From 6e1ca12e6be4004ebe114d8da2b26a35161651c04aac7f2729b1fced4ea850c3 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 23 Apr 2024 14:33:01 +0000 Subject: [PATCH 1/4] - Address boo#1223304/CVE-2023-51798: add patch 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=211 --- ...nterpolate-Check-pts-before-division.patch | 40 +++++++++++++++++++ ffmpeg-4.changes | 6 +++ ffmpeg-4.spec | 1 + 3 files changed, 47 insertions(+) create mode 100644 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch diff --git a/0001-avfilter-vf_minterpolate-Check-pts-before-division.patch b/0001-avfilter-vf_minterpolate-Check-pts-before-division.patch new file mode 100644 index 0000000..8bff1b6 --- /dev/null +++ b/0001-avfilter-vf_minterpolate-Check-pts-before-division.patch @@ -0,0 +1,40 @@ +From 68146f06f852078866b3ef1564556e3a272920c7 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 30 Dec 2023 02:51:32 +0100 +Subject: [PATCH] avfilter/vf_minterpolate: Check pts before division +References: https://bugzilla.opensuse.org/1223304 +References: CVE-2023-51798 + +Fixes: FPE +Fixes: tickets/10758/poc20ffmpeg + +Discovered by Zeng Yunxiang + +Signed-off-by: Michael Niedermayer +--- + libavfilter/vf_minterpolate.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c +index 9920210ece..b2242a15ee 100644 +--- a/libavfilter/vf_minterpolate.c ++++ b/libavfilter/vf_minterpolate.c +@@ -1075,8 +1075,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) + pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, + (int64_t) outlink->time_base.den * inlink->time_base.num); + +- alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); +- alpha = av_clip(alpha, 0, ALPHA_MAX); ++ if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { ++ alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); ++ alpha = av_clip(alpha, 0, ALPHA_MAX); ++ } else { ++ av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); ++ alpha = 0; ++ } + + if (alpha == 0 || alpha == ALPHA_MAX) { + av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); +-- +2.44.0 + diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes index ed86223..c51e42b 100644 --- a/ffmpeg-4.changes +++ b/ffmpeg-4.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Apr 23 14:25:53 UTC 2024 - Jan Engelhardt + +- Address boo#1223304/CVE-2023-51798: add patch + 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch + ------------------------------------------------------------------- Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec index ada5612..b449828 100644 --- a/ffmpeg-4.spec +++ b/ffmpeg-4.spec @@ -126,6 +126,7 @@ Patch12: 0001-avcodec-libsvtav1-remove-compressed_ten_bit_format-a.patch Patch13: 0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch Patch14: ffmpeg-glslang-cxx17.patch Patch15: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch16: 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel From c72074a6f9277d54aac617d13dcf3df5ea9127660064f7bec2579902ebcbb949 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 25 Apr 2024 21:43:06 +0000 Subject: [PATCH 2/4] Accepting request 1170205 from home:qzhao:branches:multimedia:libs Add ffmpeg-CVE-2023-49502.patch ffmpeg-CVE-2023-51793.patch to fix CVE bugs. OBS-URL: https://build.opensuse.org/request/show/1170205 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=213 --- ffmpeg-4.changes | 15 ++++++++++ ffmpeg-4.spec | 4 +++ ffmpeg-CVE-2023-49502.patch | 42 ++++++++++++++++++++++++++++ ffmpeg-CVE-2023-51793.patch | 56 +++++++++++++++++++++++++++++++++++++ 4 files changed, 117 insertions(+) create mode 100644 ffmpeg-CVE-2023-49502.patch create mode 100644 ffmpeg-CVE-2023-51793.patch diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes index c51e42b..56964a3 100644 --- a/ffmpeg-4.changes +++ b/ffmpeg-4.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu Apr 23 16:14:18 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-51793.patch: + Backporting 0ecc1f0e from upstream, Fix odd height handling. + (CVE-2023-51793 bsc#1223272) + +------------------------------------------------------------------- +Thu Apr 23 15:35:32 UTC 2024 - Cliff Zhao + +- Add ffmpeg-CVE-2023-49502.patch: + Backporting 737ede40 from upstream, account for chroma sub-sampling + in min size calculation. + (CVE-2023-49502 bsc#1223235) + ------------------------------------------------------------------- Tue Apr 23 14:25:53 UTC 2024 - Jan Engelhardt diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec index b449828..e87fff7 100644 --- a/ffmpeg-4.spec +++ b/ffmpeg-4.spec @@ -127,6 +127,10 @@ Patch13: 0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch Patch14: ffmpeg-glslang-cxx17.patch Patch15: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch16: 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-49502.patch CVE-2023-49502 bsc#1223235 qzhao@suse.com -- Account for chroma sub-sampling in min size calculation. +Patch17: ffmpeg-CVE-2023-49502.