!13 合入ffmpeg开源软件漏洞处理

Merge pull request !13 from starfish/master
This commit is contained in:
openharmony_ci
2021-08-04 01:08:22 +00:00
committed by Gitee
22 changed files with 133 additions and 58 deletions
+2
View File
@@ -515,6 +515,7 @@ static void ffmpeg_cleanup(int ret)
}
av_freep(&fg->inputs);
for (j = 0; j < fg->nb_outputs; j++) {
avfilter_inout_free(&fg->outputs[j]->out_tmp); // fix CVE-2020-22042
av_freep(&fg->outputs[j]->name);
av_freep(&fg->outputs[j]->formats);
av_freep(&fg->outputs[j]->channel_layouts);
@@ -567,6 +568,7 @@ static void ffmpeg_cleanup(int ret)
ost->audio_channels_mapped = 0;
av_dict_free(&ost->sws_dict);
av_dict_free(&ost->swr_opts); // fix CVE-2020-22054
avcodec_free_context(&ost->enc_ctx);
avcodec_parameters_free(&ost->ref_par);
+4 -3
View File
@@ -2050,8 +2050,9 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx)
av_freep(&block->cpl_coord_exp);
av_freep(&block->cpl_coord_mant);
}
s->mdct_end(s);
// fix CVE-2020-22046
if (s->mdct_end)
s->mdct_end(s);
return 0;
}
@@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx)
ret = validate_options(s);
if (ret)
return ret;
goto init_fail; // fix CVE-2020-22046
avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks;
avctx->initial_padding = AC3_BLOCK_SIZE;
+11 -5
View File
@@ -312,6 +312,7 @@ static void v4l2_m2m_destroy_context(void *opaque, uint8_t *context)
sem_destroy(&s->refsync);
close(s->fd);
av_packet_unref(&s->buf_pkt); // fix CVE-2020-22038
av_free(s);
}
@@ -321,14 +322,19 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx)
V4L2m2mPriv *priv = avctx->priv_data;
V4L2m2mContext* s = priv->context;
int ret;
// fix CVE-2020-22038
if (!s)
return 0;
ret = ff_v4l2_context_set_status(&s->output, VIDIOC_STREAMOFF);
if (ret)
if (s->fd >= 0) {
ret = ff_v4l2_context_set_status(&s->output, VIDIOC_STREAMOFF);
if (ret)
av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->output.name);
ret = ff_v4l2_context_set_status(&s->capture, VIDIOC_STREAMOFF);
if (ret)
av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->capture.name);
ret = ff_v4l2_context_set_status(&s->capture, VIDIOC_STREAMOFF);
if (ret)
av_log(avctx, AV_LOG_ERROR, "VIDIOC_STREAMOFF %s\n", s->capture.name);
}
ff_v4l2_context_release(&s->output);
+3 -7
View File
@@ -187,12 +187,8 @@ static av_cold int v4l2_decode_init(AVCodecContext *avctx)
capture->av_pix_fmt = avctx->pix_fmt;
ret = ff_v4l2_m2m_codec_init(avctx);
if (ret) {
V4L2m2mPriv *priv = avctx->priv_data;
if (ret) { // fix CVE-2020-22038
av_log(avctx, AV_LOG_ERROR, "can't configure decoder\n");
s->self_ref = NULL;
av_buffer_unref(&priv->context_ref);
return ret;
}
@@ -228,8 +224,8 @@ AVCodec ff_ ## NAME ## _v4l2m2m_decoder = { \
.receive_frame = v4l2_receive_frame,\
.close = ff_v4l2_m2m_codec_end,\
.bsfs = bsf_name, \
.capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY | \
AV_CODEC_CAP_AVOID_PROBING, \
.capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING, \
.caps_internal = FF_CODEC_CAP_SETS_PKT_DTS | FF_CODEC_CAP_INIT_CLEANUP, \
.wrapper_name = "v4l2m2m", \
};
+1
View File
@@ -342,6 +342,7 @@ AVCodec ff_ ## NAME ## _v4l2m2m_encoder = { \
.receive_packet = v4l2_receive_packet,\
.close = ff_v4l2_m2m_codec_end,\
.capabilities = AV_CODEC_CAP_HARDWARE | AV_CODEC_CAP_DELAY, \
.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, \
.wrapper_name = "v4l2m2m", \
};
+1
View File
@@ -314,6 +314,7 @@ static av_cold void uninit(AVFilterContext *ctx)
int i;
av_freep(&s->splits);
av_frame_free(&s->xover); // fix CVE-2020-22056
