diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes index 84cacb5..adad674 100644 --- a/ffmpeg-5.changes +++ b/ffmpeg-5.changes @@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Thu Apr 23 16:14:18 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-51793.patch: + Backporting 0ecc1f0e from upstream, Fix odd height handling. + (CVE-2023-51793 bsc#1223272) + +------------------------------------------------------------------- +Thu Apr 23 15:35:32 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-49502.patch: + Backporting 737ede40 from upstream, account for chroma sub-sampling + in min size calculation. + (CVE-2023-49502 bsc#1223235) + +------------------------------------------------------------------- +Thu Apr 23 14:05:28 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-50008.patch: + Backporting 5f87a68c from upstream, Fix memory leaks. + (CVE-2023-50008 bsc#1223254) + +------------------------------------------------------------------- +Thu Apr 23 12:22:53 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-50007.patch: + Backporting b1942734 from upstream, Fix crash with EOF handling. + (CVE-2023-50007 bsc#1223253) + ------------------------------------------------------------------- Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec index a69a903..2deeee9 100644 --- a/ffmpeg-5.spec +++ b/ffmpeg-5.spec @@ -121,7 +121,10 @@ Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff - +Patch94: ffmpeg-CVE-2023-50007.patch +Patch95: ffmpeg-CVE-2023-50008.patch +Patch96: ffmpeg-CVE-2023-49502.patch +Patch97: ffmpeg-CVE-2023-51793.patch %if %{with amf_sdk} BuildRequires: AMF-devel %endif @@ -817,7 +820,7 @@ done %files private-devel %_includedir/ffmpeg/private/ -%else # "flavor" == "ffmpeg-5-mini" +%else %define _name ffmpeg @@ -848,6 +851,14 @@ Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50007.patch CVE-2023-50007 bsc#1223253 qzhao@suse.com -- Fix crash with EOF handling. +Patch94: ffmpeg-CVE-2023-50007.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50008.patch CVE-2023-50008 bsc#1223254 qzhao@suse.com -- Fix memory leaks. +Patch95: ffmpeg-CVE-2023-50008.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-49502.patch CVE-2023-49502 bsc#1223235 qzhao@suse.com -- Account for chroma sub-sampling in min size calculation. +Patch96: ffmpeg-CVE-2023-49502.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-51793.patch CVE-2023-51793 bsc#1223272 qzhao@suse.com -- Fix odd height handling. +Patch97: ffmpeg-CVE-2023-51793.patch BuildRequires: c_compiler Requires: this-is-only-for-build-envs @@ -946,6 +957,6 @@ rm -Rf "$b/%_datadir/ffmpeg/examples" %_libdir/pkgconfig/*.pc %_includedir/ffmpeg/ -%endif # "flavor" == "ffmpeg-5-mini" +%endif %changelog diff --git a/ffmpeg-CVE-2023-49502.patch b/ffmpeg-CVE-2023-49502.patch new file mode 100644 index 0000000..f7137b4 --- /dev/null +++ b/ffmpeg-CVE-2023-49502.patch @@ -0,0 +1,43 @@ +From 737ede405b11a37fdd61d19cf25df296a0cb0b75 +From: Cosmin Stejerean +Date: Wed Dec 6 18:39:32 2023 +0800 +Subject: avfilter/bwdif: account for chroma sub-sampling in min size calculation +References: https://bugzilla.opensuse.org/1223235 +References: CVE-2023-49502 + +The current logic for detecting frames that are too small for the +algorithm does not account for chroma sub-sampling, and so a sample +where the luma plane is large enough, but the chroma planes are not +will not be rejected. In that event, a heap overflow will occur. + +This change adjusts the logic to consider the chroma planes and makes +the change to all three bwdif implementations. + +Fixes #10688 + +Signed-off-by: Cosmin Stejerean +Reviewed-by: Thomas Mundt +Signed-off-by: Philip Langdale + +diff -Nura ffmpeg-5.1.4/libavfilter/vf_bwdif.c ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c +--- ffmpeg-5.1.4/libavfilter/vf_bwdif.c 2023-11-10 07:38:51.000000000 +0800 ++++ ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c 2024-04-26 01:26:15.539021242 +0800 +@@ -333,13 +333,14 @@ + if(yadif->mode&1) + link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); + +- if (link->w < 3 || link->h < 4) { +- av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); ++ yadif->csp = av_pix_fmt_desc_get(link->format); ++ yadif->filter = filter; ++ ++ if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { ++ av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); + return AVERROR(EINVAL); + } + +- yadif->csp = av_pix_fmt_desc_get(link->format); +- yadif->filter = filter; + if (yadif->csp->comp[0].depth > 8) { + s->filter_intra = filter_intra_16bit; + s->filter_line = filter_line_c_16bit; diff --git a/ffmpeg-CVE-2023-50007.patch b/ffmpeg-CVE-2023-50007.patch new file mode 