From 1e8f598ca6896d48b533ba9e73ecfcbf90c07d565de49da2a3eaa507be3ebe63 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 8 Jul 2021 13:26:34 +0000 Subject: [PATCH 1/2] Accepting request 904700 from home:AZhou:branches:multimedia:libs - Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix a denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c (bsc#1186849). - Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked (bsc#1186865). OBS-URL: https://build.opensuse.org/request/show/904700 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=166 --- ffmpeg-4.changes | 12 ++++++++++++ ffmpeg-4.spec | 2 ++ ffmpeg-CVE-2020-22046.patch | 38 +++++++++++++++++++++++++++++++++++++ ffmpeg-CVE-2021-33815.patch | 38 +++++++++++++++++++++++++++++++++++++ 4 files changed, 90 insertions(+) create mode 100644 ffmpeg-CVE-2020-22046.patch create mode 100644 ffmpeg-CVE-2021-33815.patch diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes index bd25550..fb4e2fe 100644 --- a/ffmpeg-4.changes +++ b/ffmpeg-4.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Jul 8 06:43:28 UTC 2021 - Alynx Zhou + +- Add ffmpeg-CVE-2020-22046.patch: Backport from upstream to fix + a denial of service vulnerability exists in FFmpeg 4.2 due to a + memory leak in the avpriv_float_dsp_allocl function in + libavutil/float_dsp.c (bsc#1186849). +- Add ffmpeg-CVE-2021-33815.patch: Backport from upstream to fix + dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an + out-of-bounds array access because dc_count is not strictly + checked (bsc#1186865). + ------------------------------------------------------------------- Fri Jun 4 12:29:16 UTC 2021 - Jan Engelhardt 
diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec index c919575..9bb79ac 100644 --- a/ffmpeg-4.spec +++ b/ffmpeg-4.spec @@ -117,6 +117,8 @@ Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: soversion.patch Patch8: vmaf-trim-usr-local.patch +Patch9: ffmpeg-CVE-2020-22046.patch +Patch10: ffmpeg-CVE-2021-33815.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel diff --git a/ffmpeg-CVE-2020-22046.patch b/ffmpeg-CVE-2020-22046.patch new file mode 100644 index 0000000..0285e55 --- /dev/null +++ b/ffmpeg-CVE-2020-22046.patch @@ -0,0 +1,38 @@ +From 097c917c147661f5378dae8fe3f7e46f43236426 Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Thu, 17 Oct 2019 11:11:55 +0200 +Subject: [PATCH] avcodec/ac3enc: Fix memleak + +Fixes ticket #8294. + +Signed-off-by: Andreas Rheinhardt +--- + libavcodec/ac3enc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c +index 76872a8fe0..25318f8631 100644 +--- a/libavcodec/ac3enc.c ++++ b/libavcodec/ac3enc.c +@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) + av_freep(&block->cpl_coord_mant); + } + +- s->mdct_end(s); ++ if (s->mdct_end) ++ s->mdct_end(s); + + return 0; + } +@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) + + ret = validate_options(s); + if (ret) +- return ret; ++ goto init_fail; + + avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; + avctx->initial_padding = AC3_BLOCK_SIZE; +-- +2.32.0 + diff --git a/ffmpeg-CVE-2021-33815.patch b/ffmpeg-CVE-2021-33815.patch new file mode 100644 index 0000000..b2632a2 --- /dev/null +++ b/ffmpeg-CVE-2021-33815.patch 
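Review bot: The ffmpeg-4.spec hunk only declares `Patch9:` and `Patch10:`; whether they are applied depends on %prep, which is outside this hunk. If %prep uses per-patch `%patch` lines rather than `%autopatch`/`%autosetup -p1`, matching `%patch9 -p1` and `%patch10 -p1` entries are needed, otherwise both CVE fixes are declared but never enter the build, and nothing in the build fails to point that out. Worth confirming in the same change rather than after the package ships.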
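Review bot: The second hunk of the embedded ac3enc.c patch jumps to `init_fail`, but nothing in the patch defines that label, so the backport silently relies on ff_ac3_encode_init in the packaged tree already having it; the upstream commit is from the 2019 tree and the target here is 4.x, so that should be checked against the actual file rather than assumed (a missing label is a compile error, not a patch-apply error, so it surfaces late). The first hunk's `if (s->mdct_end)` guard is the part that makes an early-failure close safe and is independent of the label. The changelog attributes the leak to libavutil/float_dsp.c while the patch modifies libavcodec/ac3enc.c; that is consistent only if the leaked object is an allocation the encoder owns and releases in ff_ac3_encode_close, which the hunk does not show, so a sentence in the patch header such as `Backport note: the leaked object is allocated by the AC-3 encoder init path; this change makes the encoder close path release it on early failure` would save the next reader from re-deriving the link between the CVE text and this file.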
@@ -0,0 +1,38 @@ +From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 25 May 2021 19:29:18 +0200 +Subject: [PATCH] avcodec/exr: More strictly check dc_count +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: out of array access +Fixes: exr/deneme + +Found-by: Burak Çarıkçı +Signed-off-by: Michael Niedermayer +--- + libavcodec/exr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/exr.c b/libavcodec/exr.c +index 9377a89169..4648ed7d62 100644 +--- a/libavcodec/exr.c ++++ b/libavcodec/exr.c +@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size + bytestream2_skip(&gb, ac_size); + } + +- if (dc_size > 0) { ++ { + unsigned long dest_len = dc_count * 2LL; + GetByteContext agb = gb; + +- if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64) ++ if (dc_count != dc_w * dc_h * 3) + return AVERROR_INVALIDDATA; + + av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2); +-- +2.32.0 + From 3ed162e90cf9105c5d17f35cd4a36578599ba6d5391823ca58651e54ec536184 Mon Sep 17 00:00:00 2001 
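Review bot: The new check `if (dc_count != dc_w * dc_h * 3)` compares dc_count against an expected DC block count whose operands, dc_w and dc_h, are defined outside the hunk, so their type and how they are bounded (presumably from the tile size validated earlier) cannot be confirmed here and should be, since the product must not wrap before the comparison. Note also that `unsigned long dest_len = dc_count * 2LL;` is still assigned before the validation runs, which is harmless as written but reads as an unvalidated size to anyone scanning top-down; either move the check above the declaration or add `/* dc_count must equal the tile's 8x8 DC block count (3 channels) before it sizes dc_data */` on the check. Dropping `if (dc_size > 0)` makes this block unconditional, so the stricter equality is now the only thing gating the dc_data allocation. dwa_uncompress continues outside the hunk.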
From: Jan Engelhardt Date: Sat, 10 Jul 2021 10:30:49 +0000 Subject: [PATCH 2/2] Accepting request 905444 from home:frispete:branches:multimedia:libs - Remove second hunk of ffmpeg-CVE-2020-22046.patch, that contains a goto to a none existing label. In order to distinguish this patch from the original, I renamed it to ffmpeg-4.4-CVE-2020-22046.patch - While at it, refresh the other patches with offsets OBS-URL: https://build.opensuse.org/request/show/905444 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=167 --- ffmpeg-4.2-dlopen-fdk_aac.patch | 32 +++++++++---------- ...6.patch => ffmpeg-4.4-CVE-2020-22046.patch | 18 ++--------- ffmpeg-4.changes | 9 ++++++ ffmpeg-4.spec | 2 +- ffmpeg-codec-choice.diff | 10 +++--- soversion.patch | 8 ++--- 6 files changed, 38 insertions(+), 41 deletions(-) rename ffmpeg-CVE-2020-22046.patch => ffmpeg-4.4-CVE-2020-22046.patch (55%) diff --git a/ffmpeg-4.2-dlopen-fdk_aac.patch b/ffmpeg-4.2-dlopen-fdk_aac.patch index 0627e40..5b27482 100644 --- a/ffmpeg-4.2-dlopen-fdk_aac.patch +++ b/ffmpeg-4.2-dlopen-fdk_aac.patch @@ -1,7 +1,7 @@ -Index: ffmpeg-4.2.1/configure +Index: b/configure =================================================================== ---- ffmpeg-4.2.1.orig/configure -+++ ffmpeg-4.2.1/configure +--- a/configure ++++ b/configure @@ -232,6 +232,7 @@ External library support: --enable-libdc1394 enable IIDC-1394 grabbing using libdc1394 and libraw1394 [no] @@ -10,7 +10,7 @@ Index: ffmpeg-4.2.1/configure --enable-libflite enable flite (voice synthesis) support via libflite [no] --enable-libfontconfig enable libfontconfig, useful for drawtext filter [no] --enable-libfreetype enable libfreetype, needed for drawtext filter [no] -@@ -1724,6 +1725,7 @@ EXTERNAL_LIBRARY_GPL_LIST=" +@@ -1735,6 +1736,7 @@ EXTERNAL_LIBRARY_GPL_LIST=" EXTERNAL_LIBRARY_NONFREE_LIST=" decklink libfdk_aac 
@@ -18,7 +18,7 @@ Index: ffmpeg-4.2.1/configure openssl libtls " -@@ -6203,6 +6205,7 @@ enabled libdrm && require_pkg +@@ -6360,6 +6362,7 @@ enabled libdrm && require_pkg enabled libfdk_aac && { check_pkg_config libfdk_aac fdk-aac "fdk-aac/aacenc_lib.h" aacEncOpen || { require libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac && warn "using libfdk without pkg-config"; } } @@ -26,10 +26,10 @@ Index: ffmpeg-4.2.1/configure flite_extralibs="-lflite_cmu_time_awb -lflite_cmu_us_awb -lflite_cmu_us_kal -lflite_cmu_us_kal16 -lflite_cmu_us_rms -lflite_cmu_us_slt -lflite_usenglish -lflite_cmulex -lflite" enabled libflite && require libflite "flite/flite.h" flite_init $flite_extralibs enabled fontconfig && enable libfontconfig -Index: ffmpeg-4.2.1/libavcodec/dlopen.h +Index: b/libavcodec/dlopen.h =================================================================== --- /dev/null -+++ ffmpeg-4.2.1/libavcodec/dlopen.h ++++ b/libavcodec/dlopen.h @@ -0,0 +1,12 @@ +#ifndef LOCALINC_DLOPEN_H +#define LOCALINC_DLOPEN_H @@ -43,10 +43,10 @@ Index: ffmpeg-4.2.1/libavcodec/dlopen.h + goto error; + +#endif -Index: ffmpeg-4.2.1/libavcodec/libfdk-aacdec.c +Index: b/libavcodec/libfdk-aacdec.c =================================================================== ---- ffmpeg-4.2.1.orig/libavcodec/libfdk-aacdec.c -+++ ffmpeg-4.2.1/libavcodec/libfdk-aacdec.c +--- a/libavcodec/libfdk-aacdec.c ++++ b/libavcodec/libfdk-aacdec.c @@ -37,6 +37,54 @@ #define AAC_PCM_MAX_OUTPUT_CHANNELS AAC_PCM_OUTPUT_CHANNELS #endif @@ -102,7 +102,7 @@ Index: ffmpeg-4.2.1/libavcodec/libfdk-aacdec.c enum ConcealMethod { CONCEAL_METHOD_SPECTRAL_MUTING = 0, CONCEAL_METHOD_NOISE_SUBSTITUTION = 1, -@@ -224,6 +272,11 @@ static av_cold int fdk_aac_decode_init(A +@@ -229,6 +277,11 @@ static av_cold int fdk_aac_decode_init(A FDKAACDecContext *s = avctx->priv_data; AAC_DECODER_ERROR err; 
@@ -114,11 +114,11 @@ Index: ffmpeg-4.2.1/libavcodec/libfdk-aacdec.c s->handle = aacDecoder_Open(avctx->extradata_size ? TT_MP4_RAW : TT_MP4_ADTS, 1); if (!s->handle) { av_log(avctx, AV_LOG_ERROR, "Error opening decoder\n"); -Index: ffmpeg-4.2.1/libavcodec/libfdk-aacenc.c +Index: b/libavcodec/libfdk-aacenc.c =================================================================== ---- ffmpeg-4.2.1.orig/libavcodec/libfdk-aacenc.c -+++ ffmpeg-4.2.1/libavcodec/libfdk-aacenc.c -@@ -34,6 +34,48 @@ +--- a/libavcodec/libfdk-aacenc.c ++++ b/libavcodec/libfdk-aacenc.c +@@ -35,6 +35,48 @@ #define FDKENC_VER_AT_LEAST(vl0, vl1) 0 #endif @@ -167,7 +167,7 @@ Index: ffmpeg-4.2.1/libavcodec/libfdk-aacenc.c typedef struct AACContext { const AVClass *class; HANDLE_AACENCODER handle; -@@ -126,6 +168,11 @@ static av_cold int aac_encode_init(AVCod +@@ -128,6 +170,11 @@ static av_cold int aac_encode_init(AVCod int aot = FF_PROFILE_AAC_LOW + 1; int sce = 0, cpe = 0; diff --git a/ffmpeg-CVE-2020-22046.patch b/ffmpeg-4.4-CVE-2020-22046.patch similarity index 55% rename from ffmpeg-CVE-2020-22046.patch rename to ffmpeg-4.4-CVE-2020-22046.patch index 0285e55..ecb1318 100644 --- a/ffmpeg-CVE-2020-22046.patch +++ b/ffmpeg-4.4-CVE-2020-22046.patch @@ -10,11 +10,11 @@ Signed-off-by: Andreas Rheinhardt libavcodec/ac3enc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c -index 76872a8fe0..25318f8631 100644 +Index: b/libavcodec/ac3enc.c +=================================================================== --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c -@@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) +@@ -2148,7 +2148,8 @@ av_cold int ff_ac3_encode_close(AVCodecC av_freep(&block->cpl_coord_mant); } 
@@ -24,15 +24,3 @@ index 76872a8fe0..25318f8631 100644 return 0; } -@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) - - ret = validate_options(s); - if (ret) -- return ret; -+ goto init_fail; - - avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; - avctx->initial_padding = AC3_BLOCK_SIZE; --- -2.32.0 - diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes index fb4e2fe..de26636 100644 --- a/ffmpeg-4.changes +++ b/ffmpeg-4.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Sat Jul 10 10:11:32 UTC 2021 - Hans-Peter Jansen + +- Remove second hunk of ffmpeg-CVE-2020-22046.patch, that contains + a goto to a none existing label. In order to distinguish this + patch from the original, I renamed it to + ffmpeg-4.4-CVE-2020-22046.patch +- While at it, refresh the other patches with offsets + ------------------------------------------------------------------- Thu Jul 8 06:43:28 UTC 2021 - Alynx Zhou diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec index 9bb79ac..b30dd13 100644 --- a/ffmpeg-4.spec +++ b/ffmpeg-4.spec @@ -117,7 +117,7 @@ Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: soversion.patch Patch8: vmaf-trim-usr-local.patch -Patch9: ffmpeg-CVE-2020-22046.patch +Patch9: ffmpeg-4.4-CVE-2020-22046.patch Patch10: ffmpeg-CVE-2021-33815.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel diff --git a/ffmpeg-codec-choice.diff b/ffmpeg-codec-choice.diff index 269fa63..ae4d659 100644 --- a/ffmpeg-codec-choice.diff +++ b/ffmpeg-codec-choice.diff 
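Review bot: Removing the `goto init_fail` hunk restores `return ret;` on the validate_options failure path, so resources ff_ac3_encode_init acquired before that point are only released if the caller invokes ff_ac3_encode_close on init failure; for the 4.4 encoders this holds only if they set FF_CODEC_CAP_INIT_CLEANUP, which is not visible here and should be confirmed, otherwise the leak the CVE entry describes is back on that path. If it does hold, the remaining `if (s->mdct_end)` guard is exactly what makes that close safe, and the changelog entry would be clearer saying so rather than only that the label does not exist. The nested patch header in the `@@ -10,11 +10,11 @@` hunk still reads `libavcodec/ac3enc.c | 5 +++--` and `3 insertions(+), 2 deletions(-)` although the patch now carries 2 insertions and 1 deletion; the stale diffstat is cosmetic but misleads anyone auditing what the package actually changes.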
@@ -11,11 +11,11 @@ reduced codec selection list. libavformat/matroskaenc.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) -Index: ffmpeg-4.3/libavformat/matroskaenc.c +Index: b/libavformat/matroskaenc.c =================================================================== ---- ffmpeg-4.3.orig/libavformat/matroskaenc.c -+++ ffmpeg-4.3/libavformat/matroskaenc.c -@@ -2805,16 +2805,24 @@ static const AVClass matroska_class = { +--- a/libavformat/matroskaenc.c ++++ b/libavformat/matroskaenc.c +@@ -2834,16 +2834,24 @@ static const AVClass matroska_class = { .version = LIBAVUTIL_VERSION_INT, }; @@ -44,7 +44,7 @@ Index: ffmpeg-4.3/libavformat/matroskaenc.c .init = mkv_init, .deinit = mkv_deinit, .write_header = mkv_write_header, -@@ -2876,8 +2884,7 @@ AVOutputFormat ff_matroska_audio_muxer = +@@ -2905,8 +2913,7 @@ AVOutputFormat ff_matroska_audio_muxer = .mime_type = "audio/x-matroska", .extensions = "mka", .priv_data_size = sizeof(MatroskaMuxContext), diff --git a/soversion.patch b/soversion.patch index fc2bcb7..7f7d7d1 100644 --- a/soversion.patch +++ b/soversion.patch @@ -24,11 +24,11 @@ what dlopening programs have to deal with. configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -Index: ffmpeg-4.3.1/configure +Index: b/configure =================================================================== ---- ffmpeg-4.3.1.orig/configure -+++ ffmpeg-4.3.1/configure -@@ -3794,10 +3794,10 @@ SLIBPREF="lib" +--- a/configure ++++ b/configure +@@ -3833,10 +3833,10 @@ SLIBPREF="lib" SLIBSUF=".so" SLIBNAME='$(SLIBPREF)$(FULLNAME)$(SLIBSUF)' SLIBNAME_WITH_VERSION='$(SLIBNAME).$(LIBVERSION)'