for (i = 0; i < ctx->nb_outputs; i++)
av_freep(&ctx->output_pads[i].name);
+7 -4
View File
@@ -28,6 +28,7 @@ typedef struct TremoloContext {
double freq;
double depth;
double *table;
int table_size;
int index;
} TremoloContext;
@@ -72,7 +73,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
dst += channels;
src += channels;
s->index++;
if (s->index >= inlink->sample_rate / s->freq)
// fix CVE-2020-22026
if (s->index >= s->table_size)
s->index = 0;
}
@@ -124,12 +126,13 @@ static int config_input(AVFilterLink *inlink)
TremoloContext *s = ctx->priv;
const double offset = 1. - s->depth / 2.;
int i;
s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table));
// fix CVE-2020-22026
s->table_size = lrint(inlink->sample_rate / s->freq + 0.5);
s->table = av_malloc_array(s->table_size, sizeof(*s->table));
if (!s->table)
return AVERROR(ENOMEM);
for (i = 0; i < inlink->sample_rate / s->freq; i++) {
for (i = 0; i < s->table_size; i++) {
double env = s->freq * i / inlink->sample_rate;
env = sin(2 * M_PI * fmod(env + 0.25, 1.0));
s->table[i] = env * (1 - fabs(offset)) + offset;
+7
View File
@@ -57,6 +57,11 @@ static av_cold int init(AVFilterContext *ctx)
static av_cold void uninit(AVFilterContext *ctx)
{
ReverseContext *s = ctx->priv;
// fix CVE-2020-22040
while (s->nb_frames > 0) {
av_frame_free(&s->frames[s->nb_frames - 1]);
s->nb_frames--;
}
av_freep(&s->pts);
av_freep(&s->frames);
@@ -103,6 +108,7 @@ static int request_frame(AVFilterLink *outlink)
AVFrame *out = s->frames[s->nb_frames - 1];
out->pts = s->pts[s->flush_idx++];
ret = ff_filter_frame(outlink, out);
s->frames[s->nb_frames - 1] = NULL; // fix CVE-2020-22040
s->nb_frames--;
}
@@ -262,6 +268,7 @@ static int areverse_request_frame(AVFilterLink *outlink)
else
reverse_samples_packed(out);
ret = ff_filter_frame(outlink, out);
s->frames[s->nb_frames - 1] = NULL; // fix CVE-2020-22040
s->nb_frames--;
}
+1 -1
View File
@@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr,
\
src = s->buffer + x; \
ptr = buffer + x; \
for (i = 0; i <= radius; i++) { \
for (i = 0; i + radius < height && i <= radius; i++) { /* fix CVE-2020-22028 */ \
acc += src[(i + radius) * width]; \
count++; \
ptr[i * linesize] = acc / count; \
+6 -5
View File
@@ -706,8 +706,9 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs)
const int plane = td->plane;
const int width = s->planewidth[plane];
const int height = s->planeheight[plane];
const int block_pos_bottom = height - s->block_size;
const int block_pos_right = width - s->block_size;
// fix CVE-2020-22035
const int block_pos_bottom = FFMAX(0, height - s->block_size);
const int block_pos_right = FFMAX(0, width - s->block_size);
const int slice_start = (((height + block_step - 1) / block_step) * jobnr / nb_jobs) * block_step;
const int slice_end = (jobnr == nb_jobs - 1) ? block_pos_bottom + block_step :
(((height + block_step - 1) / block_step) * (jobnr + 1) / nb_jobs) * block_step;
@@ -795,9 +796,9 @@ static int config_input(AVFilterLink *inlink)
for (i = 0; i < s->nb_threads; i++) {
SliceContext *sc = &s->slices[i];
sc->num = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample));
sc->den = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample));
// fix CVE-2020-22035
sc->num = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample));
sc->den = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample));
if (!sc->num || !sc->den)
return AVERROR(ENOMEM);
+3 -3
View File
@@ -342,9 +342,9 @@ static int config_props(AVFilterLink *link)
if(yadif->mode&1)
