diff mbox series

[kirkstone,03/11] ffmpeg: fix for CVE-2022-3109

Message ID 30119a4797c89b8b501246c4266b08a62467833d.1673490673.git.steve@sakoman.com
State New, archived
Headers show
Series [kirkstone,01/11] systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with a long backtrace | expand

Commit Message

Steve Sakoman Jan. 12, 2023, 2:33 a.m. UTC 
From: Narpat Mali <narpat.mali@windriver.com>

An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of
the return value of av_malloc() and will cause a null pointer dereference, impacting availability.

CVE: CVE-2022-3109

Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  3 +-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch

Comments

Martin Jansa Jan. 16, 2023, noon UTC | #1 
This patch doesn't apply cleanly on ffmpeg-5.0.1:

ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected:

Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
patching file libavcodec/vp3.c
Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines).


The context lines in the patches can be updated with devtool:

    devtool modify ffmpeg
    devtool finish --force-patch-refresh ffmpeg <layer_path>

Don't forget to review changes done by devtool!

ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches
do not apply cleanly. [patch-fuzz]

Narpat: Should I send a fix or will you handle that?

On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote:

> From: Narpat Mali <narpat.mali@windriver.com>
>
> An issue was discovered in the FFmpeg package, where vp3_decode_frame in
> libavcodec/vp3.c lacks check of
> the return value of av_malloc() and will cause a null pointer dereference,
> impacting availability.
>
> CVE: CVE-2022-3109
>
> Upstream-Status: Backport [
> https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
> ]
>
> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++
>  .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  3 +-
>  2 files changed, 46 insertions(+), 1 deletion(-)
>  create mode 100644
> meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
>
> diff --git
> a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> new file mode 100644
> index 0000000000..94858a6cdd
> --- /dev/null
> +++
> b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> @@ -0,0 +1,44 @@
> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> +Date: Tue, 15 Feb 2022 17:58:08 +0800
> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
> +
> +Since the av_malloc() may fail and return NULL pointer,
> +it is needed that the 's->edge_emu_buffer' should be checked
> +whether the new allocation is success.
> +
> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
> +Reviewed-by: Peter Ross <pross@xvid.org>
> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> +
> +CVE: CVE-2022-3109
> +
> +Upstream-Status: Backport [
> https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
> ]
> +
> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> +---
> + libavcodec/vp3.c | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> +index e9ab54d736..e2418eb6fa 100644
> +--- a/libavcodec/vp3.c
> ++++ b/libavcodec/vp3.c
> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
> +                                         AV_GET_BUFFER_FLAG_REF)) < 0)
> +         goto error;
> +
> +-    if (!s->edge_emu_buffer)
> ++    if (!s->edge_emu_buffer) {
> +         s->edge_emu_buffer = av_malloc(9 *
> FFABS(s->current_frame.f->linesize[0]));
> ++        if (!s->edge_emu_buffer) {
> ++            ret = AVERROR(ENOMEM);
> ++            goto error;
> ++        }
> ++    }
> +
> +     if (s->keyframe) {
> +         if (!s->theora) {
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> index 95b4bf50ac..c5bebe9c2d 100644
> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz
> \
>
> file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
>
> file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \
>
> file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
> -           "
> +           file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
> +          "
>
>  SRC_URI[sha256sum] =
> "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#175776):
> https://lists.openembedded.org/g/openembedded-core/message/175776
> Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> Martin.Jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Steve Sakoman Jan. 16, 2023, 2:32 p.m. UTC | #2 
On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> This patch doesn't apply cleanly on ffmpeg-5.0.1:

Thanks for the review Martin.

Not sure why this didn't show up in my testing!  But since Richard
hasn't taken the pull request yet I will remove this patch from the
current pull request and move it to my next set of patches (along with
your fix).

Thanks!

