Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ffmpeg-6 for openSUSE:Factory checked in at 2024-07-30 11:53:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ffmpeg-6 (Old) and /work/SRC/openSUSE:Factory/.ffmpeg-6.new.1882 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ffmpeg-6" Tue Jul 30 11:53:19 2024 rev:12 rq:1189878 version:6.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-6/ffmpeg-6.changes 2024-04-26 23:26:12.034602408 +0200 +++ /work/SRC/openSUSE:Factory/.ffmpeg-6.new.1882/ffmpeg-6.changes 2024-07-30 11:53:36.595455426 +0200 @@ -1,0 +2,45 @@ +Fri Jul 26 14:28:59 UTC 2024 - Filip Kastl <filip.kastl@suse.com> + +- Add ffmpeg-c99.patch so that the package conforms to the C99 + standard and builds on i586 with GCC 14. + +------------------------------------------------------------------- +Tue Jul 2 12:26:28 UTC 2024 - Cliff Zhao <qzhao@suse.com> + +- Add ffmpeg-6-CVE-2024-32230.patch: + Backporting 96449cfe from upstream, Fix 1 line and one column images. + (CVE-2024-32230 bsc#1227296) + +------------------------------------------------------------------- +Tue Jul 2 11:57:01 UTC 2024 - Cliff Zhao <qzhao@suse.com> + +- Add ffmpeg-6-CVE-2024-32228.patch: + Backporting 45964876 from upstream, Fix segfault on invalid film + grain metadata. + (CVE-2024-32228, bsc#1227277) + +------------------------------------------------------------------- +Tue Jul 2 11:56:01 UTC 2024 - Cliff Zhao <qzhao@suse.com> + +- Add ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch: + Backporting 5d7f234e from upstream, document that there can be multiple + complex filtergraphs to prepare dependence code for CVE-2024-32228. + (CVE-2024-32228, bsc#1227277) + +------------------------------------------------------------------- +Tue Jul 2 11:55:01 UTC 2024 - Cliff Zhao <qzhao@suse.com> + +- Add ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch: + Backporting f50382cb from upstream, implement AFGS1 parsing. + to prepare dependence code for CVE-2024-32228. + (CVE-2024-32228, bsc#1227277) + +------------------------------------------------------------------- +Tue Jul 2 11:54:01 UTC 2024 - Cliff Zhao <qzhao@suse.com> + +- Add ffmpeg-6-CVE-2024-32228-shim-1535d338.patch: + Backporting 1535d338 from upstream, add AOM film grain synthesis, + to prepare dependence code for CVE-2024-32228. + (CVE-2024-32228, bsc#1227277) + +------------------------------------------------------------------- New: ---- ffmpeg-6-CVE-2024-32228-shim-1535d338.patch ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch ffmpeg-6-CVE-2024-32228.patch ffmpeg-6-CVE-2024-32230.patch ffmpeg-c99.patch BETA DEBUG BEGIN: New: - Add ffmpeg-6-CVE-2024-32228-shim-1535d338.patch: Backporting 1535d338 from upstream, add AOM film grain synthesis, New: - Add ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch: Backporting 5d7f234e from upstream, document that there can be multiple New: - Add ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch: Backporting f50382cb from upstream, implement AFGS1 parsing. New: - Add ffmpeg-6-CVE-2024-32228.patch: Backporting 45964876 from upstream, Fix segfault on invalid film New: - Add ffmpeg-6-CVE-2024-32230.patch: Backporting 96449cfe from upstream, Fix 1 line and one column images. New: - Add ffmpeg-c99.patch so that the package conforms to the C99 standard and builds on i586 with GCC 14. