* [hardknott][PATCH 2/5] ffmpeg: fix CVE-2020-20453
2021-08-20 21:31 [hardknott][PATCH 1/5] ffmpeg: fix CVE-2020-20446 Tony Tascioglu
@ 2021-08-20 21:31 ` Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 3/5] ffmpeg: fix CVE-2020-22015 Tony Tascioglu
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Tony Tascioglu @ 2021-08-20 21:31 UTC (permalink / raw)
To: openembedded-core; +Cc: tony.tascioglu, randy.macleod
avcodec/aacenc: Avoid 0 lambda
Fixes: Ticket8003
Fixes: CVE-2020-20453
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-20453
Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../ffmpeg/ffmpeg/fix-CVE-2020-20453.patch | 42 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch
new file mode 100644
index 0000000000..4e430726b0
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch
@@ -0,0 +1,42 @@
+From 80f9cbee46757430af0769ec999ca702be652f7f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Fri, 28 May 2021 21:37:26 +0200
+Subject: [PATCH 2/5] avcodec/aacenc: Avoid 0 lambda
+
+Fixes: Ticket8003
+Fixes: CVE-2020-20453
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2020-20453
+Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavcodec/aacenc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
+index db11e0ca29..9c6cb75be4 100644
+--- a/libavcodec/aacenc.c
++++ b/libavcodec/aacenc.c
+@@ -28,6 +28,7 @@
+ * TODOs:
+ * add sane pulse detection
+ ***********************************/
++#include <float.h>
+
+ #include "libavutil/libm.h"
+ #include "libavutil/thread.h"
+@@ -856,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt,
+ /* Not so fast though */
+ ratio = sqrtf(ratio);
+ }
+- s->lambda = FFMIN(s->lambda * ratio, 65536.f);
++ s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f);
+
+ /* Keep iterating if we must reduce and lambda is in the sky */
+ if (ratio > 0.9f && ratio < 1.1f) {
+--
+2.32.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index b4fbebe414..3917ad9c2c 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://mips64_cpu_detection.patch \
file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
file://fix-CVE-2020-20446.patch \
+ file://fix-CVE-2020-20453.patch \
"
SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [hardknott][PATCH 3/5] ffmpeg: fix CVE-2020-22015
2021-08-20 21:31 [hardknott][PATCH 1/5] ffmpeg: fix CVE-2020-20446 Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 2/5] ffmpeg: fix CVE-2020-20453 Tony Tascioglu
@ 2021-08-20 21:31 ` Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 4/5] ffmpeg: fix CVE-2020-22021 Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 5/5] ffmpeg: fix CVE-2020-22019 and CVE-2020-22033 Tony Tascioglu
3 siblings, 0 replies; 5+ messages in thread
From: Tony Tascioglu @ 2021-08-20 21:31 UTC (permalink / raw)
To: openembedded-core; +Cc: tony.tascioglu, randy.macleod
avformat/movenc: Check pal_size before use
Fixes: assertion failure
Fixes: out of array read
Fixes: Ticket8190
Fixes: CVE-2020-22015
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-22015
Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../ffmpeg/ffmpeg/fix-CVE-2020-22015.patch | 44 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch
new file mode 100644
index 0000000000..1fdb31de7d
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch
@@ -0,0 +1,44 @@
+From dce5d2c2ee991f8cd96ab74d51a2d1a134a1a645 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:22:27 +0200
+Subject: [PATCH 3/5] avformat/movenc: Check pal_size before use
+
+Fixes: assertion failure
+Fixes: out of array read
+Fixes: Ticket8190
+Fixes: CVE-2020-22015
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+
