mirror of
https://git.yoctoproject.org/poky
synced 2026-05-30 12:29:55 +00:00
ffmpeg: fix CVE-2024-31578
FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. (From OE-Core rev: 072a5454fa6610fd751433c518f9beb5496851a1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
committed by
Steve Sakoman
Steve Sakoman
parent
341f123331
commit
338d1840cd
@@ -0,0 +1,49 @@
|
|||||||
|
From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zhao Zhili <zhilizhao@tencent.com>
|
||||||
|
Date: Tue, 20 Feb 2024 20:08:55 +0800
|
||||||
|
Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
|
||||||
|
|
||||||
|
Fix heap use after free when vulkan_frames_init failed.
|
||||||
|
|
||||||
|
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
|
||||||
|
|
||||||
|
CVE: CVE-2024-31578
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7]
|
||||||
|
|
||||||
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||||
|
---
|
||||||
|
libavutil/hwcontext.c | 8 ++------
|
||||||
|
1 file changed, 2 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
|
||||||
|
index 31c7840..2a4d9ed 100644
|
||||||
|
--- a/libavutil/hwcontext.c
|
||||||
|
+++ b/libavutil/hwcontext.c
|
||||||
|
@@ -362,7 +362,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
|
||||||
|
if (ctx->internal->hw_type->frames_init) {
|
||||||
|
ret = ctx->internal->hw_type->frames_init(ctx);
|
||||||
|
if (ret < 0)
|
||||||
|
- goto fail;
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ctx->internal->pool_internal && !ctx->pool)
|
||||||
|
@@ -372,14 +372,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
|
||||||
|
if (ctx->initial_pool_size > 0) {
|
||||||
|
ret = hwframe_pool_prealloc(ref);
|
||||||
|
if (ret < 0)
|
||||||
|
- goto fail;
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
-fail:
|
||||||
|
- if (ctx->internal->hw_type->frames_uninit)
|
||||||
|
- ctx->internal->hw_type->frames_uninit(ctx);
|
||||||
|
- return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -33,6 +33,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
|
|||||||
file://CVE-2023-51793.patch \
|
file://CVE-2023-51793.patch \
|
||||||
file://CVE-2023-50008.patch \
|
file://CVE-2023-50008.patch \
|
||||||
file://CVE-2024-31582.patch \
|
file://CVE-2024-31582.patch \
|
||||||
|
file://CVE-2024-31578.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
|
SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
|
||||||
|
|||||||
Reference in New Issue
Block a user