100644 index 0000000..365136c --- /dev/null +++ b/ffmpeg-CVE-2023-50007.patch @@ -0,0 +1,68 @@ +From b1942734c7cbcdc9034034373abcc9ecb9644c47 +From: Paul B Mahol +Date: Mon Nov 27 11:45:34 2023 +0100 +Subject: avfilter/af_afwtdn: fix crash with EOF handling +References: https://bugzilla.opensuse.org/1223253 +References: CVE-2023-50007 + +diff -Nura ffmpeg-5.1.4/libavfilter/af_afwtdn.c ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c +--- ffmpeg-5.1.4/libavfilter/af_afwtdn.c 2023-11-10 07:38:51.000000000 +0800 ++++ ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c 2024-04-25 16:14:12.016919074 +0800 +@@ -410,6 +410,7 @@ + + uint64_t sn; + int64_t eof_pts; ++ int eof; + + int wavelet_type; + int channels; +@@ -1071,7 +1072,7 @@ + s->drop_samples = 0; + } else { + if (s->padd_samples < 0 && eof) { +- out->nb_samples += s->padd_samples; ++ out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples); + s->padd_samples = 0; + } + if (!eof) +@@ -1210,23 +1211,26 @@ + + FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink); + +- ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); +- if (ret < 0) +- return ret; +- if (ret > 0) +- return filter_frame(inlink, in); ++ if (!s->eof) { ++ ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); ++ if (ret < 0) ++ return ret; ++ if (ret > 0) ++ return filter_frame(inlink, in); ++ } + + if (ff_inlink_acknowledge_status(inlink, &status, &pts)) { +- if (status == AVERROR_EOF) { +- while (s->padd_samples != 0) { +- ret = filter_frame(inlink, NULL); +- if (ret < 0) +- return ret; +- } +- ff_outlink_set_status(outlink, status, pts); +- return ret; +- } ++ if (status == AVERROR_EOF) ++ s->eof = 1; + } ++ ++ if (s->eof && s->padd_samples != 0) { ++ return filter_frame(inlink, NULL); ++ } else if (s->eof) { ++ ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts); ++ return 0; ++ } ++ + FF_FILTER_FORWARD_WANTED(outlink, inlink); + + return FFERROR_NOT_READY; diff --git a/ffmpeg-CVE-2023-50008.patch b/ffmpeg-CVE-2023-50008.patch new file mode 100644 index 0000000..a87ff56 --- /dev/null +++ b/ffmpeg-CVE-2023-50008.patch @@ -0,0 +1,19 @@ +From 5f87a68cf70dafeab2fb89b42e41a4c29053b89b +From: Paul B Mahol +Date: Mon Nov 27 12:08:20 2023 +0100 +Subject: avfilter/vf_colorcorrect: fix memory leaks +References: https://bugzilla.opensuse.org/1223254 +References: CVE-2023-50008 + +diff -Nura ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c +--- ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c 2023-11-10 07:38:51.000000000 +0800 ++++ ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c 2024-04-25 16:21:53.290363296 +0800 +@@ -498,6 +498,8 @@ + ColorCorrectContext *s = ctx->priv; + + av_freep(&s->analyzeret); ++ av_freep(&s->uhistogram); ++ av_freep(&s->vhistogram); + } + + static const AVFilterPad colorcorrect_inputs[] = { diff --git a/ffmpeg-CVE-2023-51793.patch b/ffmpeg-CVE-2023-51793.patch new file mode 100644 index 0000000..18a6bc1 --- /dev/null +++ b/ffmpeg-CVE-2023-51793.patch @@ -0,0 +1,57 @@ +From 0ecc1f0e48930723d7a467761b66850811c23e62 +From: Michael Niedermayer +Date: Fri Dec 22 12:31:35 2023 +0100 +Subject: avfilter/vf_weave: Fix odd height handling +References: https://bugzilla.opensuse.org/1223272 +References: CVE-2023-51793 + +Fixes: out of array access +Fixes: tickets/10743/poc10ffmpeg + +Found-by: Zeng Yunxiang and Li Zeyuan +Signed-off-by: Michael Niedermayer + +diff -Nura ffmpeg-5.1.4/libavfilter/vf_weave.c ffmpeg-5.1.4_new/libavfilter/vf_weave.c +--- ffmpeg-5.1.4/libavfilter/vf_weave.c 2023-11-10 07:38:51.000000000 +0800 ++++ ffmpeg-5.1.4_new/libavfilter/vf_weave.c 2024-04-26 01:39:00.742700759 +0800 +@@ -30,6 +30,7 @@ + int double_weave; + int nb_planes; + int planeheight[4]; ++ int outheight[4]; + int linesize[4]; + + AVFrame *prev; +@@ -79,6 +80,9 @@ + s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); + s->planeheight[0] = s->planeheight[3] = inlink->h; + ++ s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); ++ s->outheight[0] = s->outheight[3] = 2*inlink->h; ++ + s->nb_planes = av_pix_fmt_count_planes(inlink->format); + + return 0; +@@ -104,19 +108,20 @@ + const int height = s->planeheight[i]; + const int start = (height * jobnr) / nb_jobs; + const int end = (height * (jobnr+1)) / nb_jobs; ++ const int compensation = 2*end > s->outheight[i]; + + av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + in->data[i] + start * in->linesize[i], + in->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field1); + av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + s->prev->data[i] + start * s->prev->linesize[i], + s->prev->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field2); + } + + return 0;