From 6a6cec787270fa0fc6a277c98358e4825b175b3f6c7b6422b1eb9f2208f46c64 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 22 Apr 2024 13:35:00 +0000 Subject: [PATCH 1/5] - address 4 bugzilla issues/CVEs OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=82 --- ...ialoguenhance-do-output-scaling-once.patch | 42 +++++++++++ ...lter-af_dialoguenhance-fix-overreads.patch | 54 +++++++++++++++ ...ialoguenhance-simplify-channels-copy.patch | 69 +++++++++++++++++++ ...-avf_showspectrum-fix-off-by-1-error.patch | 32 +++++++++ ...f_codecview-fix-heap-buffer-overflow.patch | 29 ++++++++ ...-Don-t-assume-frames_uninit-is-reent.patch | 44 ++++++++++++ ffmpeg-5.changes | 14 ++++ ffmpeg-5.spec | 14 +++- 8 files changed, 296 insertions(+), 2 deletions(-) create mode 100644 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch create mode 100644 0001-avfilter-af_dialoguenhance-fix-overreads.patch create mode 100644 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch create mode 100644 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch create mode 100644 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch create mode 100644 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch diff --git a/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch new file mode 100644 index 0000000..b858bcc --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch @@ -0,0 +1,42 @@ +From f1f973313b6edc460339c2dfa4675dd3ad72fe98 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Mon, 27 Nov 2023 11:52:37 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: do output scaling once + +--- + libavfilter/af_dialoguenhance.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 5c8614c185..2674313f5c 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -108,7 +108,7 @@ static int config_input(AVFilterLink *inlink) + + generate_window_func(s->window, s->fft_size, WFUNC_SINE, &overlap); + +- iscale = 1.f / s->fft_size; ++ iscale = 1.f / (s->fft_size * 1.5f); + + ret = av_tx_init(&s->tx_ctx[0], &s->tx_fn, AV_TX_FLOAT_RDFT, 0, s->fft_size, &scale, 0); + if (ret < 0) +@@ -296,13 +296,10 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + memcpy(left_osamples, left_in, overlap * sizeof(float)); + memcpy(right_osamples, right_in, overlap * sizeof(float)); + +- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude +- if (!ctx->is_disabled) { +- for (int i = 0; i < overlap; i++) +- center_osamples[i] = left_out[i] / 1.5f; +- } else { ++ if (ctx->is_disabled) + memset(center_osamples, 0, overlap * sizeof(float)); +- } ++ else ++ memcpy(center_osamples, left_out, overlap * sizeof(float)); + + return 0; + } +-- +2.44.0 + diff --git a/0001-avfilter-af_dialoguenhance-fix-overreads.patch b/0001-avfilter-af_dialoguenhance-fix-overreads.patch new file mode 100644 index 0000000..0a0df78 --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-fix-overreads.patch @@ -0,0 +1,54 @@ +From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Sat, 25 Nov 2023 12:54:28 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads + +--- + libavfilter/af_dialoguenhance.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 1762ea7cde..29c8ab10a7 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink) + if (!s->window) + return AVERROR(ENOMEM); + +- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4); ++ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + if (!s->in_frame || !s->windowed_out || !s->windowed_prev || + !s->out_dist_frame || !s->windowed_frame || !s->center_frame) + return AVERROR(ENOMEM); +@@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + float *right_osamples = (float *)out->extended_data[1]; + float *center_osamples = (float *)out->extended_data[2]; + const int offset = s->fft_size - s->overlap; ++ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); + float vad; + + // shift in/out buffers +@@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); + memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); + +- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float)); +- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float)); ++ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); ++ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); + memset(&left_out[offset], 0, s->overlap * sizeof(float)); + memset(&right_out[offset], 0, s->overlap * sizeof(float)); + +-- +2.44.0 + diff --git a/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch new file mode 100644 index 0000000..76cc5b2 --- /dev/null +++ b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch @@ -0,0 +1,69 @@ +From 4671fb7dfb8e72b228e04f3b81da7f2003c62240 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Mon, 27 Nov 2023 00:38:56 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: simplify channels copy + +--- + libavfilter/af_dialoguenhance.