[notify] ffmpeg: CVE-2018-6621 closes FS#1581

2018-02-07 18:20:14 +11:00 · 2018-02-07 18:20:14 +11:00 · 91773e40ee
commit 91773e40ee
parent f5e44ed35b
4 changed files with 21 additions and 4 deletions
--- a/ffmpeg/.md5sum
+++ b/ffmpeg/.md5sum
@ -1,2 +1,3 @@
+5e0c5cca88620751af75ce7a219b5b09  CVE-2018-6621.patch
 bbf3fcded80c33968c91bf323a744286  ffmpeg-3.4.1.tar.bz2
 dae0c10c99399580c929fc100e79faef  ffmpeg-x264-10bit.sh
--- a/ffmpeg/.signature
+++ b/ffmpeg/.signature
@ -1,6 +1,7 @@
 untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF3/q/HTqDYuPVkPLXCqSg5s0Xlw/0KBw1nBtA13pgd0SYJ9Icm5OCEuTto6+vnUetzQtYLbcvRbKdTowr0/tLLwI=
-SHA256 (Pkgfile) = 00461a23cccf3da23b382be6273ba844f794633976f2a3034d6059abc5e8d6bd
+RWSagIOpLGJF3wYh+oQIJbx0WSoQpCT6i1GSDkuKl7IZOamNm4WWhu0zaBE2I5NJJpNYrxHmn5duvTE7aAuBZEpOHWHDx5KjtQo=
+SHA256 (Pkgfile) = aef3aa9d55efc42256094b9d9c2fe6b8398910ee4f6d8387559f14fc85b85e9e
 SHA256 (.footprint) = 2b74837c5c830b52d0bb6f4258bdf7c2e4dd56982b9f9455248b8195b970d1cb
 SHA256 (ffmpeg-3.4.1.tar.bz2) = f3443e20154a590ab8a9eef7bc951e8731425efc75b44ff4bee31d8a7a574a2c
 SHA256 (ffmpeg-x264-10bit.sh) = dde9627c41800235fbcfe0f74d2181be96239a82cd2d0d277715dddb57eb9cb3
+SHA256 (CVE-2018-6621.patch) = e3b9aff1fe9aef2d7153d7517f9c349beef27c2859bf1fb01076eeab263a445e
--- a/ffmpeg/CVE-2018-6621.patch
+++ b/ffmpeg/CVE-2018-6621.patch
@ -0,0 +1,11 @@
+--- a/libavcodec/utvideodec.c	2017-12-11 05:35:09.000000000 +0800
+++ b/libavcodec/utvideodec.c	2018-02-06 15:54:54.872000000 +0800
+@@ -561,7 +561,7 @@ static int decode_frame(AVCodecContext *
+             for (j = 0; j < c->slices; j++) {
+                 slice_end   = bytestream2_get_le32u(&gb);
+                 if (slice_end < 0 || slice_end < slice_start ||
+-                    bytestream2_get_bytes_left(&gb) < slice_end) {
+                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
+                     av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
+                     return AVERROR_INVALIDDATA;
+                 }
--- a/ffmpeg/Pkgfile
+++ b/ffmpeg/Pkgfile
@ -7,13 +7,17 @@

 name=ffmpeg
 version=3.4.1
-release=1
+release=2
 source=(https://ffmpeg.org/releases/$name-$version.tar.bz2
-	ffmpeg-x264-10bit.sh)
+	ffmpeg-x264-10bit.sh
+	CVE-2018-6621.patch)

 build() {
 	cd $name-$version

+	#https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6621
+	patch -p1 -i $SRC/CVE-2018-6621.patch
+
 [ -e '/usr/lib/pkgconfig/libwebp.pc' ] && PKGMK_FFMPEG+=' --enable-libwebp'
 [ -e '/usr/lib/pkgconfig/vdpau.pc' ] && PKGMK_FFMPEG+=' --enable-vdpau'
 [ -e '/usr/lib/pkgconfig/freetype2.pc' ] && PKGMK_FFMPEG+=' --enable-libfreetype'