Accepting request 1170214 from multimedia:libs
(CVE-2023-51793 bsc#1223272) (CVE-2023-49502 bsc#1223235) (CVE-2023-50008 bsc#1223254) (CVE-2023-50007 bsc#1223253) OBS-URL: https://build.opensuse.org/request/show/1170214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ffmpeg-5?expand=0&rev=24
This commit is contained in:
commit
106a991aa6
@ -1,3 +1,32 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 23 16:14:18 UTC 2024 - Cliff Zhao <qzhao@suse.com>
|
||||||
|
|
||||||
|
- Add ffmpeg-CVE-2023-51793.patch:
|
||||||
|
Backporting 0ecc1f0e from upstream, Fix odd height handling.
|
||||||
|
(CVE-2023-51793 bsc#1223272)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 23 15:35:32 UTC 2024 - Cliff Zhao <qzhao@suse.com>
|
||||||
|
|
||||||
|
- Add ffmpeg-CVE-2023-49502.patch:
|
||||||
|
Backporting 737ede40 from upstream, account for chroma sub-sampling
|
||||||
|
in min size calculation.
|
||||||
|
(CVE-2023-49502 bsc#1223235)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 23 14:05:28 UTC 2024 - Cliff Zhao <qzhao@suse.com>
|
||||||
|
|
||||||
|
- Add ffmpeg-CVE-2023-50008.patch:
|
||||||
|
Backporting 5f87a68c from upstream, Fix memory leaks.
|
||||||
|
(CVE-2023-50008 bsc#1223254)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 23 12:22:53 UTC 2024 - Cliff Zhao <qzhao@suse.com>
|
||||||
|
|
||||||
|
- Add ffmpeg-CVE-2023-50007.patch:
|
||||||
|
Backporting b1942734 from upstream, Fix crash with EOF handling.
|
||||||
|
(CVE-2023-50007 bsc#1223253)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
@ -121,7 +121,10 @@ Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
|
|||||||
Patch90: ffmpeg-chromium.patch
|
Patch90: ffmpeg-chromium.patch
|
||||||
Patch91: ffmpeg-dlopen-openh264.patch
|
Patch91: ffmpeg-dlopen-openh264.patch
|
||||||
Patch93: soname.diff
|
Patch93: soname.diff
|
||||||
|
Patch94: ffmpeg-CVE-2023-50007.patch
|
||||||
|
Patch95: ffmpeg-CVE-2023-50008.patch
|
||||||
|
Patch96: ffmpeg-CVE-2023-49502.patch
|
||||||
|
Patch97: ffmpeg-CVE-2023-51793.patch
|
||||||
%if %{with amf_sdk}
|
%if %{with amf_sdk}
|
||||||
BuildRequires: AMF-devel
|
BuildRequires: AMF-devel
|
||||||
%endif
|
%endif
|
||||||
@ -817,7 +820,7 @@ done
|
|||||||
%files private-devel
|
%files private-devel
|
||||||
%_includedir/ffmpeg/private/
|
%_includedir/ffmpeg/private/
|
||||||
|
|
||||||
%else # "flavor" == "ffmpeg-5-mini"
|
%else
|
||||||
|
|
||||||
%define _name ffmpeg
|
%define _name ffmpeg
|
||||||
|
|
||||||
@ -848,6 +851,14 @@ Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch
|
|||||||
Patch90: ffmpeg-chromium.patch
|
Patch90: ffmpeg-chromium.patch
|
||||||
Patch91: ffmpeg-dlopen-openh264.patch
|
Patch91: ffmpeg-dlopen-openh264.patch
|
||||||
Patch93: soname.diff
|
Patch93: soname.diff
|
||||||
|
# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50007.patch CVE-2023-50007 bsc#1223253 qzhao@suse.com -- Fix crash with EOF handling.
|
||||||
|
Patch94: ffmpeg-CVE-2023-50007.patch
|
||||||
|
# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50008.patch CVE-2023-50008 bsc#1223254 qzhao@suse.com -- Fix memory leaks.
