Message ID | 30119a4797c89b8b501246c4266b08a62467833d.1673490673.git.steve@sakoman.com |
---|---|
State | New, archived |
Headers | show |
Series | [kirkstone,01/11] systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with a long backtrace | expand |
This patch doesn't apply cleanly on ffmpeg-5.0.1: ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected: Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch patching file libavcodec/vp3.c Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines). The context lines in the patches can be updated with devtool: devtool modify ffmpeg devtool finish --force-patch-refresh ffmpeg <layer_path> Don't forget to review changes done by devtool! ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] Narpat: Should I send a fix or will you handle that? On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote: > From: Narpat Mali <narpat.mali@windriver.com> > > An issue was discovered in the FFmpeg package, where vp3_decode_frame in > libavcodec/vp3.c lacks check of > the return value of av_malloc() and will cause a null pointer dereference, > impacting availability. > > CVE: CVE-2022-3109 > > Upstream-Status: Backport [ > https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568 > ] > > Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > Signed-off-by: Steve Sakoman <steve@sakoman.com> > --- > ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++ > .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +- > 2 files changed, 46 insertions(+), 1 deletion(-) > create mode 100644 > meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > > diff --git > a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > new file mode 100644 > index 0000000000..94858a6cdd > --- /dev/null > +++ > b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > @@ -0,0 +1,44 @@ > +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 > +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> > +Date: Tue, 15 Feb 2022 17:58:08 +0800 > +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc > + > +Since the av_malloc() may fail and return NULL pointer, > +it is needed that the 's->edge_emu_buffer' should be checked > +whether the new allocation is success. > + > +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") > +Reviewed-by: Peter Ross <pross@xvid.org> > +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> > + > +CVE: CVE-2022-3109 > + > +Upstream-Status: Backport [ > https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568 > ] > + > +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > +--- > + libavcodec/vp3.c | 7 ++++++- > + 1 file changed, 6 insertions(+), 1 deletion(-) > + > +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > +index e9ab54d736..e2418eb6fa 100644 > +--- a/libavcodec/vp3.c > ++++ b/libavcodec/vp3.c > +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, > + AV_GET_BUFFER_FLAG_REF)) < 0) > + goto error; > + > +- if (!s->edge_emu_buffer) > ++ if (!s->edge_emu_buffer) { > + s->edge_emu_buffer = av_malloc(9 * > FFABS(s->current_frame.f->linesize[0])); > ++ if (!s->edge_emu_buffer) { > ++ ret = AVERROR(ENOMEM); > ++ goto error; > ++ } > ++ } > + > + if (s->keyframe) { > + if (!s->theora) { > +-- > +2.34.1 > + > diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > index 95b4bf50ac..c5bebe9c2d 100644 > --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz > \ > > file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ > > file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ > > file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ > - " > + file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ > + " > > SRC_URI[sha256sum] = > "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" > > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#175776): > https://lists.openembedded.org/g/openembedded-core/message/175776 > Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > Martin.Jansa@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com> wrote: > > This patch doesn't apply cleanly on ffmpeg-5.0.1: Thanks for the review Martin. Not sure why this didn't show up in my testing! But since Richard hasn't taken the pull request yet I will remove this patch from the current pull request and move it to my next set of patches (along with your fix). Thanks! Steve > > ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected: > > Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > patching file libavcodec/vp3.c > Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines). > > > The context lines in the patches can be updated with devtool: > > devtool modify ffmpeg > devtool finish --force-patch-refresh ffmpeg <layer_path> > > Don't forget to review changes done by devtool! > > ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] > > Narpat: Should I send a fix or will you handle that? > > On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote: >> >> From: Narpat Mali <narpat.mali@windriver.com> >> >> An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of >> the return value of av_malloc() and will cause a null pointer dereference, impacting availability. >> >> CVE: CVE-2022-3109 >> >> Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] >> >> Signed-off-by: Narpat Mali <narpat.mali@windriver.com> >> Signed-off-by: Steve Sakoman <steve@sakoman.com> >> --- >> ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++ >> .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +- >> 2 files changed, 46 insertions(+), 1 deletion(-) >> create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch >> >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch >> new file mode 100644 >> index 0000000000..94858a6cdd >> --- /dev/null >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch >> @@ -0,0 +1,44 @@ >> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 >> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> >> +Date: Tue, 15 Feb 2022 17:58:08 +0800 >> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc >> + >> +Since the av_malloc() may fail and return NULL pointer, >> +it is needed that the 's->edge_emu_buffer' should be checked >> +whether the new allocation is success. >> + >> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") >> +Reviewed-by: Peter Ross <pross@xvid.org> >> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> >> + >> +CVE: CVE-2022-3109 >> + >> +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] >> + >> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> >> +--- >> + libavcodec/vp3.c | 7 ++++++- >> + 1 file changed, 6 insertions(+), 1 deletion(-) >> + >> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c >> +index e9ab54d736..e2418eb6fa 100644 >> +--- a/libavcodec/vp3.c >> ++++ b/libavcodec/vp3.c >> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, >> + AV_GET_BUFFER_FLAG_REF)) < 0) >> + goto error; >> + >> +- if (!s->edge_emu_buffer) >> ++ if (!s->edge_emu_buffer) { >> + s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); >> ++ if (!s->edge_emu_buffer) { >> ++ ret = AVERROR(ENOMEM); >> ++ goto error; >> ++ } >> ++ } >> + >> + if (s->keyframe) { >> + if (!s->theora) { >> +-- >> +2.34.1 >> + >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb >> index 95b4bf50ac..c5bebe9c2d 100644 >> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb >> @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ >> file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ >> file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ >> file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ >> - " >> + file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ >> + " >> >> SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" >> >> -- >> 2.25.1 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#175776): https://lists.openembedded.org/g/openembedded-core/message/175776 >> Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Martin.Jansa@gmail.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
On Mon, Jan 16, 2023 at 4:32 AM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com> wrote: > > > > This patch doesn't apply cleanly on ffmpeg-5.0.1: > > Thanks for the review Martin. > > Not sure why this didn't show up in my testing! But since Richard > hasn't taken the pull request yet I will remove this patch from the > current pull request and move it to my next set of patches (along with > your fix). Sigh, clearly I haven't had enough coffee yet this morning -- Richard has indeed already taken the pull request! I'll put your fix patch in the next set of patches for kirkstone and send a new pull request right after testing. Steve > > > > ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected: > > > > Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > > patching file libavcodec/vp3.c > > Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines). > > > > > > The context lines in the patches can be updated with devtool: > > > > devtool modify ffmpeg > > devtool finish --force-patch-refresh ffmpeg <layer_path> > > > > Don't forget to review changes done by devtool! > > > > ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] > > > > Narpat: Should I send a fix or will you handle that? > > > > On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote: > >> > >> From: Narpat Mali <narpat.mali@windriver.com> > >> > >> An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of > >> the return value of av_malloc() and will cause a null pointer dereference, impacting availability. > >> > >> CVE: CVE-2022-3109 > >> > >> Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] > >> > >> Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > >> Signed-off-by: Steve Sakoman <steve@sakoman.com> > >> --- > >> ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++ > >> .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +- > >> 2 files changed, 46 insertions(+), 1 deletion(-) > >> create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> > >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> new file mode 100644 > >> index 0000000000..94858a6cdd > >> --- /dev/null > >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> @@ -0,0 +1,44 @@ > >> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 > >> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> > >> +Date: Tue, 15 Feb 2022 17:58:08 +0800 > >> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc > >> + > >> +Since the av_malloc() may fail and return NULL pointer, > >> +it is needed that the 's->edge_emu_buffer' should be checked > >> +whether the new allocation is success. > >> + > >> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") > >> +Reviewed-by: Peter Ross <pross@xvid.org> > >> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> > >> + > >> +CVE: CVE-2022-3109 > >> + > >> +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] > >> + > >> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > >> +--- > >> + libavcodec/vp3.c | 7 ++++++- > >> + 1 file changed, 6 insertions(+), 1 deletion(-) > >> + > >> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > >> +index e9ab54d736..e2418eb6fa 100644 > >> +--- a/libavcodec/vp3.c > >> ++++ b/libavcodec/vp3.c > >> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, > >> + AV_GET_BUFFER_FLAG_REF)) < 0) > >> + goto error; > >> + > >> +- if (!s->edge_emu_buffer) > >> ++ if (!s->edge_emu_buffer) { > >> + s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); > >> ++ if (!s->edge_emu_buffer) { > >> ++ ret = AVERROR(ENOMEM); > >> ++ goto error; > >> ++ } > >> ++ } > >> + > >> + if (s->keyframe) { > >> + if (!s->theora) { > >> +-- > >> +2.34.1 > >> + > >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> index 95b4bf50ac..c5bebe9c2d 100644 > >> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ > >> file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ > >> file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ > >> file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ > >> - " > >> + file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ > >> + " > >> > >> SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" > >> > >> -- > >> 2.25.1 > >> > >> > >> > >> > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#175987): https://lists.openembedded.org/g/openembedded-core/message/175987 > Mute This Topic: https://lists.openembedded.org/mt/96215555/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
