#1186865).
OBS-URL: https://build.opensuse.org/request/show/904700
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=166
---
 ffmpeg-4.changes | 12 ++++++++++++
 ffmpeg-4.spec | 2 ++
 ffmpeg-CVE-2020-22046.patch | 38 +++++++++++++++++++++++++++++++++++++
 ffmpeg-CVE-2021-33815.patch | 38 +++++++++++++++++++++++++++++++++++++
 4 files changed, 90 insertions(+)
 create mode 100644 ffmpeg-CVE-2020-22046.patch
 create mode 100644 ffmpeg-CVE-2021-33815.patch
diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes
index bd25550..fb4e2fe 100644
--- a/ffmpeg-4.changes
+++ b/ffmpeg-4.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Jul 8 06:43:28 UTC 2021 - Alynx Zhou
+
+- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix
+ a denial of service vulnerability exists in FFmpeg 4.2 due to a
+ memory leak in the avpriv_float_dsp_allocl function in
+ libavutil/float_dsp.c (bsc#1186849).
+- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix
+ dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an
+ out-of-bounds array access because dc_count is not strictly
+ checked (bsc#1186865).
+
 -------------------------------------------------------------------
 Fri Jun 4 12:29:16 UTC 2021 - Jan Engelhardt
diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec
index c919575..9bb79ac 100644
--- a/ffmpeg-4.spec
+++ b/ffmpeg-4.spec
@@ -117,6 +117,8 @@ Patch3: ffmpeg-codec-choice.diff
 Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch
 Patch5: soversion.patch
 Patch8: vmaf-trim-usr-local.patch
+Patch9: ffmpeg-CVE-2020-22046.patch
+Patch10: ffmpeg-CVE-2021-33815.patch
 BuildRequires: ladspa-devel
 BuildRequires: libgsm-devel
 BuildRequires: libmp3lame-devel
diff --git a/ffmpeg-CVE-2020-22046.patch b/ffmpeg-CVE-2020-22046.patch
new file mode 100644
index 0000000..0285e55
--- /dev/null
+++ b/ffmpeg-CVE-2020-22046.patch
@@ -0,0 +1,38 @@
+From 097c917c147661f5378dae8fe3f7e46f43236426 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt
+Date: Thu, 17 Oct 2019 11:11:55 +0200
+Subject: [PATCH] avcodec/ac3enc: Fix memleak
+
+Fixes ticket #8294.
+
+Signed-off-by: Andreas Rheinhardt
+---
+ libavcodec/ac3enc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c
+index 76872a8fe0..25318f8631 100644
+--- a/libavcodec/ac3enc.c
++++ b/libavcodec/ac3enc.c
+@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
+ av_freep(&block->cpl_coord_mant);
+ }
+
+- s->mdct_end(s);
++ if (s->mdct_end)
++ s->mdct_end(s);
+
+ return 0;
+ }
+@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)
+
+ ret = validate_options(s);
+ if (ret)
+- return ret;
++ goto init_fail;
+
+ avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
+ avctx->initial_padding = AC3_BLOCK_SIZE;
+--
+2.32.0
+
diff --git a/ffmpeg-CVE-2021-33815.patch b/ffmpeg-CVE-2021-33815.patch
new file mode 100644
index 0000000..b2632a2
--- /dev/null
+++ b/ffmpeg-CVE-2021-33815.patch
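Review bot: The ffmpeg-4.spec hunk only declares `Patch9` and `Patch10`; nothing in it shows that %prep applies them, and the diffstat lists just these two added lines for the spec. If %prep (outside the hunk) applies patches through explicit `%patch` lines rather than `%autosetup` or `%autopatch`, both CVE fixes would ship in the source package without being applied, so this is worth confirming in the build log. A tag comment above each declaration, for example `# PATCH-FIX-UPSTREAM ffmpeg-CVE-2020-22046.patch bsc#1186849 -- ac3enc: fix memleak on init failure`, would also keep the CVE-to-patch mapping auditable from the spec itself.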
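Review bot: In ffmpeg-CVE-2020-22046.patch the new `if (s->mdct_end)` guard in ff_ac3_encode_close carries no comment saying when the pointer can be NULL. Presumably the `goto init_fail` added in ff_ac3_encode_init now reaches the close path before the function pointers are assigned, but the `init_fail` label and the rest of both functions are outside the hunk, so this is inferred. I would add `/* mdct_end is still NULL when init fails before the function pointers are set */` above the guard. The .changes entry also locates the leak in libavutil/float_dsp.c while this patch touches only libavcodec/ac3enc.c; a line in the patch header naming CVE-2020-22046 and bsc#1186849 would make that link explicit for later audits.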
@@ -0,0 +1,38 @@
+From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Tue, 25 May 2021 19:29:18 +0200
+Subject: [PATCH] avcodec/exr: More strictly check dc_count
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: out of array access
+Fixes: exr/deneme
+
+Found-by: Burak Çarıkçı
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/exr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index 9377a89169..4648ed7d62 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
+ bytestream2_skip(&gb, ac_size);
+ }
+
+- if (dc_size > 0) {
++ {
+ unsigned long dest_len = dc_count * 2LL;
+ GetByteContext agb = gb;
+
+- if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
++ if (dc_count != dc_w * dc_h * 3)
+ return AVERROR_INVALIDDATA;
+
+ av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
+--
+2.32.0
+
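Review bot: The replacement check `dc_count != dc_w * dc_h * 3` in dwa_uncompress drops the `6LL` widening that the removed bound used. dc_w and dc_h are declared outside the hunk; if they are plain int, the product is evaluated in int and could overflow for very large dimensions before the comparison, unless an earlier size check rules that out. Writing it as `if (dc_count != 3LL * dc_w * dc_h)` keeps the arithmetic in 64 bits at no cost. With the `if (dc_size > 0)` condition gone, the bare `{` block would also read better with a short comment such as `/* always validated: dc_count must equal dc_w * dc_h * 3 */`. The function body continues outside the hunk, so what later consumes dc_size could not be checked here.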