[scarthgap,07/14] ffmpeg: fix CVE-2024-35369

Message ID	c46bb37a76582ee7352f2bc027920e8ba76e5c15.1739304425.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.174, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/14] ffmpeg: fix CVE-2024-35369 Date: Tue, 11 Feb 2025 12:09:06 -0800 Message-ID: <c46bb37a76582ee7352f2bc027920e8ba76e5c15.1739304425.git.steve@sakoman.com> In-Reply-To: <cover.1739304425.git.steve@sakoman.com> References: <cover.1739304425.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/14] ffmpeg: fix CVE-2024-35365 \| expand [scarthgap,01/14] ffmpeg: fix CVE-2024-35365 [scarthgap,02/14] ffmpeg: fix CVE-2024-36613 [scarthgap,03/14] ffmpeg: fix CVE-2024-36616 [scarthgap,04/14] ffmpeg: fix CVE-2024-36617 [scarthgap,05/14] ffmpeg: fix CVE-2024-36618 [scarthgap,06/14] ffmpeg: fix CVE-2024-36619 [scarthgap,07/14] ffmpeg: fix CVE-2024-35369 [scarthgap,08/14] gstreamer1.0-rtsp-server: fix CVE-2024-44331 [scarthgap,09/14] python3: upgrade 3.12.8 -> 3.12.9 [scarthgap,10/14] linux-yocto/6.6: update to v6.6.75 [scarthgap,11/14] go: upgrade 1.22.11 -> 1.22.12 [scarthgap,12/14] cmake: apply parallel build settings to ptest tasks [scarthgap,13/14] qemu: Do not define sched_attr with glibc >= 2.41 [scarthgap,14/14] base-files: Drop /bin/sh dependency

Message ID

c46bb37a76582ee7352f2bc027920e8ba76e5c15.1739304425.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/14] ffmpeg: fix CVE-2024-35369
Date: Tue, 11 Feb 2025 12:09:06 -0800
Message-ID: 
 <c46bb37a76582ee7352f2bc027920e8ba76e5c15.1739304425.git.steve@sakoman.com>
In-Reply-To: <cover.1739304425.git.steve@sakoman.com>
References: <cover.1739304425.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/14] ffmpeg: fix CVE-2024-35365 | expand

Commit Message

Steve Sakoman Feb. 11, 2025, 8:09 p.m. UTC

From: Archana Polampalli <archana.polampalli@windriver.com>

In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module,
a potential security vulnerability exists due to insufficient validation
of certain parameters when parsing Speex codec extradata. This vulnerability
could lead to integer overflow conditions, potentially resulting in undefined
behavior or crashes during the decoding process.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35369.patch        | 37 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
new file mode 100644
index 0000000000..72dc8d14a7
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch
@@ -0,0 +1,37 @@ 
+From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Sat, 17 Feb 2024 09:45:57 -0300
+Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
+
+Prevent potential integer overflows.
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+
+CVE: CVE-2024-35369
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/speexdec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index 23b8605..a034009 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1420,9 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+         return AVERROR_INVALIDDATA;
+     s->bitrate = bytestream_get_le32(&buf);
+     s->frame_size = bytestream_get_le32(&buf);
+-    if (s->frame_size < NB_FRAME_SIZE << s->mode)
++    if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
++        s->frame_size >     INT32_MAX >> (s->mode > 0))
+         return AVERROR_INVALIDDATA;
+-    s->frame_size *= 1 + (s->mode > 0);
++    s->frame_size <<= (s->mode > 0);
+     s->vbr = bytestream_get_le32(&buf);
+     s->frames_per_packet = bytestream_get_le32(&buf);
+     if (s->frames_per_packet <= 0 ||
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
index dff78ccc53..91ee6c6b0d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -46,6 +46,7 @@  SRC_URI = " \
     file://CVE-2024-36617.patch \
     file://CVE-2024-36618.patch \
     file://CVE-2024-36619.patch \
+    file://CVE-2024-35369.patch \
 "
 
 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"

[scarthgap,07/14] ffmpeg: fix CVE-2024-35369

Commit Message

Patch