A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1.
This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c
of the component AAC Encoder. The manipulation leads to stack-based buffer overflow.
It is possible to initiate the attack remotely. The exploit has been disclosed to
the public and may be used.
(From OE-Core rev: 5a922eb95da7d373ee2bc3018065448fa128e69a)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2023-6605:
A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET
requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs.
CVE-2023-6604:
A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load
and storage consumption, potentially leading to degraded performance or denial of service
via the demuxing of arbitrary data as XBIN-formatted data without proper format validation.
CVE-2023-6602:
flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration
via improper parsing of non-TTY-compliant input files in HLS playlists.
(From OE-Core rev: aa68992ddc5744bb4fdbb3a3cd0636b303449be2)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These two CVEs were fixed via the 5.0.3 release, and the
backported patches that fixed them were subsequently left
behind (although not deleted) by dadb16481810 ("ffmpeg:
upgrade 5.0.1 -> 5.0.3")
* CVE-2022-3109: An issue was discovered in the FFmpeg
package, where vp3_decode_frame in libavcodec/vp3.c lacks
check of the return value of av_malloc() and will cause a
null pointer dereference, impacting availability.
* CVE-2022-3341: A null pointer dereference issue was
discovered in 'FFmpeg' in decode_main_header() function of
libavformat/nutdec.c file. The flaw occurs because the
function lacks check of the return value of
avformat_new_stream() and triggers the null pointer
dereference error, causing an application to crash.
`bitbake ffmpeg` reports these two as "Unpatched".
Ignore them for now, until the NVD updates the versions where
these do not affect anymore.
(From OE-Core rev: 78aef4b1002c515aa2c1a64fea5bb013c9bc86a8)
Signed-off-by: Daniel Díaz <daniel.diaz@sonos.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch for CVE-2022-48434 was removed when ffmpeg was updated to
5.0.3. The CVE was fixed in 5.0.2, but NVD has not updated the affected
versions yet. Added an ignore for this CVE to mark as fixed.
(From OE-Core rev: a8c6e2da68c9fc6c692b41c7370ec937680f788c)
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Currently, CVE_PRODUCT only detects vulnerabilities where the product is "ffmpeg".
However, there are also vulnerabilities where the product is "libswresample",
and "libavcodec" as shown below.
https://app.opencve.io/vendors/?vendor=ffmpeg
Therefore, add "libswresample libavcodec" to CVE_PRODUCT to detect vulnerabilities
where the product is "libswresample libavcodec" as well.
(From OE-Core rev: 9684eba5c543de229108008e29afd1dd021a9799)
(From OE-Core rev: 34df694e0cdf4c1e3dfc99502a9e615b8c802cdb)
Signed-off-by: aszh07 <mail2szahir@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-1373 does not appear to affect ffmpeg 5.0.3. The CVE has been
added to the ignore list.
(From OE-Core rev: 99cda92e387ca071c4235c14a137510a4fb481c2)
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation
violation via the component /libavcodec/jpeg2000dec.c.
(From OE-Core rev: 948e3fe6d4a0762bcd56e1cc04c4100c46915669)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows
attackers to cause a Denial of Service (DoS) via opening a crafted AAC file.
(From OE-Core rev: 2494f863a163d13967d927618a101078f6980538)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Refreshed CVE-2024-36613.patch against to the current version
Removed below patches since already fixed in this version
0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch [1]
0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch [2]
0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch [3]
0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch [4]
CVE-2022-48434.patch [5]
[1] 1eb002596e
[2] 293dc39bca
[3] 2cdddcd6ec
[4] 481e81be12
[5] 3bc28e9d1a
(From OE-Core rev: dadb16481810ebda8091b36e3ee03713c90b5e7e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer
dereference via the component libavformat/mov.c.
(From OE-Core rev: 599ee3f195bc66d57797c121fa0b73a901d6edfa)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module,
a potential security vulnerability exists due to insufficient validation of
certain parameters when parsing Speex codec extradata. This vulnerability
could lead to integer overflow conditions, potentially resulting in undefined
behavior or crashes during the decoding process.
