ffmpeg: fix CVE-2023-50007

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via theav_samples_set_silence function in the libavutil/samplefmt.c:260:9 component. (From OE-Core rev: b63ba0bff9e5b5e73d50b2b3ff805418fa98d7e5) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-16 15:32:13 +02:00 · 2024-12-06 13:11:46 +00:00
parent 34611ec3cb
commit 9edd744fd8
2 changed files with 79 additions and 0 deletions
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-50007.patch
@@ -0,0 +1,78 @@
+From b1942734c7cbcdc9034034373abcc9ecb9644c47 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Nov 2023 11:45:34 +0100
+Subject: [PATCH 2/3] avfilter/af_afwtdn: fix crash with EOF handling
+
+CVE: CVE-2023-50007
+
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b1942734c7cbcdc9034034373abcc9ecb9644c47]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavfilter/af_afwtdn.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/libavfilter/af_afwtdn.c b/libavfilter/af_afwtdn.c
+index 0fcfa77..63b7f5f 100644
+--- a/libavfilter/af_afwtdn.c
+++ b/libavfilter/af_afwtdn.c
+@@ -408,6 +408,7 @@ typedef struct AudioFWTDNContext {
+
+     uint64_t sn;
+     int64_t eof_pts;
+    int eof;
+
+     int wavelet_type;
+     int channels;
+@@ -1069,7 +1070,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
+         s->drop_samples = 0;
+     } else {
+         if (s->padd_samples < 0 && eof) {
+-            out->nb_samples += s->padd_samples;
+            out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
+             s->padd_samples = 0;
+         }
+         if (!eof)
+@@ -1208,23 +1209,26 @@ static int activate(AVFilterContext *ctx)
+
+     FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
+
+-    ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+-    if (ret < 0)
+-        return ret;
+-    if (ret > 0)
+-        return filter_frame(inlink, in);
+    if (!s->eof) {
+        ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+        if (ret < 0)
+            return ret;
+        if (ret > 0)
+            return filter_frame(inlink, in);
+    }
+
+     if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
+-        if (status == AVERROR_EOF) {
+-            while (s->padd_samples != 0) {
+-                ret = filter_frame(inlink, NULL);
+-                if (ret < 0)
+-                    return ret;
+-            }
+-            ff_outlink_set_status(outlink, status, pts);
+-            return ret;
+-        }
+        if (status == AVERROR_EOF)
+            s->eof = 1;
+     }
+
+    if (s->eof && s->padd_samples != 0) {
+        return filter_frame(inlink, NULL);
+    } else if (s->eof) {
+        ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
+        return 0;
+    }
+
+     FF_FILTER_FORWARD_WANTED(outlink, inlink);
+
+     return FFERROR_NOT_READY;
+--
+2.40.0
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
@@ -34,6 +34,7 @@ SRC_URI = " \
    file://CVE-2024-32230.patch \
    file://CVE-2023-49501.patch \
    file://CVE-2024-28661.patch \
+    file://CVE-2023-50007.patch \
 "

 SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"