diff options
Diffstat (limited to 'poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch')
-rw-r--r-- | poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch new file mode 100644 index 000000000..ddab8e9ac --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2020-35965.patch @@ -0,0 +1,35 @@ +From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 24 Oct 2020 22:21:48 +0200 +Subject: [PATCH] avcodec/exr: Check ymin vs. h + +Fixes: out of array access +Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 +Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b] + +CVE: CVE-2020-35965 + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + libavcodec/exr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavcodec/exr.c b/libavcodec/exr.c +index e907c5c46401..8b701d1cd298 100644 +--- a/libavcodec/exr.c ++++ b/libavcodec/exr.c +@@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, + // Zero out the start if ymin is not 0 + for (i = 0; i < planes; i++) { + ptr = picture->data[i]; +- for (y = 0; y < s->ymin; y++) { ++ for (y = 0; y < FFMIN(s->ymin, s->h); y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[i]; + } |