|
||||||
|
Patch95: ffmpeg-CVE-2023-50008.patch
|
||||||
|
# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-49502.patch CVE-2023-49502 bsc#1223235 qzhao@suse.com -- Account for chroma sub-sampling in min size calculation.
|
||||||
|
Patch96: ffmpeg-CVE-2023-49502.patch
|
||||||
|
# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-51793.patch CVE-2023-51793 bsc#1223272 qzhao@suse.com -- Fix odd height handling.
|
||||||
|
Patch97: ffmpeg-CVE-2023-51793.patch
|
||||||
BuildRequires: c_compiler
|
BuildRequires: c_compiler
|
||||||
Requires: this-is-only-for-build-envs
|
Requires: this-is-only-for-build-envs
|
||||||
|
|
||||||
@ -946,6 +957,6 @@ rm -Rf "$b/%_datadir/ffmpeg/examples"
|
|||||||
%_libdir/pkgconfig/*.pc
|
%_libdir/pkgconfig/*.pc
|
||||||
%_includedir/ffmpeg/
|
%_includedir/ffmpeg/
|
||||||
|
|
||||||
%endif # "flavor" == "ffmpeg-5-mini"
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
43
ffmpeg-CVE-2023-49502.patch
Normal file
43
ffmpeg-CVE-2023-49502.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From 737ede405b11a37fdd61d19cf25df296a0cb0b75
|
||||||
|
From: Cosmin Stejerean <cosmin@cosmin.at>
|
||||||
|
Date: Wed Dec 6 18:39:32 2023 +0800
|
||||||
|
Subject: avfilter/bwdif: account for chroma sub-sampling in min size calculation
|
||||||
|
References: https://bugzilla.opensuse.org/1223235
|
||||||
|
References: CVE-2023-49502
|
||||||
|
|
||||||
|
The current logic for detecting frames that are too small for the
|
||||||
|
algorithm does not account for chroma sub-sampling, and so a sample
|
||||||
|
where the luma plane is large enough, but the chroma planes are not
|
||||||
|
will not be rejected. In that event, a heap overflow will occur.
|
||||||
|
|
||||||
|
This change adjusts the logic to consider the chroma planes and makes
|
||||||
|
the change to all three bwdif implementations.
|
||||||
|
|
||||||
|
Fixes #10688
|
||||||
|
|
||||||
|
Signed-off-by: Cosmin Stejerean <cosmin@cosmin.at>
|
||||||
|
Reviewed-by: Thomas Mundt <tmundt75@gmail.com>
|
||||||
|
Signed-off-by: Philip Langdale <philipl@overt.org>
|
||||||
|
|
||||||
|
diff -Nura ffmpeg-5.1.4/libavfilter/vf_bwdif.c ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c
|
||||||
|
--- ffmpeg-5.1.4/libavfilter/vf_bwdif.c 2023-11-10 07:38:51.000000000 +0800
|
||||||
|
+++ ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c 2024-04-26 01:26:15.539021242 +0800
|
||||||
|
@@ -333,13 +333,14 @@
|
||||||
|
if(yadif->mode&1)
|
||||||
|
link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1});
|
||||||
|
|
||||||
|
- if (link->w < 3 || link->h < 4) {
|
||||||
|
- av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n");
|
||||||
|
+ yadif->csp = av_pix_fmt_desc_get(link->format);
|
||||||
|
+ yadif->filter = filter;
|
||||||
|
+
|
||||||
|
+ if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) {
|
||||||
|
+ av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n");
|
||||||
|
return AVERROR(EINVAL);
|
||||||
|
}
|
||||||
|
|
||||||
|
- yadif->csp = av_pix_fmt_desc_get(link->format);
|
||||||
|
- yadif->filter = filter;
|
||||||
|
if (yadif->csp->comp[0].depth > 8) {
|
||||||
|
