From 8a0eb853b5e1a46e7c39a6b61b158f13829da7f72d772e3df2d70a9b2cf4fbe2 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 10 Sep 2019 08:34:40 +0000 Subject: [PATCH] - Add 0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch [boo#1149839, CVE-2019-15942] OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=90 --- ...arse-zero-initialize-the-rbsp-buffer.patch | 49 +++++++++++++++++++ ffmpeg-4.changes | 14 ++++-- 2 files changed, 59 insertions(+), 4 deletions(-) create mode 100644 0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch diff --git a/0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch b/0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch new file mode 100644 index 0000000..adb763b --- /dev/null +++ b/0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch @@ -0,0 +1,49 @@ +From af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71 Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Mon, 26 Aug 2019 00:54:20 -0300 +Subject: [PATCH] avcodec/h2645_parse: zero initialize the rbsp buffer + +Fixes ticket #8093 + +Reviewed-by: Andreas Rheinhardt +Signed-off-by: James Almer +--- + libavcodec/h2645_parse.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c +index 24658b3dfa..307e8643e6 100644 +--- a/libavcodec/h2645_parse.c ++++ b/libavcodec/h2645_parse.c +@@ -345,13 +345,18 @@ static int find_next_start_code(const uint8_t *buf, const uint8_t *next_avc) + + static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) + { ++ int min_size = size; ++ + if (size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) + goto fail; + size += AV_INPUT_BUFFER_PADDING_SIZE; + + if (rbsp->rbsp_buffer_alloc_size >= size && +- (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) ++ (!rbsp->rbsp_buffer_ref || av_buffer_is_writable(rbsp->rbsp_buffer_ref))) { ++ av_assert0(rbsp->rbsp_buffer); ++ memset(rbsp->rbsp_buffer + min_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); + return; ++ } + + size = FFMIN(size + size / 16 + 32, INT_MAX); + +@@ -360,7 +365,7 @@ static void alloc_rbsp_buffer(H2645RBSP *rbsp, unsigned int size, int use_ref) + else + av_free(rbsp->rbsp_buffer); + +- rbsp->rbsp_buffer = av_malloc(size); ++ rbsp->rbsp_buffer = av_mallocz(size); + if (!rbsp->rbsp_buffer) + goto fail; + rbsp->rbsp_buffer_alloc_size = size; +-- +2.23.0 + diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes index dd6f15d..162afea 100644 --- a/ffmpeg-4.changes +++ b/ffmpeg-4.changes @@ -1,7 +1,13 @@ +------------------------------------------------------------------- +Tue Sep 10 08:30:36 UTC 2019 - Jan Engelhardt + +- Add 0001-avcodec-h2645_parse-zero-initialize-the-rbsp-buffer.patch + [boo#1149839, CVE-2019-15942] + ------------------------------------------------------------------- Wed Sep 4 12:05:35 UTC 2019 - Ismail Dönmez -- Make ffmpeg-4.2-dlopen-fdk_aac.patch less verbose +- Make ffmpeg-4.2-dlopen-fdk_aac.patch less verbose ------------------------------------------------------------------- Thu Aug 22 08:45:17 UTC 2019 - Ismail Dönmez @@ -283,8 +289,8 @@ Tue Nov 06 01:39:11 UTC 2018 - sean@suspend.net Sat Nov 03 14:48:35 UTC 2018 - sean@suspend.net -- Remove 0001-avformat-fivenc-Check-audio-packet-size.patch (fixed upstream (bsc#8591d16) -- Update ffmpeg to 4.0.3 +- Remove 0001-avformat-fivenc-Check-audio-packet-size.patch (fixed upstream (bsc#8591d16) +- Update ffmpeg to 4.0.3 * For complete changelog, see https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n4.0.3 ------------------------------------------------------------------- @@ -1347,7 +1353,7 @@ Mon Dec 7 12:18:36 UTC 2015 - idonmez@suse.com * All packman specific changes are protected with BUILD_ORIG - Added the following patches * ffmpeg-2.4.5-arm6l.patch - * ffmpeg-libcdio_cdda-pkgconfig.patch + * ffmpeg-libcdio_cdda-pkgconfig.patch ------------------------------------------------------------------- Sun Nov 29 11:24:54 UTC 2015 - jengelh@inai.de