From 04a41df4b1467a193a79ace8b66dabf3778ed2c6 Mon Sep 17 00:00:00 2001 From: starfish002 Date: Tue, 3 Aug 2021 14:58:47 +0800 Subject: [PATCH] submit ffmpeg patch for version 4.2.2 Signed-off-by: starfish002 --- ffmpeg-y/fftools/ffmpeg.c | 2 ++ ffmpeg-y/libavcodec/ac3enc.c | 7 +++--- ffmpeg-y/libavcodec/v4l2_m2m.c | 16 +++++++++----- ffmpeg-y/libavcodec/v4l2_m2m_dec.c | 10 +++------ ffmpeg-y/libavcodec/v4l2_m2m_enc.c | 1 + ffmpeg-y/libavfilter/af_acrossover.c | 1 + ffmpeg-y/libavfilter/af_tremolo.c | 11 ++++++---- ffmpeg-y/libavfilter/f_reverse.c | 7 ++++++ ffmpeg-y/libavfilter/vf_avgblur.c | 2 +- ffmpeg-y/libavfilter/vf_bm3d.c | 11 +++++----- ffmpeg-y/libavfilter/vf_bwdif.c | 6 +++--- ffmpeg-y/libavfilter/vf_colorspace.c | 15 +++++++++++-- ffmpeg-y/libavfilter/vf_fieldmatch.c | 2 +- ffmpeg-y/libavfilter/vf_lagfun.c | 2 +- ffmpeg-y/libavfilter/vf_random.c | 10 +++++++++ ffmpeg-y/libavfilter/vf_tile.c | 1 + ffmpeg-y/libavfilter/vf_vmafmotion.c | 3 +++ ffmpeg-y/libavfilter/vf_yadif.c | 17 +++++++++------ ffmpeg-y/libavformat/avienc.c | 24 ++++++++++++++++----- ffmpeg-y/libavformat/mpegenc.c | 32 +++++++++++++++++----------- ffmpeg-y/libavformat/nutenc.c | 7 +++++- ffmpeg-y/libavformat/wtvdec.c | 4 +++- 22 files changed, 133 insertions(+), 58 deletions(-) diff --git a/ffmpeg-y/fftools/ffmpeg.c b/ffmpeg-y/fftools/ffmpeg.c index 01f04103cf..c8b6fde536 100755 --- a/ffmpeg-y/fftools/ffmpeg.c +++ b/ffmpeg-y/fftools/ffmpeg.c @@ -515,6 +515,7 @@ static void ffmpeg_cleanup(int ret) } av_freep(&fg->inputs); for (j = 0; j < fg->nb_outputs; j++) { + avfilter_inout_free(&fg->outputs[j]->out_tmp); // fix CVE-2020-22042 av_freep(&fg->outputs[j]->name); av_freep(&fg->outputs[j]->formats); av_freep(&fg->outputs[j]->channel_layouts); @@ -567,6 +568,7 @@ static void ffmpeg_cleanup(int ret) ost->audio_channels_mapped = 0; av_dict_free(&ost->sws_dict); + av_dict_free(&ost->swr_opts); // fix CVE-2020-22054 avcodec_free_context(&ost->enc_ctx); avcodec_parameters_free(&ost->ref_par); 
diff --git a/ffmpeg-y/libavcodec/ac3enc.c b/ffmpeg-y/libavcodec/ac3enc.c index f1c95ce877..1184db0013 100755 --- a/ffmpeg-y/libavcodec/ac3enc.c +++ b/ffmpeg-y/libavcodec/ac3enc.c @@ -2050,8 +2050,9 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) av_freep(&block->cpl_coord_exp); av_freep(&block->cpl_coord_mant); } - - s->mdct_end(s); + // fix CVE-2020-22046 + if (s->mdct_end) + s->mdct_end(s); return 0; } @@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) ret = validate_options(s); if (ret) - return ret; + goto init_fail; // fix CVE-2020-22046 avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; avctx->initial_padding = AC3_BLOCK_SIZE; diff --git a/ffmpeg-y/libavcodec/v4l2_m2m.c b/ffmpeg-y/libavcodec/v4l2_m2m.c index 427e165f58..7e4a1c4620 100755 --- a/ffmpeg-y/libavcodec/v4l2_m2m.c +++ b/ffmpeg-y/libavcodec/v4l2_m2m.c @@ -312,6 +312,7 @@ static void v4l2_m2m_destroy_context(void *opaque, uint8_t *context) sem_destroy(&s->refsync); close(s->fd); + av_packet_unref(&s->buf_pkt); // fix CVE-2020-22038 av_free(s); } @@ -321,14 +322,19 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx) V4L2m2mPriv *priv = avctx->priv_data; V4L2m2mContext* s = priv->context; int ret; + // fix CVE-2020-22038 + if (!s) + return 0; - ret = ff_v4l2_context_set_status(&s->output, VIDIOC_STREAMOFF); - if (ret) + if (s->fd >= 0) { + ret = ff_v4l2_context_set_status(&s->output, VIDIOC_STREAMOFF); + if (ret) av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->output.name); - ret = ff_v4l2_context_set_status(&s->capture, VIDIOC_STREAMOFF); - if (ret) - av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->capture.name); + ret = ff_v4l2_context_set_status(&s->capture, VIDIOC_STREAMOFF); + if (ret) + av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->capture.name); + } ff_v4l2_context_release(&s->output); diff --git a/ffmpeg-y/libavcodec/v4l2_m2m_dec.c b/ffmpeg-y/libavcodec/v4l2_m2m_dec.c index d0601f0e2f..aeb3da1cb5 100755 
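Review bot: In ff_ac3_encode_init the new `goto init_fail` sends a failed `validate_options` down the cleanup path before any encoder buffers exist, and the only guard added in ff_ac3_encode_close is the one on `s->mdct_end`. Presumably `init_fail` ends in ff_ac3_encode_close, as that guard implies. The rest of the function is outside the hunk, so it is worth confirming that every other member it walks, especially anything indexed per channel, tolerates a context that never reached buffer allocation. A short comment at the jump, e.g. `/* close must cope with a partially initialised context */`, would record that requirement.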
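Review bot: `av_packet_unref(&s->buf_pkt)` in v4l2_m2m_destroy_context releases a member that this patch never declares. The diffstat touches no header, so `V4L2m2mContext` is unchanged. The same applies to `av_frame_free(&s->xover)` in the af_acrossover.c uninit hunk and `av_packet_free(&avi->empty_packet)` in avi_deinit in avienc.c, whose struct definitions are not modified either. If the 4.2.2 tree does not already carry these members with exactly the types the calls expect (`AVPacket`, `AVFrame *`, `AVPacket *`), the lines either fail to build or free memory through a pointer of the wrong type. Please check each one against the target tree and drop any line that was copied from a newer upstream layout.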
--- a/ffmpeg-y/libavcodec/v4l2_m2m_dec.c +++ b/ffmpeg-y/libavcodec/v4l2_m2m_dec.c @@ -187,12 +187,8 @@ static av_cold int v4l2_decode_init(AVCodecContext *avctx) capture->av_pix_fmt = avctx->pix_fmt; ret = ff_v4l2_m2m_codec_init(avctx); - if (ret) { - V4L2m2mPriv *priv = avctx->priv_data; + if (ret) { // fix CVE-2020-22038 av_log(avctx, AV_LOG_ERROR, "can't configure decoder\n"); - s->self_ref = NULL; - av_buffer_unref(&priv->context_ref); - return ret; } @@ -228,8 +224,8 @@ AVCodec ff_ ## NAME ## _v4l2m2m_decoder = { \ .receive_frame = v4l2_receive_frame,\ .close = ff_v4l2_m2m_codec_end,\ .bsfs = bsf_name, \ - .capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY | \ - AV_CODEC_CAP_AVOID_PROBING, \ + .capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING, \ + .caps_internal = FF_CODEC_CAP_SETS_PKT_DTS | FF_CODEC_CAP_INIT_CLEANUP, \ .wrapper_name = "v4l2m2m", \ }; diff --git a/ffmpeg-y/libavcodec/v4l2_m2m_enc.c b/ffmpeg-y/libavcodec/v4l2_m2m_enc.c index 636e1a96dd..6758bcbcb7 100755 --- a/ffmpeg-y/libavcodec/v4l2_m2m_enc.c +++ b/ffmpeg-y/libavcodec/v4l2_m2m_enc.c @@ -342,6 +342,7 @@ AVCodec ff_ ## NAME ## _v4l2m2m_encoder = { \ .receive_packet = v4l2_receive_packet,\ .close = ff_v4l2_m2m_codec_end,\ .capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY, \ + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, \ .wrapper_name = "v4l2m2m", \ }; diff --git a/ffmpeg-y/libavfilter/af_acrossover.c b/ffmpeg-y/libavfilter/af_acrossover.c index 3ccc4d72f6..2ea211ec60 100755 --- a/ffmpeg-y/libavfilter/af_acrossover.c +++ b/ffmpeg-y/libavfilter/af_acrossover.c @@ -314,6 +314,7 @@ static av_cold void uninit(AVFilterContext *ctx) int i; av_freep(&s->splits); + av_frame_free(&s->xover); // fix CVE-2020-22056 for (i = 0; i < ctx->nb_outputs; i++) av_freep(&ctx->output_pads[i].name); diff --git a/ffmpeg-y/libavfilter/af_tremolo.c b/ffmpeg-y/libavfilter/af_tremolo.c index 8cbc79892d..574ec36c25 100755 --- a/ffmpeg-y/libavfilter/af_tremolo.c 
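Review bot: The decoder macro gains `FF_CODEC_CAP_SETS_PKT_DTS` together with `FF_CODEC_CAP_INIT_CLEANUP`, but only the second is needed for the init-failure cleanup this commit is about. The encoder hunk adds `FF_CODEC_CAP_INIT_CLEANUP` alone. `FF_CODEC_CAP_SETS_PKT_DTS` declares that the decoder fills `pkt_dts` on its own frames, and nothing in this patch makes the v4l2 decoder do so. Unless the tree already does, this may change timestamp handling as a side effect of a security backport. Either reduce the line to `.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, \` or state in the commit message why the extra flag is included.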
+++ b/ffmpeg-y/libavfilter/af_tremolo.c @@ -28,6 +28,7 @@ typedef struct TremoloContext { double freq; double depth; double *table; + int table_size; int index; } TremoloContext; @@ -72,7 +73,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) dst += channels; src += channels; s->index++; - if (s->index >= inlink->sample_rate / s->freq) + // fix CVE-2020-22026 + if (s->index >= s->table_size) s->index = 0; } @@ -124,12 +126,13 @@ static int config_input(AVFilterLink *inlink) TremoloContext *s = ctx->priv; const double offset = 1. - s->depth / 2.; int i; - - s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table)); + // fix CVE-2020-22026 + s->table_size = lrint(inlink->sample_rate / s->freq + 0.5); + s->table = av_malloc_array(s->table_size, sizeof(*s->table)); if (!s->table) return AVERROR(ENOMEM); - for (i = 0; i < inlink->sample_rate / s->freq; i++) { + for (i = 0; i < s->table_size; i++) { double env = s->freq * i / inlink->sample_rate; env = sin(2 * M_PI * fmod(env + 0.25, 1.0)); s->table[i] = env * (1 - fabs(offset)) + offset; diff --git a/ffmpeg-y/libavfilter/f_reverse.c b/ffmpeg-y/libavfilter/f_reverse.c index 5f27927075..a254141e4f 100755 --- a/ffmpeg-y/libavfilter/f_reverse.c +++ b/ffmpeg-y/libavfilter/f_reverse.c @@ -57,6 +57,11 @@ static av_cold int init(AVFilterContext *ctx) static av_cold void uninit(AVFilterContext *ctx) { ReverseContext *s = ctx->priv; + // fix CVE-2020-22040 + while (s->nb_frames > 0) { + av_frame_free(&s->frames[s->nb_frames - 1]); + s->nb_frames--; + } av_freep(&s->pts); av_freep(&s->frames); @@ -103,6 +108,7 @@ static int request_frame(AVFilterLink *outlink) AVFrame *out = s->frames[s->nb_frames - 1]; out->pts = s->pts[s->flush_idx++]; ret = ff_filter_frame(outlink, out); + s->frames[s->nb_frames - 1] = NULL; // fix CVE-2020-22040 s->nb_frames--; } 
@@ -262,6 +268,7 @@ static int areverse_request_frame(AVFilterLink *outlink) else reverse_samples_packed(out); ret = ff_filter_frame(outlink, out); + s->frames[s->nb_frames - 1] = NULL; // fix CVE-2020-22040 s->nb_frames--; } diff --git a/ffmpeg-y/libavfilter/vf_avgblur.c b/ffmpeg-y/libavfilter/vf_avgblur.c index c7b88427fd..f0406fa47b 100755 --- a/ffmpeg-y/libavfilter/vf_avgblur.c +++ b/ffmpeg-y/libavfilter/vf_avgblur.c @@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr, \ src = s->buffer + x; \ ptr = buffer + x; \ - for (i = 0; i <= radius; i++) { \ + for (i = 0; i + radius < height && i <= radius; i++) { /* fix CVE-2020-22028 */ \ acc += src[(i + radius) * width]; \ count++; \ ptr[i * linesize] = acc / count; \ diff --git a/ffmpeg-y/libavfilter/vf_bm3d.c b/ffmpeg-y/libavfilter/vf_bm3d.c index 75c356728e..dfe92e0c0b 100755 --- a/ffmpeg-y/libavfilter/vf_bm3d.c +++ b/ffmpeg-y/libavfilter/vf_bm3d.c @@ -706,8 +706,9 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) const int plane = td->plane; const int width = s->planewidth[plane]; const int height = s->planeheight[plane]; - const int block_pos_bottom = height - s->block_size; - const int block_pos_right = width - s->block_size; + // fix CVE-2020-22035 + const int block_pos_bottom = FFMAX(0, height - s->block_size); + const int block_pos_right = FFMAX(0, width - s->block_size); const int slice_start = (((height + block_step - 1) / block_step) * jobnr / nb_jobs) * block_step; const int slice_end = (jobnr == nb_jobs - 1) ? block_pos_bottom + block_step : (((height + block_step - 1) / block_step) * (jobnr + 1) / nb_jobs) * block_step; 
@@ -795,9 +796,9 @@ static int config_input(AVFilterLink *inlink) for (i = 0; i < s->nb_threads; i++) { SliceContext *sc = &s->slices[i]; - - sc->num = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample)); - sc->den = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample)); + // fix CVE-2020-22035 + sc->num = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample)); + sc->den = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample)); if (!sc->num || !sc->den) return AVERROR(ENOMEM); diff --git a/ffmpeg-y/libavfilter/vf_bwdif.c b/ffmpeg-y/libavfilter/vf_bwdif.c index 37165584cf..009ae23fff 100755 --- a/ffmpeg-y/libavfilter/vf_bwdif.c +++ b/ffmpeg-y/libavfilter/vf_bwdif.c @@ -342,9 +342,9 @@ static int config_props(AVFilterLink *link) if(yadif->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + // fix CVE-2020-22036 + if (link->w < 3 || link->h < 4) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } diff --git a/ffmpeg-y/libavfilter/vf_colorspace.c b/ffmpeg-y/libavfilter/vf_colorspace.c index df6efffb3d..34ad48453d 100755 --- a/ffmpeg-y/libavfilter/vf_colorspace.c +++ b/ffmpeg-y/libavfilter/vf_colorspace.c @@ -780,6 +780,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) res = av_frame_copy_props(out, in); if (res < 0) { av_frame_free(&in); + av_frame_free(&out); // fix CVE-2020-22048 return res; } 
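Review bot: The element count handed to `av_calloc` in the vf_bm3d.c config_input hunk is still an `int` product, `FFALIGN(w, bs) * FFALIGN(h, bs)`, so for very large planes it can overflow before av_calloc's own size check sees it. Rounding both factors up makes that product larger than it was before the patch. Widening one operand keeps the arithmetic in `size_t`: `av_calloc((size_t)FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample))`. `FFALIGN` also assumes a power-of-two alignment; presumably `block_size` always is one, but that is set outside the hunk and should be confirmed. The `(h/2 + 4) * fm->tpitchy` count in the vf_fieldmatch.c hunk has the same int-multiply shape.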
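Review bot: In vf_colorspace.c filter_frame the pair `av_frame_free(&in); av_frame_free(&out);` followed by a return is now repeated on four error paths, here and in the two later hunks of this file. A single `fail:` label at the end of the function, reached with `goto fail` after setting `res`, would keep the paths from drifting apart when another early return is added. The `// fix CVE-2020-22048` comment above `if (s->yuv2yuv_passthrough)` sits on the wrong line, because the change is the inner `if (res < 0)` block. Any returns in filter_frame outside these hunks are not visible, so whether every exit now frees both frames cannot be confirmed from the diff.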
@@ -839,13 +840,19 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] || !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) { uninit(ctx); + av_frame_free(&in); // fix CVE-2020-22048 + av_frame_free(&out); return AVERROR(ENOMEM); } s->rgb_sz = rgb_sz; } res = create_filtergraph(ctx, in, out); - if (res < 0) + // fix CVE-2020-22048 + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } s->rgb_stride = rgb_stride / sizeof(int16_t); td.in = in; td.out = out; @@ -857,10 +864,14 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) td.out_linesize[2] = out->linesize[2]; td.in_ss_h = av_pix_fmt_desc_get(in->format)->log2_chroma_h; td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h; + // fix CVE-2020-22048 if (s->yuv2yuv_passthrough) { res = av_frame_copy(out, in); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } } else { ctx->internal->execute(ctx, convert, &td, NULL, FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx))); diff --git a/ffmpeg-y/libavfilter/vf_fieldmatch.c b/ffmpeg-y/libavfilter/vf_fieldmatch.c index 5a73eb43b8..69292ef2a1 100755 --- a/ffmpeg-y/libavfilter/vf_fieldmatch.c +++ b/ffmpeg-y/libavfilter/vf_fieldmatch.c @@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink) fm->tpitchy = FFALIGN(w, 16); fm->tpitchuv = FFALIGN(w >> 1, 16); - fm->tbuffer = av_malloc(h/2 * fm->tpitchy); + fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); // fix CVE-2020-22020 fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) * (((h + fm->blocky/2)/fm->blocky)+1) * 4 * sizeof(*fm->c_array)); diff --git a/ffmpeg-y/libavfilter/vf_lagfun.c b/ffmpeg-y/libavfilter/vf_lagfun.c index 329c7465e1..1fbc889e35 100755 --- a/ffmpeg-y/libavfilter/vf_lagfun.c +++ b/ffmpeg-y/libavfilter/vf_lagfun.c 
@@ -137,7 +137,7 @@ static int lagfun_frame16(AVFilterContext *ctx, void *arg, int jobnr, int nb_job } for (int y = slice_start; y < slice_end; y++) { - for (int x = 0; x < s->linesize[p]; x++) + for (int x = 0; x < s->linesize[p] / 2; x++) dst[x] = FFMAX(src[x], osrc[x] * decay); src += in->linesize[p] / 2; diff --git a/ffmpeg-y/libavfilter/vf_random.c b/ffmpeg-y/libavfilter/vf_random.c index 373a7db053..29996bdcb8 100755 --- a/ffmpeg-y/libavfilter/vf_random.c +++ b/ffmpeg-y/libavfilter/vf_random.c @@ -108,6 +108,15 @@ static int request_frame(AVFilterLink *outlink) return ret; } +// fix CVE-2020-22041 +static av_cold void uninit(AVFilterContext *ctx) +{ + RandomContext *s = ctx->priv; + + for (int i = 0; i < s->nb_frames; i++) + av_frame_free(&s->frames[i]); +} + static const AVFilterPad random_inputs[] = { { .name = "default", @@ -132,6 +141,7 @@ AVFilter ff_vf_random = { .priv_size = sizeof(RandomContext), .priv_class = &random_class, .init = init, + .uninit = uninit, // fix CVE-2020-22041 .inputs = random_inputs, .outputs = random_outputs, }; diff --git a/ffmpeg-y/libavfilter/vf_tile.c b/ffmpeg-y/libavfilter/vf_tile.c index 439689a14d..fc0d5bfb22 100755 --- a/ffmpeg-y/libavfilter/vf_tile.c +++ b/ffmpeg-y/libavfilter/vf_tile.c @@ -262,6 +262,7 @@ static av_cold void uninit(AVFilterContext *ctx) { TileContext *tile = ctx->priv; + av_frame_free(&tile->out_ref); // fix CVE-2020-22051 av_frame_free(&tile->prev_out_ref); } diff --git a/ffmpeg-y/libavfilter/vf_vmafmotion.c b/ffmpeg-y/libavfilter/vf_vmafmotion.c index 5c2a974538..2468c2cb9f 100755 --- a/ffmpeg-y/libavfilter/vf_vmafmotion.c +++ b/ffmpeg-y/libavfilter/vf_vmafmotion.c @@ -237,6 +237,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, size_t data_sz; int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + // fix CVE-2020-22019 + if (w < 3 || h < 3) + return AVERROR(EINVAL); s->width = w; s->height = h; 
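Review bot: The lagfun_frame16 loop bound change to `s->linesize[p] / 2` is the only functional hunk in this patch without a `// fix CVE-…` tag, and the commit message does not say which issue it addresses. Please add the identifier it backports. A why-comment would also help, such as `/* linesize is in bytes; samples are 16-bit, so iterate linesize / 2 elements */`. That reading matches the `in->linesize[p] / 2` pointer step in the context lines, though the units of `s->linesize` are set outside the hunk.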
diff --git a/ffmpeg-y/libavfilter/vf_yadif.c b/ffmpeg-y/libavfilter/vf_yadif.c index 3107924932..671db01c8e 100755 --- a/ffmpeg-y/libavfilter/vf_yadif.c +++ b/ffmpeg-y/libavfilter/vf_yadif.c @@ -111,6 +111,7 @@ static void filter_line_c(void *dst1, } #define MAX_ALIGN 8 +// fix CVE-2020-22021 static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, int w, int prefs, int mrefs, int parity, int mode) { @@ -123,20 +124,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } diff --git a/ffmpeg-y/libavformat/avienc.c b/ffmpeg-y/libavformat/avienc.c index ac0f04c354..17753050df 100755 --- a/ffmpeg-y/libavformat/avienc.c +++ b/ffmpeg-y/libavformat/avienc.c @@ -909,7 +909,7 @@ static int avi_write_trailer(AVFormatContext *s) AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; int res = 0; - int i, j, n, nb_frames; + int i, n, nb_frames; int64_t file_size; for (i = 0; i < s->nb_streams; i++) { 
@@ -962,10 +962,6 @@ static int avi_write_trailer(AVFormatContext *s) for (i = 0; i < s->nb_streams; i++) { AVIStream *avist = s->streams[i]->priv_data; - for (j = 0; j < avist->indexes.ents_allocated / AVI_INDEX_CLUSTER_SIZE; j++) - av_freep(&avist->indexes.cluster[j]); - av_freep(&avist->indexes.cluster); - avist->indexes.ents_allocated = avist->indexes.entry = 0; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { avio_seek(pb, avist->frames_hdr_strm + 4, SEEK_SET); avio_wl32(pb, avist->max_size); @@ -974,6 +970,23 @@ static int avi_write_trailer(AVFormatContext *s) return res; } +// fix CVE-2020-22039 +static void avi_deinit(AVFormatContext *s) +{ + AVIContext *avi = s->priv_data; + + av_packet_free(&avi->empty_packet); + + for (int i = 0; i < s->nb_streams; i++) { + AVIStream *avist = s->streams[i]->priv_data; + if (!avist) + continue; + for (int j = 0; j < avist->indexes.ents_allocated / AVI_INDEX_CLUSTER_SIZE; j++) + av_freep(&avist->indexes.cluster[j]); + av_freep(&avist->indexes.cluster); + avist->indexes.ents_allocated = avist->indexes.entry = 0; + } +} #define OFFSET(x) offsetof(AVIContext, x) #define ENC AV_OPT_FLAG_ENCODING_PARAM @@ -999,6 +1012,7 @@ AVOutputFormat ff_avi_muxer = { .audio_codec = CONFIG_LIBMP3LAME ? AV_CODEC_ID_MP3 : AV_CODEC_ID_AC3, .video_codec = AV_CODEC_ID_MPEG4, .init = avi_init, + .deinit = avi_deinit, // fix CVE-2020-22039 .write_header = avi_write_header, .write_packet = avi_write_packet, .write_trailer = avi_write_trailer, diff --git a/ffmpeg-y/libavformat/mpegenc.c b/ffmpeg-y/libavformat/mpegenc.c index 43ebc46e0e..836026a5f2 100755 --- a/ffmpeg-y/libavformat/mpegenc.c +++ b/ffmpeg-y/libavformat/mpegenc.c @@ -315,7 +315,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) if (ctx->packet_size < 20 || ctx->packet_size > (1 << 23) + 10) { av_log(ctx, AV_LOG_ERROR, "Invalid packet size %d\n", ctx->packet_size); - goto fail; + return AVERROR(EINVAL); // fix CVE-2020-22043 } s->packet_size = ctx->packet_size; } else 
@@ -343,7 +343,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) st = ctx->streams[i]; stream = av_mallocz(sizeof(StreamInfo)); if (!stream) - goto fail; + return AVERROR(ENOMEM); // fix CVE-2020-22043 st->priv_data = stream; avpriv_set_pts_info(st, 64, 1, 90000); @@ -377,11 +377,11 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) for (sr = 0; sr < 4; sr++) av_log(ctx, AV_LOG_INFO, " %d", lpcm_freq_tab[sr]); av_log(ctx, AV_LOG_INFO, "\n"); - goto fail; + return AVERROR(EINVAL); // fix CVE-2020-22043 } if (st->codecpar->channels > 8) { av_log(ctx, AV_LOG_ERROR, "At most 8 channels allowed for LPCM streams.\n"); - goto fail; + return AVERROR(EINVAL); // fix CVE-2020-22043 } stream->lpcm_header[0] = 0x0c; stream->lpcm_header[1] = (st->codecpar->channels - 1) | (j << 4); @@ -416,7 +416,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) st->codecpar->codec_id != AV_CODEC_ID_MP2 && st->codecpar->codec_id != AV_CODEC_ID_MP3) { av_log(ctx, AV_LOG_ERROR, "Unsupported audio codec. Must be one of mp1, mp2, mp3, 16-bit pcm_dvd, pcm_s16be, ac3 or dts.\n"); - goto fail; + return AVERROR(EINVAL); // fix CVE-2020-22043 } else { stream->id = mpa_id++; } @@ -460,7 +460,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) } stream->fifo = av_fifo_alloc(16); if (!stream->fifo) - goto fail; + return AVERROR(ENOMEM); // fix CVE-2020-22043 } bitrate = 0; audio_bitrate = 0; @@ -560,11 +560,6 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx) s->system_header_size = get_system_header_size(ctx); s->last_scr = AV_NOPTS_VALUE; return 0; - -fail: - for (i = 0; i < ctx->nb_streams; i++) - av_freep(&ctx->streams[i]->priv_data); - return AVERROR(ENOMEM); } static inline void put_timestamp(AVIOContext *pb, int id, int64_t timestamp) 
@@ -1255,11 +1250,19 @@ static int mpeg_mux_end(AVFormatContext *ctx) stream = ctx->streams[i]->priv_data; av_assert0(av_fifo_size(stream->fifo) == 0); - av_fifo_freep(&stream->fifo); } return 0; } +// fix CVE-2020-22043 +static void mpeg_mux_deinit(AVFormatContext *ctx) +{ + for (int i = 0; i < ctx->nb_streams; i++) { + StreamInfo *stream = ctx->streams[i]->priv_data; + av_fifo_freep(&stream->fifo); + } +} + #define OFFSET(x) offsetof(MpegMuxContext, x) #define E AV_OPT_FLAG_ENCODING_PARAM static const AVOption options[] = { @@ -1289,6 +1292,7 @@ AVOutputFormat ff_mpeg1system_muxer = { .write_header = mpeg_mux_init, .write_packet = mpeg_mux_write_packet, .write_trailer = mpeg_mux_end, + .deinit = mpeg_mux_deinit, .priv_class = &mpeg_class, }; #endif @@ -1305,6 +1309,7 @@ AVOutputFormat ff_mpeg1vcd_muxer = { .write_header = mpeg_mux_init, .write_packet = mpeg_mux_write_packet, .write_trailer = mpeg_mux_end, + .deinit = mpeg_mux_deinit, .priv_class = &vcd_class, }; #endif @@ -1322,6 +1327,7 @@ AVOutputFormat ff_mpeg2vob_muxer = { .write_header = mpeg_mux_init, .write_packet = mpeg_mux_write_packet, .write_trailer = mpeg_mux_end, + .deinit = mpeg_mux_deinit, .priv_class = &vob_class, }; #endif @@ -1340,6 +1346,7 @@ AVOutputFormat ff_mpeg2svcd_muxer = { .write_header = mpeg_mux_init, .write_packet = mpeg_mux_write_packet, .write_trailer = mpeg_mux_end, + .deinit = mpeg_mux_deinit, .priv_class = &svcd_class, }; #endif @@ -1358,6 +1365,7 @@ AVOutputFormat ff_mpeg2dvd_muxer = { .write_header = mpeg_mux_init, .write_packet = mpeg_mux_write_packet, .write_trailer = mpeg_mux_end, + .deinit = mpeg_mux_deinit, .priv_class = &dvd_class, }; #endif diff --git a/ffmpeg-y/libavformat/nutenc.c b/ffmpeg-y/libavformat/nutenc.c index 2c2334a69c..93cd0c3367 100755 --- a/ffmpeg-y/libavformat/nutenc.c +++ b/ffmpeg-y/libavformat/nutenc.c 
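Review bot: mpeg_mux_deinit dereferences `stream` without a NULL check, yet the rewritten mpeg_mux_init can now return before any `st->priv_data` has been assigned. This happens at the packet-size check and on a failed `av_mallocz`, and later failures leave the remaining streams unset. If deinit runs after such a failure, which is the reason for registering it, `&stream->fifo` is formed from a NULL pointer and `av_fifo_freep` reads through it. That turns a leak fix into a crash on the error path. avi_deinit in this same patch already skips streams that have no private data. Do the same here by adding `if (!stream) continue;` before the `av_fifo_freep(&stream->fifo);` line.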
@@ -1171,8 +1171,13 @@ static int nut_write_trailer(AVFormatContext *s) while (nut->header_count < 3) write_headers(s, bc); + // fix CVE-2020-22044 + if (!nut->sp_count) + return 0; + ret = avio_open_dyn_buf(&dyn_bc); - if (ret >= 0 && nut->sp_count) { + // fix CVE-2020-22044 + if (ret >= 0) { av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); diff --git a/ffmpeg-y/libavformat/wtvdec.c b/ffmpeg-y/libavformat/wtvdec.c index 706e8ca38d..67ec9994b9 100755 --- a/ffmpeg-y/libavformat/wtvdec.c +++ b/ffmpeg-y/libavformat/wtvdec.c @@ -993,8 +993,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { // fix CVE-2020-22049 + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file
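Review bot: A failure of `avio_open_dyn_buf` is still dropped in nut_write_trailer. When `ret < 0` the block is skipped, and unless the code after the hunk returns `ret`, the muxer reports success with no index written. Consider `if (ret < 0) return ret;` directly after the call, which also makes the `if (ret >= 0)` wrapper unnecessary. The two `// fix CVE-2020-22044` comments could be merged into one above the early return. The end of the function is outside the hunk.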