File ffmpeg-CVE-2023-51793.patch of Package ffmpeg-5

Overview Repositories Revisions Requests Users Attributes Meta

File ffmpeg-CVE-2023-51793.patch of Package ffmpeg-5 (Revision 3fdf3066d751eedc63662073e3c9f927)

Currently displaying revision 3fdf3066d751eedc63662073e3c9f927 , Show latest

From 0ecc1f0e48930723d7a467761b66850811c23e62
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri Dec 22 12:31:35 2023 +0100
Subject: avfilter/vf_weave: Fix odd height handling
References: https://bugzilla.opensuse.org/1223272
References: CVE-2023-51793
    
Fixes: out of array access
Fixes: tickets/10743/poc10ffmpeg

Found-by: Zeng Yunxiang and Li Zeyuan
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff -Nura ffmpeg-5.1.4/libavfilter/vf_weave.c ffmpeg-5.1.4_new/libavfilter/vf_weave.c
--- ffmpeg-5.1.4/libavfilter/vf_weave.c	2023-11-10 07:38:51.000000000 +0800
+++ ffmpeg-5.1.4_new/libavfilter/vf_weave.c	2024-04-26 01:39:00.742700759 +0800
@@ -30,6 +30,7 @@
     int double_weave;
     int nb_planes;
     int planeheight[4];
+    int outheight[4];
     int linesize[4];
 
     AVFrame *prev;
@@ -79,6 +80,9 @@
     s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h);
     s->planeheight[0] = s->planeheight[3] = inlink->h;
 
+    s->outheight[1] = s->outheight[2] = AV_CEIL_RSHIFT(2*inlink->h, desc->log2_chroma_h);
+    s->outheight[0] = s->outheight[3] = 2*inlink->h;
+
     s->nb_planes = av_pix_fmt_count_planes(inlink->format);
 
     return 0;
@@ -104,19 +108,20 @@
         const int height = s->planeheight[i];
         const int start = (height * jobnr) / nb_jobs;
         const int end = (height * (jobnr+1)) / nb_jobs;
+        const int compensation = 2*end > s->outheight[i];
 
         av_image_copy_plane(out->data[i] + out->linesize[i] * field1 +
                             out->linesize[i] * start * 2,
                             out->linesize[i] * 2,
                             in->data[i] + start * in->linesize[i],
                             in->linesize[i],
-                            s->linesize[i], end - start);
+                            s->linesize[i], end - start - compensation * field1);
         av_image_copy_plane(out->data[i] + out->linesize[i] * field2 +
                             out->linesize[i] * start * 2,
                             out->linesize[i] * 2,
                             s->prev->data[i] + start * s->prev->linesize[i],
                             s->prev->linesize[i],
-                            s->linesize[i], end - start);
+                            s->linesize[i], end - start - compensation * field2);
     }
 
     return 0;

Places

File ffmpeg-CVE-2023-51793.patch of Package ffmpeg-5 (Revision 3fdf3066d751eedc63662073e3c9f927)

Places