!191 fix CVE-2024-36613

From: @changtao615 Reviewed-by: @technology208 Signed-off-by: @technology208
fix CVE-2024-36613
2025-01-13 03:40:22 +00:00 · 2025-01-05 20:57:34 +08:00 · 2024-12-14 09:14:03 +00:00 · 2024-12-13 18:26:07 +08:00 · 2024-12-05 09:20:57 +00:00 · 2024-12-02 03:54:06 +00:00
9 changed files with 284 additions and 1 deletions
--- a/CVE-2020-35965.patch
+++ b/CVE-2020-35965.patch
@ -0,0 +1,25 @@
+From 1672c855be7edde17571f98fa603c4fc5270e516 Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Wed, 18 Sep 2024 15:57:22 +0800
+Subject: [PATCH] CVE-2020-35965
+
+---
+ libavcodec/exr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index ba6e3fd..5558d55 100644
+--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
+@@ -1791,7 +1791,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
+     ptr         = picture->data[0];
+ 
+     // Zero out the start if ymin is not 0
+-    for (y = 0; y < s->ymin; y++) {
+    for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
+         memset(ptr, 0, out_line_size);
+         ptr += picture->linesize[0];
+     }
+-- 
+2.27.0
+
--- a/backport-CVE-2024-35366.patch
+++ b/backport-CVE-2024-35366.patch
@ -0,0 +1,29 @@
+From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/sbgdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index bc2469afd1..e60eb1481e 100644
+--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
+@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p)
+                 case 'L':
+                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+                     r = str_to_time(oarg.s, &p->scs.opt_duration);
+-                    if (oarg.e != oarg.s + r) {
+                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+                         snprintf(p->err_msg, sizeof(p->err_msg),
+                                  "syntax error for option -L");
+                         return AVERROR_INVALIDDATA;
+-- 
+2.33.0
--- a/backport-CVE-2024-35367.patch
+++ b/backport-CVE-2024-35367.patch
@ -0,0 +1,41 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern <gseanmcg@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+---
+ libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b0a8..061914fc38 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
+++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+ // for 6tap filters, these are the outer two taps
+ // The zeros mask off pixels 4-7 when filtering 0-3
+ // and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
+static const vec_s8 h_subpel_filters_outer[4] =
+ {
+     REPT4(0, 0, 2, 1),
+     REPT4(0, 0, 3, 3),
+     REPT4(0, 0, 1, 2),
+    REPT4(0, 0, 0, 0),
+ };
+ 
+ #define LOAD_H_SUBPEL_FILTER(i) \
+-- 
+2.33.0
--- a/backport-CVE-2024-35368.patch
+++ b/backport-CVE-2024-35368.patch
@ -0,0 +1,35 @@
+From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Sun, 24 Sep 2023 13:15:48 +0200
+Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
+
+After having created the AVBuffer that is put into frame->buf[0],
+ownership of several objects (namely an AVDRMFrameDescriptor,
+an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
+has passed to the AVBuffer and therefore to the frame.
+Yet it has nevertheless been freed manually on error
+afterwards, which would lead to a double-free as soon
+as the AVFrame is unreferenced.
+
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+---
+ libavcodec/rkmppdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
+index 7665098c6a..6889545b20 100644
+--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
+@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
+ 
+             frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
+             if (!frame->hw_frames_ctx) {
+-                ret = AVERROR(ENOMEM);
+-                goto fail;
+                av_frame_unref(frame);
+                return AVERROR(ENOMEM);
+             }
+ 
+             return 0;
+-- 
+2.33.0
--- a/backport-CVE-2024-36613.patch
+++ b/backport-CVE-2024-36613.patch
@ -0,0 +1,36 @@
+From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 30 Sep 2023 00:51:29 +0200
+Subject: [PATCH] avformat/dxa: Adjust order of operations around block
+align
+
+Fixes:
+51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464
+Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in
+type 'int'
+
+Found-by: continuous fuzzing process
+https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/dxa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/dxa.c b/libavformat/dxa.c
+index 298cda0..e46c9b0 100644
+--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
+@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s)
+         }
+         c->bpc = (fsize + c->frames - 1) / c->frames;
+         if(ast->codecpar->block_align)
+-            c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+	    c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align;
+         c->bytes_left = fsize;
+         c->wavpos = avio_tell(pb);
+         avio_seek(pb, c->vidpos, SEEK_SET);
+-- 
+2.41.0
+
--- a/backport-CVE-2024-36616.patch
+++ b/backport-CVE-2024-36616.patch
@ -0,0 +1,29 @@
+From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 01:00:13 +0100
+Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets
+
+Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/westwood_vqa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
+index 954710a6f0..3a31e3f5e8 100644
+--- a/libavformat/westwood_vqa.c
+++ b/libavformat/westwood_vqa.c
+@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
+                     break;
+                 case SND2_TAG:
+                     /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
+-                    pkt->duration = (chunk_size * 2) / wsvqa->channels;
+                    pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
+                     break;
+                 }
+                 break;
+-- 
+2.33.0
--- a/backport-CVE-2024-36617.patch
+++ b/backport-CVE-2024-36617.patch
@ -0,0 +1,31 @@
+From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 30 Sep 2023 00:38:17 +0200
+Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit
+
+Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long'
+Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/cafdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
+index 8622859..f5c62a8 100644
+--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
+@@ -209,7 +209,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
+         st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb);
+     }
+ 
+-    if (avio_tell(pb) - ccount > size) {
+    if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
+         av_log(s, AV_LOG_ERROR, "error reading packet table\n");
+         return AVERROR_INVALIDDATA;
+     }
+-- 
+2.43.0
+
--- a/backport-CVE-2024-36618.patch
+++ b/backport-CVE-2024-36618.patch
@ -0,0 +1,31 @@
+From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Tue, 12 Mar 2024 23:23:17 +0100
+Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
+ INT64_MAX
+
+Affects many FATE-tests, see
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Reviewed-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+---
+ libavformat/avidec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/avidec.c b/libavformat/avidec.c
+index 59c06ea..81e904d 100644
+--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
+@@ -1645,7 +1645,7 @@ static int check_stream_max_drift(AVFormatContext *s)
+     int *idx = av_mallocz_array(s->nb_streams, sizeof(*idx));
+     if (!idx)
+         return AVERROR(ENOMEM);
+-    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
+         int64_t max_dts = INT64_MIN / 2;
+         int64_t min_dts = INT64_MAX / 2;
+         int64_t max_buffer = 0;
+-- 
+2.43.0
+
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@ -60,7 +60,7 @@
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        4.2.4
-Release:        17
+Release:        22
 License:        %{ffmpeg_license}
 URL:            http://ffmpeg.org/
 %if 0%{?date}
@ -86,6 +86,14 @@ Patch14:        CVE-2021-28429.patch
 Patch15:        fix-CVE-2024-32230.patch  
 Patch16:        CVE-2022-1475.patch
 Patch17:        CVE-2022-48434.patch
+Patch18:        CVE-2020-35965.patch
+Patch19:        backport-CVE-2024-35366.patch
+Patch20:        backport-CVE-2024-35367.patch
+Patch21:        backport-CVE-2024-35368.patch
+Patch22:        backport-CVE-2024-36616.patch
+Patch23:        backport-CVE-2024-36618.patch
+Patch24:        backport-CVE-2024-36617.patch
+Patch25:        backport-CVE-2024-36613.patch

