From 2d6b5c11b20d99f50a6a3d95c9376fe10ed6a39e700d09db02000a2bf78f2392 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 16 Nov 2022 11:52:06 +0000 Subject: [PATCH] Accepting request 1035934 from home:AZhou:branches:multimedia:libs - Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix out of bounds read in update_block_in_prev_frame() (bsc#1205388). OBS-URL: https://build.opensuse.org/request/show/1035934 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=33 --- ffmpeg-5.changes | 6 ++++ ffmpeg-5.spec | 1 + ffmpeg-CVE-2022-3964.patch | 70 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+) create mode 100644 ffmpeg-CVE-2022-3964.patch diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes index 604649e..e0338e9 100644 --- a/ffmpeg-5.changes +++ b/ffmpeg-5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Nov 16 01:32:19 UTC 2022 - Alynx Zhou + +- Add ffmpeg-CVE-2022-3964.patch: Backport from upstream to fix + out of bounds read in update_block_in_prev_frame() (bsc#1205388). + ------------------------------------------------------------------- Sat Oct 15 17:22:52 UTC 2022 - Neal Gompa diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec index b8ed433..cb2629a 100644 --- a/ffmpeg-5.spec +++ b/ffmpeg-5.spec @@ -103,6 +103,7 @@ Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch9: ffmpeg-4.4-CVE-2020-22046.patch Patch10: ffmpeg-chromium.patch +Patch11: ffmpeg-CVE-2022-3964.patch Patch91: ffmpeg-dlopen-openh264.patch %if %{with amf_sdk} diff --git a/ffmpeg-CVE-2022-3964.patch b/ffmpeg-CVE-2022-3964.patch new file mode 100644 index 0000000..25842f6 --- /dev/null +++ b/ffmpeg-CVE-2022-3964.patch @@ -0,0 +1,70 @@ +diff --unified --recursive --text --new-file --color ffmpeg-4.4.old/libavcodec/rpzaenc.c ffmpeg-4.4.new/libavcodec/rpzaenc.c +--- ffmpeg-4.4.old/libavcodec/rpzaenc.c 2022-11-15 14:41:42.262978968 +0800 ++++ ffmpeg-4.4.new/libavcodec/rpzaenc.c 2022-11-15 14:43:37.183516204 +0800 +@@ -204,7 +204,7 @@ + + // loop thru and compare pixels + for (y = 0; y < bi->block_height; y++) { +- for (x = 0; x < bi->block_width; x++){ ++ for (x = 0; x < bi->block_width; x++) { + // TODO: optimize + min_r = FFMIN(R(block_ptr[x]), min_r); + min_g = FFMIN(G(block_ptr[x]), min_g); +@@ -276,7 +276,7 @@ + return -1; + + for (i = 0; i < bi->block_height; i++) { +- for (j = 0; j < bi->block_width; j++){ ++ for (j = 0; j < bi->block_width; j++) { + x = GET_CHAN(block_ptr[j], xchannel); + y = GET_CHAN(block_ptr[j], ychannel); + sumx += x; +@@ -323,7 +323,7 @@ + int max_err = 0; + + for (i = 0; i < bi->block_height; i++) { +- for (j = 0; j < bi->block_width; j++){ ++ for (j = 0; j < bi->block_width; j++) { + int x_inc, lin_y, lin_x; + x = GET_CHAN(block_ptr[j], xchannel); + y = GET_CHAN(block_ptr[j], ychannel); +@@ -418,7 +418,9 @@ + uint16_t *dest_pixels, + const BlockInfo *bi, int block_counter) + { +- for (int y = 0; y < 4; y++) { ++ const int y_size = FFMIN(4, bi->image_height - bi->row * 4); ++ ++ for (int y = 0; y < y_size; y++) { + memcpy(dest_pixels, src_pixels, 8); + dest_pixels += bi->rowstride; + src_pixels += bi->rowstride; +@@ -728,13 +730,14 @@ + + if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK + uint16_t *row_ptr; +- int rgb555; ++ int y_size, rgb555; + + block_offset = get_block_info(&bi, block_counter); + + row_ptr = &src_pixels[block_offset]; ++ y_size = FFMIN(4, bi.image_height - bi.row * 4); + +- for (int y = 0; y < 4; y++) { ++ for (int y = 0; y < y_size; y++) { + for (int x = 0; x < 4; x++){ + rgb555 = row_ptr[x] & ~0x8000; + +@@ -743,6 +746,11 @@ + row_ptr += bi.rowstride; + } + ++ for (int y = y_size; y < 4; y++) { ++ for (int x = 0; x < 4; x++) ++ put_bits(&s->pb, 16, 0); ++ } ++ + block_counter++; + } else { // FOUR COLOR BLOCK + block_counter += encode_four_color_block(min_color, max_color,