diff --git a/ffmpeg-CVE-2023-49528.patch b/ffmpeg-CVE-2023-49528.patch new file mode 100644 index 0000000..c42275c --- /dev/null +++ b/ffmpeg-CVE-2023-49528.patch @@ -0,0 +1,54 @@ +From 2d9ed64859c9887d0504cd71dbd5b2c15e14251a Mon Sep 17 00:00:00 2001 +From: Paul B Mahol +Date: Sat, 25 Nov 2023 12:54:28 +0100 +Subject: [PATCH] avfilter/af_dialoguenhance: fix overreads + +--- + libavfilter/af_dialoguenhance.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c +index 1762ea7cde..29c8ab10a7 100644 +--- a/libavfilter/af_dialoguenhance.c ++++ b/libavfilter/af_dialoguenhance.c +@@ -96,12 +96,12 @@ static int config_input(AVFilterLink *inlink) + if (!s->window) + return AVERROR(ENOMEM); + +- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4); +- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4); ++ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); ++ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2); + if (!s->in_frame || !s->windowed_out || !s->windowed_prev || + !s->out_dist_frame || !s->windowed_frame || !s->center_frame) + return AVERROR(ENOMEM); +@@ -250,6 +250,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + float *right_osamples = (float *)out->extended_data[1]; + float *center_osamples = (float *)out->extended_data[2]; + const int offset = s->fft_size - s->overlap; ++ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples); + float vad; + + // shift in/out buffers +@@ -258,8 +259,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out) + memmove(left_out, &left_out[s->overlap], offset * sizeof(float)); + memmove(right_out, &right_out[s->overlap], offset * sizeof(float)); + +- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float)); +- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float)); ++ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float)); ++ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float)); + memset(&left_out[offset], 0, s->overlap * sizeof(float)); + memset(&right_out[offset], 0, s->overlap * sizeof(float)); + +-- +2.25.1 + diff --git a/ffmpeg.spec b/ffmpeg.spec index b1173ab..26f389c 100644 --- a/ffmpeg.spec +++ b/ffmpeg.spec @@ -100,7 +100,7 @@ Name: ffmpeg %global pkg_name %{name}%{?pkg_suffix} Version: 6.1.1 -Release: 15%{?dist} +Release: 16%{?dist} Summary: A complete solution to record, convert and stream audio and video License: GPL-3.0-or-later URL: https://ffmpeg.org/ @@ -132,6 +132,8 @@ Patch5: ffmpeg-c99.patch Patch6: ffmpeg-gcc14.patch # Fix build with Vulkan headers >= 1.3.280.0 Patch7: ffmpeg-vulkan.patch +# Backport fix for CVE-2023-49528 +Patch8: https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/2d9ed64859c9887d0504cd71dbd5b2c15e14251a#/ffmpeg-CVE-2023-49528.patch # Set up dlopen for openh264 Patch1001: ffmpeg-dlopen-openh264.patch @@ -878,6 +880,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/examples %{_mandir}/man3/libswscale.3* %changelog +* Wed Jun 19 2024 Dominik Mierzejewski - 6.1.1-16 +- Backport fix for CVE-2023-49528 + * Thu Jun 13 2024 Sandro Mani - 6.1.1-15 - Rebuild for tesseract-5.4.1