Steve

>
> ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected:
>
> Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> patching file libavcodec/vp3.c
> Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify ffmpeg
>     devtool finish --force-patch-refresh ffmpeg <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
>
> Narpat: Should I send a fix or will you handle that?
>
> On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote:
>>
>> From: Narpat Mali <narpat.mali@windriver.com>
>>
>> An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of
>> the return value of av_malloc() and will cause a null pointer dereference, impacting availability.
>>
>> CVE: CVE-2022-3109
>>
>> Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
>>
>> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
>> Signed-off-by: Steve Sakoman <steve@sakoman.com>
>> ---
>>  ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++
>>  .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  3 +-
>>  2 files changed, 46 insertions(+), 1 deletion(-)
>>  create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
>>
>> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
>> new file mode 100644
>> index 0000000000..94858a6cdd
>> --- /dev/null
>> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
>> @@ -0,0 +1,44 @@
>> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
>> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
>> +Date: Tue, 15 Feb 2022 17:58:08 +0800
>> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
>> +
>> +Since the av_malloc() may fail and return NULL pointer,
>> +it is needed that the 's->edge_emu_buffer' should be checked
>> +whether the new allocation is success.
>> +
>> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
>> +Reviewed-by: Peter Ross <pross@xvid.org>
>> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
>> +
>> +CVE: CVE-2022-3109
>> +
>> +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
>> +
>> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
>> +---
>> + libavcodec/vp3.c | 7 ++++++-
>> + 1 file changed, 6 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
>> +index e9ab54d736..e2418eb6fa 100644
>> +--- a/libavcodec/vp3.c
>> ++++ b/libavcodec/vp3.c
>> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
>> +                                         AV_GET_BUFFER_FLAG_REF)) < 0)
>> +         goto error;
>> +
>> +-    if (!s->edge_emu_buffer)
>> ++    if (!s->edge_emu_buffer) {
>> +         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
>> ++        if (!s->edge_emu_buffer) {
>> ++            ret = AVERROR(ENOMEM);
>> ++            goto error;
>> ++        }
>> ++    }
>> +
>> +     if (s->keyframe) {
>> +         if (!s->theora) {
>> +--
>> +2.34.1
>> +
>> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
>> index 95b4bf50ac..c5bebe9c2d 100644
>> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
>> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
>> @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
>>             file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
>>             file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \
>>             file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
>> -           "
>> +           file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
>> +          "
>>
>>  SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
>>
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#175776): https://lists.openembedded.org/g/openembedded-core/message/175776
>> Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Martin.Jansa@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
Steve Sakoman Jan. 16, 2023, 2:39 p.m. UTC | #3 
On Mon, Jan 16, 2023 at 4:32 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com> wrote:
> >
> > This patch doesn't apply cleanly on ffmpeg-5.0.1:
>
> Thanks for the review Martin.
>
> Not sure why this didn't show up in my testing!  But since Richard
> hasn't taken the pull request yet I will remove this patch from the
> current pull request and move it to my next set of patches (along with
> your fix).

Sigh, clearly I haven't had enough coffee yet this morning -- Richard
has indeed already taken the pull request!

I'll put your fix patch in the next set of patches for kirkstone and
send a new pull request right after testing.

