manfred-h/ffmpeg-5
SHA256
1
0
Fork 0
forked from jengelh/ffmpeg-5
Code Pull Requests Activity

Accepting request 1169772 from multimedia:libs

Browse Source 
Address a bunch of CVEs

OBS-URL: https://build.opensuse.org/request/show/1169772
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ffmpeg-5?expand=0&rev=23
This commit is contained in:
Ana Guerrero 2024-04-23 16:56:17 +00:00 committed by Git OBS Bridge
commit 9b780d0326
9 changed files with 353 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch Normal file
View File

@ -0,0 +1,44 @@
From f1f973313b6edc460339c2dfa4675dd3ad72fe98 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Mon, 27 Nov 2023 11:52:37 +0100
Subject: [PATCH] avfilter/af_dialoguenhance: do output scaling once
References: https://bugzilla.opensuse.org/1222730
References: CVE-2023-49528
---
libavfilter/af_dialoguenhance.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c
index 5c8614c185..2674313f5c 100644
--- a/libavfilter/af_dialoguenhance.c
+++ b/libavfilter/af_dialoguenhance.c
@@ -108,7 +108,7 @@ static int config_input(AVFilterLink *inlink)
generate_window_func(s->window, s->fft_size, WFUNC_SINE, &overlap);
- iscale = 1.f / s->fft_size;
+ iscale = 1.f / (s->fft_size * 1.5f);
ret = av_tx_init(&s->tx_ctx[0], &s->tx_fn, AV_TX_FLOAT_RDFT, 0, s->fft_size, &scale, 0);
if (ret < 0)
@@ -296,13 +296,10 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
memcpy(left_osamples, left_in, overlap * sizeof(float));
memcpy(right_osamples, right_in, overlap * sizeof(float));
- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude
- if (!ctx->is_disabled) {
- for (int i = 0; i < overlap; i++)
- center_osamples[i] = left_out[i] / 1.5f;
- } else {
+ if (ctx->is_disabled)
memset(center_osamples, 0, overlap * sizeof(float));
- }
+ else
+ memcpy(center_osamples, left_out, overlap * sizeof(float));
return 0;
}
--
2.44.0

56
0001-avfilter-af_dialoguenhance-fix-overreads.patch Normal file
View File

@ -0,0 +1,56 @@
From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Sat, 25 Nov 2023 12:54:28 +0100
Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads
References: https://bugzilla.opensuse.org/1222730
References: CVE-2023-49528
---
libavfilter/af_dialoguenhance.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c
index 1762ea7cde..29c8ab10a7 100644
--- a/libavfilter/af_dialoguenhance.c
+++ b/libavfilter/af_dialoguenhance.c
@@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink)
if (!s->window)
return AVERROR(ENOMEM);
- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4);
- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4);
+ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
+ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
if (!s->in_frame || !s->windowed_out || !s->windowed_prev ||
!s->out_dist_frame || !s->windowed_frame || !s->center_frame)
return AVERROR(ENOMEM);
@@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
float *right_osamples = (float *)out->extended_data[1];
float *center_osamples = (float *)out->extended_data[2];
const int offset = s->fft_size - s->overlap;
+ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples);
float vad;
// shift in/out buffers
@@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
memmove(left_out, &left_out[s->overlap], offset * sizeof(float));
memmove(right_out, &right_out[s->overlap], offset * sizeof(float));
- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float));
- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float));
+ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float));
+ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float));
memset(&left_out[offset], 0, s->overlap * sizeof(float));
memset(&right_out[offset], 0, s->overlap * sizeof(float));
--
2.44.0

71
0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch Normal file
View File

