From b8335667a60801bf2d1a421e956365c56fbb6b14333b0fd7ec8e219468eb00c1 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 29 May 2024 09:17:54 +0000
Subject: [PATCH] - Add 0001-avfilter-af_stereowiden-Check-length.patch [boo#1223437, CVE-2023-51794]
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=94
---
 ...avfilter-af_stereowiden-Check-length.patch | 29 +++++++++++++++++++
 ffmpeg-5.changes | 6 ++++
 ffmpeg-5.spec | 2 ++
 3 files changed, 37 insertions(+)
 create mode 100644 0001-avfilter-af_stereowiden-Check-length.patch
diff --git a/0001-avfilter-af_stereowiden-Check-length.patch b/0001-avfilter-af_stereowiden-Check-length.patch
new file mode 100644
index 0000000..3d439ab
--- /dev/null
+++ b/0001-avfilter-af_stereowiden-Check-length.patch
@@ -0,0 +1,29 @@
+From 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Sat, 23 Dec 2023 04:03:01 +0100
+Subject: [PATCH] avfilter/af_stereowiden: Check length
+References: https://bugzilla.opensuse.org/1223437
+References: CVE-2023-51794
+
+Fixes: out of array access
+Fixes: tickets/10746/poc13ffmpeg
+
+Found-by: Zeng Yunxiang
+Signed-off-by: Michael Niedermayer
+---
+ libavfilter/af_stereowiden.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: ffmpeg-4.4.4/libavfilter/af_stereowiden.c
+===================================================================
+--- ffmpeg-4.4.4.orig/libavfilter/af_stereowiden.c
++++ ffmpeg-4.4.4/libavfilter/af_stereowiden.c
+@@ -75,6 +75,8 @@ static int config_input(AVFilterLink *in
+
+ s->length = s->delay * inlink->sample_rate / 1000;
+ s->length *= 2;
++ if (s->length == 0)
++ return AVERROR(EINVAL);
+ s->buffer = av_calloc(s->length, sizeof(*s->buffer));
+ if (!s->buffer)
+ return AVERROR(ENOMEM);
diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes
index 67a2a9b..3ece908 100644
--- a/ffmpeg-5.changes
+++ b/ffmpeg-5.changes
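Review bot: The guard added in config_input() rejects only an exact zero, `if (s->length == 0)`, while the value comes from `s->delay * inlink->sample_rate / 1000`, doubled, on the lines just above it. The declarations of `length` and `delay` are outside the hunk, so if `length` is a signed type it is worth confirming the product cannot come out negative or wrapped; if it can, `if (s->length <= 0)` would cover both cases. The embedded patch is indexed against `ffmpeg-4.4.4/` but is carried in the ffmpeg-5 package, so check that it applies to the 5.x `af_stereowiden.c` without fuzz and that the guard still lands before the `av_calloc()` call. config_input() starts and ends outside the hunk.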
@@ -5,6 +5,12 @@ Tue Apr 27 11:38:35 UTC 2024 - Cliff Zhao
 Backporting e4d2666b from upstream, fixes the out of array access.
 (CVE-2023-50010 bsc#1223256)

+-------------------------------------------------------------------
+Fri Apr 26 22:16:48 UTC 2024 - Jan Engelhardt
+
+- Add 0001-avfilter-af_stereowiden-Check-length.patch
+ [boo#1223437, CVE-2023-51794]
+
 -------------------------------------------------------------------
 Tue Apr 26 12:18:26 UTC 2024 - Cliff Zhao

diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec
index 4d250d1..117cd60 100644
--- a/ffmpeg-5.spec
+++ b/ffmpeg-5.spec
@@ -118,6 +118,7 @@ Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
 Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
 Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
+Patch17: 0001-avfilter-af_stereowiden-Check-length.patch
 Patch90: ffmpeg-chromium.patch
 Patch91: ffmpeg-dlopen-openh264.patch
 Patch93: soname.diff
@@ -851,6 +852,7 @@ Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch
 Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
 Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
+Patch17: 0001-avfilter-af_stereowiden-Check-length.patch
 Patch90: ffmpeg-chromium.patch
 Patch91: ffmpeg-dlopen-openh264.patch
 Patch93: soname.diff