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-6.spec ++++++ --- /var/tmp/diff_new_pack.zhzs7u/_old 2024-07-30 11:53:38.123517015 +0200 +++ /var/tmp/diff_new_pack.zhzs7u/_new 2024-07-30 11:53:38.127517176 +0200 @@ -17,9 +17,6 @@ %define flavor @BUILD_FLAVOR@%nil -# -# preamble is present twice, watch out -# %if "%flavor" != "ffmpeg-6-mini" # Create proper conflicts to make sure we require all from one version @@ -122,6 +119,15 @@ Patch91: ffmpeg-dlopen-openh264.patch Patch92: ffmpeg-CVE-2023-50007.patch Patch93: ffmpeg-CVE-2023-50008.patch +Patch94: ffmpeg-6-CVE-2024-32228-shim-1535d338.patch +Patch95: ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch +Patch96: ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch +Patch97: ffmpeg-6-CVE-2024-32228.patch +Patch98: ffmpeg-6-CVE-2024-32230.patch +Patch99: ffmpeg-c99.patch +# +# preamble is present twice, watch out +# BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel >= 3.98.3 @@ -844,6 +850,12 @@ Patch91: ffmpeg-dlopen-openh264.patch Patch92: ffmpeg-CVE-2023-50007.patch Patch93: ffmpeg-CVE-2023-50008.patch +Patch94: ffmpeg-6-CVE-2024-32228-shim-1535d338.patch +Patch95: ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch +Patch96: ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch +Patch97: ffmpeg-6-CVE-2024-32228.patch +Patch98: ffmpeg-6-CVE-2024-32230.patch +Patch99: ffmpeg-c99.patch BuildRequires: c_compiler Requires: this-is-only-for-build-envs ++++++ ffmpeg-6-CVE-2024-32228-shim-1535d338.patch ++++++ ++++ 971 lines (skipped) ++++++ ffmpeg-6-CVE-2024-32228-shim-5d7f234e.patch ++++++ From 5d7f234e7ec45ccc385dca8c5fbe3b887af1c2c6 Mon Sep 17 00:00:00 2001 Author: Niklas Haas <git@haasn.dev> Date: Wed, 4 Oct 2023 14:05:24 +0200 Subject: [PATCH] avcodec/hevcdec: apply AOM film grain synthesis References: CVE-2024-32228 References: bsc#1227277 Upstream: Backport from upstream Following the usual logic for H.274 film grain. diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 824845276a..7ef2e03ca6 10064 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -432,7 +432,7 @@ OBJS-$(CONFIG_HDR_ENCODER) += hdrenc.o OBJS-$(CONFIG_HEVC_DECODER) += hevcdec.o hevc_mvs.o \ hevc_cabac.o hevc_refs.o hevcpred.o \ hevcdsp.o hevc_filter.o hevc_data.o \ - h274.o + h274.o aom_film_grain.o OBJS-$(CONFIG_HEVC_AMF_ENCODER) += amfenc_hevc.o OBJS-$(CONFIG_HEVC_CUVID_DECODER) += cuviddec.o OBJS-$(CONFIG_HEVC_MEDIACODEC_DECODER) += mediacodecdec.o diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 76aa6b4588..575836e340 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -35,6 +35,7 @@ #include "libavutil/pixdesc.h" #include "libavutil/timecode.h" +#include "aom_film_grain.h" #include "bswapdsp.h" #include "cabac_functions.h" #include "codec_internal.h" @@ -388,7 +389,8 @@ static int export_stream_params_from_sei(HEVCContext *s) avctx->color_trc = s->sei.common.alternative_transfer.preferred_transfer_characteristics; } - if (s->sei.common.film_grain_characteristics.present) + if (s->sei.common.film_grain_characteristics.present || + s->sei.common.aom_film_grain.enable) avctx->properties |= FF_CODEC_PROPERTY_FILM_GRAIN; return 0; @@ -2885,11 +2887,13 @@ static int hevc_frame_start(HEVCContext *s) else s->ref->frame->flags &= ~AV_FRAME_FLAG_KEY; - s->ref->needs_fg = s->sei.common.film_grain_characteristics.present && + s->ref->needs_fg = (s->sei.common.film_grain_characteristics.present || + s->sei.common.aom_film_grain.enable) && !