mirror of
https://git.yoctoproject.org/poky
synced 2026-04-17 00:32:13 +02:00
ffmpeg: fix CVE-2024-35368
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c. (From OE-Core rev: bc73c3ef68826ffbb6de960b7bfa4b784e289ea8) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
committed by
Steve Sakoman
Steve Sakoman
parent
d078ab7577
commit
ffff345e4a
41
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
Normal file
41
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
Normal file
@@ -0,0 +1,41 @@
|
||||
From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
||||
Date: Sun, 24 Sep 2023 13:15:48 +0200
|
||||
Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
|
||||
|
||||
After having created the AVBuffer that is put into frame->buf[0],
|
||||
ownership of several objects (namely an AVDRMFrameDescriptor,
|
||||
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
|
||||
has passed to the AVBuffer and therefore to the frame.
|
||||
Yet it has nevertheless been freed manually on error
|
||||
afterwards, which would lead to a double-free as soon
|
||||
as the AVFrame is unreferenced.
|
||||
|
||||
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|
||||
|
||||
CVE: CVE-2024-35368
|
||||
|
||||
Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c]
|
||||
|
||||
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||
---
|
||||
libavcodec/rkmppdec.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
|
||||
index 7665098c6a..6889545b20 100644
|
||||
--- a/libavcodec/rkmppdec.c
|
||||
+++ b/libavcodec/rkmppdec.c
|
||||
@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
|
||||
|
||||
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
|
||||
if (!frame->hw_frames_ctx) {
|
||||
- ret = AVERROR(ENOMEM);
|
||||
- goto fail;
|
||||
+ av_frame_unref(frame);
|
||||
+ return AVERROR(ENOMEM);
|
||||
}
|
||||
|
||||
return 0;
|
||||
--
|
||||
2.40.0
|
||||
@@ -42,6 +42,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
|
||||
file://CVE-2024-7055.patch \
|
||||
file://CVE-2024-35366.patch \
|
||||
file://CVE-2024-35367.patch \
|
||||
file://CVE-2024-35368.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
|
||||
|
||||
Reference in New Issue
Block a user