diff options
Diffstat (limited to 'meta/recipes-multimedia/ffmpeg')
9 files changed, 416 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch new file mode 100644 index 0000000000..4fe80cffa1 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20446.patch @@ -0,0 +1,35 @@ +From 073bad2fcae5be78c11a1623a20319107dfae9f8 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Fri, 28 May 2021 20:18:25 +0200 +Subject: [PATCH 1/5] avcodec/aacpsy: Avoid floating point division by 0 of + norm_fac + +Fixes: Ticket7995 +Fixes: CVE-2020-20446 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-20446 +Upstream-Status: Backport [223b5e8ac9f6461bb13ed365419ec485c5b2b002] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavcodec/aacpsy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c +index fca692cb15..bd444fecdc 100644 +--- a/libavcodec/aacpsy.c ++++ b/libavcodec/aacpsy.c +@@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, + + if (pe < 1.15f * desired_pe) { + /* 6.6.1.3.6 "Final threshold modification by linearization" */ +- norm_fac = 1.0f / norm_fac; ++ norm_fac = norm_fac ? 1.0f / norm_fac : 0; + for (w = 0; w < wi->num_windows*16; w += 16) { + for (g = 0; g < num_bands; g++) { + AacPsyBand *band = &pch->band[w+g]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch new file mode 100644 index 0000000000..4e430726b0 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-20453.patch @@ -0,0 +1,42 @@ +From 80f9cbee46757430af0769ec999ca702be652f7f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Fri, 28 May 2021 21:37:26 +0200 +Subject: [PATCH 2/5] avcodec/aacenc: Avoid 0 lambda + +Fixes: Ticket8003 +Fixes: CVE-2020-20453 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-20453 +Upstream-Status: Backport [a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavcodec/aacenc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c +index db11e0ca29..9c6cb75be4 100644 +--- a/libavcodec/aacenc.c ++++ b/libavcodec/aacenc.c +@@ -28,6 +28,7 @@ + * TODOs: + * add sane pulse detection + ***********************************/ ++#include <float.h> + + #include "libavutil/libm.h" + #include "libavutil/thread.h" +@@ -856,7 +857,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, + /* Not so fast though */ + ratio = sqrtf(ratio); + } +- s->lambda = FFMIN(s->lambda * ratio, 65536.f); ++ s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + + /* Keep iterating if we must reduce and lambda is in the sky */ + if (ratio > 0.9f && ratio < 1.1f) { +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch new file mode 100644 index 0000000000..1fdb31de7d --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch @@ -0,0 +1,44 @@ +From dce5d2c2ee991f8cd96ab74d51a2d1a134a1a645 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 09:22:27 +0200 +Subject: [PATCH 3/5] avformat/movenc: Check pal_size before use + +Fixes: assertion failure +Fixes: out of array read +Fixes: Ticket8190 +Fixes: CVE-2020-22015 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + + +CVE: CVE-2020-22015 +Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavformat/movenc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/movenc.c b/libavformat/movenc.c +index c34d86522a..9603704083 100644 +--- a/libavformat/movenc.c ++++ b/libavformat/movenc.c +@@ -2094,11 +2094,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex + avio_wb16(pb, 0x18); /* Reserved */ + + if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { +- int pal_size = 1 << track->par->bits_per_coded_sample; +- int i; ++ int pal_size, i; + avio_wb16(pb, 0); /* Color table ID */ + avio_wb32(pb, 0); /* Color table seed */ + avio_wb16(pb, 0x8000); /* Color table flags */ ++ if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) ++ return AVERROR(EINVAL); ++ pal_size = 1 << track->par->bits_per_coded_sample; + avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ + for (i = 0; i < pal_size; i++) { + uint32_t rgb = track->palette[i]; +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch new file mode 100644 index 0000000000..05cba736ff --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch @@ -0,0 +1,87 @@ +From 384177ca945395c8cf0ebbddd4b8b1eae64e900f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 11:17:35 +0200 +Subject: [PATCH 4/5] avfilter/vf_yadif: Fix handing of tiny images + +Fixes: out of array access +Fixes: Ticket8240 +Fixes: CVE-2020-22021 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-22021 +Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- + 1 file changed, 18 