address +1 issue/CVE

OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=85
2024-04-22 23:18:01 +00:00 · 2024-04-22 23:18:01 +00:00 · 8acab4b7f8
commit 8acab4b7f8
parent c7d526a909
3 changed files with 42 additions and 1 deletions
--- a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
+++ b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
@ -4,6 +4,8 @@ Date: Sun, 24 Dec 2023 20:31:02 +0100
 Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error
 References: https://bugzilla.opensuse.org/1223087
 References: CVE-2024-31585
+References: https://bugzilla.opensuse.org/1223273
+References: CVE-2023-51795

 Fixes: out of array access
 Fixes: tickets/10749/poc15ffmpeg
--- a/0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
+++ b/0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
@ -0,0 +1,32 @@
+From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 23 Dec 2023 18:04:32 +0100
+Subject: [PATCH] avfilter/f_reverse: Apply PTS compensation only when pts is
+ available
+References: https://bugzilla.opensuse.org/1223274
+References: CVE-2023-51796
+
+Fixes: out of array access
+Fixes: tickets/10753/poc16ffmpeg
+
+Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1
+Found-by: Zeng Yunxiang
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/f_reverse.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: ffmpeg-5.1.4/libavfilter/f_reverse.c
+===================================================================
+--- ffmpeg-5.1.4.orig/libavfilter/f_reverse.c
+++ ffmpeg-5.1.4/libavfilter/f_reverse.c
+@@ -253,7 +253,8 @@ static int areverse_request_frame(AVFilt
+     if (ret == AVERROR_EOF && s->nb_frames > 0) {
+         AVFrame *out = s->frames[s->nb_frames - 1];
+         out->pts     = s->pts[s->flush_idx++] - s->nb_samples;
+-        s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
+        if (s->nb_frames > 1)
+            s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
+ 
+         if (av_sample_fmt_is_planar(out->format))
+             reverse_samples_planar(out);
--- a/ffmpeg-5.changes
+++ b/ffmpeg-5.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Address boo#1223274/CVE-2023-51796: add patch
+  0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
+
 -------------------------------------------------------------------
 Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

@ -9,7 +15,8 @@ Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
  0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 - Address boo#1223085/CVE-2024-31582: add patch
  0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
- Address boo#1223087/CVE-2024-31585: add patch
+- Address boo#1223087/CVE-2024-31585, boo#1223273/CVE-2023-51795:
+  add patch
  0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch

 -------------------------------------------------------------------