From 465a3a0580260765d60ddca45a21acf749687a757d36b4f7ea15fc69ad701f47 Mon Sep 17 00:00:00 2001
From: ZhaoQiang
Date: Wed, 21 Aug 2024 14:02:10 +0800
Subject: [PATCH] Add ffmpeg-5-CVE-2024-7272.patch: Backporting 9903ba28 from upstream. error out on invalid layouts. * If it's unsupported or invalid, then there's no point trying to rebuild it using a value that may have been derived from the same layout to begin with. * Move the checks before the attempts at copying the layout while at it. (CVE-2024-7272, bsc#1229261)
---
 ffmpeg-5-CVE-2024-7272.patch | 114 +++++++++++++++++++++++++++++++++++
 ffmpeg-5.changes | 12 ++++
 ffmpeg-5.spec | 2 +
 3 files changed, 128 insertions(+)
 create mode 100644 ffmpeg-5-CVE-2024-7272.patch
diff --git a/ffmpeg-5-CVE-2024-7272.patch b/ffmpeg-5-CVE-2024-7272.patch
new file mode 100644
index 0000000..0adc6a6
--- /dev/null
+++ b/ffmpeg-5-CVE-2024-7272.patch
@@ -0,0 +1,114 @@
+From 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Thu, 8 Sep 2022 19:43:03 -0300
+Subject: [PATCH] swsresample/swresample: error out on invalid layouts
+References: CVE-2024-7272
+References: bsc#1229261
+Upstream: Backport from upstream
+
+If it's unsupported or invalid, then there's no point trying to rebuild it
+using a value that may have been derived from the same layout to begin with.
+
+Move the checks before the attempts at copying the layout while at it.
+
+Fixes ticket #9908.
+
+Signed-off-by: James Almer
+---
+ libswresample/swresample.c | 48 +++++++++++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 16 deletions(-)
+
+diff --git a/libswresample/swresample.c b/libswresample/swresample.c
+index 6f04d130d3..5884f8d533 100644
+--- a/libswresample/swresample.c
++++ b/libswresample/swresample.c
+@@ -227,7 +227,7 @@ av_cold int swr_init(struct SwrContext *s){
+ s->in_ch_layout.order = AV_CHANNEL_ORDER_UNSPEC;
+ s->in_ch_layout.nb_channels = s->user_in_ch_count;
+ }
+- } else
++ } else if (av_channel_layout_check(&s->user_in_chlayout))
+ av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout);
+
+ if ((s->user_out_ch_count && s->user_out_ch_count != s->user_out_chlayout.nb_channels) ||
+@@ -240,17 +240,45 @@ av_cold int swr_init(struct SwrContext *s){
+ s->out_ch_layout.order = AV_CHANNEL_ORDER_UNSPEC;
+ s->out_ch_layout.nb_channels = s->user_out_ch_count;
+ }
+- } else
++ } else if (av_channel_layout_check(&s->user_out_chlayout))
+ av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout);
+
+ if (!s->out.ch_count && !s->user_out_ch_layout)
+ s->out.ch_count = s->out_ch_layout.nb_channels;
+ if (!s-> in.ch_count && !s-> user_in_ch_layout)
+ s-> in.ch_count = s->in_ch_layout.nb_channels;
++
++ if (!(ret = av_channel_layout_check(&s->in_ch_layout)) || s->in_ch_layout.nb_channels > SWR_CH_MAX) {
++ if (ret)
++ av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1));
++ av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : "");
++ return AVERROR(EINVAL);
++ }
++
++ if (!(ret = av_channel_layout_check(&s->out_ch_layout)) || s->out_ch_layout.nb_channels > SWR_CH_MAX) {
++ if (ret)
++ av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2));
++ av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : "");
++ return AVERROR(EINVAL);
++ }
+ #else
+ s->out.ch_count = s-> user_out_chlayout.nb_channels;
+ s-> in.ch_count = s-> user_in_chlayout.nb_channels;
+
++ if (!(ret = av_channel_layout_check(&s->user_in_chlayout)) || s->user_in_chlayout.nb_channels > SWR_CH_MAX) {
++ if (ret)
++ av_channel_layout_describe(&s->user_in_chlayout, l1, sizeof(l1));
++ av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : "");
++ return AVERROR(EINVAL);
++ }
++
++ if (!(ret = av_channel_layout_check(&s->user_out_chlayout)) || s->user_out_chlayout.nb_channels > SWR_CH_MAX) {
++ if (ret)
++ av_channel_layout_describe(&s->user_out_chlayout, l2, sizeof(l2));
++ av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : "");
++ return AVERROR(EINVAL);
++ }
++
+ ret = av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout);
+ ret |= av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout);
+ if (ret < 0)
+@@ -261,18 +289,6 @@ av_cold int swr_init(struct SwrContext *s){
+
+ s->dither.method = s->user_dither_method;
+
+- if (!av_channel_layout_check(&s->in_ch_layout) || s->in_ch_layout.nb_channels > SWR_CH_MAX) {
+- av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1));
+- av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", l1);
+- av_channel_layout_uninit(&s->in_ch_layout);
+- }
+-
+- if (!av_channel_layout_check(&s->out_ch_layout) || s->out_ch_layout.nb_channels > SWR_CH_MAX) {
+- av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2));
+- av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", l2);
+- av_channel_layout_uninit(&s->out_ch_layout);
+- }
+-
+ switch(s->engine){
+ #if CONFIG_LIBSOXR
+ case SWR_ENGINE_SOXR: s->resampler = &swri_soxr_resampler; break;
+@@ -291,9 +307,9 @@ av_cold int swr_init(struct SwrContext *s){
+ av_channel_layout_uninit(&s->in_ch_layout);
+ }
+
+- if (!s->in_ch_layout.nb_channels || s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
++ if (s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
+ av_channel_layout_default(&s->in_ch_layout, s->used_ch_count);
+- if (!s->out_ch_layout.nb_channels || s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
++ if (s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
+ av_channel_layout_default(&s->out_ch_layout, s->out.ch_count);
+
+ s->rematrix = av_channel_layout_compare(&s->out_ch_layout, &s->in_ch_layout) ||
+--
+2.41.0
+
diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes
index 0d1cf73..319b5fc 100644
--- a/ffmpeg-5.changes
+++ b/ffmpeg-5.changes
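Review bot: In the `@@ -240,17 +240,45 @@` hunk of the embedded swresample.c patch, all four new rejection paths log at `AV_LOG_WARNING` and then `return AVERROR(EINVAL)`, so a failed swr_init() produces no error-level message for callers or log-based triage; `AV_LOG_ERROR` matches a fatal path, though as a backport of 9903ba28 this is better raised upstream than changed locally. In the first two hunks the `else if (av_channel_layout_check(...))` branches still discard the result of `av_channel_layout_copy()`, whereas the `#else` branch collects it in `ret` and tests `ret < 0`; the later check on `s->in_ch_layout` / `s->out_ch_layout` presumably catches a failed copy, but that is inferred rather than visible. swr_init() begins and ends outside these hunks, so whether the new early `return` bypasses cleanup done on other failure paths cannot be confirmed from the patch. Because an invalid layout is now a hard error instead of being rebuilt from the channel count, dependent packages that relied on the old fallback deserve a rebuild and smoke test.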
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Sun Aug 18 01:42:12 UTC 2024 - Cliff Zhao
+
+- Add ffmpeg-5-CVE-2024-7272.patch:
+ Backporting 9903ba28 from upstream, error out on invalid layouts,
+ * If it's unsupported or invalid, then there's no point trying to
+ rebuild it using a value that may have been derived from the same
+ layout to begin with.
+ * Move the checks before the attempts at copying the layout while
+ at it.
+ (CVE-2024-7272, bsc#1229261)
+
 -------------------------------------------------------------------
 Thu Aug 15 09:56:01 UTC 2024 - Manfred Hollstein
diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec
index 8de8784..a6a9142 100644
--- a/ffmpeg-5.spec
+++ b/ffmpeg-5.spec
@@ -124,6 +124,7 @@ Patch98: ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch
 Patch99: ffmpeg-CVE-2023-50009.patch
 Patch100: ffmpeg-CVE-2023-50010.patch
 Patch102: ffmpeg-5-CVE-2024-32230.patch
+Patch103: ffmpeg-5-CVE-2024-7272.patch
 #
 # preamble is present twice, watch out
 #
@@ -862,6 +863,7 @@ Patch98: ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch
 Patch99: ffmpeg-CVE-2023-50009.patch
 Patch100: ffmpeg-CVE-2023-50010.patch
 Patch102: ffmpeg-5-CVE-2024-32230.patch
+Patch103: ffmpeg-5-CVE-2024-7272.patch
 BuildRequires: c_compiler
 Requires: this-is-only-for-build-envs
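Review bot: `Patch103` is declared in both preambles (the `@@ -124,6 +124,7 @@` and `@@ -862,6 +863,7 @@` hunks), but neither hunk shows the `%prep` section, so it is not visible here that the patch is actually applied. If the spec applies patches through explicit per-patch lines rather than applying every declared patch, a matching entry is needed, otherwise the CVE-2024-7272 fix ships declared but unapplied. A quick check is to confirm in the build log that ffmpeg-5-CVE-2024-7272.patch is reported as applied during `%prep`.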