Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ffmpeg-5 for openSUSE:Factory checked in at 2024-04-23 18:56:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ffmpeg-5 (Old) and /work/SRC/openSUSE:Factory/.ffmpeg-5.new.27645 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-5" Tue Apr 23 18:56:17 2024 rev:23 rq:1169772 version:5.1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-5/ffmpeg-5.changes 2024-02-04 19:07:37.793210439 +0100 +++ /work/SRC/openSUSE:Factory/.ffmpeg-5.new.27645/ffmpeg-5.changes 2024-04-23 18:56:45.555946601 +0200 @@ -1,0 +2,21 @@ +Mon Apr 22 23:10:31 UTC 2024 - Jan Engelhardt <[email protected]> + +- Address boo#1223274/CVE-2023-51796: add patch + 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch + +------------------------------------------------------------------- +Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <[email protected]> + +- Address boo#1222730/CVE-2023-49528: add patches + 0001-avfilter-af_dialoguenhance-fix-overreads.patch, + 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, + 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +- Address boo#1223070/CVE-2024-31578: add patch + 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +- Address boo#1223085/CVE-2024-31582: add patch + 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +- Address boo#1223087/CVE-2024-31585, boo#1223273/CVE-2023-51795: + add patch + 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch + +------------------------------------------------------------------- New: ---- 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch 0001-avfilter-af_dialoguenhance-fix-overreads.patch 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch BETA DEBUG BEGIN: New: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch - Address boo#1223070/CVE-2024-31578: add patch New:- Address boo#1222730/CVE-2023-49528: add patches 0001-avfilter-af_dialoguenhance-fix-overreads.patch, 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, New: 0001-avfilter-af_dialoguenhance-fix-overreads.patch, 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch, 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch New: add patch 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch New:- Address boo#1223274/CVE-2023-51796: add patch 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch New:- Address boo#1223085/CVE-2024-31582: add patch 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch - Address boo#1223087/CVE-2024-31585, boo#1223273/CVE-2023-51795: New:- Address boo#1223070/CVE-2024-31578: add patch 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch - Address boo#1223085/CVE-2024-31582: add patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-5.spec ++++++ --- /var/tmp/diff_new_pack.ZpA11t/_old 2024-04-23 18:56:46.295973339 +0200 +++ /var/tmp/diff_new_pack.ZpA11t/_new 2024-04-23 18:56:46.295973339 +0200 @@ -111,7 +111,14 @@ Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch9: ffmpeg-4.4-CVE-2020-22046.patch -Patch10: ffmpeg-chromium.patch +Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff @@ -831,7 +838,14 @@ Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch Patch5: work-around-abi-break.patch Patch9: ffmpeg-4.4-CVE-2020-22046.patch -Patch10: ffmpeg-chromium.patch +Patch10: 0001-avfilter-af_dialoguenhance-fix-overreads.patch +Patch11: 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch +Patch12: 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch +Patch13: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch +Patch14: 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch +Patch15: 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch +Patch16: 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch +Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff BuildRequires: c_compiler ++++++ 0001-avfilter-af_dialoguenhance-do-output-scaling-once.patch ++++++ >From f1f973313b6edc460339c2dfa4675dd3ad72fe98 Mon Sep 17 00:00:00 2001 From: Paul B Mahol <[email protected]> Date: Mon, 27 Nov 2023 11:52:37 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: do output scaling once References: https://bugzilla.opensuse.org/1222730 References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c index 5c8614c185..2674313f5c 100644 --- a/libavfilter/af_dialoguenhance.c +++ b/libavfilter/af_dialoguenhance.c @@ -108,7 +108,7 @@ static int config_input(AVFilterLink *inlink) generate_window_func(s->window, s->fft_size, WFUNC_SINE, &overlap); - iscale = 1.f / s->fft_size; + iscale = 1.f / (s->fft_size * 1.5f); ret = av_tx_init(&s->tx_ctx[0], &s->tx_fn, AV_TX_FLOAT_RDFT, 0, s->fft_size, &scale, 0); if (ret < 0) @@ -296,13 +296,10 