s->filter_intra = filter_intra_16bit;
|
||||||
|
s->filter_line = filter_line_c_16bit;
|
68
ffmpeg-CVE-2023-50007.patch
Normal file
68
ffmpeg-CVE-2023-50007.patch
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
From b1942734c7cbcdc9034034373abcc9ecb9644c47
|
||||||
|
From: Paul B Mahol <onemda@gmail.com>
|
||||||
|
Date: Mon Nov 27 11:45:34 2023 +0100
|
||||||
|
Subject: avfilter/af_afwtdn: fix crash with EOF handling
|
||||||
|
References: https://bugzilla.opensuse.org/1223253
|
||||||
|
References: CVE-2023-50007
|
||||||
|
|
||||||
|
diff -Nura ffmpeg-5.1.4/libavfilter/af_afwtdn.c ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c
|
||||||
|
--- ffmpeg-5.1.4/libavfilter/af_afwtdn.c 2023-11-10 07:38:51.000000000 +0800
|
||||||
|
+++ ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c 2024-04-25 16:14:12.016919074 +0800
|
||||||
|
@@ -410,6 +410,7 @@
|
||||||
|
|
||||||
|
uint64_t sn;
|
||||||
|
int64_t eof_pts;
|
||||||
|
+ int eof;
|
||||||
|
|
||||||
|
int wavelet_type;
|
||||||
|
int channels;
|
||||||
|
@@ -1071,7 +1072,7 @@
|
||||||
|
s->drop_samples = 0;
|
||||||
|
} else {
|
||||||
|
if (s->padd_samples < 0 && eof) {
|
||||||
|
- out->nb_samples += s->padd_samples;
|
||||||
|
+ out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
|
||||||
|
s->padd_samples = 0;
|
||||||
|
}
|
||||||
|
if (!eof)
|
||||||
|
@@ -1210,23 +1211,26 @@
|
||||||
|
|
||||||
|
FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
|
||||||
|
|
||||||
|
- ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
|
||||||
|
- if (ret < 0)
|
||||||
|
- return ret;
|
||||||
|
- if (ret > 0)
|
||||||
|
- return filter_frame(inlink, in);
|
||||||
|
+ if (!s->eof) {
|
||||||
|
+ ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
|
||||||
|
+ if (ret < 0)
|
||||||
|
+ return ret;
|
||||||
|
+ if (ret > 0)
|
||||||
|
+ return filter_frame(inlink, in);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
|
||||||
|
- if (status == AVERROR_EOF) {
|
||||||
|
- while (s->padd_samples != 0) {
|
||||||
|
- ret = filter_frame(inlink, NULL);
|
||||||
|
- if (ret < 0)
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
- ff_outlink_set_status(outlink, status, pts);
|
||||||
|
- return ret;
|
||||||
|
- }
|
||||||
|
+ if (status == AVERROR_EOF)
|
||||||
|
+ s->eof = 1;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (s->eof && s->padd_samples != 0) {
|
||||||
|
+ return filter_frame(inlink, NULL);
|
||||||
|
+ } else if (s->eof) {
|
||||||
|
+ ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
FF_FILTER_FORWARD_WANTED(outlink, inlink);
|
||||||
|
|
||||||
|
return FFERROR_NOT_READY;
|
19
ffmpeg-CVE-2023-50008.patch
Normal file
19
ffmpeg-CVE-2023-50008.patch
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
From 5f87a68cf70dafeab2fb89b42e41a4c29053b89b
|
||||||
|
From: Paul B Mahol <onemda@gmail.com>
|
||||||
|
Date: Mon Nov 27 12:08:20 2023 +0100
|
||||||
|
Subject: avfilter/vf_colorcorrect: fix memory leaks
|
||||||
|
References: https://bugzilla.opensuse.org/1223254
|
||||||
|
References: CVE-2023-50008
|
||||||
|
|
||||||
|
diff -Nura ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c