Steve

> >
> > ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected:
> >
> > Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> > patching file libavcodec/vp3.c
> > Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines).
> >
> >
> > The context lines in the patches can be updated with devtool:
> >
> >     devtool modify ffmpeg
> >     devtool finish --force-patch-refresh ffmpeg <layer_path>
> >
> > Don't forget to review changes done by devtool!
> >
> > ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
> >
> > Narpat: Should I send a fix or will you handle that?
> >
> > On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote:
> >>
> >> From: Narpat Mali <narpat.mali@windriver.com>
> >>
> >> An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of
> >> the return value of av_malloc() and will cause a null pointer dereference, impacting availability.
> >>
> >> CVE: CVE-2022-3109
> >>
> >> Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
> >>
> >> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> >> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> >> ---
> >>  ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++
> >>  .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  3 +-
> >>  2 files changed, 46 insertions(+), 1 deletion(-)
> >>  create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >>
> >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >> new file mode 100644
> >> index 0000000000..94858a6cdd
> >> --- /dev/null
> >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >> @@ -0,0 +1,44 @@
> >> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
> >> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> >> +Date: Tue, 15 Feb 2022 17:58:08 +0800
> >> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
> >> +
> >> +Since the av_malloc() may fail and return NULL pointer,
> >> +it is needed that the 's->edge_emu_buffer' should be checked
> >> +whether the new allocation is success.
> >> +
> >> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
> >> +Reviewed-by: Peter Ross <pross@xvid.org>
> >> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> >> +
> >> +CVE: CVE-2022-3109
> >> +
> >> +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
> >> +
> >> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> >> +---
> >> + libavcodec/vp3.c | 7 ++++++-
> >> + 1 file changed, 6 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> >> +index e9ab54d736..e2418eb6fa 100644
> >> +--- a/libavcodec/vp3.c
> >> ++++ b/libavcodec/vp3.c
> >> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
> >> +                                         AV_GET_BUFFER_FLAG_REF)) < 0)
> >> +         goto error;
> >> +
> >> +-    if (!s->edge_emu_buffer)
> >> ++    if (!s->edge_emu_buffer) {
> >> +         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
> >> ++        if (!s->edge_emu_buffer) {
> >> ++            ret = AVERROR(ENOMEM);
> >> ++            goto error;
> >> ++        }
> >> ++    }
> >> +
> >> +     if (s->keyframe) {
> >> +         if (!s->theora) {
> >> +--
> >> +2.34.1
> >> +
> >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> index 95b4bf50ac..c5bebe9c2d 100644
> >> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> @@ -26,7 +26,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
> >>             file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
> >>             file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \
> >>             file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
> >> -           "
> >> +           file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
> >> +          "
> >>
> >>  SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
> >>
> >> --
> >> 2.25.1
> >>
> >>
> >>
> >>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#175987): https://lists.openembedded.org/g/openembedded-core/message/175987
> Mute This Topic: https://lists.openembedded.org/mt/96215555/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Martin Jansa Jan. 16, 2023, 2:45 p.m. UTC | #4 
> Not sure why this didn't show up in my testing!

It's shown only when do_patch task is really executed and it doesn't cause
the do_patch to fail completely. So it's possible that you've built it once
with the warning/error shown and then the next time you were doing the
final test for kirkstone it was just re-using ffmpeg from sstate (without
the need to re-executed do_patch again).

Maybe we should consider this issue to be fatal for do_fetch when
patch-fuzz is in ERROR_QA (I even thought it was working like that at some
time).

Regards,

On Mon, Jan 16, 2023 at 3:32 PM Steve Sakoman <steve@sakoman.com> wrote:

