Commit Graph

1951 Commits

Author SHA1 Message Date
Peter Marko
144b7586d1 gstreamer1.0-plugins-good: patch CVE-2024-47613
Pick commit from:
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041

(From OE-Core rev: 6236088fc43f7d2e8a01bb6e3937969ced8a7f6d)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 06:25:35 -08:00
Peter Marko
0ebfc58642 gstreamer1.0-plugins-base: patch CVE-2024-47615
Pick commits from:
* https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038

(From OE-Core rev: fbf7092a67703ff3101cce55bf33bcfc24339503)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 06:25:35 -08:00
Peter Marko
130884e63e gstreamer1.0-plugins-base: patch CVE-2024-47607
Pick commit from:
* https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037

(From OE-Core rev: 0cdac58a6a7ec25404b8a67508604844d282345a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 06:25:35 -08:00
Peter Marko
0d591c95a3 gstreamer1.0-plugins-base: patch CVE-2024-47538
Pick commit from:
* https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035

(From OE-Core rev: e7dbf6d73a11e6e9ec16035711179f451044eb09)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 06:25:35 -08:00
Peter Marko
6895713392 gstreamer1.0-plugins-good: fix several CVEs
Cherry-pick commits from branch 1.22 per [1].
Also cherry-pick [2] so these apply cleanly.

[1] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059
[2] 62de06c7a4

(From OE-Core rev: 33c2611c3998f25bf606b5a940c09b70ce04674c)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-01-09 06:25:35 -08:00
Archana Polampalli
59a2ca0cfe ffmpeg: fix CVE-2024-35368
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame
function within libavcodec/rkmppdec.c.

(From OE-Core rev: 53528caafa576a2f6417436cc0dba8be06e75048)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-23 05:46:32 -08:00
Archana Polampalli
3d0ff200b3 ffmpeg: fix CVE-2024-35367
FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c,
static const vec_s8 h_subpel_filters_outer

(From OE-Core rev: 64d77d422d3c99d8a246ab03edfb54d9d185326e)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-23 05:46:32 -08:00
Archana Polampalli
93dc7300c0 ffmpeg: fix CVE-2024-35366
FFmpeg n6.1.1 is affected by an Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.

(From OE-Core rev: a07bc254011736c0f0445607c56609be677ea8a7)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-23 05:46:32 -08:00
Archana Polampalli
c2186ed9ea ffmpeg: fix CVE-2024-7055
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical.
This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c.
The manipulation leads to heap-based buffer overflow. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and may be used.
Upgrading to version 7.0.2 is able to address this issue. It is recommended to
upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.

(From OE-Core rev: 71a9c2d01ad8ed83f9da6e6b9541fcf1d9baed48)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-13 05:21:53 -08:00
Archana Polampalli
ac0988d9f2 ffmpeg: fix CVE-2023-49528
Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a
local attacker to execute arbitrary code and cause a denial of service (DoS)
via the af_dialoguenhance.c:261:5 in the de_stereo component.

(From OE-Core rev: a5e0e1f8be3c6611c09158c80e26848ae3d4f4e7)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-13 05:21:53 -08:00
Archana Polampalli
9edd744fd8 ffmpeg: fix CVE-2023-50007
Buffer Overflow vulnerability in FFmpeg v.n6.1-3-g466799d4f5 allows a local
attacker to execute arbitrary code via the av_samples_set_silence function
in the libavutil/samplefmt.c:260:9 component.

(From OE-Core rev: b63ba0bff9e5b5e73d50b2b3ff805418fa98d7e5)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-13 05:21:53 -08:00
Archana Polampalli
34611ec3cb ffmpeg: fix CVE-2024-28661
Some of the changes are already present in recipe version

Ref:
148ada5577
https://ffmpeg.org/security.html

(From OE-Core rev: 4ca1544e95e327c7060efa845aa69c2a1eb1d782)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-13 05:21:53 -08:00
Archana Polampalli
2f5de1668c ffmpeg: fix CVE-2023-49501
Buffer Overflow vulnerability in FFmpeg v.n6.1-3-g466799d4f5 allows a
local attacker to execute arbitrary code via the config_eq_output function
in the libavfilter/asrc_afirsrc.c:495:30 component.

