From: Archana Polampalli <archana.polampa...@windriver.com>

Buffer Overflow vulnerability in FFmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/f_reverse.c:269:26 in areverse_request_frame.

Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../ffmpeg/ffmpeg/CVE-2023-51796.patch | 39 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch new file mode 100644 index 0000000000..4ec0aa5aee --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch 
@@ -0,0 +1,39 @@ +From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <mich...@niedermayer.cc> +Date: Sat, 23 Dec 2023 18:04:32 +0100 +Subject: [PATCH 3/4] avfilter/f_reverse: Apply PTS compensation only when pts + is available + +Fixes: out of array access +Fixes: tickets/10753/poc16ffmpeg + +Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1 +Found-by: Zeng Yunxiang +Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> + +CVE: CVE-2023-51796 + +Upstream-Status: Backport [https://github.com/ffmpeg/FFmpeg/commit/61e73851a33f0b4cb7662f8578a4695e77bd3c19] + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> +--- + libavfilter/f_reverse.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libavfilter/f_reverse.c b/libavfilter/f_reverse.c +index f7a7e71..7b919d6 100644 +--- a/libavfilter/f_reverse.c ++++ b/libavfilter/f_reverse.c +@@ -251,7 +251,9 @@ static int areverse_request_frame(AVFilterLink *outlink) + if (ret == AVERROR_EOF && s->nb_frames > 0) { + AVFrame *out = s->frames[s->nb_frames - 1]; + out->pts = s->pts[s->flush_idx++] - s->nb_samples; +- s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; ++ if (s->nb_frames > 1) ++ s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; ++ + + if (av_sample_fmt_is_planar(out->format)) + reverse_samples_planar(out); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index ee13081e4d..8e0fc090ac 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -38,6 +38,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2023-51798.patch \ file://CVE-2023-47342.patch \ file://CVE-2023-50007.patch \ + file://CVE-2023-51796.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.34.1
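Review bot: the added guard `if (s->nb_frames > 1)` in the `areverse_request_frame` hunk protects the read of `s->pts[s->flush_idx]` only indirectly, through the frame count, and nothing in the hunk says why that is sufficient. By the time that statement runs, `s->flush_idx` has already been incremented by `s->pts[s->flush_idx++]` on the line above, so the guarded read looks one entry ahead of the frame being emitted; with a single frame left there appears to be no such entry, which matches the "out of array access" the upstream message cites. A one-line comment stating that invariant (a following pts entry exists only while more than one frame remains) would make the fix easier to audit, and because this is a verbatim backport that comment belongs upstream rather than in this recipe patch. The hunk also adds an empty line directly before the existing blank context line, leaving two consecutive blank lines before `if (av_sample_fmt_is_planar(out->format))`; this is harmless and best left alone so the backport stays identical to commit 61e73851a33f0b4cb7662f8578a4695e77bd3c19.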
View/Reply Online (#207950): https://lists.openembedded.org/g/openembedded-core/message/207950