diff --git a/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch new file mode 100644 index 0000000..bfd6f74 --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch @@ -0,0 +1,44 @@ +From f1f973313b6edc460339c2dfa4675dd3ad72fe98 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Mon, 27 Nov 2023 11:52:37 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: do output scaling once +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 + +--- + libavfilter/af_dialoguenhance.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 5c8614c185..2674313f5c 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -108,7 +108,7 @@ static int config_input(AVFilterLink *inlink) + + generate_window_func(s->window, s->fft_size, WFUNC_SINE, &overlap); + +- iscale = 1.f / s->fft_size; ++ iscale = 1.f / (s->fft_size * 1.5f); + + ret = av_tx_init(&s->tx_ctx[0], &s->tx_fn, AV_TX_FLOAT_RDFT, 0, s->fft_size, &scale, 0); + if (ret < 0) +@@ -296,13 +296,10 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + memcpy(left_osamples, left_in, overlap * sizeof(float)); + memcpy(right_osamples, right_in, overlap * sizeof(float)); + +- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude +- if (!ctx->is_disabled) { +- for (int i = 0; i < overlap; i++) +- center_osamples[i] = left_out[i] / 1.5f; +- } else { ++ if (ctx->is_disabled) + memset(center_osamples, 0, overlap * sizeof(float)); +- } ++ else ++ memcpy(center_osamples, left_out, overlap * sizeof(float)); + + return 0; + } +-- +2.44.0 + diff --git a/0001-avfilter-af_dialoguenhance-fix-overreads.patch b/0001-avfilter-af_dialoguenhance-fix-overreads.patch new file mode 100644 index 0000000..591bfad --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-fix-overreads.patch @@ -0,0 +1,56 @@ +From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Sat, 25 Nov 2023 12:54:28 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 + +--- + libavfilter/af_dialoguenhance.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 1762ea7cde..29c8ab10a7 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink) + if (!s->window) + return AVERROR(ENOMEM); + +- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4); ++ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + if (!s->in_frame || !s->windowed_out || !s->windowed_prev || + !s->out_dist_frame || !s->windowed_frame || !s->center_frame) + return AVERROR(ENOMEM); +@@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + float *right_osamples = (float *)out->extended_data[1]; + float *center_osamples = (float *)out->extended_data[2]; + const int offset = s->fft_size - s->overlap; ++ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); + float vad; + + // shift in/out buffers +@@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); + memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); + +- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float)); +- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float)); ++ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); ++ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); + memset(&left_out[offset], 0, s->overlap * sizeof(float)); + memset(&right_out[offset], 0, s->overlap * sizeof(float)); + +-- +2.44.0 + diff --git a/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch new file mode 100644 index 0000000..3f7bebf --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch @@ -0,0 +1,71 @@ +From 4671fb7dfb8e72b228e04f3b81da7f2003c62240 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Mon, 27 Nov 2023 00:38:56 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: simplify channels copy +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 + +--- + libavfilter/af_dialoguenhance.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 29c8ab10a7..5c8614c185 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -249,20 +249,21 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + float *left_osamples = (float *)out->extended_data[0]; + float *right_osamples = (float *)out->extended_data[1]; + float *center_osamples = (float *)out->extended_data[2]; +- const int offset = s->fft_size - s->overlap; +- const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); ++ const int overlap = s->overlap; ++ const int offset = s->fft_size - overlap; ++ const int nb_samples = FFMIN(overlap, s->in->nb_samples); + float vad; + + // shift in/out buffers +- memmove(left_in, &left_in[s->overlap], offset * sizeof(float)); +- memmove(right_in, &right_in[s->overlap], offset * sizeof(float)); +- memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); +- memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); ++ memmove(left_in, &left_in[overlap], offset * sizeof(float)); ++ memmove(right_in, &right_in[overlap], offset * sizeof(float)); ++ memmove(left_out, &left_out[overlap], offset * sizeof(float)); ++ memmove(right_out, &right_out[overlap], offset * sizeof(float)); + + memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); + memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); +- memset(&left_out[offset], 0, s->overlap * sizeof(float)); +- memset(&right_out[offset], 0, s->overlap * sizeof(float)); ++ memset(&left_out[offset], 0, overlap * sizeof(float)); ++ memset(&right_out[offset], 0, overlap * sizeof(float)); + + apply_window(s, left_in, windowed_left, 