mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

ffmpeg: fix CVE-2020-22015

Browse Source 
avformat/movenc: Check pal_size before use

Fixes: assertion failure
Fixes: out of array read
Fixes: Ticket8190
Fixes: CVE-2020-22015

(From OE-Core rev: 5953c24ecd2e540483443284111abc883fdb1a10)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

CVE: CVE-2020-22015
Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46]

Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Tony Tascioglu
2021-07-27 16:20:44 -07:00
committed by Richard Purdie
parent e3adc62076
commit 92704af67d
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-multimedia/ffmpeg/ffmpeg/fix-CVE-2020-22015.patch
+44
View File
@@ -0,0 +1,44 @@
From 4c1afa292520329eecd1cc7631bc59a8cca95c46 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 29 May 2021 09:22:27 +0200
Subject: [PATCH] avformat/movenc: Check pal_size before use
Fixes: assertion failure
Fixes: out of array read
Fixes: Ticket8190
Fixes: CVE-2020-22015
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2020-22015
Upstream-Status: Backport [4c1afa292520329eecd1cc7631bc59a8cca95c46]
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
---
libavformat/movenc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 2ab507df15..7d839f447b 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -2160,11 +2160,13 @@ static int mov_write_video_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex
avio_wb16(pb, 0x18); /* Reserved */
if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) {
- int pal_size = 1 << track->par->bits_per_coded_sample;
- int i;
+ int pal_size, i;
avio_wb16(pb, 0); /* Color table ID */
avio_wb32(pb, 0); /* Color table seed */
avio_wb16(pb, 0x8000); /* Color table flags */
+ if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8)
+ return AVERROR(EINVAL);
+ pal_size = 1 << track->par->bits_per_coded_sample;
avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */
for (i = 0; i < pal_size; i++) {
uint32_t rgb = track->palette[i];
--
2.32.0
meta/recipes-multimedia/ffmpeg/ffmpeg_4.4.bb
+1
View File
@@ -27,6 +27,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
file://fix-CVE-2020-20446.patch \ file://fix-CVE-2020-20446.patch \
file://fix-CVE-2020-20453.patch \ file://fix-CVE-2020-20453.patch \
file://fix-CVE-2020-22015.patch \
" "
SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909" SRC_URI[sha256sum] = "06b10a183ce5371f915c6bb15b7b1fffbe046e8275099c96affc29e17645d909"