refresh patch:CVE-2020-35965.patch

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35965

Signed-off-by: Wang Mingyu <wan...@cn.fujitsu.com>
---
 .../ffmpeg/ffmpeg/CVE-2020-35965.patch        | 64 ++++++++++++++-----
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
index ddab8e9aca..e865fa387d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -1,35 +1,69 @@
-From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <mich...@niedermayer.cc>
-Date: Sat, 24 Oct 2020 22:21:48 +0200
-Subject: [PATCH] avcodec/exr: Check ymin vs. h
+Subject: [PATCH] CVE-2020-35965
+
+commit id:3e5959b3457f7f1856d997261e6ac672bba49e8b
+avcodec/exr: Check ymin vs. h:
 
 Fixes: out of array access
 Fixes: 
26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
 Fixes: 
27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
 
-Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
-
-Upstream-Status: Backport 
[https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]
+commit id:b0a8b40294ea212c1938348ff112ef1b9bf16bb3
+avcodec/exr: skip bottom clearing loop when its outside the image:
 
-CVE: CVE-2020-35965
+Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in 
type 'int'
+Fixes: 
26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
 
+Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
 Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
-Signed-off-by: Khairul Rohaizzat Jamaluddin 
<khairul.rohaizzat.jamalud...@intel.com>
 ---
- libavcodec/exr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ libavcodec/exr.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
 
 diff --git a/libavcodec/exr.c b/libavcodec/exr.c
-index e907c5c46401..8b701d1cd298 100644
+index 68d5bef..a933bbf 100644
 --- a/libavcodec/exr.c
 +++ b/libavcodec/exr.c
-@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+@@ -1654,7 +1654,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+     AVFrame *picture = data;
+     uint8_t *ptr;
+ 
+-    int i, y, ret;
++    int i, y, ret, ymax;
+     int planes;
+     int out_line_size;
+     int nb_blocks;   /* nb scanline or nb tile */
+@@ -1794,7 +1794,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
      // Zero out the start if ymin is not 0
      for (i = 0; i < planes; i++) {
          ptr = picture->data[i];
 -        for (y = 0; y < s->ymin; y++) {
-+        for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
++      for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
              memset(ptr, 0, out_line_size);
              ptr += picture->linesize[i];
          }
+@@ -1804,14 +1804,16 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+ 
+     avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);
+ 
++    ymax = FFMAX(0, s->ymax + 1);
+     // Zero out the end if ymax+1 is not h
+-    for (i = 0; i < planes; i++) {
+-        ptr = picture->data[i] + ((s->ymax+1) * picture->linesize[i]);
+-        for (y = s->ymax + 1; y < avctx->height; y++) {
+-            memset(ptr, 0, out_line_size);
+-            ptr += picture->linesize[i];
++    if (ymax < avctx->height)
++        for (i = 0; i < planes; i++) {
++            ptr = picture->data[i] + (ymax * picture->linesize[i]);
++            for (y = ymax; y < avctx->height; y++) {
++                memset(ptr, 0, out_line_size);
++                ptr += picture->linesize[i];
++            }
+         }
+-    }
+ 
+     picture->pict_type = AV_PICTURE_TYPE_I;
+     *got_frame = 1;
+-- 
+2.25.1
+
-- 
2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146931): 
https://lists.openembedded.org/g/openembedded-core/message/146931
Mute This Topic: https://lists.openembedded.org/mt/79945501/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to