qzhao/ffmpeg-4
SHA256
1
0
Fork 0
forked from jengelh/ffmpeg-4
Code Pull Requests Activity

Add patches for 6 CVEs

Browse Source
This commit is contained in:
Cliff Zhao 2025-02-24 23:44:16 +08:00 committed by Jan Engelhardt
parent b6a9351332
commit 71230d5ab3
7 changed files with 194 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
ffmpeg-4-CVE-2024-12361.patch Normal file
View File

@ -0,0 +1,32 @@
From 4065ff69a2ed49872f8694a03d0642b18c9d977c Mon Sep 17 00:00:00 2001
From: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Date: Mon, 10 Jun 2024 14:18:11 +0000
Subject: [PATCH] avcodec/mpegvideo_enc: Add check for
av_packet_new_side_data()
Add check for av_packet_new_side_data() to avoid null pointer
dereference if allocation fails.
Fixes: bdc1220eeb ("h263enc: Add an option for outputting info about MBs as side data")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@outlook.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
libavcodec/mpegvideo_enc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index 620ca08869..d33754d115 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -1825,6 +1825,8 @@ int ff_mpv_encode_picture(AVCodecContext *avctx, AVPacket *pkt,
s->mb_info_ptr = av_packet_new_side_data(pkt,
AV_PKT_DATA_H263_MB_INFO,
s->mb_width*s->mb_height*12);
+ if (!s->mb_info_ptr)
+ return AVERROR(ENOMEM);
s->prev_mb_info = s->last_mb_info = s->mb_info_size = 0;
}
--
2.44.0

29
ffmpeg-4-CVE-2025-0518.patch Normal file
View File

@ -0,0 +1,29 @@
From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 6 Jan 2025 22:01:39 +0100
Subject: [PATCH] avfilter/af_pan: Fix sscanf() use
Fixes: Memory Data Leak
Found-by: Simcha Kosman <simcha.kosman@cyberark.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/af_pan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c
index 0d20b0307b..5feb2439c7 100644
--- a/libavfilter/af_pan.c
+++ b/libavfilter/af_pan.c
@@ -196,7 +196,7 @@ static av_cold int init(AVFilterContext *ctx)
sign = 1;
while (1) {
gain = 1;
- if (sscanf(arg, "%lf%n *%n", &gain, &len, &len))
+ if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1)
arg += len;
if (parse_channel_name(&arg, &in_ch_id, &named)){
av_log(ctx, AV_LOG_ERROR,
--
2.44.0

29
ffmpeg-4-CVE-2025-22919.patch Normal file
View File

@ -0,0 +1,29 @@
From 1446e37d3d032e1452844778b3e6ba2c20f0c322 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Mon, 30 Dec 2024 00:25:41 -0300
Subject: [PATCH] avfilter/buffersrc: check for valid sample rate
A sample rate <= 0 is invalid.
Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set.
Fixes ticket #11385.
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavfilter/buffersrc.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/libavfilter/buffersrc.c
+++ b/libavfilter/buffersrc.c
@@ -337,6 +337,11 @@
return AVERROR(EINVAL);
}
+ if (s->sample_rate <= 0) {
+ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n");
+ return AVERROR(EINVAL);
+ }
+
if (!s->time_base.num)
s->time_base = (AVRational){1, s->sample_rate};

29
ffmpeg-4-CVE-2025-22921.patch Normal file
View File

@ -0,0 +1,29 @@
From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Wed, 1 Jan 2025 23:58:39 -0300
Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it
Fixes NULL pointer dereferences.
Fixes ticket #11393.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavcodec/jpeg2000dec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index e5e897a29f..b82d85d5ee 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1521,6 +1521,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
}
}
av_freep(&cblk->lengthinc);
+ cblk->nb_lengthinc = 0;
}
}
// Save state of stream
--
2.44.0

26
ffmpeg-4-CVE-2025-25473.patch Normal file
View File

@ -0,0 +1,26 @@
From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Fri, 17 Jan 2025 00:05:31 -0300
Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
when closing a muxer
packet_buffer is used in mux.c, and if a muxing process fails at a point where
packets remained in said queue, they will leak.
Fixes ticket #11419
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavformat/avformat.c | 1 +
1 file changed, 1 insertion(+)
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4478,6 +4478,7 @@
av_dict_free(&s->internal->id3v2_meta);
av_packet_free(&s->internal->pkt);
av_packet_free(&s->internal->parse_pkt);
+ avpriv_packet_list_free(&s->internal->packet_buffer, &s->internal->packet_buffer_end);
av_freep(&s->streams);
flush_packet_queue(s);
av_freep(&s->internal);

44
ffmpeg-4.changes
View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Fri Feb 19 05:17:22 UTC 2025 - Cliff Zhao <qzhao@suse.com>
- Add ffmpeg-7-CVE-2025-22921.patch:
Backporting 7f9c7f98 from upstream, clear array length when
freeing it.
(CVE-2025-22921, bsc#1237382)
-------------------------------------------------------------------
Fri Feb 19 04:27:06 UTC 2025 - Cliff Zhao <qzhao@suse.com>
- Add ffmpeg-7-CVE-2025-25473.patch:
Backporting c08d3004 from upstream, clear FFFormatContext packet.
When packet_buffer is used in mux.c, and if a muxing process fails
at a point where packets remained in said queue.
(CVE-2025-25473, bsc#1237351)
-------------------------------------------------------------------
Fri Feb 19 03:18:02 UTC 2025 - Cliff Zhao <qzhao@suse.com>
- Add ffmpeg-7-CVE-2025-0518.patch:
Backporting b5b6391d from upstream, fixes memory data leak when
use sscanf().
(CVE-2025-0518, bsc#1236007)
-------------------------------------------------------------------
Fri Feb 19 02:58:01 UTC 2025 - Cliff Zhao <qzhao@suse.com>
- Add ffmpeg-7-CVE-2025-22919.patch:
Backporting 1446e37d from upstream, check for valid sample rate
As the sample rate <= 0 is invalid.
(CVE-2025-22919, bsc#1237371)
-------------------------------------------------------------------
Fri Feb 19 01:48:22 UTC 2025 - Cliff Zhao <qzhao@suse.com>
- Add ffmpeg-4-CVE-2024-12361.patch:
Backporting 4065ff69 from upstream, add check for av_packet_new_side_data()
to avoid null pointer dereference if allocation fails.
(CVE-2024-12361, bsc#1237358)
-------------------------------------------------------------------
Tue Oct 15 08:18:54 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
@ -8,6 +49,9 @@ Mon Jan 6 11:53:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Update to release 4.4.5
* Reliability/bug fixes
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464
Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int'
(CVE-2024-36613, bsc#1235092)
- Delete
0001-avcodec-libsvtav1-remove-compressed_ten_bit_format-a.patch
0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch

5
ffmpeg-4.spec
View File

@ -137,6 +137,11 @@ Patch15: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
Patch17: ffmpeg-CVE-2023-49502.patch
Patch22: ffmpeg-c99.patch
Patch23: 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
Patch24: ffmpeg-4-CVE-2024-12361.patch
Patch25: ffmpeg-4-CVE-2025-22919.patch
Patch26: ffmpeg-4-CVE-2025-0518.patch
Patch27: ffmpeg-4-CVE-2025-25473.patch
Patch28: ffmpeg-4-CVE-2025-22921.patch
BuildRequires: ladspa-devel
BuildRequires: libgsm-devel
BuildRequires: libmp3lame-devel