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 29c8ab10a7..5c8614c185 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -249,20 +249,21 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + float *left_osamples = (float *)out->extended_data[0]; + float *right_osamples = (float *)out->extended_data[1]; + float *center_osamples = (float *)out->extended_data[2]; +- const int offset = s->fft_size - s->overlap; +- const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); ++ const int overlap = s->overlap; ++ const int offset = s->fft_size - overlap; ++ const int nb_samples = FFMIN(overlap, s->in->nb_samples); + float vad; + + // shift in/out buffers +- memmove(left_in, &left_in[s->overlap], offset * sizeof(float)); +- memmove(right_in, &right_in[s->overlap], offset * sizeof(float)); +- memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); +- memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); ++ memmove(left_in, &left_in[overlap], offset * sizeof(float)); ++ memmove(right_in, &right_in[overlap], offset * sizeof(float)); ++ memmove(left_out, &left_out[overlap], offset * sizeof(float)); ++ memmove(right_out, &right_out[overlap], offset * sizeof(float)); + + memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); + memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); +- memset(&left_out[offset], 0, s->overlap * sizeof(float)); +- memset(&right_out[offset], 0, s->overlap * sizeof(float)); ++ memset(&left_out[offset], 0, overlap * sizeof(float)); ++ memset(&right_out[offset], 0, overlap * sizeof(float)); + + apply_window(s, left_in, windowed_left, 0); + apply_window(s, right_in, windowed_right, 0); +@@ -292,14 +293,15 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + + apply_window(s, windowed_oleft, left_out, 1); + +- for (int i = 0; i < s->overlap; i++) { +- // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude +- if (!ctx->is_disabled) ++ memcpy(left_osamples, left_in, overlap * sizeof(float)); ++ memcpy(right_osamples, right_in, overlap * sizeof(float)); ++ ++ // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude ++ if (!ctx->is_disabled) { ++ for (int i = 0; i < overlap; i++) + center_osamples[i] = left_out[i] / 1.5f; +- else +- center_osamples[i] = 0.f; +- left_osamples[i] = left_in[i]; +- right_osamples[i] = right_in[i]; ++ } else { ++ memset(center_osamples, 0, overlap * sizeof(float)); + } + + return 0; +-- +2.44.0 + diff --git a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch new file mode 100644 index 0000000..25feb0a --- /dev/null +++ b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch @@ -0,0 +1,32 @@ +From ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sun, 24 Dec 2023 20:31:02 +0100 +Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error + +Fixes: out of array access +Fixes: tickets/10749/poc15ffmpeg + +Regression since: 81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 + +Found-by: Zeng Yunxiang +Signed-off-by: Michael Niedermayer +--- + libavfilter/avf_showspectrum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c +index 8cf73fce70..99a5c33d09 100644 +--- a/libavfilter/avf_showspectrum.c ++++ b/libavfilter/avf_showspectrum.c +@@ -1784,7 +1784,7 @@ static int showspectrumpic_request_frame(AVFilterLink *outlink) + int acc_samples = 0; + int dst_offset = 0; + +- while (nb_frame <= s->nb_frames) { ++ while (nb_frame < s->nb_frames) { + AVFrame *cur_frame = s->frames[nb_frame]; + int cur_frame_samples = cur_frame->nb_samples; + int nb_samples = 0; +-- +2.44.0 + diff --git a/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch new file mode 100644 index 0000000..09ac8bc --- /dev/null +++ b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch @@ -0,0 +1,29 @@ +From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Fri, 29 Dec 2023 05:56:43 +0800 +Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow + +And improve the performance by a little bit. + +Signed-off-by: Zhao Zhili +--- + libavfilter/vf_codecview.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c +index 55d9c8c04f..f65ccbda70 100644 +--- a/libavfilter/vf_codecview.c ++++ b/libavfilter/vf_codecview.c +@@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr + buf[sx + w - 1] = color; + buf += stride; + } +- +- for (int x = sx; x < sx + w; x++) +- buf[x] = color; + } + + static int filter_frame(AVFilterLink *inlink, AVFrame *frame) +-- +2.44.0 + diff --git a/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch new file mode 100644 index 0000000..8700084 --- /dev/null +++ b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch @@ -0,0 +1,44 @@ +From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili +Date: Tue, 20 Feb 2024 20:08:55 +0800 +Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant + +Fix heap use after free when vulkan_frames_init failed. + +Signed-off-by: Zhao Zhili +--- + libavutil/hwcontext.