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-51793.patch CVE-2023-51793 bsc#1223272 qzhao@suse.com -- Fix odd height handling. +Patch18: ffmpeg-CVE-2023-51793.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel diff --git a/ffmpeg-CVE-2023-49502.patch b/ffmpeg-CVE-2023-49502.patch new file mode 100644 index 0000000..2937842 --- /dev/null +++ b/ffmpeg-CVE-2023-49502.patch @@ -0,0 +1,42 @@ +commit 737ede405b11a37fdd61d19cf25df296a0cb0b75 +Author: Cosmin Stejerean +Date: Wed Dec 6 18:39:32 2023 +0800 + + avfilter/bwdif: account for chroma sub-sampling in min size calculation + + The current logic for detecting frames that are too small for the + algorithm does not account for chroma sub-sampling, and so a sample + where the luma plane is large enough, but the chroma planes are not + will not be rejected. In that event, a heap overflow will occur. + + This change adjusts the logic to consider the chroma planes and makes + the change to all three bwdif implementations. + + Fixes #10688 + + Signed-off-by: Cosmin Stejerean + Reviewed-by: Thomas Mundt + Signed-off-by: Philip Langdale + +diff -Nura ffmpeg-4.4.4/libavfilter/vf_bwdif.c ffmpeg-4.4.4_new/libavfilter/vf_bwdif.c +--- ffmpeg-4.4.4/libavfilter/vf_bwdif.c 2023-04-13 02:01:50.000000000 +0800 ++++ ffmpeg-4.4.4_new/libavfilter/vf_bwdif.c 2024-04-26 02:21:48.162806014 +0800 +@@ -343,13 +343,14 @@ + if(yadif->mode&1) + link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); + +- if (link->w < 3 || link->h < 4) { +- av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); ++ yadif->csp = av_pix_fmt_desc_get(link->format); ++ yadif->filter = filter; ++ ++ if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { ++ av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); + return AVERROR(EINVAL); + } + +- yadif->csp = av_pix_fmt_desc_get(link->format); +- yadif->filter = filter; + if (yadif->csp->comp[0].depth > 8) { + s->filter_intra = filter_intra_16bit; + s->filter_line = filter_line_c_16bit; diff --git a/ffmpeg-CVE-2023-51793.patch b/ffmpeg-CVE-2023-51793.patch new file mode 100644 index 0000000..ebdb422 --- /dev/null +++ b/ffmpeg-CVE-2023-51793.patch @@ -0,0 +1,56 @@ +commit 0ecc1f0e48930723d7a467761b66850811c23e62 +Author: Michael Niedermayer +Date: Fri Dec 22 12:31:35 2023 +0100 + + avfilter/vf_weave: Fix odd height handling + + Fixes: out of array access + Fixes: tickets/10743/poc10ffmpeg + + Found-by: Zeng Yunxiang and Li Zeyuan + Signed-off-by: Michael Niedermayer + +diff -Nura ffmpeg-4.4.4/libavfilter/vf_weave.c ffmpeg-4.4.4_new/libavfilter/vf_weave.c +--- ffmpeg-4.4.4/libavfilter/vf_weave.c 2023-04-13 02:01:50.000000000 +0800 ++++ ffmpeg-4.4.4_new/libavfilter/vf_weave.c 2024-04-26 02:30:07.113807721 +0800 +@@ -30,6 +30,7 @@ + int double_weave; + int nb_planes; + int planeheight[4]; ++ int outheight[4]; + int linesize[4]; + + AVFrame *prev; +@@ -85,6 +86,9 @@ + s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); + s->planeheight[0] = s->planeheight[3] = inlink->h; + ++ s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); ++ s->outheight[0] = s->outheight[3] = 2*inlink->h; ++ + s->nb_planes = av_pix_fmt_count_planes(inlink->format); + + return 0; +@@ -110,19 +114,20 @@ + const int height = s->planeheight[i]; + const int start = (height * jobnr) / nb_jobs; + const int end = (height * (jobnr+1)) / nb_jobs; ++ const int compensation = 2*end > s->outheight[i]; + + av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + in->data[i] + start * in->linesize[i], + in->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field1); + av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + + out->linesize[i] * start * 2, + out->linesize[i] * 2, + s->prev->data[i] + start * s->prev->linesize[i], + s->prev->linesize[i], +- s->linesize[i], end - start); ++ s->linesize[i], end - start - compensation * field2); + } + + return 0; From c86bcacd17232348e0512fb41641727672a937498f02e4c49521af7bd7c530b9 