From 93dc7300c09d2cf340d03d9bbb833f9bf8b28de9 Mon Sep 17 00:00:00 2001 From: Archana Polampalli Date: Fri, 13 Dec 2024 10:11:21 +0000 Subject: [PATCH] ffmpeg: fix CVE-2024-35366 FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking. (From OE-Core rev: a07bc254011736c0f0445607c56609be677ea8a7) Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../ffmpeg/ffmpeg/CVE-2024-35366.patch | 35 +++++++++++++++++++ .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch new file mode 100644 index 0000000000..f7f16a5b92 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch @@ -0,0 +1,35 @@ +From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer +Date: Tue, 26 Mar 2024 00:39:49 +0100 +Subject: [PATCH] avformat/sbgdec: Check for negative duration + +Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer + +CVE: CVE-2024-35366 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6] + +Signed-off-by: Archana Polampalli +--- + libavformat/sbgdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c +index b2662ea..281fe62 100644 +--- a/libavformat/sbgdec.c ++++ b/libavformat/sbgdec.c +@@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p) + case 'L': + FORWARD_ERROR(parse_optarg(p, opt, &oarg)); + r = str_to_time(oarg.s, &p->scs.opt_duration); +- if (oarg.e != oarg.s + r) { ++ if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { + snprintf(p->err_msg, sizeof(p->err_msg), + "syntax error for option -L"); + return AVERROR_INVALIDDATA; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb index 8f4a8d34c0..dd95629648 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb @@ -37,6 +37,7 @@ SRC_URI = " \ file://CVE-2023-50007.patch \ file://CVE-2023-49528.patch \ file://CVE-2024-7055.patch \ + file://CVE-2024-35366.patch \ " SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"