diff --git a/backport-CVE-2024-35369.patch b/backport-CVE-2024-35369.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3feb3c8abd2e27b898384e3b14e2e1a363167e8b
--- /dev/null
+++ b/backport-CVE-2024-35369.patch
@@ -0,0 +1,31 @@
+From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Sat, 17 Feb 2024 09:45:57 -0300
+Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values
+
+Prevent potential integer overflows.
+
+Signed-off-by: James Almer
+---
+ libavcodec/speexdec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
+index 08c7e77..46d2587 100644
+--- a/libavcodec/speexdec.c
++++ b/libavcodec/speexdec.c
+@@ -1420,8 +1420,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+ s->bitrate = bytestream_get_le32(&buf);
+ s->frame_size = bytestream_get_le32(&buf);
+- if (s->frame_size < NB_FRAME_SIZE << s->mode)
++ if (s->frame_size < NB_FRAME_SIZE << s->mode ||
++ s->frame_size > INT32_MAX >> s->mode)
+ return AVERROR_INVALIDDATA;
++ s->frame_size <<= s->mode;
+ s->vbr = bytestream_get_le32(&buf);
+ s->frames_per_packet = bytestream_get_le32(&buf);
+ if (s->frames_per_packet <= 0 ||
+--
+2.33.0
+
diff --git a/backport-CVE-2024-36619.patch b/backport-CVE-2024-36619.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c18b7c408c10ddccd2a00ed211356a8df4840103
--- /dev/null
+++ b/backport-CVE-2024-36619.patch
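Review bot: Both `NB_FRAME_SIZE << s->mode` and the new `INT32_MAX >> s->mode` are only well-defined when `s->mode` is smaller than the width of int, and the hunk does not show where `s->mode` is bounded; the `return AVERROR_INVALIDDATA;` at the top of the hunk suggests an earlier range check on it, but for a backport into 6.1.1 it is worth confirming that the check is present and precedes this code in the target tree rather than assuming it from upstream. Given that precondition, the added upper bound is what makes the new `s->frame_size <<= s->mode;` free of signed overflow, which is the point of the fix. parse_speex_extradata starts and ends outside the hunk, so the later uses of the now-shifted frame_size are not visible here.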
@@ -0,0 +1,31 @@
+From 28c7094b25b689185155a6833caf2747b94774a4 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Thu, 4 Apr 2024 00:15:27 +0200
+Subject: [PATCH] avcodec/wavarc: fix signed integer overflow in block type
+ 6/19
+
+Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int'
+Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/wavarc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
+index 7083494cd8..b4b26958e6 100644
+--- a/libavcodec/wavarc.c
++++ b/libavcodec/wavarc.c
+@@ -647,7 +647,7 @@ static int decode_5elp(AVCodecContext *avctx,
+ for (int o = 0; o < order; o++)
+ sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
+
+- samples[n + 70] += ac_out[n] + (sum >> 4);
++ samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);
+ }
+
+ for (int n = 0; n < 70; n++)
+--
+2.33.0
+
diff --git a/ffmpeg.spec b/ffmpeg.spec
index 4a89a8a1123c67e4ffb8dcb8b65f081bb41a636c..d1f05a1c4aea06ff618d97ae1fb9a7dfc6077053 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -62,7 +62,7 @@ Summary: Digital VCR and streaming server
 Name: ffmpeg%{?flavor}
 Version: 6.1.1
-Release: 17
+Release: 18
 License: GPL-3.0-or-later
 URL: http://ffmpeg.org/
 Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
@@ -84,6 +84,8 @@ Patch13: backport-CVE-2024-35368.patch
 Patch14: backport-CVE-2024-36616.patch
 Patch15: backport-CVE-2024-36618.patch
 Patch16: backport-CVE-2024-36617.patch
+Patch17: backport-CVE-2024-36619.patch
+Patch18: backport-CVE-2024-35369.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@@ -413,6 +415,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 %changelog
+* Tue Dec 17 2024 liningjie - 6.1.1-18
+- fix CVE-2024-36619 CVE-2024-35369
+
 * Fri Dec 13 2024 liningjie - 6.1.1-17
 - fix CVE-2024-36617 CVE-2024-36618