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && !s->avctx->hwaccel; if (s->ref->needs_fg && + s->sei.common.film_grain_characteristics.present && !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, s->ref->frame->format)) { av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown, @@ -2934,14 +2938,24 @@ fail: static int hevc_frame_end(HEVCContext *s) { HEVCFrame *out = s->ref; - const AVFrameSideData *sd; + const AVFilmGrainParams *fgp; av_unused int ret; if (out->needs_fg) { - sd = av_frame_get_side_data(out->frame, AV_FRAME_DATA_FILM_GRAIN_PARAMS); - av_assert0(out->frame_grain->buf[0] && sd); - ret = ff_h274_apply_film_grain(out->frame_grain, out->frame, &s->h274db, - (AVFilmGrainParams *) sd->data); + av_assert0(out->frame_grain->buf[0]); + fgp = av_film_grain_params_select(out->frame); + switch (fgp->type) { + case AV_FILM_GRAIN_PARAMS_NONE: + av_assert0(0); + return AVERROR_BUG; + case AV_FILM_GRAIN_PARAMS_H274: + ret = ff_h274_apply_film_grain(out->frame_grain, out->frame, + &s->h274db, fgp); + break; + case AV_FILM_GRAIN_PARAMS_AV1: + ret = ff_aom_apply_film_grain(out->frame_grain, out->frame, fgp); + break; + } av_assert1(ret >= 0); } @@ -3596,6 +3610,7 @@ static int hevc_update_thread_context(AVCodecContext *dst, s->sei.common.alternative_transfer = s0->sei.common.alternative_transfer; s->sei.common.mastering_display = s0->sei.common.mastering_display; s->sei.common.content_light = s0->sei.common.content_light; + s->sei.common.aom_film_grain = s0->sei.common.aom_film_grain; ret = export_stream_params_from_sei(s); if (ret < 0) -- 2.41.0 ++++++ ffmpeg-6-CVE-2024-32228-shim-f50382cb.patch ++++++ From f50382cba60d106440f1ad83396ff7bed586a5ac Mon Sep 17 00:00:00 2001 Author: Niklas Haas <git@haasn.dev> Date: Mon, 26 Feb 2024 14:12:53 +0100 Subject: [PATCH] avcodec/aom_film_grain: implement AFGS1 parsing References: CVE-2024-32228 References: bsc#1227277 Upstream: Backport from upstream Based on the AOMedia Film Grain Synthesis 1 (AFGS1) spec: https://aomediacodec.github.io/afgs1-spec/ The parsing has been changed substantially relative to the AV1 film grain OBU. In particular: 1. There is the possibility of maintaining multiple independent film grain parameter sets, and decoders/players are recommended to pick the one most appropriate for the intended display resolution. This could also be used to e.g. switch between different grain profiles without having to re-signal the appropriate coefficients. 2. Supporting this, it's possible to *predict* the grain coefficients from previously signalled parameter sets, transmitting only the residual. 3. When not predicting, the parameter sets are now stored as a series of increments, rather than being directly transmitted. 