Accepting request 1170119 from multimedia:libs

(CVE-2023-50008 bsc#1223254) (CVE-2023-50007 bsc#1223253) OBS-URL: https://build.opensuse.org/request/show/1170119 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ffmpeg-6?expand=0&rev=11
2024-04-26 21:26:10 +00:00 · 2024-04-26 21:26:10 +00:00 · c635635fc0
commit c635635fc0
parent d11a839b13 e22a461db0
4 changed files with 105 additions and 1 deletions
--- a/ffmpeg-6.changes
+++ b/ffmpeg-6.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Apr 23 14:05:28 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-CVE-2023-50008.patch:
+  Backporting 5f87a68c from upstream, Fix memory leaks.
+  (CVE-2023-50008 bsc#1223254)
+
+-------------------------------------------------------------------
+Thu Apr 23 12:22:53 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-CVE-2023-50007.patch:
+  Backporting b1942734 from upstream, Fix crash with EOF handling.
+  (CVE-2023-50007 bsc#1223253)
+
 -------------------------------------------------------------------
 Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

--- a/ffmpeg-6.spec
+++ b/ffmpeg-6.spec
@ -120,7 +120,8 @@ Patch12:        0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch13:        0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
 Patch90:        ffmpeg-chromium.patch
 Patch91:        ffmpeg-dlopen-openh264.patch
-
+Patch92:        ffmpeg-CVE-2023-50007.patch
+Patch93:        ffmpeg-CVE-2023-50008.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel >= 3.98.3
@ -841,6 +842,8 @@ Patch12:        0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch13:        0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch
 Patch90:        ffmpeg-chromium.patch
 Patch91:        ffmpeg-dlopen-openh264.patch
+Patch92:        ffmpeg-CVE-2023-50007.patch
+Patch93:        ffmpeg-CVE-2023-50008.patch
 BuildRequires:  c_compiler
 Requires:       this-is-only-for-build-envs

--- a/ffmpeg-CVE-2023-50007.patch
+++ b/ffmpeg-CVE-2023-50007.patch
@ -0,0 +1,68 @@
+From b1942734c7cbcdc9034034373abcc9ecb9644c47 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Nov 2023 11:45:34 +0100
+Subject: [PATCH] avfilter/af_afwtdn: fix crash with EOF handling
+References: https://bugzilla.opensuse.org/1223253
+References: CVE-2023-50007
+
+diff -Nura ffmpeg-6.1.1/libavfilter/af_afwtdn.c ffmpeg-6.1.1_new/libavfilter/af_afwtdn.c
+--- ffmpeg-6.1.1/libavfilter/af_afwtdn.c	2023-11-11 08:25:17.000000000 +0800
+++ ffmpeg-6.1.1_new/libavfilter/af_afwtdn.c	2024-04-25 14:15:23.737350315 +0800
+@@ -408,6 +408,7 @@
+ 
+     uint64_t sn;
+     int64_t eof_pts;
+    int eof;
+ 
+     int wavelet_type;
+     int channels;
+@@ -1069,7 +1070,7 @@
+         s->drop_samples = 0;
+     } else {
+         if (s->padd_samples < 0 && eof) {
+-            out->nb_samples += s->padd_samples;
+            out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
+             s->padd_samples = 0;
+         }
+         if (!eof)
+@@ -1208,23 +1209,26 @@
+ 
+     FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
+ 
+-    ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+-    if (ret < 0)
+-        return ret;
+-    if (ret > 0)
+-        return filter_frame(inlink, in);
+    if (!s->eof) {
+        ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+        if (ret < 0)
+            return ret;
+        if (ret > 0)
+            return filter_frame(inlink, in);
+    }
+ 
+     if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
+-        if (status == AVERROR_EOF) {
+-            while (s->padd_samples != 0) {
+-                ret = filter_frame(inlink, NULL);
+-                if (ret < 0)
+-                    return ret;
+-            }
+-            ff_outlink_set_status(outlink, status, pts);
+-            return ret;
+-        }
+        if (status == AVERROR_EOF)
+            s->eof = 1;
+     }
+
+    if (s->eof && s->padd_samples != 0) {
+        return filter_frame(inlink, NULL);
+    } else if (s->eof) {
+        ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
+        return 0;
+    }
+
+     FF_FILTER_FORWARD_WANTED(outlink, inlink);
+ 
+     return FFERROR_NOT_READY;
--- a/ffmpeg-CVE-2023-50008.patch
+++ b/ffmpeg-CVE-2023-50008.patch
@ -0,0 +1,19 @@
+From 5f87a68cf70dafeab2fb89b42e41a4c29053b89b  Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon Nov 27 12:08:20 2023 +0100
+Subject: avfilter/vf_colorcorrect: fix memory leaks
+References: https://bugzilla.opensuse.org/1223254
+References: CVE-2023-50008
+
+diff -Nura ffmpeg-6.1.1/libavfilter/vf_colorcorrect.c ffmpeg-6.1.1_new/libavfilter/vf_colorcorrect.c
+--- ffmpeg-6.1.1/libavfilter/vf_colorcorrect.c	2023-11-11 08:25:17.000000000 +0800
+++ ffmpeg-6.1.1_new/libavfilter/vf_colorcorrect.c	2024-04-25 14:35:29.717468737 +0800
+@@ -497,6 +497,8 @@
+     ColorCorrectContext *s = ctx->priv;
+ 
+     av_freep(&s->analyzeret);
+    av_freep(&s->uhistogram);
+    av_freep(&s->vhistogram);
+ }
+ 
+ static const AVFilterPad colorcorrect_inputs[] = {