@ -0,0 +1,71 @@
From 4671fb7dfb8e72b228e04f3b81da7f2003c62240 Mon Sep 17 00:00:00 2001
From: Paul B Mahol <onemda@gmail.com>
Date: Mon, 27 Nov 2023 00:38:56 +0100
Subject: [PATCH] avfilter/af_dialoguenhance: simplify channels copy
References: https://bugzilla.opensuse.org/1222730
References: CVE-2023-49528
---
libavfilter/af_dialoguenhance.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c
index 29c8ab10a7..5c8614c185 100644
--- a/libavfilter/af_dialoguenhance.c
+++ b/libavfilter/af_dialoguenhance.c
@@ -249,20 +249,21 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
float *left_osamples = (float *)out->extended_data[0];
float *right_osamples = (float *)out->extended_data[1];
float *center_osamples = (float *)out->extended_data[2];
- const int offset = s->fft_size - s->overlap;
- const int nb_samples = FFMIN(s->overlap, s->in->nb_samples);
+ const int overlap = s->overlap;
+ const int offset = s->fft_size - overlap;
+ const int nb_samples = FFMIN(overlap, s->in->nb_samples);
float vad;
// shift in/out buffers
- memmove(left_in, &left_in[s->overlap], offset * sizeof(float));
- memmove(right_in, &right_in[s->overlap], offset * sizeof(float));
- memmove(left_out, &left_out[s->overlap], offset * sizeof(float));
- memmove(right_out, &right_out[s->overlap], offset * sizeof(float));
+ memmove(left_in, &left_in[overlap], offset * sizeof(float));
+ memmove(right_in, &right_in[overlap], offset * sizeof(float));
+ memmove(left_out, &left_out[overlap], offset * sizeof(float));
+ memmove(right_out, &right_out[overlap], offset * sizeof(float));
memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float));
memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float));
- memset(&left_out[offset], 0, s->overlap * sizeof(float));
- memset(&right_out[offset], 0, s->overlap * sizeof(float));
+ memset(&left_out[offset], 0, overlap * sizeof(float));
+ memset(&right_out[offset], 0, overlap * sizeof(float));
apply_window(s, left_in, windowed_left, 0);
apply_window(s, right_in, windowed_right, 0);
@@ -292,14 +293,15 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
apply_window(s, windowed_oleft, left_out, 1);
- for (int i = 0; i < s->overlap; i++) {
- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude
- if (!ctx->is_disabled)
+ memcpy(left_osamples, left_in, overlap * sizeof(float));
+ memcpy(right_osamples, right_in, overlap * sizeof(float));
+
+ // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude
+ if (!ctx->is_disabled) {
+ for (int i = 0; i < overlap; i++)
center_osamples[i] = left_out[i] / 1.5f;
- else
- center_osamples[i] = 0.f;
- left_osamples[i] = left_in[i];
- right_osamples[i] = right_in[i];
+ } else {
+ memset(center_osamples, 0, overlap * sizeof(float));
}
return 0;
--
2.44.0

36
0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch Normal file
View File

@ -0,0 +1,36 @@
From ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 24 Dec 2023 20:31:02 +0100
Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error
References: https://bugzilla.opensuse.org/1223087
References: CVE-2024-31585
References: https://bugzilla.opensuse.org/1223273
References: CVE-2023-51795
Fixes: out of array access
Fixes: tickets/10749/poc15ffmpeg
Regression since: 81df787b53eb5c6433731f6eaaf7f2a94d8a8c80
Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/avf_showspectrum.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c
index 8cf73fce70..99a5c33d09 100644
--- a/libavfilter/avf_showspectrum.c
+++ b/libavfilter/avf_showspectrum.c
@@ -1784,7 +1784,7 @@ static int showspectrumpic_request_frame(AVFilterLink *outlink)
int acc_samples = 0;
int dst_offset = 0;
- while (nb_frame <= s->nb_frames) {
+ while (nb_frame < s->nb_frames) {
AVFrame *cur_frame = s->frames[nb_frame];
int cur_frame_samples = cur_frame->nb_samples;
int nb_samples = 0;
--
2.44.0

32
0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch Normal file
View File