insertions(+), 14 deletions(-) + +diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c +index 43dea67add..06fd24ecfa 100644 +--- a/libavfilter/vf_yadif.c ++++ b/libavfilter/vf_yadif.c +@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, + uint8_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN - 1; ++ int offset = FFMAX(w - edge, 3); + + /* Only edge pixels need to be processed here. A constant value of false + * for is_not_edge should let the compiler ignore the whole branch. */ +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint8_t*)dst1 + w - edge; +- prev = (uint8_t*)prev1 + w - edge; +- cur = (uint8_t*)cur1 + w - edge; +- next = (uint8_t*)next1 + w - edge; ++ dst = (uint8_t*)dst1 + offset; ++ prev = (uint8_t*)prev1 + offset; ++ cur = (uint8_t*)cur1 + offset; ++ next = (uint8_t*)next1 + offset; + prev2 = (uint8_t*)(parity ? prev : cur); + next2 = (uint8_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + +@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, + uint16_t *next2 = parity ? cur : next; + + const int edge = MAX_ALIGN / 2 - 1; ++ int offset = FFMAX(w - edge, 3); + + mrefs /= 2; + prefs /= 2; + +- FILTER(0, 3, 0) ++ FILTER(0, FFMIN(3, w), 0) + +- dst = (uint16_t*)dst1 + w - edge; +- prev = (uint16_t*)prev1 + w - edge; +- cur = (uint16_t*)cur1 + w - edge; +- next = (uint16_t*)next1 + w - edge; ++ dst = (uint16_t*)dst1 + offset; ++ prev = (uint16_t*)prev1 + offset; ++ cur = (uint16_t*)cur1 + offset; ++ next = (uint16_t*)next1 + offset; + prev2 = (uint16_t*)(parity ? prev : cur); + next2 = (uint16_t*)(parity ? cur : next); + +- FILTER(w - edge, w - 3, 1) +- FILTER(w - 3, w, 0) ++ FILTER(offset, w - 3, 1) ++ offset = FFMAX(offset, w - 3); ++ FILTER(offset, w, 0) + } + + static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch new file mode 100644 index 0000000000..e98ddaaede --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22033-CVE-2020-22019.patch @@ -0,0 +1,39 @@ +From 2f3bf456fa641edf154a99c4586d7bf52c02a495 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 29 May 2021 09:58:31 +0200 +Subject: [PATCH 5/5] avfilter/vf_vmafmotion: Check dimensions + +Fixes: out of array access +Fixes: Ticket8241 +Fixes: Ticket8246 +Fixes: CVE-2020-22019 +Fixes: CVE-2020-22033 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2020-22033 +CVE: CVE-2020-22019 +Upstream-Status: Backport [82ad1b76751bcfad5005440db48c46a4de5d6f02] + +Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> +--- + libavfilter/vf_vmafmotion.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c +index 88d0b35095..0730147e7d 100644 +--- a/libavfilter/vf_vmafmotion.c ++++ b/libavfilter/vf_vmafmotion.c +@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, + int i; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + ++ if (w < 3 || h < 3) ++ return AVERROR(EINVAL); ++ + s->width = w; + s->height = h; + s->stride = FFALIGN(w * sizeof(uint16_t), 32); +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch new file mode 100644 index 0000000000..3de7cf7e0f --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38114.patch @@ -0,0 +1,67 @@ +CVE: CVE-2021-38114 +Upstream-Status: Backport +Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com> + +From 662aef4aacf23b4be4c1cfaebd837e225b357e51 Mon Sep 17 00:00:00 2001 +From: maryam ebr <me22bee@outlook.com> +Date: Tue, 3 Aug 2021 01:05:47 -0400 +Subject: [PATCH] avcodec/dnxhddec: check and propagate function return value + +Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. +crafted DNxHD data can cause unspecified impact. + +Reviewed-by: Paul B Mahol <onemda@gmail.com> +Signed-off-by: James Almer <jamrial@gmail.com> +--- + libavcodec/dnxhddec.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c +index e5d01e2e71..54f894f81b 100644 +--- a/libavcodec/dnxhddec.c ++++ b/libavcodec/dnxhddec.c +@@ -110,6 +110,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) + + static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) + { ++ int ret; + if (cid != ctx->cid) { + int index; + +@@ -129,19 +130,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) + ff_free_vlc(&ctx->dc_vlc); + ff_free_vlc(&ctx->run_vlc); + +- init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ++ if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + ctx->cid_table->ac_bits, 1, 1, +- ctx->cid_table->ac_codes, 2, 2, 0); +- init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ++ ctx->cid_table->ac_codes, 2, 2, 0)) < 0) ++ goto out; ++ if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->dc_bits, 1, 1, +- ctx->cid_table->dc_codes, 1, 1, 0); +- init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ++ ctx->cid_table->dc_codes, 1, 1, 0)) < 0) ++ goto out; ++ if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->run_bits, 1, 1, +- ctx->cid_table->run_codes, 2, 2, 0); ++ ctx->cid_table->run_codes, 2, 2, 0)) < 0) ++ goto out; + + ctx->cid = cid; + } +- return 0; ++ ret = 0; ++out: ++ if (ret < 0) ++ av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); ++ return ret; + } + + static int dnxhd_get_profile(int cid) +-- +2.31.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38171.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38171.patch new file mode 100644 index 0000000000..8775acd8c5 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38171.patch @@ -0,0 +1,40 @@ +CVE: CVE-2021-38171 +Upstream-Status: Backport +Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com> + +From d5373a9efb10c1fa87698ee41370fb04dc2e410b Mon Sep 17 00:00:00 2001 +From: maryam ebrahimzadeh <me22bee@outlook.com> +Date: Wed, 4 Aug 2021 16:15:18 -0400 +Subject: [PATCH] avformat/adtsenc: return value check for init_get_bits in + adts_decode_extradata + +As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary. +'buf' is part of 'AVPacket pkt'. +replace init_get_bits with init_get_bits8. + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> +--- + libavformat/adtsenc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c +index d937e2bea9..a1593515e1 100644 +--- a/libavformat/adtsenc.c ++++ b/libavformat/adtsenc.c +@@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui + GetBitContext gb; + PutBitContext pb; + MPEG4AudioConfig m4ac; +- int off; ++ int off, ret; + +- init_get_bits(&gb, buf, size * 8); ++ ret = init_get_bits8(&gb, buf, size); ++ if (ret < 0) ++ return ret; + off = avpriv_mpeg4audio_get_config2(&m4ac, buf, size, 1, s); + if (off < 0) + return off; +-- +2.31.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch new file mode 100644 index 0000000000..ef1c760286 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-38291.patch @@ -0,0 +1,54 @@ +CVE: CVE-2021-38291 +Upstream-Status: Backport +Signed-off-by: Kiran Surendran <kiran.surendran@windriver.com> + +From e908bdb157fa493be2b50e2a11055d19c5254a15 Mon Sep 17 00:00:00 2001 +From: James Almer <jamrial@gmail.com> +Date: Wed, 21 Jul 2021 01:02:44 -0300 +Subject: [PATCH] avcodec/utils: don't return negative values in + av_get_audio_frame_duration() + +In some extrme cases, like with adpcm_ms samples with an extremely high channel +count, get_audio_frame_duration() may return a negative frame duration value. +Don't propagate it, and instead return 0, signaling that a duration could not +be determined. + +Fixes ticket #9312 + +Signed-off-by: James Almer <jamrial@gmail.com> +--- + libavcodec/utils.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/utils.c b/libavcodec/utils.c +index 81e34254e8..5fdb10fe09 100644 +--- a/libavcodec/utils.c ++++ b/libavcodec/utils.c +@@ -1776,20 +1776,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, + + int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) + { +- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, ++ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + avctx->channels, avctx->block_align, + avctx->codec_tag, avctx->bits_per_coded_sample, + avctx->bit_rate, avctx->extradata, avctx->frame_size, + frame_bytes); ++ return FFMAX(0, duration); + } + + int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) + { +- return get_audio_frame_duration(par->codec_id, par->sample_rate, ++ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, + par->channels, par->block_align, + par->codec_tag, par->bits_per_coded_sample, + par->bit_rate, par->extradata, par->frame_size, + frame_bytes); ++ return FFMAX(0, duration); + } + + #if !HAVE_THREADS +-- +2.25.1 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb index 08be38ca50..2df8fc45cf 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb @@ -26,6 +26,14 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://mips64_cpu_detection.patch \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ + file://fix-CVE-2020-20446.patch \ + file://fix-CVE-2020-20453.patch \ + file://fix-CVE-2020-22015.patch \ + file://fix-CVE-2020-22021.patch \ + file://fix-CVE-2020-22033-CVE-2020-22019.patch \ + file://fix-CVE-2021-38291.patch \ + file://fix-CVE-2021-38171.patch \ + file://fix-CVE-2021-38114.patch \ " SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb" |