Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ffmpeg-5 for openSUSE:Factory checked in at 2024-05-08 11:39:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ffmpeg-5 (Old) and /work/SRC/openSUSE:Factory/.ffmpeg-5.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-5" Wed May 8 11:39:10 2024 rev:25 rq:1172480 version:5.1.4 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-5/ffmpeg-5.changes 2024-04-26 23:27:26.349317028 +0200 +++ /work/SRC/openSUSE:Factory/.ffmpeg-5.new.1880/ffmpeg-5.changes 2024-05-08 11:39:33.060374950 +0200 @@ -1,0 +2,23 @@ +Tue Apr 27 11:38:35 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-50010.patch: + Backporting e4d2666b from upstream, fixes the out of array access. + (CVE-2023-50010 bsc#1223256) + +------------------------------------------------------------------- +Tue Apr 26 12:18:26 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-CVE-2023-50009.patch: + Backporting c443658d from upstream, Fix small inputs with + gaussian_blur(). + (CVE-2023-50009 bsc#1223255) + +------------------------------------------------------------------- +Tue Apr 24 10:48:32 UTC 2024 - Cliff Zhao <[email protected]> + +- Add ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch: + Backporting cf1f5744 from upstream, Templatify function + ff_gaussian_blur and ff_sobel to prepare fix support for CVE-2023-50009. + (CVE-2023-50009 bsc#1223255) + +------------------------------------------------------------------- New: ---- ffmpeg-CVE-2023-50009.patch ffmpeg-CVE-2023-50010.patch ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch BETA DEBUG BEGIN: New: - Add ffmpeg-CVE-2023-50009.patch: Backporting c443658d from upstream, Fix small inputs with New: - Add ffmpeg-CVE-2023-50010.patch: Backporting e4d2666b from upstream, fixes the out of array access. New: - Add ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch: Backporting cf1f5744 from upstream, Templatify function BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-5.spec ++++++ --- /var/tmp/diff_new_pack.glJUCY/_old 2024-05-08 11:39:34.404423828 +0200 +++ /var/tmp/diff_new_pack.glJUCY/_new 2024-05-08 11:39:34.408423974 +0200 @@ -125,6 +125,9 @@ Patch95: ffmpeg-CVE-2023-50008.patch Patch96: ffmpeg-CVE-2023-49502.patch Patch97: ffmpeg-CVE-2023-51793.patch +Patch98: ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch +Patch99: ffmpeg-CVE-2023-50009.patch +Patch100: ffmpeg-CVE-2023-50010.patch %if %{with amf_sdk} BuildRequires: AMF-devel %endif ++++++ ffmpeg-CVE-2023-50009.patch ++++++ commit c443658d26d2b8e19901f9507a890e0efca79056 (HEAD -> 20231222_CVE-2023-50009_c443658d26d2b8e19901f9507a890e0efca79056) Author: Michael Niedermayer <[email protected]> Date: Fri Dec 22 11:54:24 2023 +0100 References: CVE-2023-50009 References: https://bugzilla.opensuse.org/1172423 avfilter/edge_template: Fix small inputs with gaussian_blur() Fixes: out of array access Fixes: Ticket10699 Fixes: poc5ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer <[email protected]> diff --git a/libavfilter/edge_template.c b/libavfilter/edge_template.c index 14635c25af..ce45e579db 100644 --- a/libavfilter/edge_template.c +++ b/libavfilter/edge_template.c @@ -74,6 +74,7 @@ void fn(gaussian_blur)(int w, int h, uint8_t *dst, int dst_linesize, const uint8_t *src, int src_linesize, int src_stride) { + int j; pixel *srcp = (pixel *)src; pixel *dstp = (pixel *)dst; @@ -81,12 +82,17 @@ void fn(gaussian_blur)(int w, int h, src_linesize /= sizeof(pixel); dst_linesize /= sizeof(pixel); - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - for (int j = 2; j < h - 2; j++) { - dstp[0] = srcp[(0)*src_stride]; - dstp[1] = srcp[(1)*src_stride]; - for (int i = 2; i < w - 2; i++) { + for (j = 0; j < FFMIN(h, 2); j++) { + memcpy(dstp, srcp, w*sizeof(pixel)); + dstp += dst_linesize; + srcp += src_linesize; + } + + for (; j < h - 2; j++) { + int i; + for (i = 0; i < FFMIN(w, 2); i++) + dstp[i] = srcp[i*src_stride]; + for (; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2 + (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4 @@ -106,12 +112,15 @@ void fn(gaussian_blur)(int w, int h, + srcp[(i+1)*src_stride] * 12 + srcp[(i+2)*src_stride] * 5) / 159; } - dstp[w - 2] = srcp[(w - 2)*src_stride]; - dstp[w - 1] = srcp[(w - 1)*src_stride]; + for (; i < w; i++) + dstp[i] = srcp[i*src_stride]; dstp += dst_linesize; srcp += src_linesize; } - memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; - memcpy(dstp, srcp, w*sizeof(pixel)); + for (; j < h; j++) { + memcpy(dstp, srcp, w*sizeof(pixel)); + dstp += dst_linesize; + srcp += src_linesize; + } } -- 2.41.0 ++++++ ffmpeg-CVE-2023-50010.patch ++++++ commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a (20231224_CVE-2023-50010_e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Author: Michael Niedermayer <[email protected]> Date: Sun Dec 24 20:50:51 2023 +0100 References: CVE-2023-50009 References: https://bugzilla.opensuse.org/1172423 avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer <[email protected]> diff -Nura ffmpeg-5.1.4/libavfilter/vf_gradfun.c ffmpeg-5.1.4_new/libavfilter/vf_gradfun.c --- ffmpeg-5.1.4/libavfilter/vf_gradfun.c 2023-11-10 07:38:51.000000000 +0800 +++ ffmpeg-5.1.4_new/libavfilter/vf_gradfun.c 2024-05-07 19:36:59.563277057 +0800 @@ -92,7 +92,7 @@ for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; ++++++ ffmpeg-Templatify-ff_gaussian_blur-and-ff-function.patch ++++++ commit cf1f57443158bcbe84a213e8dc631a302993f9a2 Author: Thilo Borgmann <[email protected]> Date: Mon Jul 18 16:09:46 2022 +0200 References: CVE-2023-50009 References: https://bugzilla.opensuse.org/1172423 lavfi/edge_common: Templatify ff_gaussian_blur and ff_sobel [Backport cf1f5744 from upstream, Templatify function ff_gaussian_blur and ff_sobel to prepare fix support for CVE-2023-50009. -qzhao] diff --git a/libavfilter/edge_common.c b/libavfilter/edge_common.c index d72e8521cd..ebd47d7c53 100644 --- a/libavfilter/edge_common.c +++ b/libavfilter/edge_common.c @@ -46,33 +46,13 @@ static int get_rounded_direction(int gx, int gy) return DIRECTION_VERTICAL; } -// Simple sobel operator to get rounded gradients -void ff_sobel(int w, int h, - uint16_t *dst, int dst_linesize, - int8_t *dir, int dir_linesize, - const uint8_t *src, int src_linesize) -{ - int i, j; - - for (j = 1; j < h - 1; j++) { - dst += dst_linesize; - dir += dir_linesize; - src += src_linesize; - for (i = 1; i < w - 1; i++) { - const int gx = - -1*src[-src_linesize + i-1] + 1*src[-src_linesize + i+1] - -2*src[ i-1] + 2*src[ i+1] - -1*src[ src_linesize + i-1] + 1*src[ src_linesize + i+1]; - const int gy = - -1*src[-src_linesize + i-1] + 1*src[ src_linesize + i-1] - -2*src[-src_linesize + i ] + 2*src[ src_linesize + i ] - -1*src[-src_linesize + i+1] + 1*src[ src_linesize + i+1]; +#undef DEPTH +#define DEPTH 8 +#include "edge_template.c" - dst[i] = FFABS(gx) + FFABS(gy); - dir[i] = get_rounded_direction(gx, gy); - } - } -} +#undef DEPTH +#define DEPTH 16 +#include "edge_template.c" // Filters rounded gradients to drop all non-maxima // Expects gradients generated by ff_sobel() @@ -137,45 +117,3 @@ void ff_double_threshold(int low, int high, int w, int h, src += src_linesize; } } - -// Applies gaussian blur, using 5x5 kernels, sigma = 1.4 -void ff_gaussian_blur(int w, int h, - uint8_t *dst, int dst_linesize, - const uint8_t *src, int src_linesize) -{ - int i, j; - - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - for (j = 2; j < h - 2; j++) { - dst[0] = src[0]; - dst[1] = src[1]; - for (i = 2; i < w - 