4. There are several new AFGS1-exclusive fields. I placed this parser in its own file, rather than h2645_sei.c, since nothing in the generic AFGS1 film grain payload is specific to T.35, and to compartmentalize the code base. diff --git a/libavcodec/aom_film_grain.c b/libavcodec/aom_film_grain.c index ffcd71b584..e302567ba5 100644 --- a/libavcodec/aom_film_grain.c +++ b/libavcodec/aom_film_grain.c @@ -29,6 +29,7 @@ #include "libavutil/imgutils.h" #include "aom_film_grain.h" +#include "get_bits.h" // Common/shared helpers (not dependent on BIT_DEPTH) static inline int get_random_number(const int bits, unsigned *const state) { @@ -118,6 +119,243 @@ int ff_aom_apply_film_grain(AVFrame *out, const AVFrame *in, return AVERROR_INVALIDDATA; } +int ff_aom_parse_film_grain_sets(AVFilmGrainAFGS1Params *s, + const uint8_t *payload, int payload_size) +{ + GetBitContext gbc, *gb = &gbc; + AVFilmGrainAOMParams *aom; + AVFilmGrainParams *fgp, *ref = NULL; + int ret, num_sets, n, i, uv, num_y_coeffs, update_grain, luma_only; + + ret = init_get_bits8(gb, payload, payload_size); + if (ret < 0) + return ret; + + s->enable = get_bits1(gb); + if (!s->enable) + return 0; + + skip_bits(gb, 4); // reserved + num_sets = get_bits(gb, 3) + 1; + for (n = 0; n < num_sets; n++) { + int payload_4byte, payload_size, set_idx, apply_units_log2, vsc_flag; + int predict_scaling, predict_y_scaling, predict_uv_scaling[2]; + int payload_bits, start_position; + + start_position = get_bits_count(gb); + payload_4byte = get_bits1(gb); + payload_size = get_bits(gb, payload_4byte ? 2 : 8); + set_idx = get_bits(gb, 3); + fgp = &s->sets[set_idx]; + aom = &fgp->codec.aom; + + fgp->type = get_bits1(gb) ? AV_FILM_GRAIN_PARAMS_AV1 : AV_FILM_GRAIN_PARAMS_NONE; + if (!fgp->type) + continue; + + fgp->seed = get_bits(gb, 16); + update_grain = get_bits1(gb); + if (!update_grain) + continue; + + apply_units_log2 = get_bits(gb, 4); + fgp->width = get_bits(gb, 12) << apply_units_log2; + fgp->height = get_bits(gb, 12) << apply_units_log2; + luma_only = get_bits1(gb); + if (luma_only) { + fgp->subsampling_x = fgp->subsampling_y = 0; + } else { + fgp->subsampling_x = get_bits1(gb); + fgp->subsampling_y = get_bits1(gb); + } + + fgp->bit_depth_luma = fgp->bit_depth_chroma = 0; + fgp->color_primaries = AVCOL_PRI_UNSPECIFIED; + fgp->color_trc = AVCOL_TRC_UNSPECIFIED; + fgp->color_space = AVCOL_SPC_UNSPECIFIED; + fgp->color_range = AVCOL_RANGE_UNSPECIFIED; + + vsc_flag = get_bits1(gb); // video_signal_characteristics_flag + if (vsc_flag) { + int cicp_flag; + fgp->bit_depth_luma = get_bits(gb, 3) + 8; + if (!luma_only) + fgp->bit_depth_chroma = fgp->bit_depth_luma; + cicp_flag = get_bits1(gb); + if (cicp_flag) { + fgp->color_primaries = get_bits(gb, 8); + fgp->color_trc = get_bits(gb, 8); + fgp->color_space = get_bits(gb, 8); + fgp->color_range = get_bits1(gb) ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; + if (fgp->color_primaries > AVCOL_PRI_NB || + fgp->color_primaries == AVCOL_PRI_RESERVED || + fgp->color_primaries == AVCOL_PRI_RESERVED0 || + fgp->color_trc > AVCOL_TRC_NB || + fgp->color_trc == AVCOL_TRC_RESERVED || + fgp->color_trc == AVCOL_TRC_RESERVED0 || + fgp->color_space > AVCOL_SPC_NB || + fgp->color_space == AVCOL_SPC_RESERVED) + goto error; + } + } + + predict_scaling = get_bits1(gb); + if (predict_scaling && (!ref || ref == fgp)) + goto error; // prediction must be from valid, different set + + predict_y_scaling = predict_scaling ? get_bits1(gb) : 0; + if (predict_y_scaling) { + int y_scale, y_offset, bits_res; + y_scale = get_bits(gb, 9) - 256; + y_offset = get_bits(gb, 