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c +index 1d2c2d7920..aa1329bf2b 100644 +--- a/libavutil/hwcontext.c ++++ b/libavutil/hwcontext.c +@@ -359,7 +359,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->internal->hw_type->frames_init) { + ret = ctx->internal->hw_type->frames_init(ctx); + if (ret < 0) +- goto fail; ++ return ret; + } + + if (ctx->internal->pool_internal && !ctx->pool) +@@ -369,14 +369,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->initial_pool_size > 0) { + ret = hwframe_pool_prealloc(ref); + if (ret < 0) +- goto fail; ++ return ret; + } + + return 0; +-fail: +- if (ctx->internal->hw_type->frames_uninit) +- ctx->internal->hw_type->frames_uninit(ctx); +- return ret; + } + + int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, +-- +2.44.0 + diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes index c05c2d7..bcce16b 100644 --- a/ffmpeg-5.changes +++ b/ffmpeg-5.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt + +- Address boo#1222730/CVE-2023-49528: add patches + 0001-avfilter-af_dialoguenhance-fix-overreads.patch, + 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, + 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +- Address boo#1223070/CVE-2024-31578: add patch + 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +- Address boo#1223085/CVE-2024-31582: add patch + 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +- Address boo#1223087/CVE-2024-31585: add patch + 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch + ------------------------------------------------------------------- Fri Feb 2 09:44:11 UTC 2024 - Stefan Dirsch diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec index bd08438..4da125e 100644 --- a/ffmpeg-5.spec +++ b/ffmpeg-5.spec @@ -111,7 +111,12 @@ Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch9: ffmpeg-4.4-CVE-2020-22046.patch -Patch10: ffmpeg-chromium.patch +Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff @@ -831,7 +836,12 @@ Patch3: ffmpeg-codec-choice.diff Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch9: ffmpeg-4.4-CVE-2020-22046.patch -Patch10: ffmpeg-chromium.patch +Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff BuildRequires: c_compiler From 4aec72184ed09bf677a5e2c33b723998ac9194597e13d5b6f6c9e99562757ead Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 22 Apr 2024 13:36:07 +0000 Subject: [PATCH 2/5] (4/4) +0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=83 --- ffmpeg-5.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec index 4da125e..835c674 100644 --- a/ffmpeg-5.spec +++ b/ffmpeg-5.spec @@ -116,6 +116,7 @@ Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff @@ -841,6 +842,7 @@ Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff From c7d526a909d7991216ae48521e4fbb39a71b6519b18d43daf7a22d02aabc1232 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 22 Apr 2024 15:55:23 +0000 Subject: [PATCH 3/5] update patches with issue report links OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=84 --- 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch | 2 ++ 0001-avfilter-af_dialoguenhance-fix-overreads.patch | 2 ++ 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch | 2 ++ 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch | 2 ++ 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch | 2 ++ 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch | 2 ++ 6 files changed, 12 insertions(+) diff --git a/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch index b858bcc..bfd6f74 100644 --- a/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +++ b/0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch @@ -2,6 +2,8 @@ From f1f973313b6edc460339c2dfa4675dd3ad72fe98 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2023 11:52:37 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: do output scaling once +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 11 ++++------- diff --git a/0001-avfilter-af_dialoguenhance-fix-overreads.patch b/0001-avfilter-af_dialoguenhance-fix-overreads.patch index 0a0df78..591bfad 100644 --- a/0001-avfilter-af_dialoguenhance-fix-overreads.patch +++ b/0001-avfilter-af_dialoguenhance-fix-overreads.patch @@ -2,6 +2,8 @@ From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 25 Nov 2023 12:54:28 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 17 +++++++++-------- diff --git a/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch index 76cc5b2..3f7bebf 100644 --- a/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +++ b/0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch @@ -2,6 +2,8 @@ From 4671fb7dfb8e72b228e04f3b81da7f2003c62240 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2023 00:38:56 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: simplify channels copy +References: https://bugzilla.opensuse.org/1222730 +References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 32 +++++++++++++++++--------------- diff --git a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch index 25feb0a..fcec025 100644 --- a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +++ b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch @@ -2,6 +2,8 @@ From ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:31:02 +0100 Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error +References: https://bugzilla.opensuse.org/1223087 +References: CVE-2024-31585 Fixes: out of array access Fixes: tickets/10749/poc15ffmpeg diff --git a/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch index 09ac8bc..00b9203 100644 --- a/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +++ b/0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch @@ -2,6 +2,8 @@ From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Fri, 29 Dec 2023 05:56:43 +0800 Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow +References: https://bugzilla.opensuse.org/1223085 +References: CVE-2024-31582 And improve the performance by a little bit. diff --git a/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch index 8700084..6501dad 100644 --- a/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +++ b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch @@ -2,6 +2,8 @@ From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Tue, 20 Feb 2024 20:08:55 +0800 Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant +References: https://bugzilla.opensuse.org/1223070 +References: CVE-2024-31578 Fix heap use after free when vulkan_frames_init failed. From 8acab4b7f869fd9942854c0b74ff3fb7754de4e347e3e5150a8b7e72b2e83c12 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 22 Apr 2024 23:18:01 +0000 Subject: [PATCH 4/5] address +1 issue/CVE OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=85 --- ...-avf_showspectrum-fix-off-by-1-error.patch | 2 ++ ...se-Apply-PTS-compensation-only-when-.patch | 32 +++++++++++++++++++ ffmpeg-5.changes | 9 +++++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch diff --git a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch index fcec025..9d91ec6 100644 --- a/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +++ b/0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch @@ -4,6 +4,8 @@ Date: Sun, 24 Dec 2023 20:31:02 +0100 Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error References: https://bugzilla.opensuse.org/1223087 References: CVE-2024-31585 +References: https://bugzilla.opensuse.org/1223273 +References: CVE-2023-51795 Fixes: out of array access Fixes: tickets/10749/poc15ffmpeg diff --git a/0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch b/0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch new file mode 100644 index 0000000..8946711 --- /dev/null +++ b/0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch @@ -0,0 +1,32 @@ +From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 23 Dec 2023 18:04:32 +0100 +Subject: [PATCH] avfilter/f_reverse: Apply PTS compensation only when pts is + available +References: https://bugzilla.opensuse.org/1223274 +References: CVE-2023-51796 + +Fixes: out of array access +Fixes: tickets/10753/poc16ffmpeg + +Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1 +Found-by: Zeng Yunxiang +Signed-off-by: Michael Niedermayer +--- + libavfilter/f_reverse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: ffmpeg-5.1.4/libavfilter/f_reverse.c +=================================================================== +--- ffmpeg-5.1.4.orig/libavfilter/f_reverse.c ++++ ffmpeg-5.1.4/libavfilter/f_reverse.c +@@ -253,7 +253,8 @@ static int areverse_request_frame(AVFilt + if (ret == AVERROR_EOF && s->nb_frames > 0) { + AVFrame *out = s->frames[s->nb_frames - 1]; + out->pts = s->pts[s->flush_idx++] - s->nb_samples; +- s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; ++ if (s->nb_frames > 1) ++ s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; + + if (av_sample_fmt_is_planar(out->format)) + reverse_samples_planar(out); diff --git a/ffmpeg-5.changes b/ffmpeg-5.changes index bcce16b..84cacb5 100644 --- a/ffmpeg-5.changes +++ b/ffmpeg-5.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt + +- Address boo#1223274/CVE-2023-51796: add patch + 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch + ------------------------------------------------------------------- Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt @@ -9,7 +15,8 @@ Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch - Address boo#1223085/CVE-2024-31582: add patch 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch -- Address boo#1223087/CVE-2024-31585: add patch +- Address boo#1223087/CVE-2024-31585, boo#1223273/CVE-2023-51795: + add patch 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch ------------------------------------------------------------------- From ce70338f7d8c060da5f5583dd0aa0a04aed5121b58ef81187ce39abccc923a7d Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 22 Apr 2024 23:23:08 +0000 Subject: [PATCH 5/5] +0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-5?expand=0&rev=86 --- ffmpeg-5.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ffmpeg-5.spec b/ffmpeg-5.spec index 835c674..a69a903 100644 --- a/ffmpeg-5.spec +++ b/ffmpeg-5.spec @@ -117,6 +117,7 @@ Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff @@ -843,6 +844,7 @@ Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff