mirror of
https://git.yoctoproject.org/poky
ffmpeg: fix CVE-2024-35367
FFmpeg n6.1.1 has an out-of-bounds read in libavcodec/ppc/vp8dsp_altivec.c, in the static const vec_s8 array h_subpel_filters_outer.

(From OE-Core rev: 64d77d422d3c99d8a246ab03edfb54d9d185326e)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
committed by
Steve Sakoman
parent
93dc7300c0
commit
3d0ff200b3
47
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
Normal file
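--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
@@ -0,0 +1,47 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern <gseanmcg@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+
+CVE: CVE-2024-35367
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b..061914f 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
++++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+// for 6tap filters, these are the outer two taps
+// The zeros mask off pixels 4-7 when filtering 0-3
+// and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
++static const vec_s8 h_subpel_filters_outer[4] =
+{
+REPT4(0, 0, 2, 1),
+REPT4(0, 0, 3, 3),
+REPT4(0, 0, 1, 2),
++ REPT4(0, 0, 0, 0),
+};
+
+#define LOAD_H_SUBPEL_FILTER(i) \
+--
+2.40.0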
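Review bot: The new fourth row `REPT4(0, 0, 0, 0),` in `h_subpel_filters_outer` has no comment saying which index reaches it or why zeros are correct, and the upstream message itself calls the value guesstimated. Since that message states that `h_subpel_filters_outer[i / 2]` is read for `i` in 0..6, a comment on the row such as `// i == 6 (i / 2 == 3): outer taps are zero` would record the reasoning, assuming the zeros do match the last row of subpel_filters in libavcodec/vp8dsp.c. The two table sizes `[7]` and `[4]` also remain independent hand-written literals, so a later edit to one can bring the out-of-bounds read back; this is better raised upstream so the backport stays identical to the referenced commit. The body of `LOAD_H_SUBPEL_FILTER` lies outside the hunk, so the indexing expression is taken from the commit message rather than from visible code.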
@@ -38,6 +38,7 @@ SRC_URI = " \
|
||||
file://CVE-2023-49528.patch \
|
||||
file://CVE-2024-7055.patch \
|
||||
file://CVE-2024-35366.patch \
|
||||
file://CVE-2024-35367.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
|
||||
|
||||