9) - 256; + bits_res = get_bits(gb, 3); + if (bits_res) { + int res[14], pred, granularity; + aom->num_y_points = ref->codec.aom.num_y_points; + for (i = 0; i < aom->num_y_points; i++) + res[i] = get_bits(gb, bits_res); + granularity = get_bits(gb, 3); + for (i = 0; i < aom->num_y_points; i++) { + pred = ref->codec.aom.y_points[i][1]; + pred = ((pred * y_scale + 8) >> 4) + y_offset; + pred += (res[i] - (1 << (bits_res - 1))) * granularity; + aom->y_points[i][0] = ref->codec.aom.y_points[i][0]; + aom->y_points[i][1] = av_clip_uint8(pred); + } + } + } else { + aom->num_y_points = get_bits(gb, 4); + if (aom->num_y_points > 14) { + goto error; + } else if (aom->num_y_points) { + int bits_inc, bits_scaling; + int y_value = 0; + bits_inc = get_bits(gb, 3) + 1; + bits_scaling = get_bits(gb, 2) + 5; + for (i = 0; i < aom->num_y_points; i++) { + y_value += get_bits(gb, bits_inc); + if (y_value > UINT8_MAX) + goto error; + aom->y_points[i][0] = y_value; + aom->y_points[i][1] = get_bits(gb, bits_scaling); + } + } + } + + if (luma_only) { + aom->chroma_scaling_from_luma = 0; + aom->num_uv_points[0] = aom->num_uv_points[1] = 0; + } else { + aom->chroma_scaling_from_luma = get_bits1(gb); + if (aom->chroma_scaling_from_luma) { + aom->num_uv_points[0] = aom->num_uv_points[1] = 0; + } else { + for (uv = 0; uv < 2; uv++) { + predict_uv_scaling[uv] = predict_scaling ? get_bits1(gb) : 0; + if (predict_uv_scaling[uv]) { + int uv_scale, uv_offset, bits_res; + uv_scale = get_bits(gb, 9) - 256; + uv_offset = get_bits(gb, 9) - 256; + bits_res = get_bits(gb, 3); + aom->uv_mult[uv] = ref->codec.aom.uv_mult[uv]; + aom->uv_mult_luma[uv] = ref->codec.aom.uv_mult_luma[uv]; + aom->uv_offset[uv] = ref->codec.aom.uv_offset[uv]; + if (bits_res) { + int res[10], pred, granularity; + aom->num_uv_points[uv] = ref->codec.aom.num_uv_points[uv]; + for (i = 0; i < aom->num_uv_points[uv]; i++) + res[i] = get_bits(gb, bits_res); + granularity = get_bits(gb, 3); + for (i = 0; i < aom->num_uv_points[uv]; i++) { + pred = ref->codec.aom.uv_points[uv][i][1]; + pred = ((pred * uv_scale + 8) >> 4) + uv_offset; + pred += (res[i] - (1 << (bits_res - 1))) * granularity; + aom->uv_points[uv][i][0] = ref->codec.aom.uv_points[uv][i][0]; + aom->uv_points[uv][i][1] = av_clip_uint8(pred); + } + } + } else { + int bits_inc, bits_scaling, uv_offset; + int uv_value = 0; + aom->num_uv_points[uv] = get_bits(gb, 4); + if (aom->num_uv_points[uv] > 10) + goto error; + bits_inc = get_bits(gb, 3) + 1; + bits_scaling = get_bits(gb, 2) + 5; + uv_offset = get_bits(gb, 8); + for (i = 0; i < aom->num_uv_points[uv]; i++) { + uv_value += get_bits(gb, bits_inc); + if (uv_value > UINT8_MAX) + goto error; + aom->uv_points[uv][i][0] = uv_value; + aom->uv_points[uv][i][1] = get_bits(gb, bits_scaling) + uv_offset; + } + } + } + } + } + + aom->scaling_shift = get_bits(gb, 2) + 8; + aom->ar_coeff_lag = get_bits(gb, 2); + num_y_coeffs = 2 * aom->ar_coeff_lag * (aom->ar_coeff_lag + 1); + if (aom->num_y_points) { + int ar_bits = get_bits(gb, 2) + 5; + for (i = 0; i < num_y_coeffs; i++) + aom->ar_coeffs_y[i] = get_bits(gb, ar_bits) - (1 << (ar_bits - 1)); + } + for (uv = 0; uv < 2; uv++) { + if (aom->chroma_scaling_from_luma || aom->num_uv_points[uv]) { + int ar_bits = get_bits(gb, 2) + 5; + for (i = 0; i < num_y_coeffs + !!aom->num_y_points; i++) + aom->ar_coeffs_uv[uv][i] = get_bits(gb, ar_bits) - (1 << (ar_bits - 1)); + } + } + aom->ar_coeff_shift = get_bits(gb, 2) + 6; + aom->grain_scale_shift = get_bits(gb, 2); + for (uv = 0; uv < 2; uv++) { + if (aom->num_uv_points[uv] && !predict_uv_scaling[uv]) { + aom->uv_mult[uv] = get_bits(gb, 8) - 128; + aom->uv_mult_luma[uv] = get_bits(gb, 8) - 128; + aom->uv_offset[uv] = get_bits(gb, 9) - 256; + } + } + aom->overlap_flag = get_bits1(gb); + aom->limit_output_range = get_bits1(gb); + + // use first set as reference only if it was fully transmitted + if (n == 0) + ref = fgp; + + payload_bits = get_bits_count(gb) - start_position; + if (payload_bits > payload_size * 8) + goto error; + skip_bits(gb, payload_size * 8 - payload_bits); + } + return 0; + +error: + memset(s, 0, sizeof(*s)); + return AVERROR_INVALIDDATA; +} + +int ff_aom_attach_film_grain_sets(const AVFilmGrainAFGS1Params *s, AVFrame *frame) +{ + AVFilmGrainParams *fgp; + if (!s->enable) + return 0; + + for (int i = 0; i < FF_ARRAY_ELEMS(s->sets); i++) { + if (s->sets[i].type != AV_FILM_GRAIN_PARAMS_AV1) + continue; + fgp = av_film_grain_params_create_side_data(frame); + if (!fgp) + return AVERROR(ENOMEM); + memcpy(fgp, &s->sets[i], sizeof(*fgp)); + } + + return 0; +} + // Taken from the AV1 spec. Range is [-2048, 2047], mean is 0 and stddev is 512 static const int16_t gaussian_sequence[2048] = { 56, 568, -180, 172, 124, -84, 172, -64, -900, 24, 820, diff --git a/libavcodec/aom_film_grain.h b/libavcodec/aom_film_grain.h index 5d772bd7d1..1f8c78f657 100644 --- a/libavcodec/aom_film_grain.h +++ b/libavcodec/aom_film_grain.h @@ -30,9 +30,22 @@ #include "libavutil/film_grain_params.h" +typedef struct AVFilmGrainAFGS1Params { + int enable; + AVFilmGrainParams sets[8]; +} AVFilmGrainAFGS1Params; + // Synthesizes film grain on top of `in` and stores the result to `out`. `out` // must already have been allocated and set to the same size and format as `in`. int ff_aom_apply_film_grain(AVFrame *out, const AVFrame *in, const AVFilmGrainParams *params); +// Parse AFGS1 parameter sets from an ITU-T T.35 payload. Returns 0 on success, +// or a negative error code. +int ff_aom_parse_film_grain_sets(AVFilmGrainAFGS1Params *s, + const uint8_t *payload, int payload_size); + +// Attach all valid film grain param sets to `frame`. +int ff_aom_attach_film_grain_sets(const AVFilmGrainAFGS1Params *s, AVFrame *frame); + #endif /* AVCODEC_AOM_FILM_GRAIN_H */ -- 2.41.0 ++++++ ffmpeg-6-CVE-2024-32228.patch ++++++ From 459648761f5412acdc3317d5bac982ceaa257584 Mon Sep 17 00:00:00 2001 Author: Niklas Haas <git@haasn.dev> Date: Sat Apr 6 13:11:09 2024 +0200 Subject: avcodec/hevcdec: fix segfault on invalid film grain metadata References: CVE-2024-32228 References: bsc#1227277 Upstream: Backport from upstream Invalid input files may contain film grain metadata which survives ff_h274_film_grain_params_supported() but does not pass av_film_grain_params_select(), leading to a SIGSEGV on hevc_frame_end(). Fix this by duplicating the av_film_grain_params_select() check at frame init time. An alternative solution here would be to defer the incompatibility check to hevc_frame_end(), but this has the downside of allocating a film grain buffer even when we already know we can't apply film grain. Fixes: https://trac.ffmpeg.org/ticket/10951 diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 727b02f0f4..d3b668af00 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2893,10 +2893,15 @@ static int hevc_frame_start(HEVCContext *s) !