From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2024-46461
Backport the patch mentioned in the news[1] that fixes this vulnerabililty. https://code.videolan.org/videolan/vlc/-/blob/3.0.21/NEWS?ref_type=tags#L44 Signed-off-by: Ankur Tyagi <[email protected]> --- .../vlc/vlc/CVE-2024-46461.patch | 44 +++++++++++++++++++ .../recipes-multimedia/vlc/vlc_3.0.20.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-multimedia/recipes-multimedia/vlc/vlc/CVE-2024-46461.patch diff --git a/meta-multimedia/recipes-multimedia/vlc/vlc/CVE-2024-46461.patch b/meta-multimedia/recipes-multimedia/vlc/vlc/CVE-2024-46461.patch new file mode 100644 index 0000000000..868eb89cac --- /dev/null +++ b/meta-multimedia/recipes-multimedia/vlc/vlc/CVE-2024-46461.patch @@ -0,0 +1,44 @@ +From aafb226321a525169fd68bf4708e7c6f15e4307a Mon Sep 17 00:00:00 2001 +From: Thomas Guillem <[email protected]> +Date: Tue, 9 Jan 2024 06:58:39 +0100 +Subject: [PATCH] mms: fix potential integer overflow + +That could lead to a heap buffer overflow. + +Thanks Andreas Fobian for the security report. + +(cherry picked from commit 467b24dd0f9b0b3d8ba11dd813b393892f7f1ed2) +Signed-off-by: Jean-Baptiste Kempf <[email protected]> + +CVE: CVE-2024-46461 +Upstream-Status: Backport [https://code.videolan.org/videolan/vlc/-/commit/e7f98f3632d793c3921bfe72595721af191e670e] +(cherry picked from commit e7f98f3632d793c3921bfe72595721af191e670e) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + modules/access/mms/mmstu.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/modules/access/mms/mmstu.c b/modules/access/mms/mmstu.c +index f795b0bd43..f10e38cd43 100644 +--- a/modules/access/mms/mmstu.c ++++ b/modules/access/mms/mmstu.c +@@ -1316,14 +1316,16 @@ static int mms_ParsePacket( stream_t *p_access, + + if( i_packet_id == p_sys->i_header_packet_id_type ) + { +- uint8_t *p_reaced = realloc( p_sys->p_header, +- p_sys->i_header + i_packet_length - 8 ); ++ size_t new_header_size; ++ if( add_overflow( p_sys->i_header, i_packet_length, &new_header_size ) ) ++ return -1; ++ uint8_t *p_reaced = realloc( p_sys->p_header, new_header_size ); + if( !p_reaced ) + return VLC_ENOMEM; + + memcpy( &p_reaced[p_sys->i_header], p_data + 8, i_packet_length - 8 ); + p_sys->p_header = p_reaced; +- p_sys->i_header += i_packet_length - 8; ++ p_sys->i_header = new_header_size; + + /* msg_Dbg( p_access, + "receive header packet (%d bytes)", diff --git a/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.20.bb b/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.20.bb index 21bc408f6d..bf34146e0a 100644 --- a/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.20.bb +++ b/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.20.bb @@ -25,6 +25,7 @@ SRC_URI = "https://get.videolan.org/${BPN}/${PV}/${BP}.tar.xz \ file://0006-configure-Disable-incompatible-function-pointer-type.patch \ file://taglib-2.patch \ file://0001-taglib-Fix-build-on-x86-32-bit.patch \ + file://CVE-2024-46461.patch \ " SRC_URI[sha256sum] = "adc7285b4d2721cddf40eb5270cada2aaa10a334cb546fd55a06353447ba29b5"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123316): https://lists.openembedded.org/g/openembedded-devel/message/123316 Mute This Topic: https://lists.openembedded.org/mt/117184753/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
