From: Archana Polampalli <archana.polampa...@windriver.com> In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../ffmpeg/ffmpeg/CVE-2024-35369.patch | 38 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch new file mode 100644 index 0000000000..b408ee2edc --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35369.patch @@ -0,0 +1,38 @@ +From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001 +From: James Almer <jamr...@gmail.com> +Date: Sat, 17 Feb 2024 09:45:57 -0300 +Subject: [PATCH] avcodec/speexdec: further check for sane frame_size + values + +Prevent potential integer overflows. + +Signed-off-by: James Almer <jamr...@gmail.com> + +CVE: CVE-2024-35369 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + libavcodec/speexdec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c +index 5b016df..f1f739a 100644 +--- a/libavcodec/speexdec.c ++++ b/libavcodec/speexdec.c +@@ -1419,9 +1419,10 @@ static int parse_speex_extradata(AVCodecContext *avctx, + return AVERROR_INVALIDDATA; + s->bitrate = bytestream_get_le32(&buf); + s->frame_size = bytestream_get_le32(&buf); +- if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0)) ++ if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) || ++ s->frame_size > INT32_MAX >> (s->mode > 0)) + return AVERROR_INVALIDDATA; +- s->frame_size *= 1 + (s->mode > 0); ++ s->frame_size <<= (s->mode > 0); + s->vbr = bytestream_get_le32(&buf); + s->frames_per_packet = bytestream_get_le32(&buf); + if (s->frames_per_packet <= 0 || +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 2048e51962..2173105fd3 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -49,6 +49,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-36617.patch \ file://CVE-2024-36618.patch \ file://CVE-2024-28661.patch \ + file://CVE-2024-35369.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#211905): https://lists.openembedded.org/g/openembedded-core/message/211905 Mute This Topic: https://lists.openembedded.org/mt/111377471/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
