From patchwork Fri Feb 7 15:41:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Polampalli, Archana" X-Patchwork-Id: 56860 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DA9EC02199 for ; Fri, 7 Feb 2025 15:41:23 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.72480.1738942877891616398 for ; Fri, 07 Feb 2025 07:41:17 -0800 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=4133c6c9d8=archana.polampalli@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 517FY2DF010078 for ; Fri, 7 Feb 2025 07:41:17 -0800 Received: from ala-exchng02.corp.ad.wrs.com (ala-exchng02.wrs.com [147.11.82.254]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 44hm0pxj0u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 07 Feb 2025 07:41:17 -0800 (PST) Received: from ala-exchng01.corp.ad.wrs.com (147.11.82.252) by ALA-EXCHNG02.corp.ad.wrs.com (147.11.82.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.43; Fri, 7 Feb 2025 07:41:16 -0800 Received: from blr-linux-engg1.wrs.com (147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 7 Feb 2025 07:41:15 -0800 
From: To: Subject: [oe-core][scarthgap][PATCH 1/8] ffmpeg: fix CVE-2024-35365 Date: Fri, 7 Feb 2025 15:41:06 +0000 Message-ID: <20250207154113.281835-1-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Authority-Analysis: v=2.4 cv=PqlpbxM3 c=1 sm=1 tr=0 ts=67a6299d cx=c_pps a=K4BcnWQioVPsTJd46EJO2w==:117 a=K4BcnWQioVPsTJd46EJO2w==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=UqCG9HQmAAAA:8 a=YH4T7oyaAAAA:8 a=b4Hp6kgha0tOKkJaIcgA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=yvBOfwjK7_2gsrmNK_ll:22 X-Proofpoint-ORIG-GUID: vQUaBmvrbm_KALXSkzE3m2Y0uH8dUHgp X-Proofpoint-GUID: vQUaBmvrbm_KALXSkzE3m2Y0uH8dUHgp X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-07_07,2025-02-07_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 adultscore=0 suspectscore=0 bulkscore=0 clxscore=1015 phishscore=0 lowpriorityscore=0 mlxscore=0 mlxlogscore=999 spamscore=0 impostorscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2501170000 definitions=main-2502070119 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Feb 2025 15:41:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210984 From: Archana Polampalli FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-35365.patch | 62 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch new file mode 100644 index 0000000000..2b5646e07c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch 
@@ -0,0 +1,62 @@ +From ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Mon, 25 Mar 2024 16:54:25 +0100 +Subject: [PATCH] fftools/ffmpeg_mux_init: Fix double-free on error + +MATCH_PER_STREAM_OPT iterates over all options of a given +OptionDef and tests whether they apply to the current stream; +if so, they are set to ost->apad, otherwise, the code errors +out. If no error happens, ost->apad is av_strdup'ed in order +to take ownership of this pointer. + +But this means that setting it originally was premature, +as it leads to double-frees when an error happens lateron. +This can simply be reproduced with +ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null - +This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd. + +Fix this by using a temporary variable instead of directly +setting ost->apad. Also only strdup the string if it actually +is != NULL. + +Reviewed-by: Marth64 +Signed-off-by: Andreas Rheinhardt + +CVE: CVE-2024-35365 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5] + +Signed-off-by: Archana Polampalli +--- + fftools/ffmpeg_mux_init.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c +index 63a25a3..685c064 100644 +--- a/fftools/ffmpeg_mux_init.c ++++ b/fftools/ffmpeg_mux_init.c +@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o, + int channels = 0; + char *layout = NULL; + char *sample_fmt = NULL; ++ const char *apad = NULL; + + MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st); + if (channels) { +@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o, + + MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st); + +- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st); +- ost->apad = av_strdup(ost->apad); ++ MATCH_PER_STREAM_OPT(apad, str, apad, 
oc, st); ++ if (apad) { ++ ost->apad = av_strdup(apad); ++ if (!ost->apad) ++ return AVERROR(ENOMEM); ++ } + + #if FFMPEG_OPT_MAP_CHANNEL + /* check for channel mapping for this audio stream */ +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index c3cfc87669..fb3f954904 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -40,6 +40,7 @@ SRC_URI = " \ file://CVE-2024-35366.patch \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ + file://CVE-2024-35365.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
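Review bot: Cleanup on the new "return AVERROR(ENOMEM);" path in the second fftools/ffmpeg_mux_init.c hunk cannot be verified from the context shown: the old code stored the av_strdup() result unchecked and carried on, so this is an exit that did not exist before, and the hunk does not show whether anything set up earlier in new_stream_audio() has to be released first. Please confirm that against the 6.1.1 source. The description would also be more useful if it said that the reproducer quoted in the upstream message (ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -) was run against the patched recipe, since it currently only restates the CVE text.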
Subject: [oe-core][scarthgap][PATCH 2/8] ffmpeg: fix CVE-2024-36613
Date: Fri, 7 Feb 2025 15:41:07 +0000
Message-ID: <20250207154113.281835-2-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210985

From: Archana Polampalli

FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior.
Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36613.patch | 37 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch new file mode 100644 index 0000000000..0061b7ad98 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch 
@@ -0,0 +1,37 @@ +From 50d8e4f27398fd5778485a827d7a2817921f8540 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 30 Sep 2023 00:51:29 +0200 +Subject: [PATCH] avformat/dxa: Adjust order of operations around block align + +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 +Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer +(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36613 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/50d8e4f27398fd5778485a827d7a2817921f8540] + +Signed-off-by: Archana Polampalli +--- + libavformat/dxa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/dxa.c b/libavformat/dxa.c +index 474b852..b4d9d00 100644 +--- a/libavformat/dxa.c ++++ b/libavformat/dxa.c +@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; +- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; ++ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + } + c->bytes_left = fsize; + c->wavpos = avio_tell(pb); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index fb3f954904..5e22fd4080 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -41,6 +41,7 @@ SRC_URI = " \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ file://CVE-2024-35365.patch \ + file://CVE-2024-36613.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
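Review bot: The dxa_read_header() fix in libavformat/dxa.c is correct only while "c->bpc - 1" is evaluated before block_align is added, and nothing in the code says that order is deliberate. The guard above the assignment admits c->bpc up to INT_MAX - block_align + 1, which is exactly the fuzzer's 2147483566 with a block_align of 82, so the old order reached INT_MAX + 1 on the first addition. A one-line comment on the assignment, proposed upstream rather than added to this backport, would keep a later tidy-up from restoring the overflowing form.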
Subject: [oe-core][scarthgap][PATCH 3/8] ffmpeg: fix CVE-2024-36616
Date: Fri, 7 Feb 2025 15:41:08 +0000
Message-ID: <20250207154113.281835-3-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210986

From: Archana Polampalli

An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36616.patch | 35 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch new file mode 100644 index 0000000000..3f02c45b33 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch @@ -0,0 +1,35 @@ +From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 26 Mar 2024 01:00:13 +0100 +Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets + +Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36616 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661] + +Signed-off-by: Archana Polampalli +--- + libavformat/westwood_vqa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c +index 03b2d9e..024f5d3 100644 +--- a/libavformat/westwood_vqa.c ++++ b/libavformat/westwood_vqa.c +@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, + break; + case SND2_TAG: + /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ +- pkt->duration = (chunk_size * 2) / wsvqa->channels; ++ pkt->duration = (chunk_size * 2LL) / wsvqa->channels; + break; + } + break; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 5e22fd4080..3a18580e51 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -42,6 +42,7 @@ SRC_URI = " \ file://CVE-2024-35368.patch \ file://CVE-2024-35365.patch \ file://CVE-2024-36613.patch \ + file://CVE-2024-36616.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
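Review bot: Only the SND2_TAG case in wsvqa_read_packet() gets the 64-bit multiply, and the hunk shows neither the neighbouring case that ends in the "break;" above it nor any check that wsvqa->channels is non-zero before the division. Please confirm in the 6.1.1 source that no sibling duration calculation still multiplies chunk_size in int, and that channels is validated before this point; if either is missing it needs its own upstream fix, not an edit to this backport.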
Subject: [oe-core][scarthgap][PATCH 4/8] ffmpeg: fix CVE-2024-36617
Date: Fri, 7 Feb 2025 15:41:09 +0000
Message-ID: <20250207154113.281835-4-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210987

From: Archana Polampalli

FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36617.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch new file mode 100644 index 0000000000..5d751213e3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch @@ -0,0 +1,36 @@ +From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Sat, 30 Sep 2023 00:38:17 +0200 +Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit + +Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36617 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7] + +Signed-off-by: Archana Polampalli +--- + libavformat/cafdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c +index f5ba0f4..e92e327 100644 +--- a/libavformat/cafdec.c ++++ b/libavformat/cafdec.c +@@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) + } + } + +- if (avio_tell(pb) - ccount > size) { ++ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { + av_log(s, AV_LOG_ERROR, "error reading packet table\n"); + return AVERROR_INVALIDDATA; + } +-- +2.40.0 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 3a18580e51..3ef2d9099d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -43,6 +43,7 @@ SRC_URI = " \ file://CVE-2024-35365.patch \ file://CVE-2024-36613.patch \ file://CVE-2024-36616.patch \ + file://CVE-2024-36617.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
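Review bot: The added "size > INT64_MAX - ccount" test in read_pakt_chunk() is itself free of overflow only if ccount is non-negative, which the hunk does not show; please check where ccount is assigned in libavformat/cafdec.c for 6.1.1. Both conditions also share the "error reading packet table" message, so an oversized chunk size is logged as a read failure; a distinct log line would make triage of rejected files easier, as a suggestion for upstream rather than for this backport.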
Subject: [oe-core][scarthgap][PATCH 5/8] ffmpeg: fix CVE-2024-36618
Date: Fri, 7 Feb 2025 15:41:10 +0000
Message-ID: <20250207154113.281835-5-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210988

From: Archana Polampalli

FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36618.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch new file mode 100644 index 0000000000..5caca2da7c --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch @@ -0,0 +1,36 @@ +From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001 +From: Andreas Rheinhardt +Date: Tue, 12 Mar 2024 23:23:17 +0100 +Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX < + INT64_MAX + +Affects many FATE-tests, see +https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu + +Reviewed-by: James Almer +Signed-off-by: Andreas Rheinhardt + +CVE: CVE-2024-36618 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857] + +Signed-off-by: Archana Polampalli +--- + libavformat/avidec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/avidec.c b/libavformat/avidec.c +index 00bd7a9..bc95466 100644 +--- a/libavformat/avidec.c ++++ b/libavformat/avidec.c +@@ -1696,7 +1696,7 @@ static int check_stream_max_drift(AVFormatContext *s) + int *idx = av_calloc(s->nb_streams, sizeof(*idx)); + if (!idx) + return AVERROR(ENOMEM); +- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { ++ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) { + int64_t max_dts = INT64_MIN / 2; + int64_t min_dts = INT64_MAX / 2; + int64_t max_buffer = 0; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 3ef2d9099d..37416ef01a 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -44,6 +44,7 @@ SRC_URI = " \ file://CVE-2024-36613.patch \ file://CVE-2024-36616.patch \ file://CVE-2024-36617.patch \ + file://CVE-2024-36618.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
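Review bot: The description leaves out the condition the upstream subject states, "iff ULONG_MAX < INT64_MAX": the "1LU" to "1ULL" change in check_stream_max_drift() matters only where unsigned long is narrower than 64 bits. Since this branch is built for both 32-bit and 64-bit machines, please say so in the description so that users can tell which targets were exposed.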
(147.11.136.210) by ala-exchng01.corp.ad.wrs.com (147.11.82.252) with Microsoft SMTP Server id 15.1.2507.43 via Frontend Transport; Fri, 7 Feb 2025 07:41:24 -0800 From: To: Subject: [oe-core][scarthgap][PATCH 6/8] ffmpeg: fix CVE-2024-36619 Date: Fri, 7 Feb 2025 15:41:11 +0000 Message-ID: <20250207154113.281835-6-archana.polampalli@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com> References: <20250207154113.281835-1-archana.polampalli@windriver.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: Yb2I6GgpeXoyuULhAnAxawKYp9UTqm_z X-Authority-Analysis: v=2.4 cv=HuqMG1TS c=1 sm=1 tr=0 ts=67a629a7 cx=c_pps a=/ZJR302f846pc/tyiSlYyQ==:117 a=/ZJR302f846pc/tyiSlYyQ==:17 a=T2h4t0Lz3GQA:10 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=4UUNWYyMJp9rmnlkn0oA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: Yb2I6GgpeXoyuULhAnAxawKYp9UTqm_z X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-02-07_07,2025-02-07_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 mlxlogscore=936 phishscore=0 adultscore=0 suspectscore=0 clxscore=1015 impostorscore=0 spamscore=0 lowpriorityscore=0 mlxscore=0 malwarescore=0 bulkscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2501170000 definitions=main-2502070119 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 07 Feb 2025 15:41:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210989 From: Archana Polampalli FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition. 
Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-36619.patch | 36 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch new file mode 100644 index 0000000000..63d08eabcc --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch @@ -0,0 +1,36 @@ +From 28c7094b25b689185155a6833caf2747b94774a4 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Thu, 4 Apr 2024 00:15:27 +0200 +Subject: [PATCH] avcodec/wavarc: fix signed integer overflow in block type + 6/19 + +Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int' +Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-36619 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4] + +Signed-off-by: Archana Polampalli +--- + libavcodec/wavarc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c +index 09ed4d4..51d91a4 100644 +--- a/libavcodec/wavarc.c ++++ b/libavcodec/wavarc.c +@@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx, + for (int o = 0; o < order; o++) + sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; + +- samples[n + 70] += ac_out[n] + (sum >> 4); ++ samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); + } + + for (int n = 0; n < 70; n++) +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 37416ef01a..dff78ccc53 100644 
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -45,6 +45,7 @@ SRC_URI = " \ file://CVE-2024-36616.patch \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ + file://CVE-2024-36619.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"

From patchwork Fri Feb 7 15:41:12 2025
X-Patchwork-Submitter: "Polampalli, Archana"
X-Patchwork-Id: 56866
X-Patchwork-Delegate: steve@sakoman.com
Subject: [oe-core][scarthgap][PATCH 7/8] ffmpeg: fix CVE-2024-35369
Date: Fri, 7 Feb 2025 15:41:12 +0000
Message-ID: <20250207154113.281835-7-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210990
From: Archana Polampalli In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. Signed-off-by: Archana Polampalli --- .../ffmpeg/ffmpeg/CVE-2024-35369.patch | 37 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch new file mode 100644 index 0000000000..72dc8d14a7 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch 
@@ -0,0 +1,37 @@ +From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001 +From: James Almer +Date: Sat, 17 Feb 2024 09:45:57 -0300 +Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values + +Prevent potential integer overflows. + +Signed-off-by: James Almer + +CVE: CVE-2024-35369 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c] + +Signed-off-by: Archana Polampalli +--- + libavcodec/speexdec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c +index 23b8605..a034009 100644 +--- a/libavcodec/speexdec.c ++++ b/libavcodec/speexdec.c +@@ -1420,9 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx, + return AVERROR_INVALIDDATA; + s->bitrate = bytestream_get_le32(&buf); + s->frame_size = bytestream_get_le32(&buf); +- if (s->frame_size < NB_FRAME_SIZE << s->mode) ++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) || ++ s->frame_size > INT32_MAX >> (s->mode > 0)) + return AVERROR_INVALIDDATA; +- s->frame_size *= 1 + (s->mode > 0); ++ s->frame_size <<= (s->mode > 0); + s->vbr = bytestream_get_le32(&buf); + s->frames_per_packet = bytestream_get_le32(&buf); + if (s->frames_per_packet <= 0 || +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index dff78ccc53..91ee6c6b0d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb 
@@ -46,6 +46,7 @@ SRC_URI = " \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ file://CVE-2024-36619.patch \ + file://CVE-2024-35369.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"

From patchwork Fri Feb 7 15:41:13 2025
X-Patchwork-Submitter: "Polampalli, Archana"
X-Patchwork-Id: 56867
X-Patchwork-Delegate: steve@sakoman.com
Subject: [oe-core][scarthgap][PATCH 8/8] gstreamer1.0-rtsp-server: fix CVE-2024-44331
Date: Fri, 7 Feb 2025 15:41:13 +0000
Message-ID: <20250207154113.281835-8-archana.polampalli@windriver.com>
In-Reply-To: <20250207154113.281835-1-archana.polampalli@windriver.com>
References: <20250207154113.281835-1-archana.polampalli@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210991
From: Archana Polampalli Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests. Signed-off-by: Archana Polampalli --- .../CVE-2024-44331.patch | 44 +++++++++++++++++++ .../gstreamer1.0-rtsp-server_1.22.12.bb | 4 +- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch new file mode 100644 index 0000000000..eea58d3538 --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server/CVE-2024-44331.patch 
@@ -0,0 +1,44 @@ +From aa3e97d67c05d4648ea58c7ff7675e24a81ca72b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= +Date: Thu, 24 Oct 2024 20:12:55 +0300 +Subject: [PATCH] rtsp-server: Remove pointless assertions that can happen if + client provides invalid rates + +Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731 +Fixes CVE-2024-44331 + +Part-of: + +CVE: CVE-2024-44331 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/aa3e97d67c05d4648ea58c7ff7675e24a81ca72b] + +Signed-off-by: Archana Polampalli +--- + gst/rtsp-server/rtsp-media.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/gst/rtsp-server/rtsp-media.c b/gst/rtsp-server/rtsp-media.c +index 8c62b0d..cbdc9f9 100644 +--- a/gst/rtsp-server/rtsp-media.c ++++ b/gst/rtsp-server/rtsp-media.c +@@ -2755,15 +2755,13 @@ gst_rtsp_media_get_rates (GstRTSPMedia * media, gdouble * rate, + first_stream = FALSE; + } else { + if (save_rate != *rate || save_applied_rate != *applied_rate) { +- /* diffrent rate or applied_rate, weird */ +- g_assert (FALSE); ++ /* different rate or applied_rate, weird */ + result = FALSE; + break; + } + } + } else { +- /* complete stream withot rate and applied_rate, weird */ +- g_assert (FALSE); ++ /* complete stream without rate and applied_rate, weird */ + result = FALSE; + break; + } +-- +2.40.0 diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.12.bb index c89c22f334..3cd21e7181 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.22.12.bb 
@@ -8,7 +8,9 @@ DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base" PNREAL = "gst-rtsp-server" -SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" +SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz \ + file://CVE-2024-44331.patch \ + " SRC_URI[sha256sum] = "bf6c7871e7cf3528e4ec87ddc2f2949691cd269f98e536482ae744c1405cf451"
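Review bot: In the libavcodec/wavarc.c hunk of CVE-2024-36619.patch (decode_5elp), the new `(unsigned)(sum >> 4)` cast removes the undefined signed addition by making `ac_out[n] + (unsigned)(sum >> 4)` wrap, but nothing in the hunk records that silent wraparound is the intended outcome for out-of-range input. The `+=` into `samples[n + 70]` then converts the unsigned result back to the element type, which is not visible in these lines. A one-line comment at the cast stating that wrapping is deliberate would keep a later cleanup from dropping it. The subject names block type 6/19 while only this one statement changes, so it is worth confirming that no other accumulation into `samples[]` in the same function still uses the signed form.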
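Review bot: In the libavcodec/speexdec.c hunk of CVE-2024-35369.patch (parse_speex_extradata), the lower bound changes from `NB_FRAME_SIZE << s->mode` to `NB_FRAME_SIZE << (s->mode > 0)`, which accepts smaller `frame_size` values than before whenever `s->mode` is greater than 1, and the message "Prevent potential integer overflows" does not mention that. Please note in the patch description that the minimum now follows the same factor as the `s->frame_size <<= (s->mode > 0)` scaling, so the relaxation is on record as intentional. The new upper bound `INT32_MAX >> (s->mode > 0)` only guarantees that the shift itself cannot overflow; the `frames_per_packet` check that follows is cut off in the context lines, so confirm that the combination of the two values is bounded there.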
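Review bot: In the gst/rtsp-server/rtsp-media.c hunk of CVE-2024-44331.patch (gst_rtsp_media_get_rates), both branches that lose `g_assert (FALSE);` now reach `result = FALSE; break;` with no log statement in the visible lines, so a client sending invalid rates leaves no trace at this point. A warning-level log on each branch would let operators spot repeated malformed requests. Since the FALSE return is now reachable from client input instead of aborting, please also confirm that every caller of gst_rtsp_media_get_rates checks the result before using `*rate` and `*applied_rate`.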
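Review bot: In the gstreamer1.0-rtsp-server_1.22.12.bb hunk, the patch is added to the 1.22.12 recipe while the commit message names "GStreamer RTSP server 1.25.0" as the affected version. Please state in the commit message that 1.22.12 carries the same `g_assert (FALSE)` paths in rtsp-media.c, so the applicability of the backport to this branch is documented alongside the SRC_URI change.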