mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

ffmpeg: fix CVE-2024-35368

Browse Source 
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame
function within libavcodec/rkmppdec.c.

(From OE-Core rev: 53528caafa576a2f6417436cc0dba8be06e75048)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
2024-12-13 10:11:23 +00:00
committed by Steve Sakoman
parent 3d0ff200b3
commit 59a2ca0cfe
2 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
+41
View File
@@ -0,0 +1,41 @@
From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Sun, 24 Sep 2023 13:15:48 +0200
Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
CVE: CVE-2024-35368
Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
libavcodec/rkmppdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
index 5768568..2ca368e 100644
--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
@@ -462,8 +462,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
if (!frame->hw_frames_ctx) {
- ret = AVERROR(ENOMEM);
- goto fail;
+ av_frame_unref(frame);
+ return AVERROR(ENOMEM);
}
return 0;
--
2.40.0
meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+1
View File
@@ -39,6 +39,7 @@ SRC_URI = " \
file://CVE-2024-7055.patch \ file://CVE-2024-7055.patch \
file://CVE-2024-35366.patch \ file://CVE-2024-35366.patch \
file://CVE-2024-35367.patch \ file://CVE-2024-35367.patch \
file://CVE-2024-35368.patch \
" "
SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968" SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"