(From OE-Core rev: 873025145d42ffe75d421884160ec299d85d21ef)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-13 05:21:53 -08:00
Hitendra Prajapati
c7d5e09c10 libsndfile: fix CVE-2024-50612
Upstream-Status: Backport from 4755f5bd78

(From OE-Core rev: c427c0e22775a615e442d76b45bb3ec5dae067e2)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-06 05:50:25 -08:00
Peter Marko
e7335e4f0a gstreamer1.0: set status for CVE-2024-0444
This is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9
via [1].
cpe product is set to gstreamer, they share source git repository.

[1] 394d5066f8

(From OE-Core rev: 5ea630617daf0897e5a1edd7482f705e1e7997fe)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-11-18 06:59:35 -08:00
Jiaying Song
86c190e353 liba52: fix do_fetch error
Change the SRC_URI to the correct value due to the following error:

WARNING: liba52-0.7.4-r0.vr2401 do_fetch: Failed to fetch URL http://liba52.sourceforge.net/files/a52dec-0.7.4.tar.gz, attempting MIRRORS if available

(From OE-Core rev: 2a95bb8acf3f212ceb5347bade00a7bdbc525022)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-30 08:30:00 -07:00
aszh07
a44d507151 ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT
Currently, CVE_PRODUCT only detects vulnerabilities where the product is "ffmpeg".

However, there are also vulnerabilities where the product is "libswresample",
and "libavcodec" as shown below.
https://app.opencve.io/vendors/?vendor=ffmpeg

Therefore, add "libswresample libavcodec" to CVE_PRODUCT to detect vulnerabilities
where the product is "libswresample libavcodec" as well.

(From OE-Core rev: cebbbf76c029c5bf5563aca515b1c025c3644bf8)

Signed-off-by: aszh07 <mail2szahir@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-30 08:30:00 -07:00
Alexander Kanavin
c5e470dbbf pulseaudio, desktop-file-utils: correct freedesktop.org -> www.freedesktop.org SRC_URI
Server's https certificate isn't valid for freedesktop.org without www prefix.

(From OE-Core rev: 60f411d19a9ea5297911eed64902e1cb65358e35)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d7ce9da33498869384b26a6fda05c37e7b2c3565)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-10-02 06:15:15 -07:00
Niko Mauno
a439b55e5c tiff: Fix LICENSE
The contents of the LICENSE.md file included in the current source
code package match those of libtiff license, which seems to have been
the case since 1999 commit
0ef31e1f62
where it was added with filename COPYRIGHT and was then changed to
LICENSE.md in 2022 commit
fa1d6d787f

(From OE-Core rev: 71d8e8b03349ab18dca558055c2b3a3687785ddf)

(From OE-Core rev: 5495cf45ce74e79be3b8d9b1195f65e253c62828)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-19 05:11:35 -07:00
Archana Polampalli
0f869ed43b ffmpeg: fix CVE-2024-32230
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at
libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg 7.0.

(From OE-Core rev: b78fd9322b80734ec54440a01a36323a9b1b83f1)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-09-03 05:39:12 -07:00
Ross Burton
43997a8cf8 gstreamer1.0: disable flaky baseparser tests
There are three baseparser tests which are causing trouble on the AB,
so disable them as we've filed an upstream bug.

Also fix a typo when we were attempting to disable parser_pull_short_read
where a colon was used instead of a comma.

