avcodec/exr: More strictly check dc_count Fixes: out of array access Fixes: exr/deneme
Found-by: Burak Çarıkçı <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> CVE: CVE-2021-33815 Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777] Signed-off-by: Tony Tascioglu <[email protected]> --- .../ffmpeg/ffmpeg/fix-CVE-2021-33815.patch | 44 +++++++++++++++++++ meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch new file mode 100644 index 0000000000..51edb76389 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2021-33815.patch @@ -0,0 +1,44 @@ +From 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <[email protected]> +Date: Tue, 25 May 2021 19:29:18 +0200 +Subject: [PATCH] avcodec/exr: More strictly check dc_count +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: out of array access +Fixes: exr/deneme + +Found-by: Burak Çarıkçı <[email protected]> +Signed-off-by: Michael Niedermayer <[email protected]> + + +CVE: CVE-2021-33815 +Upstream-Status: Backport [26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777] + +Signed-off-by: Tony Tascioglu <[email protected]> +--- + libavcodec/exr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libavcodec/exr.c b/libavcodec/exr.c +index 9377a89169..4648ed7d62 100644 +--- a/libavcodec/exr.c ++++ b/libavcodec/exr.c +@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size + bytestream2_skip(&gb, ac_size); + } + +- if (dc_size > 0) { ++ { + unsigned long dest_len = dc_count * 2LL; + GetByteContext agb = gb; + +- if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64) ++ if (dc_count != dc_w * dc_h * 3) + return AVERROR_INVALIDDATA; + + av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2); +-- +2.32.0 + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb index 70b1513048..02af257d0f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://fix-CVE-2020-22015.patch \ file://fix-CVE-2020-22021.patch \ file://fix-CVE-2020-22033-CVE-2020-22019.patch \ + file://fix-CVE-2021-33815.patch \ " SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" -- 2.31.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154192): https://lists.openembedded.org/g/openembedded-core/message/154192 Mute This Topic: https://lists.openembedded.org/mt/84494531/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
