From: "Anuj Mittal" <anuj.mittal@intel.com>
To: openembedded-core@lists.openembedded.org
Subject: [hardknott][PATCH 04/28] ffmpeg: fix CVE-2020-22021
Date: Wed, 25 Aug 2021 00:25:06 +0800 [thread overview]
Message-ID: <debc96860ce50f08451bc453d41a005b9d62a601.1629821028.git.anuj.mittal@intel.com> (raw)
In-Reply-To: <cover.1629821028.git.anuj.mittal@intel.com>
From: Tony Tascioglu <tony.tascioglu@windriver.com>
avfilter/vf_yadif: Fix handing of tiny images
Fixes: out of array access
Fixes: Ticket8240
Fixes: CVE-2020-22021
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-22021
Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../ffmpeg/ffmpeg/fix-CVE-2020-22021.patch | 87 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb | 1 +
2 files changed, 88 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
new file mode 100644
index 0000000000..05cba736ff
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22021.patch
@@ -0,0 +1,87 @@
+From 384177ca945395c8cf0ebbddd4b8b1eae64e900f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 29 May 2021 11:17:35 +0200
+Subject: [PATCH 4/5] avfilter/vf_yadif: Fix handing of tiny images
+
+Fixes: out of array access
+Fixes: Ticket8240
+Fixes: CVE-2020-22021
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2020-22021
+Upstream-Status: Backport [7971f62120a55c141ec437aa3f0bacc1c1a3526b]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ libavfilter/vf_yadif.c | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
+index 43dea67add..06fd24ecfa 100644
+--- a/libavfilter/vf_yadif.c
++++ b/libavfilter/vf_yadif.c
+@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
+ uint8_t *next2 = parity ? cur : next;
+
+ const int edge = MAX_ALIGN - 1;
++ int offset = FFMAX(w - edge, 3);
+
+ /* Only edge pixels need to be processed here. A constant value of false
+ * for is_not_edge should let the compiler ignore the whole branch. */
+- FILTER(0, 3, 0)
++ FILTER(0, FFMIN(3, w), 0)
+
+- dst = (uint8_t*)dst1 + w - edge;
+- prev = (uint8_t*)prev1 + w - edge;
+- cur = (uint8_t*)cur1 + w - edge;
+- next = (uint8_t*)next1 + w - edge;
++ dst = (uint8_t*)dst1 + offset;
++ prev = (uint8_t*)prev1 + offset;
++ cur = (uint8_t*)cur1 + offset;
++ next = (uint8_t*)next1 + offset;
+ prev2 = (uint8_t*)(parity ? prev : cur);
+ next2 = (uint8_t*)(parity ? cur : next);
+
+- FILTER(w - edge, w - 3, 1)
+- FILTER(w - 3, w, 0)
++ FILTER(offset, w - 3, 1)
++ offset = FFMAX(offset, w - 3);
++ FILTER(offset, w, 0)
+ }
+
+
+@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1,
+ uint16_t *next2 = parity ? cur : next;
+
+ const int edge = MAX_ALIGN / 2 - 1;
++ int offset = FFMAX(w - edge, 3);
+
+ mrefs /= 2;
+ prefs /= 2;
+
+- FILTER(0, 3, 0)
++ FILTER(0, FFMIN(3, w), 0)
+
+- dst = (uint16_t*)dst1 + w - edge;
+- prev = (uint16_t*)prev1 + w - edge;
+- cur = (uint16_t*)cur1 + w - edge;
+- next = (uint16_t*)next1 + w - edge;
++ dst = (uint16_t*)dst1 + offset;
++ prev = (uint16_t*)prev1 + offset;
++ cur = (uint16_t*)cur1 + offset;
++ next = (uint16_t*)next1 + offset;
+ prev2 = (uint16_t*)(parity ? prev : cur);
+ next2 = (uint16_t*)(parity ? cur : next);
+
+- FILTER(w - edge, w - 3, 1)
+- FILTER(w - 3, w, 0)
++ FILTER(offset, w - 3, 1)
++ offset = FFMAX(offset, w - 3);
++ FILTER(offset, w, 0)
+ }
+
+ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
+--
+2.32.0
+
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
index c9c82b0398..e68589d4c3 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.3.2.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://fix-CVE-2020-20446.patch \
file://fix-CVE-2020-20453.patch \
file://fix-CVE-2020-22015.patch \
+ file://fix-CVE-2020-22021.patch \
"
SRC_URI[sha256sum] = "46e4e64f1dd0233cbc0934b9f1c0da676008cad34725113fb7f802cfa84ccddb"
--
2.31.1
next prev parent reply other threads:[~2021-08-24 16:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-24 16:25 [hardknott][PATCH 00/28] Review request Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 01/28] ffmpeg: fix CVE-2020-20446 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 02/28] ffmpeg: fix CVE-2020-20453 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 03/28] ffmpeg: fix CVE-2020-22015 Anuj Mittal
2021-08-24 16:25 ` Anuj Mittal [this message]
2021-08-24 16:25 ` [hardknott][PATCH 05/28] ffmpeg: fix CVE-2020-22019 and CVE-2020-22033 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 06/28] go: upgrade 1.16.5 -> 1.16.7 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 07/28] linux-firmware: add more Qualcomm firmware packages Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 08/28] sstate.bbclass: fix error handling when sstate mirrors is ro Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 09/28] pixman: re-disable iwmmxt Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 10/28] kmod: use nonarch_base_libdir for depmod.d and modprobe.d Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 11/28] oeqa/runtime/cases: make date.DateTest.test_date more reliable Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 12/28] terminal.bbclass: force bash for devshell Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 13/28] tar: ignore node-tar CVEs Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 14/28] linux-yocto/5.10: update to v5.10.55 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 15/28] linux-yocto/5.4: update to v5.4.137 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 16/28] linux-yocto/5.4: update to v5.4.139 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 17/28] linux-yocto/5.10: update to v5.10.57 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 18/28] uninative: Improve glob to handle glibc 2.34 Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 19/28] uninative: Upgrade to 3.3, support " Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 20/28] kernel-devsrc: 5.14+ updates Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 21/28] kernel-devsrc: fix 5.14+ objtool compilation Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 22/28] lzo: add CVE_PRODUCT Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 23/28] utils: Reduce the number of calls to the "dirname" command Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 24/28] e2fsprogs: ensure small images have 256-byte inodes Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 25/28] wic: don't forcibly pass -T default Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 26/28] sdk: fix relocate symlink failed Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 27/28] sdk: Enable do_populate_sdk with multilibs Anuj Mittal
2021-08-24 16:25 ` [hardknott][PATCH 28/28] glibc: Fix CVE-2021-38604 Anuj Mittal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=debc96860ce50f08451bc453d41a005b9d62a601.1629821028.git.anuj.mittal@intel.com \
--to=anuj.mittal@intel.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox