commit bb506dff859ba56b6fb095375ec9f9760d3b27aa
Author: Leigh Scott <leigh123linux(a)googlemail.com>
Date: Tue Mar 19 16:30:32 2019 +0000
Patch to fix CVE-2019-9718 and CVE-2019-9721
...lsubtitles-Fixes-denial-of-service-due-to.patch | 65 ++++++++++++++++++++++
...lsubtitles-Fixes-denial-of-service-due-to.patch | 64 +++++++++++++++++++++
ffmpeg.spec | 13 ++++-
3 files changed, 141 insertions(+), 1 deletion(-)
---
diff --git a/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
b/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
new file mode 100644
index 0000000..99c2399
--- /dev/null
+++ b/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
@@ -0,0 +1,65 @@
+From 196ddaec4efa01ba7787e74864b6c6cc4d3389ff Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse via RT <security-reports(a)semmle.com>
+Date: Wed, 6 Feb 2019 11:29:22 +0000
+Subject: [PATCH 1/2] avcodec/htmlsubtitles: Fixes denial of service due to use
+ of sscanf in inner loop for tag scaning
+
+Fixes: [Semmle Security Reports #19438]
+Fixes: dos_sscanf1.mkv
+
+Signed-off-by: Michael Niedermayer <michael(a)niedermayer.cc>
+---
+ libavcodec/htmlsubtitles.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
+index fb9f900422..c0cfccfb16 100644
+--- a/libavcodec/htmlsubtitles.c
++++ b/libavcodec/htmlsubtitles.c
+@@ -74,6 +74,34 @@ struct font_tag {
+ uint32_t color;
+ };
+
++/*
++ * Fast code for scanning the rest of a tag. Functionally equivalent to
++ * this sscanf call:
++ *
++ * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
++ */
++static int scantag(const char* in, char* buffer, int* lenp) {
++ int len;
++
++ for (len = 0; len < 128; len++) {
++ const char c = *in++;
++ switch (c) {
++ case '\0':
++ return 0;
++ case '<':
++ return 0;
++ case '>':
++ buffer[len] = '\0';
++ *lenp = len+1;
++ return 1;
++ default:
++ break;
++ }
++ buffer[len] = c;
++ }
++ return 0;
++}
++
+ /*
+ * The general politic of the convert is to mask unsupported tags or formatting
+ * errors (but still alert the user/subtitles writer with an error/warning)
+@@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char
*in)
+
+ len = 0;
+
+- if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer,
&len) >= 1 && len > 0) {
++ if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
+ const int skip = len + tag_close;
+ const char *tagname = buffer;
+ while (*tagname == ' ') {
+--
+2.21.0
+
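Review bot: scantag in the new patch file is not the drop-in replacement its header comment claims: `%127[^<>]` needs at least one matched character, so an empty tag `<>` made the old condition false, whereas scantag returns 1 with `*lenp = 1` and an empty buffer, and the `len > 0` guard at the call site no longer filters it out. Whether the downstream tagname handling copes with an empty name is not visible in this hunk; if the old behaviour is the intended one, `if (len == 0) return 0;` at the top of the `'>'` case restores it. The comment also says the sscanf call returned `== 2`, but `%n` does not count towards sscanf's return value and the replaced call site compared `>= 1`, so the comment should read `>= 1 && len > 0`. Since this is a backport of an upstream commit, any such correction belongs upstream rather than as a downstream divergence in the carried patch.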
diff --git a/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
b/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
new file mode 100644
index 0000000..4345ee2
--- /dev/null
+++ b/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
@@ -0,0 +1,64 @@
+From 783c8679887eb0a7b1c5f4df8fd92d936e475db9 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse via RT <security-reports(a)semmle.com>
+Date: Wed, 6 Feb 2019 12:56:01 +0000
+Subject: [PATCH 2/2] avcodec/htmlsubtitles: Fixes denial of service due to use
+ of sscanf in inner loop for handling braces
+
+Fixes: [Semmle Security Reports #19439]
+Fixes: dos_sscanf2.mkv
+
+Signed-off-by: Michael Niedermayer <michael(a)niedermayer.cc>
+---
+ libavcodec/htmlsubtitles.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
+index c0cfccfb16..d9221ba16b 100644
+--- a/libavcodec/htmlsubtitles.c
++++ b/libavcodec/htmlsubtitles.c
+@@ -24,6 +24,7 @@
+ #include "libavutil/common.h"
+ #include "libavutil/parseutils.h"
+ #include "htmlsubtitles.h"
++#include <ctype.h>
+
+ static int html_color_parse(void *log_ctx, const char *str)
+ {
+@@ -44,14 +45,32 @@ static void rstrip_spaces_buf(AVBPrint *buf)
+ buf->str[--buf->len] = 0;
+ }
+
++/*
++ * Fast code for scanning text enclosed in braces. Functionally
++ * equivalent to this sscanf call:
++ *
++ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
++ */
++static int scanbraces(const char* in) {
++ if (strncmp(in, "{\\an", 4) != 0) {
++ return 0;
++ }
++ if (!isdigit(in[4])) {
++ return 0;
++ }
++ if (in[5] != '}') {
++ return 0;
++ }
++ return 1;
++}
++
+ /* skip all {\xxx} substrings except for {\an%d}
+ and all microdvd like styles such as {Y:xxx} */
+ static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int
*closing_brace_missing)
+ {
+- int len = 0;
+ const char *in = *inp;
+
+- *an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len >
0;
++ *an += scanbraces(in);
+
+ if (!*closing_brace_missing) {
+ if ( (*an != 1 && in[1] == '\\')
+--
+2.21.0
+
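Review bot: `isdigit(in[4])` in scanbraces passes a plain `char`; subtitle text commonly carries UTF-8, and where `char` is signed a byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions (only `unsigned char` values and EOF are valid). The line should read `if (!isdigit((unsigned char)in[4])) {`. The function is also documented as equivalent to `sscanf(in, "{\\an%*1u}%n", &len)`, but `%u` skips leading whitespace, so an input like `{\an 1}` matched before and is rejected now; that is arguably the stricter and intended parse, but the comment should state the difference rather than claim equivalence. The added `#include <ctype.h>` sits after the project headers rather than with whatever system includes precede them outside the hunk, which is a style nit only.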
diff --git a/ffmpeg.spec b/ffmpeg.spec
index 13400a8..d2f3a0f 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -68,7 +68,7 @@
Summary: Digital VCR and streaming server
Name: ffmpeg%{?flavor}
Version: 3.4.5
-Release: 2%{?date}%{?date:git}%{?rel}%{?dist}
+Release: 3%{?date}%{?date:git}%{?rel}%{?dist}
License: %{ffmpeg_license}
URL:
http://ffmpeg.org/
%if 0%{?date}
@@ -78,6 +78,12 @@ Source0:
http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
%endif
#Backport patch for arm neon
Patch0: 0001-arm-Fix-SIGBUS-on-ARM-when-compiled-with-binutils-2..patch
+#
https://nvd.nist.gov/vuln/detail/CVE-2019-9718
+#
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf...
+Patch1: 0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
+#
https://nvd.nist.gov/vuln/detail/CVE-2019-9721
+#
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc...
+Patch2: 0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?_with_cuda:BuildRequires: cuda-driver-dev-%{_cuda_rpm_version}
cuda-misc-headers-%{_cuda_rpm_version} cuda-drivers-devel%{_isa}}
%{?_with_libnpp:BuildRequires: cuda-cudart-dev-%{_cuda_rpm_version}
cuda-nvcc-%{_cuda_rpm_version} cuda-misc-headers-%{_cuda_rpm_version}
cuda-npp-dev-%{_cuda_rpm_version}}
@@ -296,6 +302,8 @@ echo "git-snapshot-%{?branch}%{date}-rpmfusion" >
VERSION
%endif
# backport patch for arm neon
%patch0 -p1
+%patch1 -p1 -b .CVE-2019-9718
+%patch2 -p1 -b .CVE-2019-9721
# fix -O3 -g in host_cflags
sed -i "s|check_host_cflags -O3|check_host_cflags %{optflags}|" configure
mkdir -p _doc/examples
@@ -402,6 +410,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
%changelog
+* Tue Mar 19 2019 Leigh Scott <leigh123linux(a)googlemail.com> - 3.4.5-3
+- Patch to fix CVE-2019-9718 and CVE-2019-9721
+
* Thu Jan 24 2019 Nicolas Chauvet <kwizart(a)gmail.com> - 3.4.5-2
- Enable libopus but disable encoder - rhbz#5147
- Backport various fixes from newer branches