Re: [OE-core] [PATCH] ffmpeg: CVE-2020-35965 Security Advisory

2021-01-18 Thread Anuj Mittal
On Tue, 2021-01-19 at 13:45 +0800, Wang Mingyu wrote:
> -From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00
> 2001
> -From: Michael Niedermayer 
> -Date: Sat, 24 Oct 2020 22:21:48 +0200
> -Subject: [PATCH] avcodec/exr: Check ymin vs. h
> +Subject: [PATCH] CVE-2020-35965
> +
> +commit id:3e5959b3457f7f1856d997261e6ac672bba49e8b
> +avcodec/exr: Check ymin vs. h:
>  
>  Fixes: out of array access
>  Fixes: 26532/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
>  Fixes: 27443/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
>  
> -Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> -Signed-off-by: Michael Niedermayer 
> -
> -Upstream-Status: Backport
> [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
> ]
> +commit id:b0a8b40294ea212c1938348ff112ef1b9bf16bb3
> +avcodec/exr: skip bottom clearing loop when its outside the image:
>  
> -CVE: CVE-2020-35965
> +Fixes: signed integer overflow: 1633771809 * 32960 cannot be
> represented in type 'int'
> +Fixes: 26532/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
>  
> +Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>  Signed-off-by: Michael Niedermayer 
> -Signed-off-by: Khairul Rohaizzat Jamaluddin
> 
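Review bot: the refreshed header drops the From:/Date: lines, the 'Upstream-Status: Backport [...]' tag, the 'CVE: CVE-2020-35965' tag and the OE-core 'Signed-off-by: Khairul Rohaizzat Jamaluddin' trailer while keeping only upstream's sign-off, so the file no longer records where the code came from or which CVE it closes. Keep those trailers; since two upstream commits are now folded in, Upstream-Status should list both URLs (3e5959b3457f7f1856d997261e6ac672bba49e8b and b0a8b40294ea212c1938348ff112ef1b9bf16bb3), and the CVE: line should stay so cve-check and reviewers can match the fix without relying on the file name alone. The 'commit id:' lines added in their place are not a recognised tag format.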

It looks like you are removing the CVE and Upstream-Status tag from
this patch. 

It might be better to backport the second commit as a separate patch
instead of squashing it with the first one ...

Thanks,

Anuj

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#146965): 
https://lists.openembedded.org/g/openembedded-core/message/146965
Mute This Topic: https://lists.openembedded.org/mt/79945501/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] ffmpeg: CVE-2020-35965 Security Advisory

2021-01-18 Thread Wang Mingyu
refresh patch: CVE-2020-35965.patch

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35965

Signed-off-by: Wang Mingyu 
---
 .../ffmpeg/ffmpeg/CVE-2020-35965.patch| 64 ++-
 1 file changed, 49 insertions(+), 15 deletions(-)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch 
b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
index ddab8e9aca..e865fa387d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch
@@ -1,35 +1,69 @@
-From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer 
-Date: Sat, 24 Oct 2020 22:21:48 +0200
-Subject: [PATCH] avcodec/exr: Check ymin vs. h
+Subject: [PATCH] CVE-2020-35965
+
+commit id:3e5959b3457f7f1856d997261e6ac672bba49e8b
+avcodec/exr: Check ymin vs. h:
 
 Fixes: out of array access
 Fixes: 
26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
 Fixes: 
27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136
 
-Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer 
-
-Upstream-Status: Backport 
[https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b]
+commit id:b0a8b40294ea212c1938348ff112ef1b9bf16bb3
+avcodec/exr: skip bottom clearing loop when its outside the image:
 
-CVE: CVE-2020-35965
+Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in 
type 'int'
+Fixes: 
26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344
 
+Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
 Signed-off-by: Michael Niedermayer 
-Signed-off-by: Khairul Rohaizzat Jamaluddin 

 ---
- libavcodec/exr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ libavcodec/exr.c | 18 ++
+ 1 file changed, 10 insertions(+), 8 deletions(-)
 
 diff --git a/libavcodec/exr.c b/libavcodec/exr.c
-index e907c5c46401..8b701d1cd298 100644
+index 68d5bef..a933bbf 100644
 --- a/libavcodec/exr.c
 +++ b/libavcodec/exr.c
-@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+@@ -1654,7 +1654,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+ AVFrame *picture = data;
+ uint8_t *ptr;
+ 
+-int i, y, ret;
++int i, y, ret, ymax;
+ int planes;
+ int out_line_size;
+ int nb_blocks;   /* nb scanline or nb tile */
+@@ -1794,7 +1794,7 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
  // Zero out the start if ymin is not 0
  for (i = 0; i < planes; i++) {
  ptr = picture->data[i];
 -for (y = 0; y < s->ymin; y++) {
-+for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
++  for (y = 0; y < FFMIN(s->ymin, s->h); y++) {
  memset(ptr, 0, out_line_size);
  ptr += picture->linesize[i];
  }
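Review bot: the replacement line '++  for (y = 0; y < FFMIN(s->ymin, s->h); y++) {' carries two extra leading spaces compared with the '-+for (y = 0; y < FFMIN(s->ymin, s->h); y++) {' line it replaces, so the refreshed hunk changes indentation as well as the loop bound. Re-indent the line to match the file's own style (the memset() and 'ptr +=' lines inside the loop) so the refresh is purely the FFMIN() clamp; a whitespace-only deviation from upstream also makes the next rebase noisier than it needs to be.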
+@@ -1804,14 +1804,16 @@ static int decode_frame(AVCodecContext *avctx, void 
*data,
+ 
+ avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks);
+ 
++ymax = FFMAX(0, s->ymax + 1);
+ // Zero out the end if ymax+1 is not h
+-for (i = 0; i < planes; i++) {
+-ptr = picture->data[i] + ((s->ymax+1) * picture->linesize[i]);
+-for (y = s->ymax + 1; y < avctx->height; y++) {
+-memset(ptr, 0, out_line_size);
+-ptr += picture->linesize[i];
++if (ymax < avctx->height)
++for (i = 0; i < planes; i++) {
++ptr = picture->data[i] + (ymax * picture->linesize[i]);
++for (y = ymax; y < avctx->height; y++) {
++memset(ptr, 0, out_line_size);
++ptr += picture->linesize[i];
++}
+ }
+-}
+ 
+ picture->pict_type = AV_PICTURE_TYPE_I;
+ *got_frame = 1;
+-- 
+2.25.1
+
-- 
2.25.1
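Review bot: in the '+@@ -1804' region, 'ymax = FFMAX(0, s->ymax + 1)' together with the 'if (ymax < avctx->height)' guard stops the bottom-clearing loop from evaluating '(s->ymax+1) * picture->linesize[i]' with an out-of-image ymax, which is the overflow quoted in the second commit message (1633771809 * 32960). The guard only helps if s->ymax is already bounded against the image height by the header parser, and 's->ymax + 1' is still computed in int before the clamp, so please confirm that check exists in the ffmpeg tree this is applied to (the hunk offsets -1654/-1794/-1804 versus upstream's -1830 show the file differs from the upstream commit's base). This region also comes from a second upstream commit (b0a8b40294ea212c1938348ff112ef1b9bf16bb3) squashed into the CVE patch; carrying it as its own .patch with its own Upstream-Status keeps the CVE backport minimal and lets each commit be verified against upstream independently.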

View/Reply Online (#146931): https://lists.openembedded.org/g/openembedded-core/message/146931