Accepting request 1185067 from multimedia:libs

- Add ffmpeg-7-CVE-2024-32230.patch: Backporting 96449cfe from upstream, Fix 1 line and one column images. (CVE-2024-32230 bsc#1227296) - Add ffmpeg-7-CVE-2024-32228.patch: Backporting 45964876 from upstream, Fix segfault on invalid film grain metadata. (CVE-2024-32228, bsc#1227277) OBS-URL: https://build.opensuse.org/request/show/1185067 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ffmpeg-7?expand=0&rev=2
2024-07-04 14:24:10 +00:00 · 2024-07-04 14:24:10 +00:00 · 64b2585ab8
commit 64b2585ab8
parent 864d1ce0ff 8ec2a2c630
4 changed files with 97 additions and 2 deletions
--- a/ffmpeg-7-CVE-2024-32228.patch
+++ b/ffmpeg-7-CVE-2024-32228.patch
@ -0,0 +1,55 @@
+From 459648761f5412acdc3317d5bac982ceaa257584 Mon Sep 17 00:00:00 2001
+From: Niklas Haas <git@haasn.dev>
+Date: Sat Apr 6 13:11:09 2024 +0200
+Subject: avcodec/hevcdec: fix segfault on invalid film grain metadata
+References: CVE-2024-32228
+References: https://bugzilla.opensuse.org/1227277
+Upstream: Backport from upstream
+
+
+Invalid input files may contain film grain metadata which survives
+ff_h274_film_grain_params_supported() but does not pass
+av_film_grain_params_select(), leading to a SIGSEGV on hevc_frame_end().
+
+Fix this by duplicating the av_film_grain_params_select() check at frame
+init time.
+
+An alternative solution here would be to defer the incompatibility check
+to hevc_frame_end(), but this has the downside of allocating a film
+grain buffer even when we already know we can't apply film grain.
+
+Fixes: https://trac.ffmpeg.org/ticket/10951
+
+--- ffmpeg-7.0/libavcodec/hevcdec.c	2024-04-05 07:22:59.000000000 +0800
+++ ffmpeg-7.0_new/libavcodec/hevcdec.c	2024-07-02 22:48:49.293996651 +0800
+@@ -2892,10 +2892,16 @@
+         !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) &&
+         !s->avctx->hwaccel;
+ 
+    ret = set_side_data(s);
+    if (ret < 0)
+        goto fail;
+
+     if (s->ref->needs_fg &&
+-        s->sei.common.film_grain_characteristics.present &&
+-        !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id,
+-                                             s->ref->frame->format)) {
+        ( s->sei.common.film_grain_characteristics.present &&
+          !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id,
+                                               s->ref->frame->format))
+          || !av_film_grain_params_select(s->ref->frame)) {
+
+         av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown,
+                     "Unsupported film grain parameters. Ignoring film grain.\n");
+         s->ref->needs_fg = 0;
+@@ -2909,10 +2915,6 @@
+             goto fail;
+     }
+ 
+-    ret = set_side_data(s);
+-    if (ret < 0)
+-        goto fail;
+-
+     s->frame->pict_type = 3 - s->sh.slice_type;
+ 
+     if (!IS_IRAP(s))
--- a/ffmpeg-7-CVE-2024-32230.patch
+++ b/ffmpeg-7-CVE-2024-32230.patch
@ -0,0 +1,25 @@
+From 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1 Mon Sep 17 00:00:00 2001
+Author: Michael Niedermayer <michael@niedermayer.cc>
+Date:   Mon Apr 8 18:38:42 2024 +0200
+Subject: avcodec/mpegvideo_enc: Fix 1 line and one column images
+References: CVE-2024-32230
+References: https://bugzilla.opensuse.org/1227296
+Upstream: Backport from upstream
+
+Fixes: Ticket10952
+Fixes: poc21ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+--- ffmpeg-7.0/libavcodec/mpegvideo_enc.c	2024-04-05 07:22:59.000000000 +0800
+++ ffmpeg-7.0_new/libavcodec/mpegvideo_enc.c	2024-07-02 23:24:47.410634866 +0800
+@@ -1198,8 +1198,8 @@
+                 ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize;
+                 int h_shift = i ? s->chroma_x_shift : 0;
+                 int v_shift = i ? s->chroma_y_shift : 0;
+-                int w = s->width  >> h_shift;
+-                int h = s->height >> v_shift;
+                int w = AV_CEIL_RSHIFT(s->width , h_shift);
+                int h = AV_CEIL_RSHIFT(s->height, v_shift);
+                 const uint8_t *src = pic_arg->data[i];
+                 uint8_t *dst = pic->f->data[i];
+                 int vpad = 16;
--- a/ffmpeg-7.changes
+++ b/ffmpeg-7.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Jul  2 12:26:28 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2024-32230.patch:
+  Backporting 96449cfe from upstream, Fix 1 line and one column images.
+  (CVE-2024-32230 bsc#1227296)
+
+-------------------------------------------------------------------
+Tue Jul  2 11:57:01 UTC 2024 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2024-32228.patch:
+  Backporting 45964876 from upstream, Fix segfault on invalid film
+  grain metadata.
+  (CVE-2024-32228, bsc#1227277)
+
 -------------------------------------------------------------------
 Sun Apr  7 11:39:41 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

--- a/ffmpeg-7.spec
+++ b/ffmpeg-7.spec
@ -104,7 +104,6 @@ Source6:        ffmpeg-dlopen-headers.tar.xz
 Source92:       ffmpeg_get_dlopen_headers.sh
 Source98:       http://ffmpeg.org/ffmpeg-devel.asc#/ffmpeg-7.keyring
 Source99:       baselibs.conf
-
 Patch1:         ffmpeg-arm6l.diff
 Patch2:         ffmpeg-new-coder-errors.diff
 Patch3:         ffmpeg-codec-choice.diff
@ -112,7 +111,8 @@ Patch4:         ffmpeg-4.2-dlopen-fdk_aac.patch
 Patch5:         work-around-abi-break.patch
 Patch10:        ffmpeg-chromium.patch
 Patch91:        ffmpeg-dlopen-openh264.patch
-
+Patch92:        ffmpeg-7-CVE-2024-32228.patch
+Patch93:        ffmpeg-7-CVE-2024-32230.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel >= 3.98.3