+CVE: CVE-2020-22015
+Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavformat/movenc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/movenc.c b/libavformat/movenc.c
+index c34d86522a..9603704083 100644
+--- a/libavformat/movenc.c
++++ b/libavformat/movenc.c
+@@ -2094,11 +2094,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex
+ avio_wb16(pb, 0x18); /* Reserved */
+
+ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) {
+- int pal_size = 1 << track->par->bits_per_coded_sample;
+- int i;
++ int pal_size, i;
+ avio_wb16(pb, 0); /* Color table ID */
+ avio_wb32(pb, 0); /* Color table seed */
+ avio_wb16(pb, 0x8000); /* Color table flags */
++ if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8)
++ return AVERROR(EINVAL);
++ pal_size = 1 << track->par->bits_per_coded_sample;
+ avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */
+ for (i = 0; i < pal_size; i++) {
+ uint32_t rgb = track->palette[i];
+--
+2.32.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index 3917ad9c2c..c9c82b0398 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
file://fix-CVE-2020-20446.patch \
file://fix-CVE-2020-20453.patch \
+ file://fix-CVE-2020-22015.patch \
"
SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [hardknott][PATCH 4/5] ffmpeg: fix CVE-2020-22021
2021-08-20 21:31 [hardknott][PATCH 1/5] ffmpeg: fix CVE-2020-20446 Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 2/5] ffmpeg: fix CVE-2020-20453 Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 3/5] ffmpeg: fix CVE-2020-22015 Tony Tascioglu
@ 2021-08-20 21:31 ` Tony Tascioglu
2021-08-20 21:31 ` [hardknott][PATCH 5/5] ffmpeg: fix CVE-2020-22019 and CVE-2020-22033 Tony Tascioglu
3 siblings, 0 replies; 5+ messages in thread
From: Tony Tascioglu @ 2021-08-20 21:31 UTC (permalink / raw)
To: openembedded-core; +Cc: tony.tascioglu, randy.macleod
avfilter/vf_yadif: Fix handing of tiny images
Fixes: out of array access
Fixes: Ticket8240
Fixes: CVE-2020-22021
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-22021
Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../ffmpeg/ffmpeg/fix-CVE-2020-22021.patch | 87 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 +
2 files changed, 88 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
new file mode 100644
index 0000000000..05cba736ff
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
@@ -0,0 +1,87 @@
+From 384177ca945395c8cf0ebbddd4b8b1eae64e900f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 11:17:35 +0200
+Subject: [PATCH 4/5] avfilter/vf_yadif: Fix handing of tiny images
+
+Fixes: out of array access
+Fixes: Ticket8240
+Fixes: CVE-2020-22021
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2020-22021
+Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavfilter/vf_yadif.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
+index 43dea67add..06fd24ecfa 100644
+--- a/libavfilter/vf_yadif.c
++++ b/libavfilter/vf_yadif.c
+@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
+ uint8_t *next2 = parity ? cur : next;
+
+ const int edge = MAX_ALIGN - 1;
++ int offset = FFMAX(w - edge, 3);
+
+ /* Only edge pixels need to be processed here. A constant value of false
+ * for is_not_edge should let the compiler ignore the whole branch. */
+- FILTER(0, 3, 0)
++ FILTER(0, FFMIN(3, w), 0)
+
+- dst = (uint8_t*)dst1 + w - edge;
+- prev = (uint8_t*)prev1 + w - edge;
+- cur = (uint8_t*)cur1 + w - edge;
+- next = (uint8_t*)next1 + w - edge;
++ dst = (uint8_t*)dst1 + offset;
++ prev = (uint8_t*)prev1 + offset;
++ cur = (uint8_t*)cur1 + offset;
++ next = (uint8_t*)next1 + offset;
+ prev2 = (uint8_t*)(parity ? prev : cur);
+ next2 = (uint8_t*)(parity ? cur : next);
