From e17ddd0fafb562ed7ebe7708dac9bcef2d6cecc1 Mon Sep 17 00:00:00 2001 From: Narpat Mali Date: Thu, 19 Jan 2023 17:16:57 +0000 Subject: ffmpeg: fix for CVE-2022-3341 avformat/nutdec: Add check for avformat_new_stream Check for failure of avformat_new_stream() and propagate the error code. Signed-off-by: Narpat Mali Signed-off-by: Steve Sakoman --- ...-nutdec-Add-check-for-avformat_new_stream.patch | 67 ++++++++++++++++++++++ meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch new file mode 100644 index 0000000000..41d5884f88 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch @@ -0,0 +1,67 @@ +From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 23 Feb 2022 10:31:59 +0800 +Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream + +Check for failure of avformat_new_stream() and propagate +the error code. + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2022-3341 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] + +Signed-off-by: Narpat Mali +--- + libavformat/nutdec.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c +index 0a8a700acf..f9ad2c0af1 100644 +--- a/libavformat/nutdec.c ++++ b/libavformat/nutdec.c +@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut) + ret = AVERROR(ENOMEM); + goto fail; + } +- for (i = 0; i < stream_count; i++) +- avformat_new_stream(s, NULL); ++ for (i = 0; i < stream_count; i++) { ++ if (!avformat_new_stream(s, NULL)) { ++ ret = AVERROR(ENOMEM); ++ goto fail; ++ } ++ } + + return 0; + fail: +@@ -800,19 +804,23 @@ static int nut_read_header(AVFormatContext *s) + NUTContext *nut = s->priv_data; + AVIOContext *bc = s->pb; + int64_t pos; +- int initialized_stream_count; ++ int initialized_stream_count, ret; + + nut->avf = s; + + /* main header */ + pos = 0; ++ ret = 0; + do { ++ if (ret == AVERROR(ENOMEM)) ++ return ret; ++ + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; + if (pos < 0 + 1) { + av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); + return AVERROR_INVALIDDATA; + } +- } while (decode_main_header(nut) < 0); ++ } while ((ret = decode_main_header(nut)) < 0); + + /* stream headers */ + pos = 0; +-- +2.34.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index c5bebe9c2d..4bcbda9976 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -27,7 +27,8 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ - " + file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \ + " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- cgit 1.2.3-korg