link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1});
if (link->w < 3 || link->h < 3) {
av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n");
// fix CVE-2020-22036
if (link->w < 3 || link->h < 4) {
av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n");
return AVERROR(EINVAL);
}
+13 -2
View File
@@ -780,6 +780,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
res = av_frame_copy_props(out, in);
if (res < 0) {
av_frame_free(&in);
av_frame_free(&out); // fix CVE-2020-22048
return res;
}
@@ -839,13 +840,19 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
!s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] ||
!s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) {
uninit(ctx);
av_frame_free(&in); // fix CVE-2020-22048
av_frame_free(&out);
return AVERROR(ENOMEM);
}
s->rgb_sz = rgb_sz;
}
res = create_filtergraph(ctx, in, out);
if (res < 0)
// fix CVE-2020-22048
if (res < 0) {
av_frame_free(&in);
av_frame_free(&out);
return res;
}
s->rgb_stride = rgb_stride / sizeof(int16_t);
td.in = in;
td.out = out;
@@ -857,10 +864,14 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
td.out_linesize[2] = out->linesize[2];
td.in_ss_h = av_pix_fmt_desc_get(in->format)->log2_chroma_h;
td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h;
// fix CVE-2020-22048
if (s->yuv2yuv_passthrough) {
res = av_frame_copy(out, in);
if (res < 0)
if (res < 0) {
av_frame_free(&in);
av_frame_free(&out);
return res;
}
} else {
ctx->internal->execute(ctx, convert, &td, NULL,
FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx)));
+1 -1
View File
@@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink)
fm->tpitchy = FFALIGN(w, 16);
fm->tpitchuv = FFALIGN(w >> 1, 16);
fm->tbuffer = av_malloc(h/2 * fm->tpitchy);
fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); // fix CVE-2020-22020
fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) *
(((h + fm->blocky/2)/fm->blocky)+1) *
4 * sizeof(*fm->c_array));
+1 -1
View File
@@ -137,7 +137,7 @@ static int lagfun_frame16(AVFilterContext *ctx, void *arg, int jobnr, int nb_job
}
for (int y = slice_start; y < slice_end; y++) {
for (int x = 0; x < s->linesize[p]; x++)
for (int x = 0; x < s->linesize[p] / 2; x++)
dst[x] = FFMAX(src[x], osrc[x] * decay);
src += in->linesize[p] / 2;
+10
View File
@@ -108,6 +108,15 @@ static int request_frame(AVFilterLink *outlink)
return ret;
}
// fix CVE-2020-22041
static av_cold void uninit(AVFilterContext *ctx)
{
RandomContext *s = ctx->priv;
for (int i = 0; i < s->nb_frames; i++)
av_frame_free(&s->frames[i]);
}
static const AVFilterPad random_inputs[] = {
{
.name = "default",
@@ -132,6 +141,7 @@ AVFilter ff_vf_random = {
.priv_size = sizeof(RandomContext),
.priv_class = &random_class,
.init = init,
.uninit = uninit, // fix CVE-2020-22041
.inputs = random_inputs,
.outputs = random_outputs,
};
+1
View File
@@ -262,6 +262,7 @@ static av_cold void uninit(AVFilterContext *ctx)
{
TileContext *tile = ctx->priv;
av_frame_free(&tile->out_ref); // fix CVE-2020-22051
av_frame_free(&tile->prev_out_ref);
}
+3
View File
@@ -237,6 +237,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
size_t data_sz;
int i;
const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
// fix CVE-2020-22019
if (w < 3 || h < 3)
return AVERROR(EINVAL);
s->width = w;
s->height = h;
+10 -7
View File
@@ -111,6 +111,7 @@ static void filter_line_c(void *dst1,
}
#define MAX_ALIGN 8
// fix CVE-2020-22021
static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
int w, int prefs, int mrefs, int parity, int mode)
