Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994
Backport the commit that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../libass/libass/CVE-2020-24994.patch | 48 +++++++++++++++++++ .../libass/libass_0.14.0.bb | 4 +- 2 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch diff --git a/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch b/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch new file mode 100644 index 0000000000..b0fc9297d8 --- /dev/null +++ b/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch 
@@ -0,0 +1,48 @@ +From 99eaa60314c4e28c2f0c295e165daf22c5601cc3 Mon Sep 17 00:00:00 2001 +From: Oleg Oshmyan <[email protected]> +Date: Thu, 4 Jan 2018 02:42:09 +0200 +Subject: [PATCH] parse_tags: don't recurse for nested \t() + +This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4892 +(stack overflow on deeply nested \t()). + +This is possible because parentheses do not nest and the first ')' +terminates the whole tag. Thus something like \t(\t(\t(\t(\t() can be +read in a simple loop with no recursion required. Recursion is also +not required if the ')' is missing entirely and the outermost \t(... +never ends. + +See https://github.com/libass/libass/pull/296 for more backstory. + +CVE: CVE-2020-24994 +Upstream-Status: Backport [https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + libass/ass_parse.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/libass/ass_parse.c b/libass/ass_parse.c +index c83634a..991d1b6 100644 +--- a/libass/ass_parse.c ++++ b/libass/ass_parse.c +@@ -650,8 +650,18 @@ char *parse_tag(ASS_Renderer *render_priv, char *p, char *end, double pwr) + k = pow(((double) (t - t1)) / delta_t, accel); + } + p = args[cnt].start; +- while (p < args[cnt].end) +- p = parse_tag(render_priv, p, args[cnt].end, k); // maybe k*pwr ? no, specs forbid nested \t's ++ if (args[cnt].end < end) { ++ while (p < args[cnt].end) ++ p = parse_tag(render_priv, p, args[cnt].end, k); // maybe k*pwr ? no, specs forbid nested \t's ++ } else { ++ assert(q == end); ++ // No other tags can possibly follow this \t tag, ++ // so we don't need to restore pwr after parsing \t. ++ // The recursive call is now essentially a tail call, ++ // so optimize it away. ++ pwr = k; ++ q = p; ++ } + } else if (complex_tag("clip")) { + if (nargs == 4) { + int x0, y0, x1, y1; 
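Review bot: the `From 99eaa60314c4e28c2f0c295e165daf22c5601cc3` header and the `Upstream-Status: Backport [https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e]` line name two different commit IDs, and the one in the Upstream-Status URL is 37 hex digits rather than a full 40-digit SHA, so one of them is truncated or mis-copied; make the two agree so the backport can be traced to a single upstream commit. In the ass_parse.c hunk the new `assert(q == end);` needs `<assert.h>` and the hunk adds no include, so confirm that ass_parse.c at SRCREV 73284b676b12b47e17af2ef1b430527299e10c17 already pulls it in, otherwise the build fails on the implicit declaration. Also worth stating in the commit message: with NDEBUG the assert compiles to nothing, so the stack-overflow protection comes from `pwr = k; q = p;` turning the tail recursion into another iteration of the enclosing loop, not from the assert; the `args[cnt].end < end` branch keeps recursing, and a one-line comment on why that bounded case is safe would help the next reader.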
diff --git a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb index 0e62307363..f0579ba25f 100644 --- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb +++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb @@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75" DEPENDS = "enca fontconfig freetype libpng fribidi" -SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https" +SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https \ + file://CVE-2020-24994.patch \ + " SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17" S = "${WORKDIR}/git"
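The commit message above rests on one property of the ASS tag syntax: parentheses do not nest, so the first `)` terminates every `\t(` opened before it, and a chain like `\t(\t(\t(\t(\t()` needs no recursion. The C program below is an added illustration of that point, not libass code and not part of the patch: it scans a cut-down override block in which only `\t(`, `)` and ordinary `\xxx` tags exist (the timing arguments of `\t` are ignored), once with the pre-fix shape, one call frame per nested `\t(`, and once as the single loop the fix moves toward. The real `parse_tag` is more elaborate (it still recurses for a `\t()` that closes before the end of the block and only converts the tail case), so this simplifies deliberately; the input strings are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libass code.  Three token shapes matter here:
 * "\t(" opens an animation argument list, ')' ends it, and any other
 * "\xxx" is an ordinary tag.  As in ASS, parentheses do not nest: the
 * first ')' terminates every \t( opened before it. */
struct tag_stats {
    int t_tags;         /* number of \t( tags seen                          */
    int animated_tags;  /* ordinary tags seen while a \t( was still open    */
    int plain_tags;     /* ordinary tags seen outside any \t(               */
    int max_depth;      /* deepest call nesting reached (recursive variant) */
};

/* Advance past an ordinary "\xxx" tag: stop at the next backslash or ')'. */
static const char *skip_tag(const char *p, const char *end)
{
    p++;                                   /* the backslash itself */
    while (p < end && *p != '\\' && *p != ')')
        p++;
    return p;
}

static int is_t_open(const char *p, const char *end)
{
    return end - p >= 3 && strncmp(p, "\\t(", 3) == 0;
}

/* Pre-fix shape: each \t( recurses into its argument region, so the call
 * depth equals the nesting depth (the stack overflow oss-fuzz found). */
static void parse_rec(const char *p, const char *end, int animated,
                      int depth, struct tag_stats *st)
{
    if (depth > st->max_depth)
        st->max_depth = depth;
    while (p < end) {
        if (*p == '\\' && is_t_open(p, end)) {
            const char *q = p + 3;
            const char *rp = memchr(q, ')', (size_t)(end - q));
            const char *args_end = rp ? rp : end;   /* first ')' or the end */
            st->t_tags++;
            parse_rec(q, args_end, 1, depth + 1, st); /* one frame per \t( */
            p = rp ? rp + 1 : end;
        } else if (*p == '\\') {
            if (animated) st->animated_tags++; else st->plain_tags++;
            p = skip_tag(p, end);
        } else {
            p++;
        }
    }
}

struct tag_stats scan_recursive(const char *s)
{
    struct tag_stats st = {0, 0, 0, 0};
    parse_rec(s, s + strlen(s), 0, 0, &st);
    return st;
}

/* Post-fix shape: one loop.  Since a single ')' closes every open \t(,
 * the only state needed is "is some \t( open", and the stack stays flat
 * however deep the nesting goes. */
struct tag_stats scan_iterative(const char *s)
{
    struct tag_stats st = {0, 0, 0, 0};
    const char *p = s, *end = s + strlen(s);
    int open = 0;
    while (p < end) {
        if (*p == ')') {
            open = 0;                      /* closes all nested \t( at once */
            p++;
        } else if (*p == '\\' && is_t_open(p, end)) {
            st.t_tags++;
            open = 1;
            p += 3;
        } else if (*p == '\\') {
            if (open) st.animated_tags++; else st.plain_tags++;
            p = skip_tag(p, end);
        } else {
            p++;
        }
    }
    return st;
}

/* Constructed input: "\t(" repeated n times, then "\fs20)". */
char *make_nested(size_t n)
{
    char *buf = malloc(3 * n + 7);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(buf + 3 * i, "\\t(", 3);
    memcpy(buf + 3 * n, "\\fs20)", 7);     /* 6 chars plus the NUL */
    return buf;
}

int main(void)
{
    const char *small = "\\t(\\t(\\t(\\fs20)\\b1";   /* constructed sample */
    struct tag_stats r = scan_recursive(small);
    struct tag_stats i = scan_iterative(small);
    printf("recursive: %d \\t, %d animated, %d plain, call depth %d\n",
           r.t_tags, r.animated_tags, r.plain_tags, r.max_depth);
    printf("iterative: %d \\t, %d animated, %d plain\n",
           i.t_tags, i.animated_tags, i.plain_tags);

    /* A million nested \t( is fine for the loop; scan_recursive() on the
     * same input would need a million stack frames. */
    char *deep = make_nested(1000000);
    if (deep) {
        struct tag_stats d = scan_iterative(deep);
        printf("iterative on 1000000 nested \\t(: %d \\t, %d animated\n",
               d.t_tags, d.animated_tags);
        free(deep);
    }
    return 0;
}
```

Both scanners agree on every count for the small sample; the only difference is `max_depth`, which grows with the nesting for the recursive variant and is irrelevant for the loop. The missing-`)` case from the commit message (the outermost `\t(...` never ends) is handled by the same loop: `open` simply stays set to the end of the block.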
