Fix CVE-2023-51798 and CVE-2022-3109

2024-07-02 15:02:18 +08:00 · 2024-07-02 15:02:18 +08:00 · 9a7d15fe08
commit 9a7d15fe08
parent de82f4fe79
3 changed files with 81 additions and 9 deletions
--- a/CVE-2022-3109.patch
+++ b/CVE-2022-3109.patch
@ -0,0 +1,31 @@
+From ae0ca68362ee76165de00024e1454d2e3513eced Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 26 Jun 2024 17:54:07 +0800
+Subject: [PATCH] CVE-2022-3109
+
+---
+ libavcodec/vp3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index a2bd2ef..0c62731 100644
+--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
+@@ -2740,8 +2740,13 @@ static int vp3_decode_frame(AVCodecContext *avctx,
+     if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
+         goto error;
+ 
+-    if (!s->edge_emu_buffer)
+    if (!s->edge_emu_buffer) {
+         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
+	if (!s->edge_emu_buffer) {
+            ret = AVERROR(ENOMEM);
+            goto error;
+        }
+    }
+ 
+     if (s->keyframe) {
+         if (!s->theora) {
+-- 
+2.43.0
+
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@ -61,7 +61,7 @@ ExclusiveArch: armv7hnl
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        4.2.4
-Release:        9
+Release:        11
 License:        %{ffmpeg_license}
 URL:            http://ffmpeg.org/
 %if 0%{?date}
@ -77,9 +77,11 @@ Patch4:         CVE-2021-38114.patch
 Patch5:         CVE-2020-35964.patch
 Patch6:         CVE-2024-31578.patch
 Patch7:         CVE-2023-51794.patch
-Patch8:         CVE-2022-3341.patch
-Patch9:         fix-CVE-2023-51793.patch
-Patch10:        fix-CVE-2023-50010.patch
+Patch8:         fix-CVE-2023-51798.patch
+Patch9:         CVE-2022-3341.patch
+Patch10:        CVE-2022-3109.patch
+Patch11:        fix-CVE-2023-51793.patch
+Patch12:        fix-CVE-2023-50010.patch
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
 %{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})}
@ -412,22 +414,28 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}


 %changelog
-* Tue Jul 02 2024 happyworker <208suo@208suo.com> - 4.2.4-9
- Fix fix CVE-2023-50010
+* Tue Jul 02 2024 happyworker <208suo@208suo.com> - 4.2.4-11
+- Fix CVE-2023-50010

-* Tue Jul 02 2024 happyworker <208suo@208suo.com> - 4.2.4-8
+* Tue Jul 02 2024 happyworker <208suo@208suo.com> - 4.2.4-10
 - Fix CVE-2023-51793

-* Tue Jun 25 2024 happyworker <208suo@208suo.com> - 4.2.4-7
+* Wed Jun 26 2024 happyworker <208suo@208suo.com> - 4.2.4-9
+- Fix CVE-2022-3109
+
+* Tue Jun 25 2024 happyworker <208suo@208suo.com> - 4.2.4-8
 - Fix CVE-2022-3341

+* Tue Jun 25 2024 happyworker <208suo@208suo.com> - 4.2.4-7
+- Fix CVE-2023-51798
+
 * Wed Jun 19 2024 happyworker <208suo@208suo.com> - 4.2.4-6
 - Fix CVE-2023-51794

 * Wed May 01 2024 cenhuilin <cenhuilin@kylinos.cn> - 4.2.4-5
 - fix CVE-2024-31578

-* Tue May 24 2022 yangweidong <yangweidong9@huawei.com> - 4.2.4-4
+* Thu Jun 2 2022 yangweidong <yangweidong9@huawei.com> - 4.2.4-4
 - Fix CVE-2021-38114 and CVE-2020-35964

 * Sat Sep 04 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 4.2.4-3
--- a/fix-CVE-2023-51798.patch
+++ b/fix-CVE-2023-51798.patch
@ -0,0 +1,33 @@
+From faedf9f8ef5b657064ecf6af8d1ba767ada60bf4 Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Tue, 25 Jun 2024 10:58:39 +0800
+Subject: [PATCH] fix-CVE-2023-51798
+
+---
+ libavfilter/vf_minterpolate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c
+index b0bb238..745987c 100644
+--- a/libavfilter/vf_minterpolate.c
+++ b/libavfilter/vf_minterpolate.c
+@@ -1086,9 +1086,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out)
+     pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den,
+                                    (int64_t)             outlink->time_base.den * inlink->time_base.num);
+ 
+-    alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+-    alpha = av_clip(alpha, 0, ALPHA_MAX);
+-
+    if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {
+        alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+        alpha = av_clip(alpha, 0, ALPHA_MAX);
+    } else {
+        av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n");
+        alpha = 0;
+    }
+     if (alpha == 0 || alpha == ALPHA_MAX) {
+         av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf);
+         return;
+-- 
+2.43.0
+