{
@@ -123,20 +124,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1,
uint8_t *next2 = parity ? cur : next;
const int edge = MAX_ALIGN - 1;
int offset = FFMAX(w - edge, 3);
/* Only edge pixels need to be processed here. A constant value of false
* for is_not_edge should let the compiler ignore the whole branch. */
FILTER(0, 3, 0)
FILTER(0, FFMIN(3, w), 0)
dst = (uint8_t*)dst1 + w - edge;
prev = (uint8_t*)prev1 + w - edge;
cur = (uint8_t*)cur1 + w - edge;
next = (uint8_t*)next1 + w - edge;
dst = (uint8_t*)dst1 + offset;
prev = (uint8_t*)prev1 + offset;
cur = (uint8_t*)cur1 + offset;
next = (uint8_t*)next1 + offset;
prev2 = (uint8_t*)(parity ? prev : cur);
next2 = (uint8_t*)(parity ? cur : next);
FILTER(w - edge, w - 3, 1)
FILTER(w - 3, w, 0)
FILTER(offset, w - 3, 1)
offset = FFMAX(offset, w - 3);
FILTER(offset, w, 0)
}
+19 -5
View File
@@ -909,7 +909,7 @@ static int avi_write_trailer(AVFormatContext *s)
AVIContext *avi = s->priv_data;
AVIOContext *pb = s->pb;
int res = 0;
int i, j, n, nb_frames;
int i, n, nb_frames;
int64_t file_size;
for (i = 0; i < s->nb_streams; i++) {
@@ -962,10 +962,6 @@ static int avi_write_trailer(AVFormatContext *s)
for (i = 0; i < s->nb_streams; i++) {
AVIStream *avist = s->streams[i]->priv_data;
for (j = 0; j < avist->indexes.ents_allocated / AVI_INDEX_CLUSTER_SIZE; j++)
av_freep(&avist->indexes.cluster[j]);
av_freep(&avist->indexes.cluster);
avist->indexes.ents_allocated = avist->indexes.entry = 0;
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
avio_seek(pb, avist->frames_hdr_strm + 4, SEEK_SET);
avio_wl32(pb, avist->max_size);
@@ -974,6 +970,23 @@ static int avi_write_trailer(AVFormatContext *s)
return res;
}
// fix CVE-2020-22039
static void avi_deinit(AVFormatContext *s)
{
AVIContext *avi = s->priv_data;
av_packet_free(&avi->empty_packet);
for (int i = 0; i < s->nb_streams; i++) {
AVIStream *avist = s->streams[i]->priv_data;
if (!avist)
continue;
for (int j = 0; j < avist->indexes.ents_allocated / AVI_INDEX_CLUSTER_SIZE; j++)
av_freep(&avist->indexes.cluster[j]);
av_freep(&avist->indexes.cluster);
avist->indexes.ents_allocated = avist->indexes.entry = 0;
}
}
#define OFFSET(x) offsetof(AVIContext, x)
#define ENC AV_OPT_FLAG_ENCODING_PARAM
@@ -999,6 +1012,7 @@ AVOutputFormat ff_avi_muxer = {
.audio_codec = CONFIG_LIBMP3LAME ? AV_CODEC_ID_MP3 : AV_CODEC_ID_AC3,
.video_codec = AV_CODEC_ID_MPEG4,
.init = avi_init,
.deinit = avi_deinit, // fix CVE-2020-22039
.write_header = avi_write_header,
.write_packet = avi_write_packet,
.write_trailer = avi_write_trailer,
+20 -12
View File
@@ -315,7 +315,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
if (ctx->packet_size < 20 || ctx->packet_size > (1 << 23) + 10) {
av_log(ctx, AV_LOG_ERROR, "Invalid packet size %d\n",
ctx->packet_size);
goto fail;
return AVERROR(EINVAL); // fix CVE-2020-22043
}
s->packet_size = ctx->packet_size;
} else
@@ -343,7 +343,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
st = ctx->streams[i];
stream = av_mallocz(sizeof(StreamInfo));
if (!stream)
goto fail;
return AVERROR(ENOMEM); // fix CVE-2020-22043
st->priv_data = stream;
avpriv_set_pts_info(st, 64, 1, 90000);
@@ -377,11 +377,11 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
for (sr = 0; sr < 4; sr++)
av_log(ctx, AV_LOG_INFO, " %d", lpcm_freq_tab[sr]);
av_log(ctx, AV_LOG_INFO, "\n");
goto fail;
return AVERROR(EINVAL); // fix CVE-2020-22043
}
if (st->codecpar->channels > 8) {
av_log(ctx, AV_LOG_ERROR, "At most 8 channels allowed for LPCM streams.\n");
