Fix ffmpeg cve and Secure compilation
shenwei41 committed Jun 26, 2024
1 parent e38d127 commit ea477d1
Showing 4 changed files with 194 additions and 2 deletions.
21 changes: 19 additions & 2 deletions cmake/external_libs/ffmpeg.cmake
@@ -1,4 +1,5 @@
set(FFMPEG_FLAGS
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
set(FFMPEG_FLAGS
--disable-programs
--disable-doc
--disable-postproc
@@ -8,7 +9,20 @@ set(FFMPEG_FLAGS
--disable-static
--enable-shared
--disable-x86asm
)
--extra-cflags="-D_FORTIFY_SOURCE=2 -fstack-protector-all"
--extra-ldflags="-Wl,-z,relro,-z,now")
else()
set(FFMPEG_FLAGS
--disable-programs
--disable-doc
--disable-postproc
--disable-decoder=av1
--disable-libxcb
--disable-hwaccels
--disable-static
--enable-shared
--disable-x86asm)
endif()

set(REQ_URL "https://ffmpeg.org/releases/ffmpeg-5.1.2.tar.gz")
set(SHA256 "87fe8defa37ce5f7449e36047171fed5e4c3f4bb73eaccea8c954ee81393581c")
@@ -36,6 +50,9 @@ else()
LIBS avcodec avdevice avfilter avformat avutil swresample swscale
URL ${REQ_URL}
SHA256 ${SHA256}
PATCHES ${TOP_DIR}/third_party/patch/ffmpeg/CVE-2022-3964.patch
PATCHES ${TOP_DIR}/third_party/patch/ffmpeg/CVE-2022-3965.patch
PATCHES ${TOP_DIR}/third_party/patch/ffmpeg/CVE-2023-47342.patch
CONFIGURE_COMMAND ./configure ${FFMPEG_FLAGS}
)

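Review bot: The two hardening options in the Linux branch are written as `--extra-cflags="-D_FORTIFY_SOURCE=2 -fstack-protector-all"` inside an unquoted `set()` argument, and CMake keeps such embedded double quotes as literal characters of the list element. Whether `./configure` then receives one clean option depends on how the package helper runs `CONFIGURE_COMMAND`, which is not visible here; if no shell is involved, the quote characters travel into FFmpeg's CFLAGS and the flags may be split or mis-applied without the build failing. Quoting the whole element instead, `"--extra-cflags=-D_FORTIFY_SOURCE=2 -fstack-protector-all"` and `--extra-ldflags=-Wl,-z,relro,-z,now`, avoids that, and inspecting the built shared libraries for a stack canary, full RELRO and BIND_NOW would confirm the options took effect. The `else()` list also appears to repeat the common options verbatim; setting the common list once and adding the two Linux options with `list(APPEND FFMPEG_FLAGS ...)` would keep the branches from drifting.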
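--- a/third_party/patch/ffmpeg/CVE-2022-3964.patch
+++ b/third_party/patch/ffmpeg/CVE-2022-3964.patch
@@ -0,0 +1,72 @@
+diff -Npur ffmpeg-5.1.2/libavcodec/rpzaenc.c ffmpeg-5.1.2-change/libavcodec/rpzaenc.c
+--- ffmpeg-5.1.2/libavcodec/rpzaenc.c 2022-07-23 01:58:39.000000000 +0800
++++ ffmpeg-5.1.2-change/libavcodec/rpzaenc.c 2024-06-25 15:56:07.594394836 +0800
+@@ -205,7 +205,7 @@ static void get_max_component_diff(Block
+
+// loop thru and compare pixels
+for (y = 0; y < bi->block_height; y++) {
+- for (x = 0; x < bi->block_width; x++){
++ for (x = 0; x < bi->block_width; x++) {
+// TODO: optimize
+min_r = FFMIN(R(block_ptr[x]), min_r);
+min_g = FFMIN(G(block_ptr[x]), min_g);
+@@ -277,7 +277,7 @@ static int leastsquares(uint16_t *block_
+return -1;
+
+for (i = 0; i < bi->block_height; i++) {
+- for (j = 0; j < bi->block_width; j++){
++ for (j = 0; j < bi->block_width; j++) {
+x = GET_CHAN(block_ptr[j], xchannel);
+y = GET_CHAN(block_ptr[j], ychannel);
+sumx += x;
+@@ -324,7 +324,7 @@ static int calc_lsq_max_fit_error(uint16
+int max_err = 0;
+
+for (i = 0; i < bi->block_height; i++) {
+- for (j = 0; j < bi->block_width; j++){
++ for (j = 0; j < bi->block_width; j++) {
+int x_inc, lin_y, lin_x;
+x = GET_CHAN(block_ptr[j], xchannel);
+y = GET_CHAN(block_ptr[j], ychannel);
+@@ -419,7 +419,9 @@ static void update_block_in_prev_frame(c
+uint16_t *dest_pixels,
+const BlockInfo *bi, int block_counter)
+{
+- for (int y = 0; y < 4; y++) {
++ const int y_size = FFMIN(4, bi->image_height - bi->row * 4);
++
++ for (int y = 0; y < y_size; y++) {
+memcpy(dest_pixels, src_pixels, 8);
+dest_pixels += bi->rowstride;
+src_pixels += bi->rowstride;
+@@ -729,14 +731,15 @@ post_skip :
+
+if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK
+uint16_t *row_ptr;
+- int rgb555;
++ int y_size, rgb555;
+
+block_offset = get_block_info(&bi, block_counter);
+
+row_ptr = &src_pixels[block_offset];
++ y_size = FFMIN(4, bi.image_height - bi.row * 4);
+
+- for (int y = 0; y < 4; y++) {
+- for (int x = 0; x < 4; x++){
++ for (int y = 0; y < y_size; y++) {
++ for (int x = 0; x < 4; x++) {
+rgb555 = row_ptr[x] & ~0x8000;
+
+put_bits(&s->pb, 16, rgb555);
+@@ -744,6 +747,11 @@ post_skip :
+row_ptr += bi.rowstride;
+}
+
++ for (int y = y_size; y < 4; y++) {
++ for (int x = 0; x < 4; x++)
++ put_bits(&s->pb, 16, 0);
++ }
++
+block_counter++;
+} else { // FOUR COLOR BLOCK
+block_counter += encode_four_color_block(min_color, max_color,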
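Review bot: The three backport files added by this commit (this one, CVE-2022-3965.patch and CVE-2023-47342.patch) carry no record of where the fix came from: each starts directly at `diff -Npur ffmpeg-5.1.2/... ffmpeg-5.1.2-change/...` with a local 2024-06-25 timestamp, so a later audit cannot compare the backport with the upstream FFmpeg change it is meant to reproduce. A short header above the `diff` line, for example `Backport of FFmpeg commit <upstream-commit-id> for CVE-2022-3964, adapted to 5.1.2`, would make that comparison possible; `patch` ignores text before the first file header. In this file the hunks at -205, -277 and -324 only change `){` to `) {`, and dropping them would leave just the two `y_size` hunks that bound the row loops and shrink the surface on which the patch can fail to apply.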
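--- a/third_party/patch/ffmpeg/CVE-2022-3965.patch
+++ b/third_party/patch/ffmpeg/CVE-2022-3965.patch
@@ -0,0 +1,91 @@
+diff -Npur ffmpeg-5.1.2/libavcodec/smcenc.c ffmpeg-5.1.2-change/libavcodec/smcenc.c
+--- ffmpeg-5.1.2/libavcodec/smcenc.c 2022-07-23 01:58:39.000000000 +0800
++++ ffmpeg-5.1.2-change/libavcodec/smcenc.c 2024-06-25 17:07:00.100640653 +0800
+@@ -61,6 +61,7 @@ typedef struct SMCContext {
+{ \
+row_ptr += stride * 4; \
+pixel_ptr = row_ptr; \
++ cur_y += 4; \
+} \
+} \
+}
+@@ -117,6 +118,7 @@ static void smc_encode_stream(SMCContext
+const uint8_t *prev_pixels = (const uint8_t *)s->prev_frame->data[0];
+uint8_t *distinct_values = s->distinct_values;
+const uint8_t *pixel_ptr, *row_ptr;
++ const int height = frame->height;
+const int width = frame->width;
+uint8_t block_values[16];
+int block_counter = 0;
+@@ -125,13 +127,14 @@ static void smc_encode_stream(SMCContext
+int color_octet_index = 0;
+int color_table_index; /* indexes to color pair, quad, or octet tables */
+int total_blocks;
++ int cur_y = 0;
+
+memset(s->color_pairs, 0, sizeof(s->color_pairs));
+memset(s->color_quads, 0, sizeof(s->color_quads));
+memset(s->color_octets, 0, sizeof(s->color_octets));
+
+/* Number of 4x4 blocks in frame. */
+- total_blocks = ((frame->width + 3) / 4) * ((frame->height + 3) / 4);
++ total_blocks = ((width + 3) / 4) * ((height + 3) / 4);
+
+pixel_ptr = row_ptr = src_pixels;
+
+@@ -145,11 +148,13 @@ static void smc_encode_stream(SMCContext
+int cache_index;
+int distinct = 0;
+int blocks = 0;
++ int frame_y = cur_y;
+
+while (prev_pixels && s->key_frame == 0 && block_counter + inter_skip_blocks < total_blocks) {
++ const int y_size = FFMIN(4, height - cur_y);
+int compare = 0;
+
+- for (int y = 0; y < 4; y++) {
++ for (int y = 0; y < y_size; y++) {
+const ptrdiff_t offset = pixel_ptr - src_pixels;
+const uint8_t *prev_pixel_ptr = prev_pixels + offset;
+
+@@ -170,8 +175,10 @@ static void smc_encode_stream(SMCContext
+
+pixel_ptr = xpixel_ptr;
+row_ptr = xrow_ptr;
++ cur_y = frame_y;
+
+while (block_counter > 0 && block_counter + intra_skip_blocks < total_blocks) {
++ const int y_size = FFMIN(4, height - cur_y);
+const ptrdiff_t offset = pixel_ptr - src_pixels;
+const int sy = offset / stride;
+const int sx = offset % stride;
+@@ -180,7 +187,7 @@ static void smc_encode_stream(SMCContext
+const uint8_t *old_pixel_ptr = src_pixels + nx + ny * stride;
+int compare = 0;
+
+- for (int y = 0; y < 4; y++) {
++ for (int y = 0; y < y_size; y++) {
+compare |= memcmp(old_pixel_ptr + y * stride, pixel_ptr + y * stride, 4);
+if (compare)
+break;
+@@ -197,9 +204,11 @@ static void smc_encode_stream(SMCContext
+
+pixel_ptr = xpixel_ptr;
+row_ptr = xrow_ptr;
++ cur_y = frame_y;
+
+while (block_counter + coded_blocks < total_blocks && coded_blocks < 256) {
+- for (int y = 0; y < 4; y++)
++ const int y_size = FFMIN(4, height - cur_y);
++ for (int y = 0; y < y_size; y++)
+memcpy(block_values + y * 4, pixel_ptr + y * stride, 4);
+
+qsort(block_values, 16, sizeof(block_values[0]), smc_cmp_values);
+@@ -224,6 +233,7 @@ static void smc_encode_stream(SMCContext
+
+pixel_ptr = xpixel_ptr;
+row_ptr = xrow_ptr;
++ cur_y = frame_y;
+
+blocks = coded_blocks;
+distinct = coded_distinct;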
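Review bot: In the `coded_blocks` loop the copy into `block_values` is now limited to `y_size` rows, but the next statement is still `qsort(block_values, 16, ...)`, so for a bottom-edge block with `y_size < 4` the remaining entries hold whatever an earlier block left there, or indeterminate stack bytes on the first block because `uint8_t block_values[16];` has no initialiser. The out-of-bounds frame read is gone, but stale or uninitialised values are still sorted and presumably counted as colours by the code after the `qsort`, which is outside the hunk. Clearing the array before the copy loop with `memset(block_values, 0, sizeof(block_values));` would make the result deterministic; sorting only the filled entries is the alternative, if the later code can take a shorter count. `smc_encode_stream` starts and ends outside the visible hunks.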
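--- a/third_party/patch/ffmpeg/CVE-2023-47342.patch
+++ b/third_party/patch/ffmpeg/CVE-2023-47342.patch
@@ -0,0 +1,12 @@
+diff -Npur ffmpeg-5.1.2/libavformat/rtsp.c ffmpeg-5.1.2-change/libavformat/rtsp.c
+--- ffmpeg-5.1.2/libavformat/rtsp.c 2022-07-23 01:58:39.000000000 +0800
++++ ffmpeg-5.1.2-change/libavformat/rtsp.c 2024-06-25 16:37:03.333689422 +0800
+@@ -409,7 +409,7 @@ static void parse_fmtp(AVFormatContext *
+if (rtsp_st->sdp_payload_type == payload_type &&
+rtsp_st->dynamic_handler &&
+rtsp_st->dynamic_handler->parse_sdp_a_line) {
+- rtsp_st->dynamic_handler->parse_sdp_a_line(s, i,
++ rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index,
+rtsp_st->dynamic_protocol_context, line);
+}
+}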