(From OE-Core rev: 90a510acd11fe342d01c62e3b247425836711c50)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91dbe8d6c57805f38bd287f1b392759df066589b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-26 05:18:44 -07:00
Siddharth Doshi
c58add8ab8 Tiff: Security fix for CVE-2024-7006
Upstream-Status: Backport from [818fb8ce88]

CVE's Fixed:
CVE-2024-7006 libtiff: NULL pointer dereference in tif_dirinfo.c

(From OE-Core rev: 7fd3c7e9742a4efa0fbebc1d0ed1da8f6d960175)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5313b4b233a486e8a1483757ad9c9aed3a213aae)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-26 05:18:43 -07:00
Archana Polampalli
f6c7e88446 ffmpeg: fix CVE-2023-50008
Buffer Overflow vulnerability in FFmpeg v.n6.1-3-g466799d4f5 allows a local attacker
to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.

(From OE-Core rev: e7aea9b5f66414afb6fefd9aad6123c42af94b4c)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-19 06:09:14 -07:00
Changqing Li
09f3d8bd26 libpng: update SRC_URI
update SRC_URI to fix do_fetch warning:
WARNING: libpng-1.6.42-r0 do_fetch: Failed to fetch URL https://downloads.sourceforge.net/project/libpng/libpng16/libpng-1.6.42.tar.xz, attempting MIRRORS if available

(From OE-Core rev: aa23e392e379ab7f8cdfc48e1d2d96812f330c74)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-10 06:34:25 -07:00
Archana Polampalli
0c1651298d ffmpeg: fix CVE-2024-31582
(From OE-Core rev: 617a9cdba6e2f0bd3ccc24e7bb2fe84e9573fecd)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-10 06:34:25 -07:00
Archana Polampalli
89107e01fb ffmpeg: fix CVE-2024-31578
FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.

(From OE-Core rev: bd9fe64c40f7f4e1d18b5d33a9a366e95c2ddd2d)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-01 06:08:08 -07:00
Archana Polampalli
11415e5a61 ffmpeg: fix CVE-2023-49502
Buffer Overflow vulnerability in FFmpeg v.n6.1-3-g466799d4f5 allows a local attacker
to execute arbitrary code via the ff_bwdif_filter_intra_c function in the
libavfilter/bwdifdsp.c:125:5 component.

(From OE-Core rev: 814a688d1dc3f22cf7d1b88bde6842b032c13d12)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-08-01 06:08:08 -07:00
Alexander Kanavin
78f49e0544 vorbis: mark patch as Inactive-Upstream
(From OE-Core rev: 1b3da78af1ea569ac8cbf135159a3f6e7f4f471c)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 618bb8994d66d7d24cca2fb6885a510d69406437)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-17 05:36:14 -07:00
Ross Burton
88981b162e gstreamer1.0: skip another known flaky test
The baseparse:parser_pull_short_read test is known to be unreliable,
according to the list of known bad tests in gst-devtools.

Also clean up an incorrect comment.

(From OE-Core rev: 5b00a8efdf0794af46e8240582799ea008172215)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit be58657b3ee32af5a00f6bfecb9264751915dabd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-17 05:36:13 -07:00
Peter Marko
219e85cc07 flac: fix buildpaths warnings
Generated documentation (html) contains absolute paths to sources, causing
buildpaths warnings.
Replace them with relative links.

The file with root path to sources is in my build
/usr/share/doc/flac/api/dir_c122f5d6544f32779f55e8358fb78605.html
which does not look like a stable name, so replace it in all files.

(From OE-Core rev: 860d4d6b54f61342f925ea522f9962555ae5d8ac)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c7d826c88933d53d550265f1cc382539c5c52994)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-12 05:47:20 -07:00
Archana Polampalli
35f96ab887 gstreamer: upgrade 1.22.11 -> 1.22.12
https://gstreamer.freedesktop.org/releases/1.22/#1.22.12

