[scarthgap,03/10] ffmpeg: fix CVE-2024-35366

Message ID	a07bc254011736c0f0445607c56609be677ea8a7.1734553652.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.182, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/10] ffmpeg: fix CVE-2024-35366 Date: Wed, 18 Dec 2024 14:02:07 -0800 Message-Id: <a07bc254011736c0f0445607c56609be677ea8a7.1734553652.git.steve@sakoman.com> In-Reply-To: <cover.1734553652.git.steve@sakoman.com> References: <cover.1734553652.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/10] binutils: Fix CVE-2024-53589 \| expand [scarthgap,01/10] binutils: Fix CVE-2024-53589 [scarthgap,02/10] subversion: fix CVE-2024-46901 [scarthgap,03/10] ffmpeg: fix CVE-2024-35366 [scarthgap,04/10] ffmpeg: fix CVE-2024-35367 [scarthgap,05/10] ffmpeg: fix CVE-2024-35368 [scarthgap,06/10] gcc: Fix c++: tweak for Wrange-loop-construct [scarthgap,07/10] python3: Drop empty patch [scarthgap,08/10] python3: add dependency on -compression to -core [scarthgap,09/10] kern-tools-native: fix SyntaxWarning for RegEx calls on Python 3.12 [scarthgap,10/10] rust: add reproducibility patch to eliminate host leakage

Message ID

a07bc254011736c0f0445607c56609be677ea8a7.1734553652.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/10] ffmpeg: fix CVE-2024-35366
Date: Wed, 18 Dec 2024 14:02:07 -0800
Message-Id: 
 <a07bc254011736c0f0445607c56609be677ea8a7.1734553652.git.steve@sakoman.com>
In-Reply-To: <cover.1734553652.git.steve@sakoman.com>
References: <cover.1734553652.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/10] binutils: Fix CVE-2024-53589 | expand

Commit Message

Steve Sakoman Dec. 18, 2024, 10:02 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        | 35 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
new file mode 100644
index 0000000000..f7f16a5b92
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
@@ -0,0 +1,35 @@ 
+From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2024-35366
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/sbgdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index b2662ea..281fe62 100644
+--- a/libavformat/sbgdec.c
++++ b/libavformat/sbgdec.c
+@@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p)
+                 case 'L':
+                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+                     r = str_to_time(oarg.s, &p->scs.opt_duration);
+-                    if (oarg.e != oarg.s + r) {
++                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+                         snprintf(p->err_msg, sizeof(p->err_msg),
+                                  "syntax error for option -L");
+                         return AVERROR_INVALIDDATA;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
index 8f4a8d34c0..dd95629648 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -37,6 +37,7 @@  SRC_URI = " \
     file://CVE-2023-50007.patch \
     file://CVE-2023-49528.patch \
     file://CVE-2024-7055.patch \
+    file://CVE-2024-35366.patch \
 "
 
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"

[scarthgap,03/10] ffmpeg: fix CVE-2024-35366

Commit Message

Patch