From: Archana Polampalli <archana.polampa...@windriver.com> Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.
Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../ffmpeg/ffmpeg/CVE-2023-51798.patch | 45 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch new file mode 100644 index 0000000000..6250486c05 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51798.patch @@ -0,0 +1,45 @@ +From c9e6162554cc7d04a56e2edd1f6f1479c6f8b62f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <mich...@niedermayer.cc> +Date: Sat, 30 Dec 2023 02:51:32 +0100 +Subject: [PATCH] avfilter/vf_minterpolate: Check pts before division + +Fixes: FPE +Fixes: tickets/10758/poc20ffmpeg + +Discovered by Zeng Yunxiang + +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> +(cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> + +CVE: CVE-2023-51798 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/c9e6162554cc7d04a56e2edd1f6f1479c6f8b62f] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + libavfilter/vf_minterpolate.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c +index 97d0e96..9296e67 100644 +--- a/libavfilter/vf_minterpolate.c ++++ b/libavfilter/vf_minterpolate.c +@@ -1078,8 +1078,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) + pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, + (int64_t) outlink->time_base.den * inlink->time_base.num); + +- alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); +- alpha = av_clip(alpha, 0, ALPHA_MAX); ++ if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { ++ alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); ++ alpha = av_clip(alpha, 0, ALPHA_MAX); ++ } else { ++ av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); ++ alpha = 0; ++ } + + if (alpha == 0 || alpha == ALPHA_MAX) { + av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 80a4e5b96f..b8bd77972b 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -35,6 +35,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-31582.patch \ file://CVE-2024-31578.patch \ file://CVE-2023-51794.patch \ + file://CVE-2023-51798.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#207947): https://lists.openembedded.org/g/openembedded-core/message/207947 Mute This Topic: https://lists.openembedded.org/mt/109811163/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
