Re: [OE-core] [PATCH][gatesgarth] ffmpeg: Fix CVE-2020-35964, CVE-2020-35965

Wed, 13 Jan 2021 08:41:48 -0800 

Please ignore this. Wrongly sent.

Thank you & Kind regards,
Khairul

-----Original Message-----
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> On Behalf Of Jamaluddin, Khairul 
Rohaizzat
Sent: Thursday, January 14, 2021 12:40 AM
To: openembedded-core@lists.openembedded.org
Cc: Jamaluddin, Khairul Rohaizzat <khairul.rohaizzat.jamalud...@intel.com>
Subject: [OE-core] [PATCH][gatesgarth] ffmpeg: Fix CVE-2020-35964, 
CVE-2020-35965

From: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamalud...@intel.com>

Backport the CVE patches from upstream:
https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b

CVE:
CVE-2020-35964
CVE-2020-35965

Signed-off-by: Khairul Rohaizzat Jamaluddin 
<khairul.rohaizzat.jamalud...@intel.com>
---
 .../ffmpeg/ffmpeg/CVE-2020-35964.patch             | 68 ++++++++++++++++++++++
 .../ffmpeg/ffmpeg/CVE-2020-35965.patch             | 28 +++++++++
 meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb     |  2 +
 3 files changed, 98 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
new file mode 100644
index 0000000..eaee3a9
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35964.patch
@@ -0,0 +1,68 @@
+From 27a99e2c7d450fef15594671eef4465c8a166bd7 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <mich...@niedermayer.cc>
+Date: Wed, 28 Oct 2020 20:11:54 +0100
+Subject: [PATCH] avformat/vividas: improve extradata packing checks in
+ track_header()
+
+Fixes: out of array accesses
+Fixes: 
+26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-65812003
+38288640
+
+Found-by: continuous fuzzing process 
+https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
+---
+ libavformat/vividas.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 
+83d0ed116787..46c66bf9a0ae 100644
+--- a/libavformat/vividas.c
++++ b/libavformat/vividas.c
+@@ -28,6 +28,7 @@
+  * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
+  */
+ 
++#include "libavutil/avassert.h"
+ #include "libavutil/intreadwrite.h"
+ #include "avio_internal.h"
+ #include "avformat.h"
+@@ -379,7 +380,7 @@ static int track_header(VividasDemuxContext *viv, 
+AVFormatContext *s,  uint8_t *
+ 
+         if (avio_tell(pb) < off) {
+             int num_data;
+-            int xd_size = 0;
++            int xd_size = 1;
+             int data_len[256];
+             int offset = 1;
+             uint8_t *p;
+@@ -393,10 +394,10 @@ static int track_header(VividasDemuxContext *viv, 
AVFormatContext *s,  uint8_t *
+                     return AVERROR_INVALIDDATA;
+                 }
+                 data_len[j] = len;
+-                xd_size += len;
++                xd_size += len + 1 + len/255;
+             }
+ 
+-            ret = ff_alloc_extradata(st->codecpar, 64 + xd_size + xd_size / 
255);
++            ret = ff_alloc_extradata(st->codecpar, xd_size);
+             if (ret < 0)
+                 return ret;
+ 
+@@ -405,9 +406,7 @@ static int track_header(VividasDemuxContext *viv, 
+AVFormatContext *s,  uint8_t *
+ 
+             for (j = 0; j < num_data - 1; j++) {
+                 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
+-                if (delta > data_len[j]) {
+-                    return AVERROR_INVALIDDATA;
+-                }
++                av_assert0(delta <= xd_size - offset);
+                 offset += delta;
+             }
+ 
+@@ -418,6 +417,7 @@ static int track_header(VividasDemuxContext *viv, 
AVFormatContext *s,  uint8_t *
+                     av_freep(&st->codecpar->extradata);
+                     break;
+                 }
++                av_assert0(data_len[j] <= xd_size - offset);
+                 offset += data_len[j];
+             }
+ 
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
new file mode 100644
index 0000000..b3ecc45b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -0,0 +1,28 @@
+From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <mich...@niedermayer.cc>
+Date: Sat, 24 Oct 2020 22:21:48 +0200
+Subject: [PATCH] avcodec/exr: Check ymin vs. h
+
+Fixes: out of array access
+Fixes: 
+26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613
+925708857344
+Fixes: 
+27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631
+239813595136
+
+Found-by: continuous fuzzing process 
+https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
+---
+ libavcodec/exr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 
+e907c5c46401..8b701d1cd298 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+     // Zero out the start if ymin is not 0
+     for (i = 0; i < planes; i++) {
+         ptr = picture->data[i];
+-        for (y = 0; y < s->ymin; y++) {
++        for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
+             memset(ptr, 0, out_line_size);
+             ptr += picture->linesize[i];
+         }
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb 
b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
index 37647e8..f902b08 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.1.bb
@@ -26,6 +26,8 @@ LIC_FILES_CHKSUM = 
"file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \  SRC_URI = 
"https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://mips64_cpu_detection.patch \
            
file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
+           file://CVE-2020-35964.patch \
+           file://CVE-2020-35965.patch \
            "
 SRC_URI[sha256sum] = 
"ad009240d46e307b4e03a213a0f49c11b650e445b1f8be0dda2a9212b34d2ffb"
 
--
2.7.4


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146660): 
https://lists.openembedded.org/g/openembedded-core/message/146660
Mute This Topic: https://lists.openembedded.org/mt/79655064/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to