fix CVE-2021-38114 CVE-2020-35964

(cherry picked from commit 6ee873138691521c281babf0daf900f2a5a6f45b)
2022-06-02 16:57:03 +08:00 · 2022-06-02 16:57:03 +08:00 · 27cf41fbb6
commit 27cf41fbb6
parent 4bddf13fc1
3 changed files with 119 additions and 1 deletions
--- a/CVE-2020-35964.patch
+++ b/CVE-2020-35964.patch
@ -0,0 +1,68 @@
+diff -Naru ffmpeg-4.2.4/libavformat/vividas.c ffmpeg-4.2.4-new/libavformat/vividas.c
+--- ffmpeg-4.2.4/libavformat/vividas.c	2022-05-24 10:57:25.967425000 +0800
+++ ffmpeg-4.2.4-new/libavformat/vividas.c	2022-05-24 11:07:17.698072000 +0800
+@@ -27,7 +27,7 @@
+  * @author Andrzej Szombierski [qq at kuku eu org] (2010-07)
+  * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
+  */
+-
+#include "libavutil/avassert.h"
+ #include "libavutil/intreadwrite.h"
+ #include "avio_internal.h"
+ #include "avformat.h"
+@@ -278,7 +278,7 @@
+ 
+ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *buf, int size)
+ {
+-    int i,j;
+    int i, j, ret;
+     int64_t off;
+     int val_1;
+     int num_video;
+@@ -372,7 +372,7 @@
+ 
+         if (avio_tell(pb) < off) {
+             int num_data;
+-            int xd_size = 0;
+            int xd_size = 1;
+             int data_len[256];
+             int offset = 1;
+             uint8_t *p;
+@@ -387,24 +387,19 @@
+                     return AVERROR_INVALIDDATA;
+                 }
+                 data_len[j] = len;
+-                xd_size += len;
+                xd_size += len + 1 + len/255;
+             }
+ 
+-            st->codecpar->extradata_size = 64 + xd_size + xd_size / 255;
+-            if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) {
+-                av_free(pb);
+-                return AVERROR(ENOMEM);
+-            }
+            ret = ff_alloc_extradata(st->codecpar, xd_size);
+            if (ret < 0)
+                return ret;
+ 
+             p = st->codecpar->extradata;
+             p[0] = 2;
+ 
+             for (j = 0; j < num_data - 1; j++) {
+                 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
+-                if (delta > data_len[j]) {
+-                    av_free(pb);
+-                    return AVERROR_INVALIDDATA;
+-                }
+                av_assert0(delta <= xd_size - offset);
+                 offset += delta;
+             }
+ 
+@@ -415,6 +410,7 @@
+                     av_freep(&st->codecpar->extradata);
+                     break;
+                 }
+                av_assert0(data_len[j] <= xd_size - offset);
+                 offset += data_len[j];
+             }
+ 
--- a/CVE-2021-38114.patch
+++ b/CVE-2021-38114.patch
@ -0,0 +1,45 @@
+diff -Naru ffmpeg-4.2.4/libavcodec/dnxhddec.c ffmpeg-4.2.4-new/libavcodec/dnxhddec.c
+--- ffmpeg-4.2.4/libavcodec/dnxhddec.c	2022-05-24 10:57:19.937425000 +0800
+++ ffmpeg-4.2.4-new/libavcodec/dnxhddec.c	2022-05-24 10:59:49.141810000 +0800
+@@ -111,6 +111,7 @@
+ 
+ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
+ {
+    int ret;
+     if (cid != ctx->cid) {
+         int index;
+ 
+@@ -130,19 +131,26 @@
+         ff_free_vlc(&ctx->dc_vlc);
+         ff_free_vlc(&ctx->run_vlc);
+ 
+-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+                  ctx->cid_table->ac_bits, 1, 1,
+-                 ctx->cid_table->ac_codes, 2, 2, 0);
+-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                  ctx->cid_table->dc_bits, 1, 1,
+-                 ctx->cid_table->dc_codes, 1, 1, 0);
+-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
+            goto out;
+        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                  ctx->cid_table->run_bits, 1, 1,
+-                 ctx->cid_table->run_codes, 2, 2, 0);
+                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
+            goto out;
+ 
+         ctx->cid = cid;
+     }
+-    return 0;
+    ret = 0;
+out:
+    if (ret < 0)
+        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
+    return ret;
+ }
+ 
+ static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx)
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@ -61,7 +61,7 @@ ExclusiveArch: armv7hnl
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        4.2.4
-Release:        3
+Release:        4
 License:        %{ffmpeg_license}
 URL:            http://ffmpeg.org/
 %if 0%{?date}
@ -73,6 +73,8 @@ Patch0:         fix_ppc_build.patch
 Patch1:         fix-vmaf-model-path.patch
 Patch2:         CVE-2021-3566.patch
 Patch3:         CVE-2021-38291.patch
+Patch4:         CVE-2021-38114.patch
+Patch5:         CVE-2020-35964.patch
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
 %{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})}
@ -405,6 +407,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}


 %changelog
+* Thu Jun 2 2022 yangweidong <yangweidong9@huawei.com> - 4.2.4-4
+- Fix CVE-2021-38114 and CVE-2020-35964
+
 * Sat Sep 04 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 4.2.4-3
 - Fix CVE-2021-3566 and CVE-2021-38291