Hello community,

here is the log from the commit of package ffmpeg-5 for openSUSE:Factory checked in at 2024-04-26 23:27:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg-5 (Old)
 and      /work/SRC/openSUSE:Factory/.ffmpeg-5.new.1880 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-5" Fri Apr 26 23:27:12 2024 rev:24 rq:1170214 version:5.1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-5/ffmpeg-5.changes 2024-04-23 18:56:45.555946601 +0200 +++ /work/SRC/openSUSE:Factory/.ffmpeg-5.new.1880/ffmpeg-5.changes 2024-04-26 23:27:26.349317028 +0200 
@@ -1,0 +2,29 @@ +Thu Apr 23 16:14:18 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-51793.patch: + Backporting 0ecc1f0e from upstream, Fix odd height handling. + (CVE-2023-51793 bsc#1223272) + +------------------------------------------------------------------- +Thu Apr 23 15:35:32 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-49502.patch: + Backporting 737ede40 from upstream, account for chroma sub-sampling + in min size calculation. + (CVE-2023-49502 bsc#1223235) + +------------------------------------------------------------------- +Thu Apr 23 14:05:28 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-50008.patch: + Backporting 5f87a68c from upstream, Fix memory leaks. + (CVE-2023-50008 bsc#1223254) + +------------------------------------------------------------------- +Thu Apr 23 12:22:53 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-50007.patch: + Backporting b1942734 from upstream, Fix crash with EOF handling. + (CVE-2023-50007 bsc#1223253) + +------------------------------------------------------------------- New: ---- ffmpeg-CVE-2023-49502.patch ffmpeg-CVE-2023-50007.patch ffmpeg-CVE-2023-50008.patch ffmpeg-CVE-2023-51793.patch BETA DEBUG BEGIN: New: - Add ffmpeg-CVE-2023-49502.patch: Backporting 737ede40 from upstream, account for chroma sub-sampling New: - Add ffmpeg-CVE-2023-50007.patch: Backporting b1942734 from upstream, Fix crash with EOF handling. New: - Add ffmpeg-CVE-2023-50008.patch: Backporting 5f87a68c from upstream, Fix memory leaks. New: - Add ffmpeg-CVE-2023-51793.patch: Backporting 0ecc1f0e from upstream, Fix odd height handling. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-5.spec ++++++ --- /var/tmp/diff_new_pack.AsBZlB/_old 2024-04-26 23:27:27.197348027 +0200 +++ /var/tmp/diff_new_pack.AsBZlB/_new 2024-04-26 23:27:27.201348174 +0200 
@@ -121,7 +121,10 @@ Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff - +Patch94: ffmpeg-CVE-2023-50007.patch +Patch95: ffmpeg-CVE-2023-50008.patch +Patch96: ffmpeg-CVE-2023-49502.patch +Patch97: ffmpeg-CVE-2023-51793.patch %if %{with amf_sdk} BuildRequires: AMF-devel %endif @@ -817,7 +820,7 @@ %files private-devel %_includedir/ffmpeg/private/ -%else # "flavor" == "ffmpeg-5-mini" +%else %define _name ffmpeg @@ -848,6 +851,14 @@ Patch90: ffmpeg-chromium.patch Patch91: ffmpeg-dlopen-openh264.patch Patch93: soname.diff +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50007.patch CVE-2023-50007 bsc#1223253 [email protected] -- Fix crash with EOF handling. +Patch94: ffmpeg-CVE-2023-50007.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-50008.patch CVE-2023-50008 bsc#1223254 [email protected] -- Fix memory leaks. +Patch95: ffmpeg-CVE-2023-50008.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-49502.patch CVE-2023-49502 bsc#1223235 [email protected] -- Account for chroma sub-sampling in min size calculation. +Patch96: ffmpeg-CVE-2023-49502.patch +# PATCH-FIX-UPSTREAM ffmpeg-CVE-2023-51793.patch CVE-2023-51793 bsc#1223272 [email protected] -- Fix odd height handling. +Patch97: ffmpeg-CVE-2023-51793.patch BuildRequires: c_compiler Requires: this-is-only-for-build-envs @@ -946,5 +957,5 @@ %_libdir/pkgconfig/*.pc %_includedir/ffmpeg/ -%endif # "flavor" == "ffmpeg-5-mini" +%endif ++++++ ffmpeg-CVE-2023-49502.patch ++++++ >From 737ede405b11a37fdd61d19cf25df296a0cb0b75 
From: Cosmin Stejerean <[email protected]> Date: Wed Dec 6 18:39:32 2023 +0800 Subject: avfilter/bwdif: account for chroma sub-sampling in min size calculation References: https://bugzilla.opensuse.org/1223235 References: CVE-2023-49502 The current logic for detecting frames that are too small for the algorithm does not account for chroma sub-sampling, and so a sample where the luma plane is large enough, but the chroma planes are not will not be rejected. In that event, a heap overflow will occur. This change adjusts the logic to consider the chroma planes and makes the change to all three bwdif implementations. Fixes #10688 Signed-off-by: Cosmin Stejerean <[email protected]> Reviewed-by: Thomas Mundt <[email protected]> Signed-off-by: Philip Langdale <[email protected]> diff -Nura ffmpeg-5.1.4/libavfilter/vf_bwdif.c ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c --- ffmpeg-5.1.4/libavfilter/vf_bwdif.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/vf_bwdif.c 2024-04-26 01:26:15.539021242 +0800 @@ -333,13 +333,14 @@ if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 4) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); + yadif->csp = av_pix_fmt_desc_get(link->format); + yadif->filter = filter; + + if (AV_CEIL_RSHIFT(link->w, yadif->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, yadif->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - yadif->csp = av_pix_fmt_desc_get(link->format); - yadif->filter = filter; if (yadif->csp->comp[0].depth > 8) { s->filter_intra = filter_intra_16bit; s->filter_line = filter_line_c_16bit; ++++++ ffmpeg-CVE-2023-50007.patch ++++++ >From b1942734c7cbcdc9034034373abcc9ecb9644c47 
From: Paul B Mahol <[email protected]> Date: Mon Nov 27 11:45:34 2023 +0100 Subject: avfilter/af_afwtdn: fix crash with EOF handling References: https://bugzilla.opensuse.org/1223253 References: CVE-2023-50007 diff -Nura ffmpeg-5.1.4/libavfilter/af_afwtdn.c ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c --- ffmpeg-5.1.4/libavfilter/af_afwtdn.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/af_afwtdn.c 2024-04-25 16:14:12.016919074 +0800 @@ -410,6 +410,7 @@ uint64_t sn; int64_t eof_pts; + int eof; int wavelet_type; int channels; @@ -1071,7 +1072,7 @@ s->drop_samples = 0; } else { if (s->padd_samples < 0 && eof) { - out->nb_samples += s->padd_samples; + out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples); s->padd_samples = 0; } if (!eof) @@ -1210,23 +1211,26 @@ FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink); - ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); - if (ret < 0) - return ret; - if (ret > 0) - return filter_frame(inlink, in); + if (!s->eof) { + ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in); + if (ret < 0) + return ret; + if (ret > 0) + return filter_frame(inlink, in); + } if (ff_inlink_acknowledge_status(inlink, &status, &pts)) { - if (status == AVERROR_EOF) { - while (s->padd_samples != 0) { - ret = filter_frame(inlink, NULL); - if (ret < 0) - return ret; - } - ff_outlink_set_status(outlink, status, pts); - return ret; - } + if (status == AVERROR_EOF) + s->eof = 1; } + + if (s->eof && s->padd_samples != 0) { + return filter_frame(inlink, NULL); + } else if (s->eof) { + ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts); + return 0; + } + FF_FILTER_FORWARD_WANTED(outlink, inlink); return FFERROR_NOT_READY; ++++++ ffmpeg-CVE-2023-50008.patch ++++++ >From 5f87a68cf70dafeab2fb89b42e41a4c29053b89b 
From: Paul B Mahol <[email protected]> Date: Mon Nov 27 12:08:20 2023 +0100 Subject: avfilter/vf_colorcorrect: fix memory leaks References: https://bugzilla.opensuse.org/1223254 References: CVE-2023-50008 diff -Nura ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c --- ffmpeg-5.1.4/libavfilter/vf_colorcorrect.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/vf_colorcorrect.c 2024-04-25 16:21:53.290363296 +0800 @@ -498,6 +498,8 @@ ColorCorrectContext *s = ctx->priv; av_freep(&s->analyzeret); + av_freep(&s->uhistogram); + av_freep(&s->vhistogram); } static const AVFilterPad colorcorrect_inputs[] = { ++++++ ffmpeg-CVE-2023-51793.patch ++++++ >From 0ecc1f0e48930723d7a467761b66850811c23e62 From: Michael Niedermayer <[email protected]> Date: Fri Dec 22 12:31:35 2023 +0100 Subject: avfilter/vf_weave: Fix odd height handling References: https://bugzilla.opensuse.org/1223272 References: CVE-2023-51793 Fixes: out of array access Fixes: tickets/10743/poc10ffmpeg Found-by: Zeng Yunxiang and Li Zeyuan Signed-off-by: Michael Niedermayer <[email protected]> diff -Nura ffmpeg-5.1.4/libavfilter/vf_weave.c ffmpeg-5.1.4_new/libavfilter/vf_weave.c --- ffmpeg-5.1.4/libavfilter/vf_weave.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/vf_weave.c 2024-04-26 01:39:00.742700759 +0800 @@ -30,6 +30,7 @@ int double_weave; int nb_planes; int planeheight[4]; + int outheight[4]; int linesize[4]; AVFrame *prev; @@ -79,6 +80,9 @@ s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h); + s->outheight[0] = s->outheight[3] = 2*inlink->h; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); return 0; 
@@ -104,19 +108,20 @@ const int height = s->planeheight[i]; const int start = (height * jobnr) / nb_jobs; const int end = (height * (jobnr+1)) / nb_jobs; + const int compensation = 2*end > s->outheight[i]; av_image_copy_plane(out->data[i] + out->linesize[i] * field1 + out->linesize[i] * start * 2, out->linesize[i] * 2, in->data[i] + start * in->linesize[i], in->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field1); av_image_copy_plane(out->data[i] + out->linesize[i] * field2 + out->linesize[i] * start * 2, out->linesize[i] * 2, s->prev->data[i] + start * s->prev->linesize[i], s->prev->linesize[i], - s->linesize[i], end - start); + s->linesize[i], end - start - compensation * field2); } return 0;
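Review bot: the four new entries in ffmpeg-5.changes are headed "Thu Apr 23 ... UTC 2024", but this same mail dates the check-in "Fri Apr 26 23:27:12 2024", which makes 23 April 2024 a Tuesday. rpmbuild warns about a bogus date in %changelog when the weekday does not match the date, so the four headers should read "Tue Apr 23".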
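Review bot: in ffmpeg-5.spec the @@ -121,7 +121,10 @@ hunk adds Patch94 to Patch97 without the "# PATCH-FIX-UPSTREAM ..." comment lines that the @@ -848,6 +851,14 @@ hunk places above the same four patches, and it consumes the blank line that separated the patch list from "%if %{with amf_sdk}". Carry the same tag comments in both flavor blocks and keep the separator so the two lists stay in sync. The removal of the trailing "# "flavor" == "ffmpeg-5-mini"" comments after %else and %endif is unrelated to the CVE backports and is not mentioned in ffmpeg-5.changes; give it its own changelog line.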
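Review bot: the header of ffmpeg-CVE-2023-49502.patch keeps the upstream sentence "makes the change to all three bwdif implementations", while the diff below it touches only libavfilter/vf_bwdif.c. Say in the patch header that the backport is limited to this file and why, so a later reader does not conclude that part of the heap overflow fix was dropped. The reordering in the hunk, moving "yadif->csp = av_pix_fmt_desc_get(link->format);" above the size test, is what the new AV_CEIL_RSHIFT check depends on and is worth a short note in the header as well.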
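Review bot: in the @@ -1210,23 +1211,26 @@ hunk of af_afwtdn.c the pts returned by "ff_inlink_acknowledge_status(inlink, &status, &pts)" is no longer forwarded; the output status is now set with "ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);", and none of the visible lines show where eof_pts is assigned. Confirm it is always set before EOF reaches this path, or fall back to pts. The patch header has no description beyond the subject; a line explaining the crash would help, since the @@ -1071,7 +1072,7 @@ hunk (the FFMAX(0, ...) clamp on out->nb_samples) suggests a negative sample count at EOF.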
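Review bot: in the @@ -104,19 +108,20 @@ hunk of vf_weave.c, "const int compensation = 2*end > s->outheight[i];" together with "end - start - compensation * field1" and "... * field2" is only correct if field1 and field2 are 0 or 1, which the hunk does not show. Add a comment stating the intent: when weaving a plane would produce more rows than outheight[i] (an odd output plane height), the last slice copies one line fewer for the field that starts at row offset 1. An explicit conditional on the field offset would make the bound easier to audit than multiplying by a comparison result.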
