ffmpeg: fix CVE-2024-31578

FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. (From OE-Core rev: 072a5454fa6610fd751433c518f9beb5496851a1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-05 08:02:25 +02:00 · 2024-11-21 06:45:52 +00:00
parent 341f123331
commit 338d1840cd
2 changed files with 50 additions and 0 deletions
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-31578.patch
@@ -0,0 +1,49 @@
+From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili <zhilizhao@tencent.com>
+Date: Tue, 20 Feb 2024 20:08:55 +0800
+Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
+
+Fix heap use after free when vulkan_frames_init failed.
+
+Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
+
+CVE: CVE-2024-31578
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index 31c7840..2a4d9ed 100644
+--- a/libavutil/hwcontext.c
+++ b/libavutil/hwcontext.c
+@@ -362,7 +362,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->internal->hw_type->frames_init) {
+         ret = ctx->internal->hw_type->frames_init(ctx);
+         if (ret < 0)
+-            goto fail;
+            return ret;
+     }
+
+     if (ctx->internal->pool_internal && !ctx->pool)
+@@ -372,14 +372,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->initial_pool_size > 0) {
+         ret = hwframe_pool_prealloc(ref);
+         if (ret < 0)
+-            goto fail;
+            return ret;
+     }
+
+     return 0;
+-fail:
+-    if (ctx->internal->hw_type->frames_uninit)
+-        ctx->internal->hw_type->frames_uninit(ctx);
+-    return ret;
+ }
+
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+--
+2.40.0
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2023-51793.patch \
           file://CVE-2023-50008.patch \
           file://CVE-2024-31582.patch \
+           file://CVE-2024-31578.patch \
          "

 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"