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) memcpy(left_osamples, left_in, overlap * sizeof(float)); memcpy(right_osamples, right_in, overlap * sizeof(float)); - // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude - if (!ctx->is_disabled) { - for (int i = 0; i < overlap; i++) - center_osamples[i] = left_out[i] / 1.5f; - } else { + if (ctx->is_disabled) memset(center_osamples, 0, overlap * sizeof(float)); - } + else + memcpy(center_osamples, left_out, overlap * sizeof(float)); return 0; } -- 2.44.0 ++++++ 0001-avfilter-af_dialoguenhance-fix-overreads.patch ++++++ >From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001 From: Paul B Mahol <[email protected]> Date: Sat, 25 Nov 2023 12:54:28 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads References: https://bugzilla.opensuse.org/1222730 References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c index 1762ea7cde..29c8ab10a7 100644 --- a/libavfilter/af_dialoguenhance.c +++ b/libavfilter/af_dialoguenhance.c @@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink) if (!s->window) return AVERROR(ENOMEM); - s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); - s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); - s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); - s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); - s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4); - s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4); + s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); if (!s->in_frame || !s->windowed_out || !s->windowed_prev || !s->out_dist_frame || !s->windowed_frame || !s->center_frame) return AVERROR(ENOMEM); @@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) float *right_osamples = (float *)out->extended_data[1]; float *center_osamples = (float *)out->extended_data[2]; const int offset = s->fft_size - s->overlap; + const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); float vad; // shift in/out buffers @@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); - memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float)); - memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float)); + memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); + memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); memset(&left_out[offset], 0, s->overlap * sizeof(float)); memset(&right_out[offset], 0, s->overlap * sizeof(float)); -- 2.44.0 ++++++ 0001-avfilter-af_dialoguenhance-simplify-channels-copy.patch ++++++ >From 4671fb7dfb8e72b228e04f3b81da7f2003c62240 Mon Sep 17 00:00:00 2001 From: Paul B Mahol <[email protected]> Date: Mon, 27 Nov 2023 00:38:56 +0100 Subject: [PATCH] avfilter/af_dialoguenhance: simplify channels copy References: https://bugzilla.opensuse.org/1222730 References: CVE-2023-49528 --- libavfilter/af_dialoguenhance.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c index 29c8ab10a7..5c8614c185 100644 --- a/libavfilter/af_dialoguenhance.c +++ b/libavfilter/af_dialoguenhance.c @@ -249,20 +249,21 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) float *left_osamples = (float *)out->extended_data[0]; float *right_osamples = (float *)out->extended_data[1]; float *center_osamples = (float *)out->extended_data[2]; - const int offset = s->fft_size - s->overlap; - const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); + const int overlap = s->overlap; + const int offset = s->fft_size - overlap; + const int nb_samples = FFMIN(overlap, s->in->nb_samples); float vad; // shift in/out buffers - memmove(left_in, &left_in[s->overlap], offset * sizeof(float)); - memmove(right_in, &right_in[s->overlap], offset * sizeof(float)); - memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); - memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); + memmove(left_in, &left_in[overlap], offset * sizeof(float)); + memmove(right_in, &right_in[overlap], offset * sizeof(float)); + memmove(left_out, &left_out[overlap], offset * sizeof(float)); + memmove(right_out, &right_out[overlap], offset * sizeof(float)); memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); - memset(&left_out[offset], 0, s->overlap * sizeof(float)); - memset(&right_out[offset], 0, s->overlap * sizeof(float)); + memset(&left_out[offset], 0, overlap * sizeof(float)); + memset(&right_out[offset], 0, overlap * sizeof(float)); apply_window(s, left_in, windowed_left, 0); apply_window(s, right_in, windowed_right, 0); @@ -292,14 +293,15 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) apply_window(s, windowed_oleft, left_out, 1); - for (int i = 0; i < s->overlap; i++) { - // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude - if (!ctx->is_disabled) + memcpy(left_osamples, left_in, overlap * sizeof(float)); + memcpy(right_osamples, right_in, overlap * sizeof(float)); + + // 4 times overlap with squared hanning window results in 1.5 time increase in amplitude + if (!ctx->is_disabled) { + for (int i = 0; i < overlap; i++) center_osamples[i] = left_out[i] / 1.5f; - else - center_osamples[i] = 0.f; - left_osamples[i] = left_in[i]; - right_osamples[i] = right_in[i]; + } else { + memset(center_osamples, 0, overlap * sizeof(float)); } return 0; -- 2.44.0 ++++++ 0001-avfilter-avf_showspectrum-fix-off-by-1-error.patch ++++++ >From ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sun, 24 Dec 2023 20:31:02 +0100 Subject: [PATCH] avfilter/avf_showspectrum: fix off by 1 error References: https://bugzilla.opensuse.org/1223087 References: CVE-2024-31585 References: https://bugzilla.opensuse.org/1223273 References: CVE-2023-51795 Fixes: out of array access Fixes: tickets/10749/poc15ffmpeg Regression since: 81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/avf_showspectrum.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c index 8cf73fce70..99a5c33d09 100644 --- a/libavfilter/avf_showspectrum.c +++ b/libavfilter/avf_showspectrum.c @@ -1784,7 +1784,7 @@ static int showspectrumpic_request_frame(AVFilterLink *outlink) int acc_samples = 0; int dst_offset = 0; - while (nb_frame <= s->nb_frames) { + while (nb_frame < s->nb_frames) { AVFrame *cur_frame = s->frames[nb_frame]; int cur_frame_samples = cur_frame->nb_samples; int nb_samples = 0; -- 2.44.0 ++++++ 0001-avfilter-f_reverse-Apply-PTS-compensation-only-when-.patch ++++++ >From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Sat, 23 Dec 2023 18:04:32 +0100 Subject: [PATCH] avfilter/f_reverse: Apply PTS compensation only when pts is available References: https://bugzilla.opensuse.org/1223274 References: CVE-2023-51796 Fixes: out of array access Fixes: tickets/10753/poc16ffmpeg Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1 Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/f_reverse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) Index: ffmpeg-5.1.4/libavfilter/f_reverse.c =================================================================== --- ffmpeg-5.1.4.orig/libavfilter/f_reverse.c +++ ffmpeg-5.1.4/libavfilter/f_reverse.c @@ -253,7 +253,8 @@ static int areverse_request_frame(AVFilt if (ret == AVERROR_EOF && s->nb_frames > 0) { AVFrame *out = s->frames[s->nb_frames - 1]; out->pts = s->pts[s->flush_idx++] - s->nb_samples; - s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; + if (s->nb_frames > 1) + s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples; if (av_sample_fmt_is_planar(out->format)) reverse_samples_planar(out); ++++++ 0001-avfilter-vf_codecview-fix-heap-buffer-overflow.patch ++++++ >From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001 From: Zhao Zhili <[email protected]> Date: Fri, 29 Dec 2023 05:56:43 +0800 Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow References: https://bugzilla.opensuse.org/1223085 References: CVE-2024-31582 And improve the performance by a little bit. Signed-off-by: Zhao Zhili <[email protected]> --- libavfilter/vf_codecview.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c index 55d9c8c04f..f65ccbda70 100644 --- a/libavfilter/vf_codecview.c +++ b/libavfilter/vf_codecview.c @@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr buf[sx + w - 1] = color; buf += stride; } - - for (int x = sx; x < sx + w; x++) - buf[x] = color; } static int filter_frame(AVFilterLink *inlink, AVFrame *frame) -- 2.44.0 ++++++ 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch ++++++ >From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001 From: Zhao Zhili <[email protected]> Date: Tue, 20 Feb 2024 20:08:55 +0800 Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant References: https://bugzilla.opensuse.org/1223070 References: CVE-2024-31578 Fix heap use after free when vulkan_frames_init failed. Signed-off-by: Zhao Zhili <[email protected]> --- libavutil/hwcontext.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c index 1d2c2d7920..aa1329bf2b 100644 --- a/libavutil/hwcontext.c +++ b/libavutil/hwcontext.c @@ -359,7 +359,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref) if (ctx->internal->hw_type->frames_init) { ret = ctx->internal->hw_type->frames_init(ctx); if (ret < 0) - goto fail; + return ret; } if (ctx->internal->pool_internal && !ctx->pool) @@ -369,14 +369,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref) if (ctx->initial_pool_size > 0) { ret = hwframe_pool_prealloc(ref); if (ret < 0) - goto fail; + return ret; } return 0; -fail: - if (ctx->internal->hw_type->frames_uninit) - ctx->internal->hw_type->frames_uninit(ctx); - return ret; } int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, -- 2.44.0
