From patchwork Tue Feb 11 20:09:06 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 57159
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/14] ffmpeg: fix CVE-2024-35369
Date: Tue, 11 Feb 2025 12:09:06 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/211176

From: Archana Polampalli In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-35369.patch | 37 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch new file mode 100644 index 0000000000..72dc8d14a7 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch 
@@ -0,0 +1,37 @@ +From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Sat, 17 Feb 2024 09:45:57 -0300 +Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values + +Prevent potential integer overflows. + +Signed-off-by: James Almer + +CVE: CVE-2024-35369 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c] + +Signed-off-by: Archana Polampalli +--- + libavcodec/speexdec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c +index 23b8605..a034009 100644 +--- a/libavcodec/speexdec.c ++++ b/libavcodec/speexdec.c +@@ -1420,9 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx, + return AVERROR_INVALIDDATA; + s->bitrate = bytestream_get_le32(&buf); + s->frame_size = bytestream_get_le32(&buf); +- if (s->frame_size < NB_FRAME_SIZE << s->mode) ++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) || ++ s->frame_size > INT32_MAX >> (s->mode > 0)) + return AVERROR_INVALIDDATA; +- s->frame_size *= 1 + (s->mode > 0); ++ s->frame_size <<= (s->mode > 0); + s->vbr = bytestream_get_le32(&buf); + s->frames_per_packet = bytestream_get_le32(&buf); + if (s->frames_per_packet <= 0 || +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index dff78ccc53..91ee6c6b0d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb @@ -46,6 +46,7 @@ SRC_URI = " \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ file://CVE-2024-36619.patch \ + file://CVE-2024-35369.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
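
Review bot: In the embedded libavcodec/speexdec.c hunk, the lower bound's shift changes from "s->mode" to "(s->mode > 0)", which is a behaviour change beyond the overflow fix the patch description mentions: for any s->mode above 1 the minimum accepted frame_size is now smaller than before. It lines up with the scaling step, which doubles frame_size only when s->mode > 0 both before and after the change, so it reads as intentional, but a sentence in the commit message noting it would save the next reader from having to work that out. The added upper bound "s->frame_size > INT32_MAX >> (s->mode > 0)" does keep the following "s->frame_size <<= (s->mode > 0)" from exceeding INT32_MAX; the declared type of frame_size is not visible in this context, so it is worth confirming it is a signed 32-bit int so that the INT32_MAX limit matches.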