(From OE-Core rev: 3efef582892a5a9286041837098b80aa59d1b688)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library
which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
(From OE-Core rev: 46680bed23ef6f529c7e554b5611a7c098fce8a9)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability was introduced in 5.1, so 5.0.1 is not affected.
(From OE-Core rev: ea6e581067cafd5f367c68871bc312d3ba11b4da)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is no release which is vulnerable to these CVEs.
These vulnerabilities are in new features being developed and were fixed
before release.
NVD most likely does not accept CVE rejection from a non-maintainer and
non-reporter, so ignoring this CVE should be acceptable solution.
(From OE-Core rev: 220a05e27913bf838881c3f22a17d0409c5154a9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
(From OE-Core rev: aec2ad743893d72d46c79701a0dac982931e3171)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1
allows attackers to cause a denial of service in the application via a crafted VQA file.
(From OE-Core rev: 93a1e2fd2bb42977339510ef7d71288a88a34ab8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library
allowing for an integer overflow, potentially resulting in a denial-of-service (DoS)
condition or other undefined behavior.
(From OE-Core rev: 1af53c8dd20662e720ac4dad31833a9d776b795a)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame
function within libavcodec/rkmppdec.c.
(From OE-Core rev: bc73c3ef68826ffbb6de960b7bfa4b784e289ea8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.
(From OE-Core rev: 9acfc54b2707bf04922f153d06ae27ff552fbe23)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical.
This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c.
The manipulation leads to heap-based buffer overflow. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and may be used.
Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade
the affected component. The associated identifier of this vulnerability is VDB-273651.
(From OE-Core rev: 7335a81112673616240f010d4930b4982b10c355)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local
attacker to execute arbitrary code via the libavfilter/f_reverse.c:269:26
in areverse_request_frame.
(From OE-Core rev: ec7301d63376197ed3e89282545109f046d63888)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker
to execute arbitrary code via theav_samples_set_silence function in the
libavutil/samplefmt.c:260:9 component.
(From OE-Core rev: 88a1fc5a6445e72e6cc78c39a6feff3aa96beea6)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker
to execute arbitrary code via a floating point exception (FPE) error at
libavfilter/vf_minterpolate.c:1078:60 in interpolate.
(From OE-Core rev: b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a
local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69.
(From OE-Core rev: 248dc3b20971fb95f0ceb2a34959f857c89ae008)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via
the av_hwframe_ctx_init function.
(From OE-Core rev: 072a5454fa6610fd751433c518f9beb5496851a1)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability
in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability
allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input.
(From OE-Core rev: d675ceadf5844524e9f77c2c9b76b9ca42e699fc)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker
to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.
(From OE-Core rev: 433c84c528bb9920399abfe9e9461d26a929bc7a)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local
attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.
(From OE-Core rev: be875832526636638a034680f837241c16e2b26d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param
bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0
(From OE-Core rev: 6eb7dc3eecbbe115f95864d587fb3d5557321973)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Without a CVE tag, It will be recognised as Unpatched by cve_check task.
(From OE-Core rev: afc21d7fe86d26bf62e56fc611750f89fe73aa1a)
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Without a CVE tag, It will be recognised as Unpatched by cve_check task.
(From OE-Core rev: ce4ac3d167496d2f3a3029ef83dc418a0794c2fb)
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and
other products, leaves stale hwaccel state in worker threads, which
allows attackers to trigger a use-after-free and execute arbitrary
code in some circumstances (e.g., hardware re-initialization upon a
mid-video SPS change when Direct3D11 is used).
(From OE-Core rev: 392f984ffd95bcd3ce4c364b40425e7808ca7719)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
avformat/nutdec: Add check for avformat_new_stream
Check for failure of avformat_new_stream() and propagate
the error code.
(From OE-Core rev: e17ddd0fafb562ed7ebe7708dac9bcef2d6cecc1)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of
the return value of av_malloc() and will cause a null pointer dereference, impacting availability.