|
||||||
|
--- ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c 2023-11-10 07:38:51.000000000 +0800
|
||||||
|
+++ ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c 2024-04-25 16:21:53.290363296 +0800
|
||||||
|
@@ -498,6 +498,8 @@
|
||||||
|
ColorCorrectContext *s = ctx->priv;
|
||||||
|
|
||||||
|
av_freep(&s->analyzeret);
|
||||||
|
+ av_freep(&s->uhistogram);
|
||||||
|
+ av_freep(&s->vhistogram);
|
||||||
|
}
|
||||||
|
|
||||||
|
static const AVFilterPad colorcorrect_inputs[] = {
|
57
ffmpeg-CVE-2023-51793.patch
Normal file
57
ffmpeg-CVE-2023-51793.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
From 0ecc1f0e48930723d7a467761b66850811c23e62
|
||||||
|
From: Michael Niedermayer <michael@niedermayer.cc>
|
||||||
|
Date: Fri Dec 22 12:31:35 2023 +0100
|
||||||
|
Subject: avfilter/vf_weave: Fix odd height handling
|
||||||
|
References: https://bugzilla.opensuse.org/1223272
|
||||||
|
References: CVE-2023-51793
|
||||||
|
|
||||||
|
Fixes: out of array access
|
||||||
|
Fixes: tickets/10743/poc10ffmpeg
|
||||||
|
|
||||||
|
Found-by: Zeng Yunxiang and Li Zeyuan
|
||||||
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
||||||
|
|
||||||
|
diff -Nura ffmpeg-5.1.4/libavfilter/vf_weave.c ffmpeg-5.1.4_new/libavfilter/vf_weave.c
|
||||||
|
--- ffmpeg-5.1.4/libavfilter/vf_weave.c 2023-11-10 07:38:51.000000000 +0800
|
||||||
|
+++ ffmpeg-5.1.4_new/libavfilter/vf_weave.c 2024-04-26 01:39:00.742700759 +0800
|
||||||
|
@@ -30,6 +30,7 @@
|
||||||
|
int double_weave;
|
||||||
|
int nb_planes;
|
||||||
|
int planeheight[4];
|
||||||
|
+ int outheight[4];
|
||||||
|
int linesize[4];
|
||||||
|
|
||||||
|
AVFrame *prev;
|
||||||
|
@@ -79,6 +80,9 @@
|
||||||
|
s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h);
|
||||||
|
s->planeheight[0] = s->planeheight[3] = inlink->h;
|
||||||
|
|
||||||
|
+ s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h);
|
||||||
|
+ s->outheight[0] = s->outheight[3] = 2*inlink->h;
|
||||||
|
+
|
||||||
|
s->nb_planes = av_pix_fmt_count_planes(inlink->format);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
@@ -104,19 +108,20 @@
|
||||||
|
const int height = s->planeheight[i];
|
||||||
|
const int start = (height * jobnr) / nb_jobs;
|
||||||
|
const int end = (height * (jobnr+1)) / nb_jobs;
|
||||||
|
+ const int compensation = 2*end > s->outheight[i];
|
||||||
|
|
||||||
|
av_image_copy_plane(out->data[i] + out->linesize[i] * field1 +
|
||||||
|
out->linesize[i] * start * 2,
|
||||||
|
out->linesize[i] * 2,
|
||||||
|
in->data[i] + start * in->linesize[i],
|
||||||
|
in->linesize[i],
|
||||||
|
- s->linesize[i], end - start);
|
||||||
|
+ s->linesize[i], end - start - compensation * field1);
|
||||||
|
av_image_copy_plane(out->data[i] + out->linesize[i] * field2 +
|
||||||
|
out->linesize[i] * start * 2,
|
||||||
|
out->linesize[i] * 2,
|
||||||
|
s->prev->data[i] + start * s->prev->linesize[i],
|
||||||
|
s->prev->linesize[i],
|
||||||
|
- s->linesize[i], end - start);
|
||||||
|
+ s->linesize[i], end - start - compensation * field2);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
Loading…
Reference in New Issue
Block a user