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 25 Apr 2024 21:44:57 +0000 Subject: [PATCH 3/4] Move metadata into patch/use established git patch line tags as far as doable OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=214 --- ffmpeg-CVE-2023-49502.patch | 37 +++++++++++++++++++------------------ ffmpeg-CVE-2023-51793.patch | 19 ++++++++++--------- 2 files changed, 29 insertions(+), 27 deletions(-) diff --git a/ffmpeg-CVE-2023-49502.patch b/ffmpeg-CVE-2023-49502.patch index 2937842..95a0423 100644 --- a/ffmpeg-CVE-2023-49502.patch +++ b/ffmpeg-CVE-2023-49502.patch @@ -1,22 +1,23 @@ -commit 737ede405b11a37fdd61d19cf25df296a0cb0b75 -Author: Cosmin Stejerean -Date: Wed Dec 6 18:39:32 2023 +0800 +From 737ede405b11a37fdd61d19cf25df296a0cb0b75 +From: Cosmin Stejerean +Date: Wed Dec 6 18:39:32 2023 +0800 +Subject: avfilter/bwdif: account for chroma sub-sampling in min size calculation +References: https://bugzilla.opensuse.org/1223235 +References: CVE-2023-49502 - avfilter/bwdif: account for chroma sub-sampling in min size calculation - - The current logic for detecting frames that are too small for the - algorithm does not account for chroma sub-sampling, and so a sample - where the luma plane is large enough, but the chroma planes are not - will not be rejected. In that event, a heap overflow will occur. - - This change adjusts the logic to consider the chroma planes and makes - the change to all three bwdif implementations. - - Fixes #10688 - - Signed-off-by: Cosmin Stejerean - Reviewed-by: Thomas Mundt - Signed-off-by: Philip Langdale +The current logic for detecting frames that are too small for the +algorithm does not account for chroma sub-sampling, and so a sample +where the luma plane is large enough, but the chroma planes are not +will not be rejected. In that event, a heap overflow will occur. + +This change adjusts the logic to consider the chroma planes and makes +the change to all three bwdif implementations. + +Fixes #10688 + +Signed-off-by: Cosmin Stejerean +Reviewed-by: Thomas Mundt +Signed-off-by: Philip Langdale diff -Nura ffmpeg-4.4.4/libavfilter/vf_bwdif.c ffmpeg-4.4.4_new/libavfilter/vf_bwdif.c --- ffmpeg-4.4.4/libavfilter/vf_bwdif.c 2023-04-13 02:01:50.000000000 +0800 diff --git a/ffmpeg-CVE-2023-51793.patch b/ffmpeg-CVE-2023-51793.patch index ebdb422..d61dff6 100644 --- a/ffmpeg-CVE-2023-51793.patch +++ b/ffmpeg-CVE-2023-51793.patch @@ -1,14 +1,15 @@ -commit 0ecc1f0e48930723d7a467761b66850811c23e62 -Author: Michael Niedermayer -Date: Fri Dec 22 12:31:35 2023 +0100 - - avfilter/vf_weave: Fix odd height handling +From 0ecc1f0e48930723d7a467761b66850811c23e62 +From: Michael Niedermayer +Date: Fri Dec 22 12:31:35 2023 +0100 +Subject: avfilter/vf_weave: Fix odd height handling +References: https://bugzilla.opensuse.org/1223272 +References: CVE-2023-51793 - Fixes: out of array access - Fixes: tickets/10743/poc10ffmpeg +Fixes: out of array access +Fixes: tickets/10743/poc10ffmpeg - Found-by: Zeng Yunxiang and Li Zeyuan - Signed-off-by: Michael Niedermayer +Found-by: Zeng Yunxiang and Li Zeyuan +Signed-off-by: Michael Niedermayer diff -Nura ffmpeg-4.4.4/libavfilter/vf_weave.c ffmpeg-4.4.4_new/libavfilter/vf_weave.c --- ffmpeg-4.4.4/libavfilter/vf_weave.c 2023-04-13 02:01:50.000000000 +0800 From d458caa706b7d08a20cae1c021c54610ba8cafcef27ccf07f0020af234b258eb Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 25 Apr 2024 21:45:08 +0000 Subject: [PATCH 4/4] Move metadata into patch/use established git patch line tags as far as doable OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=215 --- ffmpeg-4.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec index e87fff7..c2695a0 100644 --- a/ffmpeg-4.spec +++ b/ffmpeg-4.spec @@ -127,9 +127,7 @@ Patch13: 0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch Patch14: ffmpeg-glslang-cxx17.patch Patch15: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch16: 0001-avfilter-vf_minterpolate-Check-pts-before-division.patch -# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-49502.patch CVE-2023-49502 bsc#1223235 qzhao@suse.com -- Account for chroma sub-sampling in min size calculation. Patch17: ffmpeg-CVE-2023-49502.patch -# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-51793.patch CVE-2023-51793 bsc#1223272 qzhao@suse.com -- Fix odd height handling. Patch18: ffmpeg-CVE-2023-51793.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel