From: Archana Polampalli <archana.polampa...@windriver.com> FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> --- .../ffmpeg/ffmpeg/CVE-2024-31578.patch | 49 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch new file mode 100644 index 0000000000..e67f4777f7 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch @@ -0,0 +1,49 @@ +From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 +From: Zhao Zhili <zhiliz...@tencent.com> +Date: Tue, 20 Feb 2024 20:08:55 +0800 +Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant + +Fix heap use after free when vulkan_frames_init failed. + +Signed-off-by: Zhao Zhili <zhiliz...@tencent.com> + +CVE: CVE-2024-31578 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + libavutil/hwcontext.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c +index 31c7840..2a4d9ed 100644 +--- a/libavutil/hwcontext.c ++++ b/libavutil/hwcontext.c +@@ -362,7 +362,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->internal->hw_type->frames_init) { + ret = ctx->internal->hw_type->frames_init(ctx); + if (ret < 0) +- goto fail; ++ return ret; + } + + if (ctx->internal->pool_internal && !ctx->pool) +@@ -372,14 +372,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) + if (ctx->initial_pool_size > 0) { + ret = hwframe_pool_prealloc(ref); + if (ret < 0) +- goto fail; ++ return ret; + } + + return 0; +-fail: +- if (ctx->internal->hw_type->frames_uninit) +- ctx->internal->hw_type->frames_uninit(ctx); +- return ret; + } + + int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 4a743c6dd7..ae02310af8 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -33,6 +33,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2023-51793.patch \ file://CVE-2023-50008.patch \ file://CVE-2024-31582.patch \ + file://CVE-2024-31578.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#207516): https://lists.openembedded.org/g/openembedded-core/message/207516 Mute This Topic: https://lists.openembedded.org/mt/109699771/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