CVE: CVE-2022-3109
Upstream-Status: Backport [656cb0450a]
(From OE-Core rev: 874b72fe259cd3a23f4613fccfe2e9cc3f79cd6a)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A vulnerability classified as problematic was found in ffmpeg. This vulnerability affects the function
smc_encode_stream of the file libavcodec/smcenc.c of the component QuickTime Graphics Video Encoder. The
manipulation of the argument y_size leads to out-of-bounds read. The attack can be initiated remotely.
The name of the patch is 13c13109759090b7f7182480d075e13b36ed8edd. It is recommended to apply a patch to
fix this issue. The identifier of this vulnerability is VDB-213544.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3965
Upstream Fix:
13c1310975
(From OE-Core rev: c1f1ab29b5e2911a15b072e7feb0133320bad976)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file
libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size
leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is
92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated
identifier of this vulnerability is VDB-213543.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-3964
Upstream Fix:
92f9b28ed8
(From OE-Core rev: 40a1c9d3c839df6479582ac27264fac851a0d4c3)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
version 5.0.1:
- avcodec/exr: Avoid signed overflow in displayWindow
- avcodec/diracdec: avoid signed integer overflow in global mv
- avcodec/takdsp: Fix integer overflow in decorrelate_sf()
- avcodec/apedec: fix a integer overflow in long_filter_high_3800()
- avdevice/dshow: fix regression
- avfilter/vf_subtitles: pass storage size to libass
- avcodec/vp9_superframe_split_bsf: Don't read inexistent data
- avcodec/vp9_superframe_split_bsf: Discard invalid zero-sized frames
- avcodec/vp9_superframe_bsf: Check for existence of data before reading it
- avcodec/vp9_raw_reorder_bsf: Check for existence of data before reading it
- avformat/imf: fix packet pts, dts and muxing
- avformat/imf: open resources only when first needed
- avformat/imf: cosmetics
- avformat/imf_cpl: do not use filesize when reading XML file
- avformat/imfdec: Use proper logcontext
- avformat/imfdec: do not use filesize when reading XML file
- doc/utils: add missing 22.2 layout entry
- avcodec/av1: only set the private context pix_fmt field if get_pixel_format() succeeds
- avformat/aqtitledec: Skip unrepresentable durations
- avformat/cafdec: Do not store empty keys in read_info_chunk()
- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing
- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
- avformat/mxfdec: Check count in mxf_read_strong_ref_array()
- avformat/hls: Check target_duration
- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
- avformat/matroskadec: Check pre_ns
- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
- avcodec/libuavs3d: Check ff_set_dimensions() for failure
- avcodec/speexdec: Align some comments
- avcodec/speexdec: Use correct doxygen comments
- avcodec/mjpegbdec: Set buf_size
- avformat/matroskadec: Use rounded down duration in get_cue_desc() check
- avcodec/argo: Check packet size
- avcodec/g729_parser: Check channels
- avformat/avidec: Check height
- avformat/rmdec: Better duplicate tags check
- avformat/mov: Disallow empty sidx
- avformat/argo_cvg:: Fix order of operations in error check in argo_cvg_write_trailer()
- avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()
- avcodec/movtextdec: add () to CMP() macro to avoid unexpected behavior
- avformat/matroskadec: Check duration
- avformat/mov: Corner case encryption error cleanup in mov_read_senc()
- avcodec/jpeglsdec: Fix if( code style
- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
- avcodec/motion_est: fix indention of ff_get_best_fcode()
- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
- avformat/hls: Use unsigned for iv computation
- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
- avformat/matroskadec: Check desc_bytes
- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
- avformat/matroskadec: Fix infinite loop with bz decompression
- avformat/utils: keep chapter monotonicity on chapter updates
- avformat/mov: Check size before subtraction
- avcodec/cfhd: Avoid signed integer overflow in coeff
- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure
- avcodec/h264_parser: don't alter decoder private data
- configure: link to libatomic when it's present
- fate/ffmpeg: add missing samples dependency to fate-shortest
(From OE-Core rev: ccb87ec2f13b72c1f43a2ad96cd446533da4a666)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90f35ceb209a51dfe0cd29e1d8646fcc501b7269)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libavresample has been removed; libswresample is the replacement.
(From OE-Core rev: 5555bca01750024a786a1f78d573d02f12b45686)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