 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@ -419,6 +427,24 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}


 %changelog
+* Sun Jan 5 2025 changtao <changtao@kylinos.cn> - 4.2.4-22
+- Type: CVE
+- CVE: CVE-2024-36613
+- SUG: NA
+- DESC: fix CVE-2024-36613
+
+* Fri Dec 13 2024 liningjie <liningjie@xfusion.com> - 4.2.4-21
+- fix CVE-2024-36617 CVE-2024-36618
+
+* Mon Dec 02 2024 liningjie <liningjie@xfusion.com> - 4.2.4-20
+- fix CVE-2024-35368 CVE-2024-36616
+
+* Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 4.2.4-19
+- fix CVE-2024-35366 CVE-2024-35367
+
+* Wed Sep 18 2024 happyworker <208suo@208suo.com> - 4.2.4-18
+- Fix CVE-2020-35965.patch
+
 * Mon Jul 15 2024 happyworker <208suo@208suo.com> - 4.2.4-17
 - Fix CVE-2022-48434
Author	SHA1	Message	Date
openeuler-ci-bot	e215281bfe	!191 fix CVE-2024-36613 From: @changtao615 Reviewed-by: @technology208 Signed-off-by: @technology208	2025-01-13 03:40:22 +00:00
changtao	8ce5f487bb	fix CVE-2024-36613	2025-01-05 20:57:34 +08:00
openeuler-ci-bot	31a7e5a850	!180 fix CVE-2024-36617 CVE-2024-36618 From: @li_ning_jie Reviewed-by: @t_feng Signed-off-by: @t_feng	2024-12-14 09:14:03 +00:00
liningjie	49d0c89410	fix CVE-2024-36617 CVE-2024-36618	2024-12-13 18:26:07 +08:00
openeuler-ci-bot	9073b8d363	!169 fix CVE-2024-35368 CVE-2024-36616 From: @li_ning_jie Reviewed-by: @open-bot Signed-off-by: @open-bot	2024-12-05 09:20:57 +00:00
李宁杰	b9c9e8836a	fix CVE-2024-35368 CVE-2024-36616	2024-12-02 03:54:06 +00:00
openeuler-ci-bot	16270664a3	!165 fix CVE-2024-35366 CVE-2024-35367 From: @li_ning_jie Reviewed-by: @open-bot Signed-off-by: @open-bot	2024-12-02 00:36:41 +00:00
李宁杰	12a50eaf99	fix CVE-2024-35366 CVE-2024-35367	2024-11-30 04:13:52 +00:00
openeuler-ci-bot	1e63295350	!159 fix CVE-2020-35965 From: @happyworker Reviewed-by: @technology208 Signed-off-by: @technology208	2024-09-18 08:37:13 +00:00
happyworker	d6bc20d681	fix CVE-2020-35965.patch	2024-09-18 16:00:22 +08:00