goto fail;
return AVERROR(EINVAL); // fix CVE-2020-22043
}
stream->lpcm_header[0] = 0x0c;
stream->lpcm_header[1] = (st->codecpar->channels - 1) | (j << 4);
@@ -416,7 +416,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
st->codecpar->codec_id != AV_CODEC_ID_MP2 &&
st->codecpar->codec_id != AV_CODEC_ID_MP3) {
av_log(ctx, AV_LOG_ERROR, "Unsupported audio codec. Must be one of mp1, mp2, mp3, 16-bit pcm_dvd, pcm_s16be, ac3 or dts.\n");
goto fail;
return AVERROR(EINVAL); // fix CVE-2020-22043
} else {
stream->id = mpa_id++;
}
@@ -460,7 +460,7 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
}
stream->fifo = av_fifo_alloc(16);
if (!stream->fifo)
goto fail;
return AVERROR(ENOMEM); // fix CVE-2020-22043
}
bitrate = 0;
audio_bitrate = 0;
@@ -560,11 +560,6 @@ static av_cold int mpeg_mux_init(AVFormatContext *ctx)
s->system_header_size = get_system_header_size(ctx);
s->last_scr = AV_NOPTS_VALUE;
return 0;
fail:
for (i = 0; i < ctx->nb_streams; i++)
av_freep(&ctx->streams[i]->priv_data);
return AVERROR(ENOMEM);
}
static inline void put_timestamp(AVIOContext *pb, int id, int64_t timestamp)
@@ -1255,11 +1250,19 @@ static int mpeg_mux_end(AVFormatContext *ctx)
stream = ctx->streams[i]->priv_data;
av_assert0(av_fifo_size(stream->fifo) == 0);
av_fifo_freep(&stream->fifo);
}
return 0;
}
// fix CVE-2020-22043
static void mpeg_mux_deinit(AVFormatContext *ctx)
{
for (int i = 0; i < ctx->nb_streams; i++) {
StreamInfo *stream = ctx->streams[i]->priv_data;
av_fifo_freep(&stream->fifo);
}
}
#define OFFSET(x) offsetof(MpegMuxContext, x)
#define E AV_OPT_FLAG_ENCODING_PARAM
static const AVOption options[] = {
@@ -1289,6 +1292,7 @@ AVOutputFormat ff_mpeg1system_muxer = {
.write_header = mpeg_mux_init,
.write_packet = mpeg_mux_write_packet,
.write_trailer = mpeg_mux_end,
.deinit = mpeg_mux_deinit,
.priv_class = &mpeg_class,
};
#endif
@@ -1305,6 +1309,7 @@ AVOutputFormat ff_mpeg1vcd_muxer = {
.write_header = mpeg_mux_init,
.write_packet = mpeg_mux_write_packet,
.write_trailer = mpeg_mux_end,
.deinit = mpeg_mux_deinit,
.priv_class = &vcd_class,
};
#endif
@@ -1322,6 +1327,7 @@ AVOutputFormat ff_mpeg2vob_muxer = {
.write_header = mpeg_mux_init,
.write_packet = mpeg_mux_write_packet,
.write_trailer = mpeg_mux_end,
.deinit = mpeg_mux_deinit,
.priv_class = &vob_class,
};
#endif
@@ -1340,6 +1346,7 @@ AVOutputFormat ff_mpeg2svcd_muxer = {
.write_header = mpeg_mux_init,
.write_packet = mpeg_mux_write_packet,
.write_trailer = mpeg_mux_end,
.deinit = mpeg_mux_deinit,
.priv_class = &svcd_class,
};
#endif
@@ -1358,6 +1365,7 @@ AVOutputFormat ff_mpeg2dvd_muxer = {
.write_header = mpeg_mux_init,
.write_packet = mpeg_mux_write_packet,
.write_trailer = mpeg_mux_end,
.deinit = mpeg_mux_deinit,
.priv_class = &dvd_class,
};
#endif
+6 -1
View File
@@ -1171,8 +1171,13 @@ static int nut_write_trailer(AVFormatContext *s)
while (nut->header_count < 3)
write_headers(s, bc);
// fix CVE-2020-22044
if (!nut->sp_count)
return 0;
ret = avio_open_dyn_buf(&dyn_bc);
if (ret >= 0 && nut->sp_count) {
// fix CVE-2020-22044
if (ret >= 0) {
av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written
write_index(nut, dyn_bc);
put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE);
+3 -1
View File
@@ -993,8 +993,10 @@ static int read_header(AVFormatContext *s)
}
ret = parse_chunks(s, SEEK_TO_DATA, 0, 0);
if (ret < 0)
if (ret < 0) { // fix CVE-2020-22049
wtvfile_close(wtv->pb);
return ret;
}
avio_seek(wtv->pb, -32, SEEK_CUR);
timeline_pos = avio_tell(s->pb); // save before opening another file