(From OE-Core rev: a99d2e4bde8aaab9e97a42c3b08fdd8b544b5fb5)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-09 06:02:55 -07:00
Dmitry Baryshkov
e7dbf1a860 ffmpeg: backport patch to fix errors with GCC 14
On ARMv7 compilation of ffmpeg breaks if Vulkan support is enabled.
Backport a patch from the trunk to fix compilation issues:

| src/libavcodec/vulkan_av1.c: In function 'vk_av1_create_params':
| src/libavcodec/vulkan_av1.c:214:43: error: initialization of 'long long unsigned int' from 'void *' makes integer from pointer without a cast [-Wint-conversion]
|   214 |         .videoSessionParametersTemplate = NULL,
|       |                                           ^~~~
| src/libavcodec/vulkan_av1.c:214:43: note: (near initialization for '(anonymous).videoSessionParametersTemplate')
| make: *** [/oe/build/tmp-rpb_wayland-glibc/work/armv7at2hf-neon-linaro-linux-gnueabi/ffmpeg/6.1.1/ffmpeg-6.1.1/ffbuild/common.mak:81: libavcodec/vulkan_av1.o] Error 1
| make: *** Waiting for unfinished jobs....
| src/libavcodec/vulkan_decode.c: In function 'ff_vk_decode_prepare_frame':
| src/libavcodec/vulkan_decode.c:191:26: error: assignment to 'VkImageView' {aka 'long long unsigned int'} from 'void *' makes integer from pointer without a cast [-Wint-conversion]
|   191 |     vkpic->img_view_ref  = NULL;
|       |                          ^
| src/libavcodec/vulkan_decode.c:192:26: error: assignment to 'VkImageView' {aka 'long long unsigned int'} from 'void *' makes integer from pointer without a cast [-Wint-conversion]
|   192 |     vkpic->img_view_out  = NULL;
|       |                          ^
| src/libavcodec/vulkan_decode.c:193:26: error: assignment to 'VkImageView' {aka 'long long unsigned int'} from 'void *' makes integer from pointer without a cast [-Wint-conversion]
|   193 |     vkpic->img_view_dest = NULL;
|       |                          ^
| make: *** [/oe/build/tmp-rpb_wayland-glibc/work/armv7at2hf-neon-linaro-linux-gnueabi/ffmpeg/6.1.1/ffmpeg-6.1.1/ffbuild/common.mak:81: libavcodec/vulkan_decode.o] Error 1

(From OE-Core rev: 6b3ca9f5745c438de74ef4e2e041ee95583b8dc6)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52001cabd021b7c856acf426b668b99a72561de0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-03 06:28:37 -07:00
Dmitry Baryshkov
87c5aec978 ffmpeg: backport patches to use new Vulkan AV1 codec API
Backport two patches from ffmpeg git to fix compilation with the newest
Vulkan API.

(From OE-Core rev: 9dc5060abdc61e6a8a8a1ca44bb0aaf266d32271)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a9393391613cd81643744daf930eaabf2ced79b7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-07-03 06:28:37 -07:00
Marek Vasut
184753b1af gstreamer1.0-plugins-good: Include qttools-native during the build with qt5 PACKAGECONFIG
The qttools provide 'lrelease' tool, which is checked by recent
versions of meson build system. Unless the qttools are available
in sysroot, meson will fail to detect qt5 installation at build
time and the gstreamer build will fail. Fix this by including
the qttools-native.

(From OE-Core rev: 4e9274f2719eea91de3c98b9f88a7e2ebebcce90)

Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ae2ca4af54695003638da38f8548aa8573d18201)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-06-05 05:57:12 -07:00
Wang Mingyu
02eacd385e mpg123: upgrade 1.32.5 -> 1.32.6
Changelog:
- build: Detect forced 64 bit offsets on a dual-mode system that used
  to default to 32 bits and drop ambiguous suffix-less symbols in that
  case.

(From OE-Core rev: e38a0f1a5e515651173b1aa21d38f2b3924de8b2)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5e76967536191ac42fdd0c016e92a273dc4908e2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-05-03 06:12:22 -07:00
Randy MacLeod
b84ae2ad79 gstreamer: upgrade 1.22.10 -> 1.22.11
Changelog:
   https://gstreamer.freedesktop.org/releases/1.22/#1.22.11

Change the Upstream-Status URL for patch:
   0002-ssaparse-enhance-SSA-text-lines-parsing.patch
since the bug tracker moved but the bug is not yet resolved.