> On Mon, Jan 16, 2023 at 2:00 AM Martin Jansa <martin.jansa@gmail.com>
> wrote:
> >
> > This patch doesn't apply cleanly on ffmpeg-5.0.1:
>
> Thanks for the review Martin.
>
> Not sure why this didn't show up in my testing!  But since Richard
> hasn't taken the pull request yet I will remove this patch from the
> current pull request and move it to my next set of patches (along with
> your fix).
>
> Thanks!
>
> Steve
>
> >
> > ERROR: ffmpeg-5.0.1-r0 do_patch: Fuzz detected:
> >
> > Applying patch 0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> > patching file libavcodec/vp3.c
> > Hunk #1 succeeded at 2677 with fuzz 1 (offset -2 lines).
> >
> >
> > The context lines in the patches can be updated with devtool:
> >
> >     devtool modify ffmpeg
> >     devtool finish --force-patch-refresh ffmpeg <layer_path>
> >
> > Don't forget to review changes done by devtool!
> >
> > ERROR: ffmpeg-5.0.1-r0 do_patch: QA Issue: Patch log indicates that
> patches do not apply cleanly. [patch-fuzz]
> >
> > Narpat: Should I send a fix or will you handle that?
> >
> > On Thu, Jan 12, 2023 at 3:33 AM Steve Sakoman <steve@sakoman.com> wrote:
> >>
> >> From: Narpat Mali <narpat.mali@windriver.com>
> >>
> >> An issue was discovered in the FFmpeg package, where vp3_decode_frame
> in libavcodec/vp3.c lacks check of
> >> the return value of av_malloc() and will cause a null pointer
> dereference, impacting availability.
> >>
> >> CVE: CVE-2022-3109
> >>
> >> Upstream-Status: Backport [
> https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
> ]
> >>
> >> Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> >> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> >> ---
> >>  ...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++++++++++++++++++
> >>  .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  3 +-
> >>  2 files changed, 46 insertions(+), 1 deletion(-)
> >>  create mode 100644
> meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >>
> >> diff --git
> a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >> new file mode 100644
> >> index 0000000000..94858a6cdd
> >> --- /dev/null
> >> +++
> b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
> >> @@ -0,0 +1,44 @@
> >> +From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
> >> +From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> >> +Date: Tue, 15 Feb 2022 17:58:08 +0800
> >> +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
> >> +
> >> +Since the av_malloc() may fail and return NULL pointer,
> >> +it is needed that the 's->edge_emu_buffer' should be checked
> >> +whether the new allocation is success.
> >> +
> >> +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
> >> +Reviewed-by: Peter Ross <pross@xvid.org>
> >> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> >> +
> >> +CVE: CVE-2022-3109
> >> +
> >> +Upstream-Status: Backport [
> https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568
> ]
> >> +
> >> +Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
> >> +---
> >> + libavcodec/vp3.c | 7 ++++++-
> >> + 1 file changed, 6 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> >> +index e9ab54d736..e2418eb6fa 100644
> >> +--- a/libavcodec/vp3.c
> >> ++++ b/libavcodec/vp3.c
> >> +@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext
> *avctx,
> >> +                                         AV_GET_BUFFER_FLAG_REF)) < 0)
> >> +         goto error;
> >> +
> >> +-    if (!s->edge_emu_buffer)
> >> ++    if (!s->edge_emu_buffer) {
> >> +         s->edge_emu_buffer = av_malloc(9 *
> FFABS(s->current_frame.f->linesize[0]));
> >> ++        if (!s->edge_emu_buffer) {
> >> ++            ret = AVERROR(ENOMEM);
> >> ++            goto error;
> >> ++        }
> >> ++    }
> >> +
> >> +     if (s->keyframe) {
> >> +         if (!s->theora) {
> >> +--
> >> +2.34.1
> >> +
> >> diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> index 95b4bf50ac..c5bebe9c2d 100644
> >> --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
> >> @@ -26,7 +26,8 @@ SRC_URI = "
> https://www.ffmpeg.org/releases/${BP}.tar.xz \
> >>
>  file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
> >>
>  file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \
> >>
>  file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
> >> -           "
> >> +
>  file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
> >> +          "
> >>
> >>  SRC_URI[sha256sum] =
> "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
> >>
> >> --
> >> 2.25.1
> >>
> >>
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >> Links: You receive all messages sent to this group.
> >> View/Reply Online (#175776):
> https://lists.openembedded.org/g/openembedded-core/message/175776
> >> Mute This Topic: https://lists.openembedded.org/mt/96215555/3617156
> >> Group Owner: openembedded-core+owner@lists.openembedded.org
> >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> Martin.Jansa@gmail.com]
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >>
>
diff mbox series

Patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
new file mode 100644
index 0000000000..94858a6cdd
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
@@ -0,0 +1,44 @@ 
+From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Tue, 15 Feb 2022 17:58:08 +0800
+Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
+
+Since the av_malloc() may fail and return NULL pointer,
+it is needed that the 's->edge_emu_buffer' should be checked
+whether the new allocation is success.
+
+Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
+Reviewed-by: Peter Ross <pross@xvid.org>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+CVE: CVE-2022-3109
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ libavcodec/vp3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index e9ab54d736..e2418eb6fa 100644
+--- a/libavcodec/vp3.c
++++ b/libavcodec/vp3.c
+@@ -2679,8 +2679,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
+                                         AV_GET_BUFFER_FLAG_REF)) < 0)
+         goto error;
+ 
+-    if (!s->edge_emu_buffer)
++    if (!s->edge_emu_buffer) {
+         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
++        if (!s->edge_emu_buffer) {
++            ret = AVERROR(ENOMEM);
++            goto error;
++        }
++    }
+ 
+     if (s->keyframe) {
+         if (!s->theora) {
+-- 
+2.34.1
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 95b4bf50ac..c5bebe9c2d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -26,7 +26,8 @@  SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
            file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \
            file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \
-           "
+           file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \
+          "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"