+
+- FILTER(w - edge, w - 3, 1)
+- FILTER(w - 3, w, 0)
++ FILTER(offset, w - 3, 1)
++ offset = FFMAX(offset, w - 3);
++ FILTER(offset, w, 0)
+ }
+
+
+@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
+ uint16_t *next2 = parity ? cur : next;
+
+ const int edge = MAX_ALIGN / 2 - 1;
++ int offset = FFMAX(w - edge, 3);
+
+ mrefs /= 2;
+ prefs /= 2;
+
+- FILTER(0, 3, 0)
++ FILTER(0, FFMIN(3, w), 0)
+
+- dst = (uint16_t*)dst1 + w - edge;
+- prev = (uint16_t*)prev1 + w - edge;
+- cur = (uint16_t*)cur1 + w - edge;
+- next = (uint16_t*)next1 + w - edge;
++ dst = (uint16_t*)dst1 + offset;
++ prev = (uint16_t*)prev1 + offset;
++ cur = (uint16_t*)cur1 + offset;
++ next = (uint16_t*)next1 + offset;
+ prev2 = (uint16_t*)(parity ? prev : cur);
+ next2 = (uint16_t*)(parity ? cur : next);
+
+- FILTER(w - edge, w - 3, 1)
+- FILTER(w - 3, w, 0)
++ FILTER(offset, w - 3, 1)
++ offset = FFMAX(offset, w - 3);
++ FILTER(offset, w, 0)
+ }
+
+ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
+--
+2.32.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index c9c82b0398..e68589d4c3 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://fix-CVE-2020-20446.patch \
file://fix-CVE-2020-20453.patch \
file://fix-CVE-2020-22015.patch \
+ file://fix-CVE-2020-22021.patch \
"
SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread* [hardknott][PATCH 5/5] ffmpeg: fix CVE-2020-22019 and CVE-2020-22033
2021-08-20 21:31 [hardknott][PATCH 1/5] ffmpeg: fix CVE-2020-20446 Tony Tascioglu
` (2 preceding siblings ...)
2021-08-20 21:31 ` [hardknott][PATCH 4/5] ffmpeg: fix CVE-2020-22021 Tony Tascioglu
@ 2021-08-20 21:31 ` Tony Tascioglu
3 siblings, 0 replies; 5+ messages in thread
From: Tony Tascioglu @ 2021-08-20 21:31 UTC (permalink / raw)
To: openembedded-core; +Cc: tony.tascioglu, randy.macleod
avfilter/vf_vmafmotion: Check dimensions
Fixes: out of array access
Fixes: Ticket8241
Fixes: Ticket8246
Fixes: CVE-2020-22019
Fixes: CVE-2020-22033
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-22033
CVE: CVE-2020-22019
Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
.../fix-CVE-2020-22033-CVE-2020-22019.patch | 39 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch
new file mode 100644
index 0000000000..e98ddaaede
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch
@@ -0,0 +1,39 @@
+From 2f3bf456fa641edf154a99c4586d7bf52c02a495 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 09:58:31 +0200
+Subject: [PATCH 5/5] avfilter/vf_vmafmotion: Check dimensions
+
+Fixes: out of array access
+Fixes: Ticket8241
+Fixes: Ticket8246
+Fixes: CVE-2020-22019
+Fixes: CVE-2020-22033
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2020-22033
+CVE: CVE-2020-22019
+Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavfilter/vf_vmafmotion.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c
+index 88d0b35095..0730147e7d 100644
+--- a/libavfilter/vf_vmafmotion.c
++++ b/libavfilter/vf_vmafmotion.c
+@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
+ int i;
+ const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
+
++ if (w < 3 || h < 3)
++ return AVERROR(EINVAL);
++
+ s->width = w;
+ s->height = h;
+ s->stride = FFALIGN(w * sizeof(uint16_t), 32);
+--
+2.32.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index e68589d4c3..0a49493abd 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://fix-CVE-2020-20453.patch \
file://fix-CVE-2020-22015.patch \
file://fix-CVE-2020-22021.patch \
+ file://fix-CVE-2020-22033-CVE-2020-22019.patch \
"
SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
--
2.31.1
^ permalink raw reply related [flat|nested] 5+ messages in thread