"gstreamer 1.22.9 and 1.22.10 contain a regression that cause the audio
output to freeze when muting. this regression has been fixed in 1.22.11"
[YOCTO #15456]

(From OE-Core rev: cad5d53e13093ac2fc6f5ba1d0e26fb16e3d88f7)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-30 22:22:19 +00:00
Ross Burton
78e48090b2 gstreamer1.0: improve test reliability
First, libcheck has the ability to increase all test timeouts by an arbitrary
multiplier. Because we run our tests on loaded build machines,
increase all timeouts by 10x to reduce the chance of load causing failures.

Second, use GST_CHECKS_IGNORE to list test cases that should be skipped.

Drop skip-aggregator-test.patch as this is now redundant, and also skip
gstnetclientclock.c:test_functioning as this is very sensitive to load.

[ YOCTO #14808 ]

(From OE-Core rev: 669d0df81f651f7c033c8cb7872cac5bfe670a4f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-19 15:25:12 +00:00
Richard Purdie
c60038b721 libpng: Update SRC_URI to avoid redirects
Currently we're hitting permanent redirects on the urls. Tweak them
to avoid that overhead/noise/inefficiency.

(From OE-Core rev: 6b81db486e760483cf373559dc0b5ee71e410b09)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-06 12:13:16 +00:00
Wang Mingyu
33e4e09df4 mpg123: upgrade 1.32.4 -> 1.32.5
Changelog:
============
- build:
-- CMake port uses CFLAGS for pulse/jack/tinyalsa properly now (bug 366).
-- CMake port links libsyn123 with libm now (bug 370).
- libmpg123:
-- Fix --enable-portable (no usage of LFS_WRAP_NONE, bug 368).
-- Fix dct36 wrapper usage for x86-64 and NEON. Stupid (bug 367) and
   also avoid returning void.
-- Make ARM builds work with nagging (missing feature macros for std=c99)

(From OE-Core rev: 038313876c68b4b2c71f869f09c0f831cebf2d29)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-01 09:28:51 +00:00
Wang Mingyu
d0bec8e41e libpng: upgrade 1.6.41 -> 1.6.42
Changelog:
 Fixed the implementation of the macro function png_check_sig().

(From OE-Core rev: b92fb50237f394cae663e4e88b1b85f30693439e)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-03-01 09:28:51 +00:00
Ross Burton
d9156c3be0 gstreamer1.0: skip a test that is known to be flaky
The aggregator testcase test_infinite_seek_50_src_live is known upstream
to be flaky[1] and when this fails in their CI they just ignore it.

It's failing often on our autobuilder, so disable the test case for now
until upstream have resolved this issue.

[ YOCTO #15054 ]

[1] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/410

(From OE-Core rev: c2c9cbc107e5428122ad26b5c478602f0c8c0fbe)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-29 10:26:13 +00:00
Simone Weiß
2bcd651a08 meta: Update CVE_STATUS for incorrect cpes
Set CVE_STATUS as none of the issues apply against the versions
used in the recipes.

(From OE-Core rev: cea8c8bf73e84133f566d1c2ca0637494f2d7afe)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-24 16:10:23 +00:00
Simone Weiß
5e21c5d64e meta: Remove some not needed CVE_STATUS
CVE_STATUS was set for those components, but meanwhile databases are updated
with corrected information, so setting the CVE_STATUS is not needed anymore.

(From OE-Core rev: 5ec6057cfa66ceeb33bec013e320f8e3fa7d7ecf)

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-24 16:10:23 +00:00
Anuj Mittal
a277d1f7a0 gstreamer1.0: upgrade 1.22.9 -> 1.22.10
(From OE-Core rev: d0a546e21760004897f814981445433a5d5e69a6)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-17 18:19:19 +00:00
Michael Opdenacker
be94979c69 alsa-utils: upgrade 1.2.10 -> 1.2.11
- Upstream release upgrade
  See https://www.alsa-project.org/wiki/Detailed_changes_v1.2.10_v1.2.11
- Remove merged patches