2; i++) { - /* Gaussian mask of size 5x5 with sigma = 1.4 */ - dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2 - + (src[-2*src_linesize + i-1] + src[2*src_linesize + i-1]) * 4 - + (src[-2*src_linesize + i ] + src[2*src_linesize + i ]) * 5 - + (src[-2*src_linesize + i+1] + src[2*src_linesize + i+1]) * 4 - + (src[-2*src_linesize + i+2] + src[2*src_linesize + i+2]) * 2 - - + (src[ -src_linesize + i-2] + src[ src_linesize + i-2]) * 4 - + (src[ -src_linesize + i-1] + src[ src_linesize + i-1]) * 9 - + (src[ -src_linesize + i ] + src[ src_linesize + i ]) * 12 - + (src[ -src_linesize + i+1] + src[ src_linesize + i+1]) * 9 - + (src[ -src_linesize + i+2] + src[ src_linesize + i+2]) * 4 - - + src[i-2] * 5 - + src[i-1] * 12 - + src[i ] * 15 - + src[i+1] * 12 - + src[i+2] * 5) / 159; - } - dst[i ] = src[i ]; - dst[i + 1] = src[i + 1]; - - dst += dst_linesize; - src += src_linesize; - } - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); -} diff --git a/libavfilter/edge_common.h b/libavfilter/edge_common.h index 87c143f2b8..cff4febd70 100644 --- a/libavfilter/edge_common.h +++ b/libavfilter/edge_common.h @@ -48,10 +48,14 @@ enum AVRoundedDirection { * @param src data pointers to source image * @param src_linesize linesizes for the source image */ -void ff_sobel(int w, int h, - uint16_t *dst, int dst_linesize, - int8_t *dir, int dir_linesize, - const uint8_t *src, int src_linesize); +#define PROTO_SOBEL(depth) \ +void ff_sobel_##depth(int w, int h, \ + uint16_t *dst, int dst_linesize, \ + int8_t *dir, int dir_linesize, \ + const uint8_t *src, int src_linesize, int src_stride); + +PROTO_SOBEL(8) +PROTO_SOBEL(16) /** * Filters rounded gradients to drop all non-maxima pixels in the magnitude image @@ -100,8 +104,12 @@ void ff_double_threshold(int low, int high, int w, int h, * @param src data pointers to source image * @param src_linesize linesizes for the source image */ -void ff_gaussian_blur(int w, int h, - uint8_t *dst, int dst_linesize, - const uint8_t *src, int src_linesize); +#define PROTO_GAUSSIAN_BLUR(depth) \ +void ff_gaussian_blur_##depth(int w, int h, \ + uint8_t *dst, int dst_linesize, \ + const uint8_t *src, int src_linesize, int src_stride); + +PROTO_GAUSSIAN_BLUR(8) +PROTO_GAUSSIAN_BLUR(16) #endif diff --git a/libavfilter/edge_template.c b/libavfilter/edge_template.c new file mode 100644 index 0000000000..af33c178af --- /dev/null +++ b/libavfilter/edge_template.c @@ -0,0 +1,118 @@ +/* + * Copyright (c) 2022 Thilo Borgmann <thilo.borgmann _at_ mail.de> + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + */ + +#include "libavutil/avassert.h" +#include "avfilter.h" +#include "formats.h" +#include "internal.h" +#include "video.h" + +#undef pixel +#if DEPTH == 8 +#define pixel uint8_t +#else +#define pixel uint16_t +#endif + +#undef fn +#undef fn2 +#undef fn3 +#define fn3(a,b) ff_##a##_##b +#define fn2(a,b) fn3(a,b) +#define fn(a) fn2(a, DEPTH) + +void fn(sobel)(int w, int h, + uint16_t *dst, int dst_linesize, + int8_t *dir, int dir_linesize, + const uint8_t *src, int src_linesize, int src_stride) +{ + pixel *srcp = (pixel *)src; + + src_stride /= sizeof(pixel); + src_linesize /= sizeof(pixel); + dst_linesize /= sizeof(pixel); + + for (int j = 1; j < h - 1; j++) { + dst += dst_linesize; + dir += dir_linesize; + srcp += src_linesize; + for (int i = 1; i < w - 1; i++) { + const int gx = + -1*srcp[-src_linesize + (i-1)*src_stride] + 1*srcp[-src_linesize + (i+1)*src_stride] + -2*srcp[ (i-1)*src_stride] + 2*srcp[ (i+1)*src_stride] + -1*srcp[ src_linesize + (i-1)*src_stride] + 1*srcp[ src_linesize + (i+1)*src_stride]; + const int gy = + -1*srcp[-src_linesize + (i-1)*src_stride] + 1*srcp[ src_linesize + (i-1)*src_stride] + -2*srcp[-src_linesize + (i )*src_stride] + 2*srcp[ src_linesize + (i )*src_stride] + -1*srcp[-src_linesize + (i+1)*src_stride] + 1*srcp[ src_linesize + (i+1)*src_stride]; + + dst[i] = FFABS(gx) + FFABS(gy); + dir[i] = get_rounded_direction(gx, gy); + } + } +} + +void fn(gaussian_blur)(int w, int h, + uint8_t *dst, int dst_linesize, + const uint8_t *src, int src_linesize, int src_stride) +{ + pixel *srcp = (pixel *)src; + pixel *dstp = (pixel *)dst; + + src_stride /= sizeof(pixel); + src_linesize /= sizeof(pixel); + dst_linesize /= sizeof(pixel); + + memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; + memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; + for (int j = 2; j < h - 2; j++) { + dstp[0] = srcp[(0)*src_stride]; + dstp[1] = srcp[(1)*src_stride]; + for (int i = 2; i < w - 2; i++) { + /* Gaussian mask of size 5x5 with sigma = 1.4 */ + dstp[i] = ((srcp[-2*src_linesize + (i-2)*src_stride] + srcp[2*src_linesize + (i-2)*src_stride]) * 2 + + (srcp[-2*src_linesize + (i-1)*src_stride] + srcp[2*src_linesize + (i-1)*src_stride]) * 4 + + (srcp[-2*src_linesize + (i )*src_stride] + srcp[2*src_linesize + (i )*src_stride]) * 5 + + (srcp[-2*src_linesize + (i+1)*src_stride] + srcp[2*src_linesize + (i+1)*src_stride]) * 4 + + (srcp[-2*src_linesize + (i+2)*src_stride] + srcp[2*src_linesize + (i+2)*src_stride]) * 2 + + + (srcp[ -src_linesize + (i-2)*src_stride] + srcp[ src_linesize + (i-2)*src_stride]) * 4 + + (srcp[ -src_linesize + (i-1)*src_stride] + srcp[ src_linesize + (i-1)*src_stride]) * 9 + + (srcp[ -src_linesize + (i )*src_stride] + srcp[ src_linesize + (i )*src_stride]) * 12 + + (srcp[ -src_linesize + (i+1)*src_stride] + srcp[ src_linesize + (i+1)*src_stride]) * 9 + + (srcp[ -src_linesize + (i+2)*src_stride] + srcp[ src_linesize + (i+2)*src_stride]) * 4 + + + srcp[(i-2)*src_stride] * 5 + + srcp[(i-1)*src_stride] * 12 + + srcp[(i )*src_stride] * 15 + + srcp[(i+1)*src_stride] * 12 + + srcp[(i+2)*src_stride] * 5) / 159; + } + dstp[w - 2] = srcp[(w - 2)*src_stride]; + dstp[w - 1] = srcp[(w - 1)*src_stride]; + + dstp += dst_linesize; + srcp += src_linesize; + } + memcpy(dstp, srcp, w*sizeof(pixel)); dstp += dst_linesize; srcp += src_linesize; + memcpy(dstp, srcp, w*sizeof(pixel)); +} diff --git a/libavfilter/vf_blurdetect.c b/libavfilter/vf_blurdetect.c index 0e08ba96de..db06efcce7 100644 --- a/libavfilter/vf_blurdetect.c +++ b/libavfilter/vf_blurdetect.c @@ -283,12 +283,12 @@ static int blurdetect_filter_frame(AVFilterLink *inlink, AVFrame *in) nplanes++; // gaussian filter to reduce noise - ff_gaussian_blur(w, h, - filterbuf, w, - in->data[plane], in->linesize[plane]); + ff_gaussian_blur_8(w, h, + filterbuf, w, + in->data[plane], in->linesize[plane], 1); // compute the 16-bits gradients and directions for the next step - ff_sobel(w, h, gradients, w, directions, w, filterbuf, w); + ff_sobel_8(w, h, gradients, w, directions, w, filterbuf, w, 1); // non_maximum_suppression() will actually keep & clip what's necessary and // ignore the rest, so we need a clean output buffer diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index 90390ceb3e..603f06f141 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -191,15 +191,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } /* gaussian filter to reduce noise */ - ff_gaussian_blur(width, height, - tmpbuf, width, - in->data[p], in->linesize[p]); + ff_gaussian_blur_8(width, height, + tmpbuf, width, + in->data[p], in->linesize[p], 1); /* compute the 16-bits gradients and directions for the next step */ - ff_sobel(width, height, - gradients, width, - directions,width, - tmpbuf, width); + ff_sobel_8(width, height, + gradients, width, + directions,width, + tmpbuf, width, 1); /* non_maximum_suppression() will actually keep & clip what's necessary and * ignore the rest, so we need a clean output buffer */ -- 2.41.0
