mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-01 15:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

ffmpeg: fix CVE-2021-33815

Browse Source 
avcodec/exr: More strictly check dc_count

Fixes: out of array access
Fixes: exr/deneme

Found-by: Burak Çarıkçı <burakcarikci@crypttech.com>
(From OE-Core rev: e03fda4df5d2865d5ac516f45aa120e2caf7de47)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

CVE: CVE-2021-33815
Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Tony Tascioglu
2021-07-27 16:20:47 -07:00
committed by Richard Purdie
parent d6044c86b0
commit 9da5e45c73
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch Normal file
View File

@@ -0,0 +1,44 @@
From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 25 May 2021 19:29:18 +0200
Subject: [PATCH] avcodec/exr: More strictly check dc_count
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: out of array access
Fixes: exr/deneme
Found-by: Burak Çarıı <burakcarikci@crypttech.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2021-33815
Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
libavcodec/exr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9377a89169..4648ed7d62 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
bytestream2_skip(&gb, ac_size);
}
- if (dc_size > 0) {
+ {
unsigned long dest_len = dc_count * 2LL;
GetByteContext agb = gb;
- if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
+ if (dc_count != dc_w * dc_h * 3)
return AVERROR_INVALIDDATA;
av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2);
--
2.32.0

1
meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
View File

@@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://fix-CVE-2020-22015.patch \
file://fix-CVE-2020-22021.patch \
file://fix-CVE-2020-22033-CVE-2020-22019.patch \
file://fix-CVE-2021-33815.patch \
"
SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909"