@ -0,0 +1,32 @@
From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 23 Dec 2023 18:04:32 +0100
Subject: [PATCH] avfilter/f_reverse: Apply PTS compensation only when pts is
available
References: https://bugzilla.opensuse.org/1223274
References: CVE-2023-51796
Fixes: out of array access
Fixes: tickets/10753/poc16ffmpeg
Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1
Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/f_reverse.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: ffmpeg-5.1.4/libavfilter/f_reverse.c
===================================================================
--- ffmpeg-5.1.4.orig/libavfilter/f_reverse.c
+++ ffmpeg-5.1.4/libavfilter/f_reverse.c
@@ -253,7 +253,8 @@ static int areverse_request_frame(AVFilt
if (ret == AVERROR_EOF && s->nb_frames > 0) {
AVFrame *out = s->frames[s->nb_frames - 1];
out->pts = s->pts[s->flush_idx++] - s->nb_samples;
- s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
+ if (s->nb_frames > 1)
+ s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
if (av_sample_fmt_is_planar(out->format))
reverse_samples_planar(out);

31
0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch Normal file
View File

@ -0,0 +1,31 @@
From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001
From: Zhao Zhili <zhilizhao@tencent.com>
Date: Fri, 29 Dec 2023 05:56:43 +0800
Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow
References: https://bugzilla.opensuse.org/1223085
References: CVE-2024-31582
And improve the performance by a little bit.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
---
libavfilter/vf_codecview.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c
index 55d9c8c04f..f65ccbda70 100644
--- a/libavfilter/vf_codecview.c
+++ b/libavfilter/vf_codecview.c
@@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr
buf[sx + w - 1] = color;
buf += stride;
}
-
- for (int x = sx; x < sx + w; x++)
- buf[x] = color;
}
static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
--
2.44.0

46
0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Normal file
View File

@ -0,0 +1,46 @@
From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
From: Zhao Zhili <zhilizhao@tencent.com>
Date: Tue, 20 Feb 2024 20:08:55 +0800
Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
References: https://bugzilla.opensuse.org/1223070
References: CVE-2024-31578
Fix heap use after free when vulkan_frames_init failed.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
---
libavutil/hwcontext.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
index 1d2c2d7920..aa1329bf2b 100644
--- a/libavutil/hwcontext.c
+++ b/libavutil/hwcontext.c
@@ -359,7 +359,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
if (ctx->internal->hw_type->frames_init) {
ret = ctx->internal->hw_type->frames_init(ctx);
if (ret < 0)
- goto fail;
+ return ret;
}
if (ctx->internal->pool_internal && !ctx->pool)
@@ -369,14 +369,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
if (ctx->initial_pool_size > 0) {
ret = hwframe_pool_prealloc(ref);
if (ret < 0)
- goto fail;
+ return ret;
}
return 0;
-fail:
- if (ctx->internal->hw_type->frames_uninit)
- ctx->internal->hw_type->frames_uninit(ctx);
- return ret;
}
int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
--
2.44.0

21
ffmpeg-5.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Address boo#1223274/CVE-2023-51796: add patch
0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
-------------------------------------------------------------------
Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Address boo#1222730/CVE-2023-49528: add patches
0001-avfilter-af_dialoguenhance-fix-overreads.patch,
0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch,
0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch
- Address boo#1223070/CVE-2024-31578: add patch
0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
- Address boo#1223085/CVE-2024-31582: add patch
0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
- Address boo#1223087/CVE-2024-31585, boo#1223273/CVE-2023-51795:
add patch
0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
-------------------------------------------------------------------
Fri Feb 2 09:44:11 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>

18
ffmpeg-5.spec
View File

@ -111,7 +111,14 @@ Patch3: ffmpeg-codec-choice.diff
Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch
Patch5: work-around-abi-break.patch
Patch9: ffmpeg-4.4-CVE-2020-22046.patch
Patch10: ffmpeg-chromium.patch
Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch
Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch
Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch
Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
Patch90: ffmpeg-chromium.patch
Patch91: ffmpeg-dlopen-openh264.patch
Patch93: soname.diff
@ -831,7 +838,14 @@ Patch3: ffmpeg-codec-choice.diff
Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch
Patch5: work-around-abi-break.patch
Patch9: ffmpeg-4.4-CVE-2020-22046.patch
Patch10: ffmpeg-chromium.patch
Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch
Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch
Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch
Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
Patch90: ffmpeg-chromium.patch
Patch91: ffmpeg-dlopen-openh264.patch
Patch93: soname.diff
BuildRequires: c_compiler