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && !s->avctx->hwaccel; + ret = set_side_data(s); + if (ret < 0) + goto fail; + if (s->ref->needs_fg && - s->sei.common.film_grain_characteristics.present && - !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, - s->ref->frame->format)) { + ( s->sei.common.film_grain_characteristics.present && + !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, + s->ref->frame->format)) + || !av_film_grain_params_select(s->ref->frame)) { av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown, "Unsupported film grain parameters. Ignoring film grain.\n"); s->ref->needs_fg = 0; @@ -2910,10 +2915,6 @@ static int hevc_frame_start(HEVCContext *s) goto fail; } - ret = set_side_data(s); - if (ret < 0) - goto fail; - s->frame->pict_type = 3 - s->sh.slice_type; if (!IS_IRAP(s)) -- 2.41.0 ++++++ ffmpeg-6-CVE-2024-32230.patch ++++++ From 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1 Author: Michael Niedermayer <michael@niedermayer.cc> Date: Mon Apr 8 18:38:42 2024 +0200 Subject: avcodec/mpegvideo_enc: Fix 1 line and one column images References: CVE-2024-32230 References: bsc#1227296 Upstream: Backport from upstream Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- ffmpeg-6.1.1/libavcodec/mpegvideo_enc.c 2023-12-31 08:07:26.000000000 +0800 +++ ffmpeg-6.1.1_new/libavcodec/mpegvideo_enc.c 2024-07-05 18:08:49.827035281 +0800 @@ -1198,8 +1198,8 @@ int dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? s->chroma_x_shift : 0; int v_shift = i ? s->chroma_y_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); const uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; ++++++ ffmpeg-c99.patch ++++++ From: Filip Kastl <fkastl@opensuse.org> Date: Fri, 26 Jul 2024 14:39:42 +0000 I based the package patch on this bug report (there's a patch in the comments) https://bugs.gentoo.org/936433 and on these patches https://ffmpeg.org/pipermail/ffmpeg-devel/2023-December/318685.html http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=5860a966d2fffbbda1af001... Index: ffmpeg-6.1.1/libavfilter/vsrc_testsrc_vulkan.c =================================================================== --- ffmpeg-6.1.1.orig/libavfilter/vsrc_testsrc_vulkan.c +++ ffmpeg-6.1.1/libavfilter/vsrc_testsrc_vulkan.c @@ -231,7 +231,7 @@ static int testsrc_vulkan_activate(AVFil return AVERROR(ENOMEM); err = ff_vk_filter_process_simple(&s->vkctx, &s->e, &s->pl, s->picref, NULL, - NULL, &s->opts, sizeof(s->opts)); + VK_NULL_HANDLE, &s->opts, sizeof(s->opts)); if (err < 0) return err; } @@ -250,7 +250,7 @@ static int testsrc_vulkan_activate(AVFil frame->sample_aspect_ratio = s->sar; if (!s->draw_once) { err = ff_vk_filter_process_simple(&s->vkctx, &s->e, &s->pl, frame, NULL, - NULL, &s->opts, sizeof(s->opts)); + VK_NULL_HANDLE, &s->opts, sizeof(s->opts)); if (err < 0) { av_frame_free(&frame); return err; Index: ffmpeg-6.1.1/libavutil/hwcontext_vaapi.c =================================================================== --- ffmpeg-6.1.1.orig/libavutil/hwcontext_vaapi.c +++ ffmpeg-6.1.1/libavutil/hwcontext_vaapi.c @@ -1086,7 +1086,7 @@ static int vaapi_map_from_drm(AVHWFrames int err, i, j; #if !VA_CHECK_VERSION(1, 1, 0) - unsigned long buffer_handle; + uintptr_t buffer_handle; VASurfaceAttribExternalBuffers buffer_desc; VASurfaceAttrib attrs[2] = { { @@ -1203,7 +1203,7 @@ static int vaapi_map_from_drm(AVHWFrames if (!use_prime2 || vas != VA_STATUS_SUCCESS) { int k; - unsigned long buffer_handle; + uintptr_t buffer_handle; VASurfaceAttribExternalBuffers buffer_desc; VASurfaceAttrib buffer_attrs[2] = { { Index: ffmpeg-6.1.1/libavcodec/vulkan_av1.c =================================================================== --- ffmpeg-6.1.1.orig/libavcodec/vulkan_av1.c +++ ffmpeg-6.1.1/libavcodec/vulkan_av1.c @@ -180,7 +180,7 @@ static int vk_av1_create_params(AVCodecC .sType = VK_STRUCTURE_TYPE_VIDEO_SESSION_PARAMETERS_CREATE_INFO_KHR, .pNext = &av1_params, .videoSession = ctx->common.session, - .videoSessionParametersTemplate = NULL, + .videoSessionParametersTemplate = VK_NULL_HANDLE, }; err = ff_vk_decode_create_params(buf, avctx, ctx, &session_params_create); Index: ffmpeg-6.1.1/libavcodec/vulkan_decode.c =================================================================== --- ffmpeg-6.1.1.orig/libavcodec/vulkan_decode.c +++ ffmpeg-6.1.1/libavcodec/vulkan_decode.c @@ -187,10 +187,10 @@ int ff_vk_decode_prepare_frame(FFVulkanD if (vkpic->img_view_ref) return 0; - vkpic->dpb_frame = NULL; - vkpic->img_view_ref = NULL; - vkpic->img_view_out = NULL; - vkpic->img_view_dest = NULL; + vkpic->dpb_frame = VK_NULL_HANDLE; + vkpic->img_view_ref = VK_NULL_HANDLE; + vkpic->img_view_out = VK_NULL_HANDLE; + vkpic->img_view_dest = VK_NULL_HANDLE; vkpic->destroy_image_view = vk->DestroyImageView; vkpic->wait_semaphores = vk->WaitSemaphores; Index: ffmpeg-6.1.1/libavcodec/vulkan_h264.c =================================================================== --- ffmpeg-6.1.1.orig/libavcodec/vulkan_h264.c +++ ffmpeg-6.1.1/libavcodec/vulkan_h264.c @@ -315,7 +315,7 @@ static int vk_h264_create_params(AVCodec .sType = VK_STRUCTURE_TYPE_VIDEO_SESSION_PARAMETERS_CREATE_INFO_KHR, .pNext = &h264_params, .videoSession = ctx->common.session, - .videoSessionParametersTemplate = NULL, + .videoSessionParametersTemplate = VK_NULL_HANDLE, }; /* SPS list */ Index: ffmpeg-6.1.1/libavcodec/vulkan_hevc.c =================================================================== --- ffmpeg-6.1.1.orig/libavcodec/vulkan_hevc.c +++ ffmpeg-6.1.1/libavcodec/vulkan_hevc.c @@ -653,7 +653,7 @@ static int vk_hevc_create_params(AVCodec .sType = VK_STRUCTURE_TYPE_VIDEO_SESSION_PARAMETERS_CREATE_INFO_KHR, .pNext = &h265_params, .videoSession = ctx->common.session, - .videoSessionParametersTemplate = NULL, + .videoSessionParametersTemplate = VK_NULL_HANDLE, }; HEVCHeaderSet *hdr; Index: ffmpeg-6.1.1/libavcodec/vulkan_video.c =================================================================== --- ffmpeg-6.1.1.orig/libavcodec/vulkan_video.c +++ ffmpeg-6.1.1/libavcodec/vulkan_video.c @@ -287,7 +287,7 @@ av_cold void ff_vk_video_common_uninit(F if (common->session) { vk->DestroyVideoSessionKHR(s->hwctx->act_dev, common->session, s->hwctx->alloc); - common->session = NULL; + common->session = VK_NULL_HANDLE; } if (common->nb_mem && common->mem)