(From OE-Core rev: 877ab719495e0d6d228e355e81a52db4a1291b6e)

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-08 23:14:51 +00:00
Michael Opdenacker
a8cf6842ed alsa-ucm-conf: upgrade 1.2.10 -> 1.2.11
- Upstream release update
  See https://www.alsa-project.org/wiki/Detailed_changes_v1.2.10_v1.2.11

(From OE-Core rev: c40625abc7b83582139fa9ce4f638dd2cf404ad5)

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-08 23:14:51 +00:00
Michael Opdenacker
6464ece7bb alsa-tools: upgrade 1.2.5 -> 1.2.11
- Upstream release update
  See https://www.alsa-project.org/wiki/Detailed_changes_v1.2.10_v1.2.11

(From OE-Core rev: deef08ab66ed5983a962e59655d03c2549e1132c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-08 23:14:51 +00:00
Michael Opdenacker
1d1d8b3f57 alsa-lib: upgrade 1.2.10 -> 1.2.11
- Upstream release update
  See https://www.alsa-project.org/wiki/Detailed_changes_v1.2.10_v1.2.11
- Remove merged patch
- Add new patch merged after the release

(From OE-Core rev: 5260a5e2316bb8d20cfb20e345f7aefe936a0da5)

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-08 23:14:51 +00:00
Yogita Urade
eba805ace4 tiff: fix CVE-2023-52355 and CVE-2023-52356
CVE-2023-52355:
An out-of-memory flaw was found in libtiff that could be
triggered by passing a crafted tiff file to the
TIFFRasterScanlineSize64() API. This flaw allows a remote
attacker to cause a denial of service via a crafted input
with a size smaller than 379 KB.
Issue fixed by providing a documentation update.

CVE-2023-52356:
A segment fault (SEGV) flaw was found in libtiff that could
be triggered by passing a crafted tiff file to the
TIFFReadRGBATileExt() API. This flaw allows a remote attacker
to cause a heap-buffer overflow, leading to a denial of service.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52355
https://security-tracker.debian.org/tracker/CVE-2023-52355
https://gitlab.com/libtiff/libtiff/-/issues/621
https://gitlab.com/libtiff/libtiff/-/merge_requests/553
https://nvd.nist.gov/vuln/detail/CVE-2023-52356
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546

(From OE-Core rev: 831d7a2fffb3dec94571289292f0940bc7ecd70a)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-08 10:53:13 +00:00
Wang Mingyu
f3fc26a2b4 libpng: upgrade 1.6.40 -> 1.6.41
Changelog:
===========
- Added SIMD-optimized code for the Loongarch LSX hardware.
- Fixed the run-time discovery of MIPS MSA hardware.
- Fixed an off-by-one error in the function 'png_do_check_palette_indexes',
  which failed to recognize errors that might have existed in the first
  column of a broken palette-encoded image. This was a benign regression
  accidentally introduced in libpng-1.6.33. No pixel was harmed.
- Fixed, improved and modernized the contrib/pngminus programs, i.e.,
  png2pnm.c and pnm2png.c
- Removed old and peculiar portability hacks that were meant to silence
  warnings issued by gcc version 7.1 alone.
- Fixed and modernized the CMake file, and raised the minimum required
  CMake version from 3.1 to 3.6.
- Allowed the configure script to disable the building of auxiliary tools
  and tests, thus catching up with the CMake file.
- Fixed a build issue on Mac.
- Moved the Autoconf macro files to scripts/autoconf.
- Moved the CMake files (except for the main CMakeLists.txt) to
  scripts/cmake and moved the list of their contributing authors to
  scripts/cmake/AUTHORS.md
- Updated the CI configurations and scripts.
- Relicensed the CI scripts to the MIT License.
- Improved the test coverage.

License-Update: Copyright year updated to 2024.

(From OE-Core rev: 4e0ec5769416938a22f64dc4767480acf76fd247)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2024-02-03 22:08:26 +00:00