SHA256
1
0
forked from jengelh/ffmpeg-4
ffmpeg-4/ffmpeg-CVE-2021-33815.patch
Jan Engelhardt 1e8f598ca6 Accepting request 904700 from home:AZhou:branches:multimedia:libs
- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix
  a denial of service vulnerability exists in FFmpeg 4.2 due to a
  memory leak in the avpriv_float_dsp_allocl function in
  libavutil/float_dsp.c (bsc#1186849).
- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix
  dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an
  out-of-bounds array access because dc_count is not strictly
  checked (bsc#1186865).

OBS-URL: https://build.opensuse.org/request/show/904700
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=166
2021-07-08 13:26:34 +00:00

39 lines
1.2 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 25 May 2021 19:29:18 +0200
Subject: [PATCH] avcodec/exr: More strictly check dc_count
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: out of array access
Fixes: exr/deneme
Found-by: Burak Çarıı <burakcarikci@crypttech.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9377a89169..4648ed7d62 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
bytestream2_skip(&gb, ac_size);
}
- if (dc_size > 0) {
+ {
unsigned long dest_len = dc_count * 2LL;
GetByteContext agb = gb;
- if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
+ if (dc_count != dc_w * dc_h * 3)
return AVERROR_INVALIDDATA;
av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
--
2.32.0