0); + apply_window(s, right_in, windowed_right, 0); +@@ -292,14 +293,15 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + + apply_window(s, windowed_oleft, left_out, 1); + +- for (int i = 0; i < s->overlap; i++) { +- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude +- if (!ctx->is_disabled) ++ memcpy(left_osamples, left_in, overlap * sizeof(float)); ++ memcpy(right_osamples, right_in, overlap * sizeof(float)); ++ ++ // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude ++ if (!ctx->is_disabled) { ++ for (int i = 0; i < overlap; i++) + center_osamples[i] = left_out[i] / 1.5f; +- else +- center_osamples[i] = 0.f; +- left_osamples[i] = left_in[i]; +- right_osamples[i] = right_in[i]; ++ } else { ++ memset(center_osamples, 0, overlap * sizeof(float)); + } + + return 0; +-- +2.44.0 + diff --git a/0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch b/0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch new file mode 100644 index 0000000..474b5e3 --- /dev/null +++ b/0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch @@ -0,0 +1,28 @@ +From 4adb93dff05dd947878c67784d98c9a4e13b57a7 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Thu, 23 Nov 2023 14:58:35 +0100 +Subject: [PATCH] avfilter/asrc_afirsrc: fix by one smaller allocation of + buffer +References: https://bugzilla.opensuse.org/1223215 +References: CVE-2023-49501 + +--- + libavfilter/asrc_afirsrc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavfilter/asrc_afirsrc.c b/libavfilter/asrc_afirsrc.c +index e2359c159f..ea04c35759 100644 +--- a/libavfilter/asrc_afirsrc.c ++++ b/libavfilter/asrc_afirsrc.c +@@ -480,7 +480,7 @@ static av_cold int config_eq_output(AVFilterLink *outlink) + if (ret < 0) + return ret; + +- s->magnitude = av_calloc(s->nb_magnitude, sizeof(*s->magnitude)); ++ s->magnitude = av_calloc(s->nb_magnitude + 1, sizeof(*s->magnitude)); + if (!s->magnitude) + return AVERROR(ENOMEM); + memcpy(s->magnitude, eq_presets[s->preset].gains, sizeof(*s->magnitude) * s->nb_magnitude); +-- +2.44.0 + diff --git a/0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch b/0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch new file mode 100644 index 0000000..44941a7 --- /dev/null +++ b/0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch @@ -0,0 +1,104 @@ +From 737ede405b11a37fdd61d19cf25df296a0cb0b75 Mon Sep 17 00:00:00 2001 +From: Cosmin Stejerean +Date: Wed, 6 Dec 2023 18:39:32 +0800 +Subject: [PATCH] avfilter/bwdif: account for chroma sub-sampling in min size + calculation +References: https://bugzilla.opensuse.org/1223235 +References: CVE-2023-49502 + +The current logic for detecting frames that are too small for the +algorithm does not account for chroma sub-sampling, and so a sample +where the luma plane is large enough, but the chroma planes are not +will not be rejected. In that event, a heap overflow will occur. + +This change adjusts the logic to consider the chroma planes and makes +the change to all three bwdif implementations. + +Fixes #10688 + +Signed-off-by: Cosmin Stejerean +Reviewed-by: Thomas Mundt +Signed-off-by: Philip Langdale +--- + libavfilter/vf_bwdif.c | 9 +++++---- + libavfilter/vf_bwdif_cuda.c | 11 ++++++----- + libavfilter/vf_bwdif_vulkan.c | 11 +++++------ + 3 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c +index 137cd5ef13..353cd0b61a 100644 +--- a/libavfilter/vf_bwdif.c ++++ b/libavfilter/vf_bwdif.c +@@ -191,13 +191,14 @@ static int config_props(AVFilterLink *link) + return ret; + } + +- if (link->w < 3 || link->h < 4) { +- av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); ++ yadif->csp = av_pix_fmt_desc_get(link->format); ++ yadif->filter = filter; ++ ++ if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { ++ av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); + return AVERROR(EINVAL); + } + +- yadif->csp = av_pix_fmt_desc_get(link->format); +- yadif->filter = filter; + ff_bwdif_init_filter_line(&s->dsp, yadif->csp->comp[0].depth); + + return 0; +diff --git a/libavfilter/vf_bwdif_cuda.c b/libavfilter/vf_bwdif_cuda.c +index a5ecfbadb6..418f15f989 100644 +--- a/libavfilter/vf_bwdif_cuda.c ++++ b/libavfilter/vf_bwdif_cuda.c +@@ -296,15 +296,16 @@ static int config_output(AVFilterLink *link) + link->frame_rate = av_mul_q(ctx->inputs[0]->frame_rate, + (AVRational){2, 1}); + +- if (link->w < 3 || link->h < 3) { +- av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); +- ret = AVERROR(EINVAL); +- goto exit; +- } + + y->csp = av_pix_fmt_desc_get(output_frames->sw_format); + y->filter = filter; + ++ if (AV_CEIL_RSHIFT(link->w, y->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, y->csp->log2_chroma_h) < 3) { ++ av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or lines is not supported\n"); ++ ret = AVERROR(EINVAL); ++ goto exit; ++ } ++ + ret = CHECK_CU(cu->cuCtxPushCurrent(s->hwctx->cuda_ctx)); + if (ret < 0) + goto exit; +diff --git a/libavfilter/vf_bwdif_vulkan.c b/libavfilter/vf_bwdif_vulkan.c +index 690a89c4ba..c51df9aa26 100644 +--- a/libavfilter/vf_bwdif_vulkan.c ++++ b/libavfilter/vf_bwdif_vulkan.c +@@ -362,15 +362,14 @@ static int bwdif_vulkan_config_output(AVFilterLink *outlink) + outlink->frame_rate = av_mul_q(avctx->inputs[0]->frame_rate, + (AVRational){2, 1}); + +- if (outlink->w < 4 || outlink->h < 4) { +- av_log(avctx, AV_LOG_ERROR, "Video of less than 4 columns or lines is not " +- "supported\n"); +- return AVERROR(EINVAL); +- } +- + y->csp = av_pix_fmt_desc_get(vkctx->frames->sw_format); + y->filter = bwdif_vulkan_filter_frame; + ++ if (AV_CEIL_RSHIFT(outlink->w, y->csp->log2_chroma_w) < 4 || AV_CEIL_RSHIFT(outlink->h, y->csp->log2_chroma_h) < 4) { ++ av_log(avctx, AV_LOG_ERROR, "Video with planes less than 4 columns or lines is not supported\n"); ++ return AVERROR(EINVAL); ++ } ++ + return init_filter(avctx); + } + +-- +2.44.0 + diff --git a/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch new file mode 100644 index 0000000..00b9203 --- /dev/null +++ b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch @@ -0,0 +1,31 @@ +From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Fri, 29 Dec 2023 05:56:43 +0800 +Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow +References: https://bugzilla.opensuse.org/1223085 +References: CVE-2024-31582 + +And improve the performance by a little bit. + +Signed-off-by: Zhao Zhili +--- + libavfilter/vf_codecview.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c +index 55d9c8c04f..f65ccbda70 100644 +--- a/libavfilter/vf_codecview.c ++++ b/libavfilter/vf_codecview.c +@@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr + buf[sx + w - 1] = color; + buf += stride; + } +- +- for (int x = sx; x < sx + w; x++) +- buf[x] = color; + } + + static int filter_frame(AVFilterLink *inlink, AVFrame *frame) +-- +2.44.0 + diff --git a/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch new file mode 100644 index 0000000..6501dad --- /dev/null +++ b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch @@ -0,0 +1,46 @@ +From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Tue, 20 Feb 2024 20:08:55 +0800 +Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant +References: https://bugzilla.opensuse.org/1223070 +References: CVE-2024-31578 + +Fix heap use after free when vulkan_frames_init failed. + +Signed-off-by: Zhao Zhili +--- + libavutil/hwcontext.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c +index 1d2c2d7920..aa1329bf2b 100644 +--- a/libavutil/hwcontext.c ++++ b/libavutil/hwcontext.c +@@ -359,7 +359,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->internal->hw_type->frames_init) { + ret = ctx->internal->hw_type->frames_init(ctx); + if (ret < 0) +- goto fail; ++ return ret; + } + + if (ctx->internal->pool_internal && !ctx->pool) +@@ -369,14 +369,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->initial_pool_size > 0) { + ret = hwframe_pool_prealloc(ref); + if (ret < 0) +- goto fail; ++ return ret; + } + + return 0; +-fail: +- if (ctx->internal->hw_type->frames_uninit) +- ctx->internal->hw_type->frames_uninit(ctx); +- return ret; + } + + int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, +-- +2.44.0 + diff --git a/ffmpeg-6.changes b/ffmpeg-6.changes index 8c9de46..2e94c14 100644 --- a/ffmpeg-6.changes +++ b/ffmpeg-6.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt + +- Address boo#1223215/CVE-2023-49501: add patch + 0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch +- Address boo#1223235/CVE-2023-49502: add patch + 0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch +- Address boo#1222730/CVE-2023-49528: add patches + 0001-avfilter-af_dialoguenhance-fix-overreads.patch, + 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, + 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +- Address boo#1223070/CVE-2024-31578: add patch + 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +- Address boo#1223085/CVE-2024-31582: add patch + 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch + ------------------------------------------------------------------- Fri Mar 22 09:25:28 UTC 2024 - Jan Engelhardt diff --git a/ffmpeg-6.spec b/ffmpeg-6.spec index 1f5fe09..8b13fe6 100644 --- a/ffmpeg-6.spec +++ b/ffmpeg-6.spec @@ -111,7 +111,14 @@ Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch6: 0001-avcodec-tests-rename-the-bundled-Mesa-AV1-vulkan-vid.patch -Patch10: ffmpeg-chromium.patch +Patch7: 0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch +Patch8: 0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch +Patch9: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch10: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch11: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch12: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch13: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch BuildRequires: ladspa-devel @@ -824,7 +831,15 @@ Patch1: ffmpeg-arm6l.diff Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch -Patch10: ffmpeg-chromium.patch +Patch6: 0001-avcodec-tests-rename-the-bundled-Mesa-AV1-vulkan-vid.patch +Patch7: 0001-avfilter-asrc_afirsrc-fix-by-one-smaller-allocation-.patch +Patch8: 0001-avfilter-bwdif-account-for-chroma-sub-sampling-in-mi.patch +Patch9: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch10: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch11: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch12: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch13: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch BuildRequires: c_compiler Requires: this-is-only-for-build-envs