* [OE-core] [PATCH] ffmpeg: CVE-2020-35965 Security Advisory
@ 2021-01-19 5:45 Wang Mingyu
From: Wang Mingyu @ 2021-01-19 5:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Wang Mingyu
refresh patch: CVE-2020-35965.patch
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35965
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
.../ffmpeg/ffmpeg/CVE-2020-35965.patch | 64 ++++++++++++++-----
1 file changed, 49 insertions(+), 15 deletions(-)
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
index ddab8e9aca..e865fa387d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -1,35 +1,69 @@
-From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Sat, 24 Oct 2020 22:21:48 +0200
-Subject: [PATCH] avcodec/exr: Check ymin vs. h
+Subject: [PATCH] CVE-2020-35965
+
+commit id:3e5959b3457f7f1856d997261e6ac672bba49e8b
+avcodec/exr: Check ymin vs. h:
Fixes: out of array access
Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]
+commit id:b0a8b40294ea212c1938348ff112ef1b9bf16bb3
+avcodec/exr: skip bottom clearing loop when its outside the image:
-CVE: CVE-2020-35965
+Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int'
+Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
---
- libavcodec/exr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ libavcodec/exr.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
-index e907c5c46401..8b701d1cd298 100644
+index 68d5bef..a933bbf 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
-@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+@@ -1654,7 +1654,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+ AVFrame *picture = data;
+ uint8_t *ptr;
+
+- int i, y, ret;
++ int i, y, ret, ymax;
+ int planes;
+ int out_line_size;
+ int nb_blocks; /* nb scanline or nb tile */
+@@ -1794,7 +1794,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
// Zero out the start if ymin is not 0
for (i = 0; i < planes; i++) {
ptr = picture->data[i];
- for (y = 0; y < s->ymin; y++) {
-+ for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
++ for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
memset(ptr, 0, out_line_size);
ptr += picture->linesize[i];
}
+@@ -1804,14 +1804,16 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+
+ avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);
+
++ ymax = FFMAX(0, s->ymax + 1);
+ // Zero out the end if ymax+1 is not h
+- for (i = 0; i < planes; i++) {
+- ptr = picture->data[i] + ((s->ymax+1) * picture->linesize[i]);
+- for (y = s->ymax + 1; y < avctx->height; y++) {
+- memset(ptr, 0, out_line_size);
+- ptr += picture->linesize[i];
++ if (ymax < avctx->height)
++ for (i = 0; i < planes; i++) {
++ ptr = picture->data[i] + (ymax * picture->linesize[i]);
++ for (y = ymax; y < avctx->height; y++) {
++ memset(ptr, 0, out_line_size);
++ ptr += picture->linesize[i];
++ }
+ }
+- }
+
+ picture->pict_type = AV_PICTURE_TYPE_I;
+ *got_frame = 1;
+--
+2.25.1
+
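Review bot: the refreshed header drops both tags OE-core expects in a security backport, `-Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]` and `-CVE: CVE-2020-35965`, without replacing them; `Upstream-Status:` is required by the OE-core patch conventions and cve-check uses the `CVE:` tag (not only the file name) to record the issue as patched, so both should be kept. The hunk also folds a second upstream commit (b0a8b40294ea212c1938348ff112ef1b9bf16bb3, the overflow fix that adds `ymax = FFMAX(0, s->ymax + 1)` and the `if (ymax < avctx->height)` guard) into the same file under a bare `commit id:` line; carrying it as a separate patch with its own `Upstream-Status: Backport [...]` line and the original `From:`/`Date:` headers keeps provenance of each change clear.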
--
2.25.1
* [OE-core] [PATCH] ghostscript: CVE-2013-6629 Security Advisory
@ 2021-01-19 5:45 ` Wang Mingyu
From: Wang Mingyu @ 2021-01-19 5:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Wang Mingyu
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
.../ghostscript/CVE-2013-6629.patch | 28 +++++++++++++++++++
.../ghostscript/ghostscript_9.53.3.bb | 1 +
2 files changed, 29 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
new file mode 100644
index 0000000000..dffd215b4d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
@@ -0,0 +1,28 @@
+Subject: [PATCH] CVE-2013-6629
+
+Author: pchelko
+---
+ jpeg/jdmarker.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/jpeg/jdmarker.c b/jpeg/jdmarker.c
+index 3fbe5c1..ea3ef4a 100644
+--- a/jpeg/jdmarker.c
++++ b/jpeg/jdmarker.c
+@@ -382,6 +382,13 @@ get_sos (j_decompress_ptr cinfo)
+
+ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, compptr->component_id,
+ compptr->dc_tbl_no, compptr->ac_tbl_no);
++
++ /* This CSi (cc) should differ from the previous CSi */
++ for (ci = 0; ci < i; ci++) {
++ if (cinfo->cur_comp_info[ci] == compptr) {
++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++ }
++ }
+ }
+
+ /* Collect the additional scan parameters Ss, Se, Ah/Al. */
+--
+2.25.1
+
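Review bot: the new patch file carries neither an `Upstream-Status:` nor a `CVE:` tag, and its header (`+Subject: [PATCH] CVE-2013-6629`, `+Author: pchelko`) gives no pointer to where the change comes from, so a reviewer cannot tell whether this is an upstream libjpeg commit, a backport, or a local fix; add `Upstream-Status:` naming the source, `CVE: CVE-2013-6629`, and a sentence on why the jpeg copy bundled in ghostscript still needs it. On the code itself, the duplicate-component check introduced at `++ for (ci = 0; ci < i; ci++)` compares `cinfo->cur_comp_info[ci] == compptr` by pointer, which only rejects a repeated component id if `compptr` was resolved from `cinfo->comp_info` earlier in get_sos, and it assumes `ci` is already declared there; neither is visible in the hunk, so both are worth confirming against the bundled jpeg version.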
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
index cbf60c8c85..24d17da263 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://do-not-check-local-libpng-source.patch \
file://avoid-host-contamination.patch \
file://mkdir-p.patch \
+ file://CVE-2013-6629.patch \
"
SRC_URI = "${SRC_URI_BASE} \
--
2.25.1
* Re: [OE-core] [PATCH] ffmpeg: CVE-2020-35965 Security Advisory
2021-01-19 5:45 [OE-core] [PATCH] ffmpeg: CVE-2020-35965 Security Advisory Wang Mingyu
2021-01-19 5:45 ` [OE-core] [PATCH] ghostscript: CVE-2013-6629 " Wang Mingyu
@ 2021-01-19 6:57 ` Anuj Mittal
1 sibling, 0 replies; 4+ messages in thread
From: Anuj Mittal @ 2021-01-19 6:57 UTC (permalink / raw)
To: openembedded-core, wangmy
On Tue, 2021-01-19 at 13:45 +0800, Wang Mingyu wrote:
> -From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00
> 2001
> -From: Michael Niedermayer <michael@niedermayer.cc>
> -Date: Sat, 24 Oct 2020 22:21:48 +0200
> -Subject: [PATCH] avcodec/exr: Check ymin vs. h
> +Subject: [PATCH] CVE-2020-35965
> +
> +commit id:3e5959b3457f7f1856d997261e6ac672bba49e8b
> +avcodec/exr: Check ymin vs. h:
>
> Fixes: out of array access
> Fixes: 26532/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
> Fixes: 27443/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
>
> -Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> -Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> -
> -Upstream-Status: Backport
> [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
> ]
> +commit id:b0a8b40294ea212c1938348ff112ef1b9bf16bb3
> +avcodec/exr: skip bottom clearing loop when its outside the image:
>
> -CVE: CVE-2020-35965
> +Fixes: signed integer overflow: 1633771809 * 32960 cannot be
> represented in type 'int'
> +Fixes: 26532/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
>
> +Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> -Signed-off-by: Khairul Rohaizzat Jamaluddin
> <khairul.rohaizzat.jamaluddin@intel.com>
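Review bot: the quoted rewrite also removes the upstream author lines `> -From: Michael Niedermayer <michael@niedermayer.cc>` and `> -Date: Sat, 24 Oct 2020 22:21:48 +0200` in favour of a bare `commit id:` line, so the patch file no longer records who wrote the change or when; keeping the unmodified `git format-patch` output of each upstream commit preserves those headers together with the tags.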
It looks like you are removing the CVE and Upstream-Status tag from
this patch.
It might be better to backport the second commit as a separate patch
instead of squashing it with the first one ...
Thanks,
Anuj
* Re: [OE-core] [PATCH] ghostscript: CVE-2013-6629 Security Advisory
@ 2021-01-19 12:42 ` Richard Purdie
From: Richard Purdie @ 2021-01-19 12:42 UTC (permalink / raw)
To: Wang Mingyu, openembedded-core
On Tue, 2021-01-19 at 13:45 +0800, Wang Mingyu wrote:
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
---
.../ghostscript/CVE-2013-6629.patch | 28 +++++++++++++++++++
.../ghostscript/ghostscript_9.53.3.bb | 1 +
2 files changed, 29 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
new file mode 100644
index 0000000000..dffd215b4d
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2013-6629.patch
@@ -0,0 +1,28 @@
+Subject: [PATCH] CVE-2013-6629
+
+Author: pchelko
+---
+ jpeg/jdmarker.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/jpeg/jdmarker.c b/jpeg/jdmarker.c
+index 3fbe5c1..ea3ef4a 100644
+--- a/jpeg/jdmarker.c
++++ b/jpeg/jdmarker.c
+@@ -382,6 +382,13 @@ get_sos (j_decompress_ptr cinfo)
+
+ TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, compptr->component_id,
+ compptr->dc_tbl_no, compptr->ac_tbl_no);
++
++ /* This CSi (cc) should differ from the previous CSi */
++ for (ci = 0; ci < i; ci++) {
++ if (cinfo->cur_comp_info[ci] == compptr) {
++ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++ }
++ }
+ }
+
+ /* Collect the additional scan parameters Ss, Se, Ah/Al. */
+--
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
index cbf60c8c85..24d17da263 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.53.3.bb
@@ -29,6 +29,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://do-not-check-local-libpng-source.patch \
file://avoid-host-contamination.patch \
file://mkdir-p.patch \
+ file://CVE-2013-6629.patch \
"
SRC_URI = "${SRC_URI_BASE} \
Does ghostscript still have an open issue from 2013? I'd like to
understand a bit more about the background to this patch and why
upstream haven't taken it...
Cheers,
Richard