> Not sure why this didn't show up in my testing! It's shown only when do_patch task is really executed and it doesn't cause the do_patch to fail completely. So it's possible that you've built it once with the warning/error shown and then the next time you were doing the final test for kirkstone it was just re-using ffmpeg from sstate (without the need to re-executed do_patch again). Maybe we should consider this issue to be fatal for do_fetch when patch-fuzz is in ERROR_QA (I even thought it was working like that at some time). Regards, On Mon, Jan 16, 2023 at 3:32 PM Steve Sakoman <steve@sakoman.com> wrote: > On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com> > wrote: > > > > This patch doesn't apply cleanly on ffmpeg-5.0.1: > > Thanks for the review Martin. > > Not sure why this didn't show up in my testing! But since Richard > hasn't taken the pull request yet I will remove this patch from the > current pull request and move it to my next set of patches (along with > your fix). > > Thanks! > > Steve > > > > > ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected: > > > > Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > > patching file libavcodec/vp3.c > > Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines). > > > > > > The context lines in the patches can be updated with devtool: > > > > devtool modify ffmpeg > > devtool finish --force-patch-refresh ffmpeg <layer_path> > > > > Don't forget to review changes done by devtool! > > > > ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that > patches do not apply cleanly. [patch-fuzz] > > > > Narpat: Should I send a fix or will you handle that? > > > > On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote: > >> > >> From: Narpat Mali <narpat.mali@windriver.com> > >> > >> An issue was discovered in the FFmpeg package, where vp3_decode_frame > in libavcodec/vp3.c lacks check of > >> the return value of av_malloc() and will cause a null pointer > dereference, impacting availability. > >> > >> CVE: CVE-2022-3109 > >> > >> Upstream-Status: Backport [ > https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568 > ] > >> > >> Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > >> Signed-off-by: Steve Sakoman <steve@sakoman.com> > >> --- > >> ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++ > >> .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +- > >> 2 files changed, 46 insertions(+), 1 deletion(-) > >> create mode 100644 > meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> > >> diff --git > a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> new file mode 100644 > >> index 0000000000..94858a6cdd > >> --- /dev/null > >> +++ > b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch > >> @@ -0,0 +1,44 @@ > >> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 > >> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> > >> +Date: Tue, 15 Feb 2022 17:58:08 +0800 > >> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc > >> + > >> +Since the av_malloc() may fail and return NULL pointer, > >> +it is needed that the 's->edge_emu_buffer' should be checked > >> +whether the new allocation is success. > >> + > >> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") > >> +Reviewed-by: Peter Ross <pross@xvid.org> > >> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> > >> + > >> +CVE: CVE-2022-3109 > >> + > >> +Upstream-Status: Backport [ > https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568 > ] > >> + > >> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > >> +--- > >> + libavcodec/vp3.c | 7 ++++++- > >> + 1 file changed, 6 insertions(+), 1 deletion(-) > >> + > >> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > >> +index e9ab54d736..e2418eb6fa 100644 > >> +--- a/libavcodec/vp3.c > >> ++++ b/libavcodec/vp3.c > >> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext > *avctx, > >> + AV_GET_BUFFER_FLAG_REF)) < 0) > >> + goto error; > >> + > >> +- if (!s->edge_emu_buffer) > >> ++ if (!s->edge_emu_buffer) { > >> + s->edge_emu_buffer = av_malloc(9 * > FFABS(s->current_frame.f->linesize[0])); > >> ++ if (!s->edge_emu_buffer) { > >> ++ ret = AVERROR(ENOMEM); > >> ++ goto error; > >> ++ } > >> ++ } > >> + > >> + if (s->keyframe) { > >> + if (!s->theora) { > >> +-- > >> +2.34.1 > >> + > >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> index 95b4bf50ac..c5bebe9c2d 100644 > >> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb > >> @@ -26,7 +26,8 @@ SRC_URI = " > https://www.ffmpeg.org/releases/${BP}.tar.xz \ > >> > file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ > >> > file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ > >> > file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ > >> - " > >> + > file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ > >> + " > >> > >> SRC_URI[sha256sum] = > "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" > >> > >> -- > >> 2.25.1 > >> > >> > >> -=-=-=-=-=-=-=-=-=-=-=- > >> Links: You receive all messages sent to this group. > >> View/Reply Online (#175776): > https://lists.openembedded.org/g/openembedded-core/message/175776 > >> Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156 > >> Group Owner: openembedded-core+owner@lists.openembedded.org > >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > Martin.Jansa@gmail.com] > >> -=-=-=-=-=-=-=-=-=-=-=- > >> >
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch new file mode 100644 index 0000000000..94858a6cdd --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch @@ -0,0 +1,44 @@ +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> +Date: Tue, 15 Feb 2022 17:58:08 +0800 +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc + +Since the av_malloc() may fail and return NULL pointer, +it is needed that the 's->edge_emu_buffer' should be checked +whether the new allocation is success. + +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") +Reviewed-by: Peter Ross <pross@xvid.org> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> + +CVE: CVE-2022-3109 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + libavcodec/vp3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c +index e9ab54d736..e2418eb6fa 100644 +--- a/libavcodec/vp3.c ++++ b/libavcodec/vp3.c +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, + AV_GET_BUFFER_FLAG_REF)) < 0) + goto error; + +- if (!s->edge_emu_buffer) ++ if (!s->edge_emu_buffer) { + s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); ++ if (!s->edge_emu_buffer) { ++ ret = AVERROR(ENOMEM); ++ goto error; ++ } ++ } + + if (s->keyframe) { + if (!s->theora) { +-- +2.34.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 95b4bf50ac..c5bebe9c2d 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ - " + file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ + " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"