commit ef0722abaf01a9d9feb509269e182939c2aff589
Author: Leigh Scott <leigh123linux(a)googlemail.com>
Date: Tue Mar 19 16:22:35 2019 +0000
Patch to fix CVE-2019-9718 and CVE-2019-9721
...lsubtitles-Fixes-denial-of-service-due-to.patch | 65 ++++++++++++++++++++++
...lsubtitles-Fixes-denial-of-service-due-to.patch | 64 +++++++++++++++++++++
ffmpeg.spec | 13 ++++-
3 files changed, 141 insertions(+), 1 deletion(-)
---
diff --git a/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
b/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
new file mode 100644
index 0000000..472703c
--- /dev/null
+++ b/0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
@@ -0,0 +1,65 @@
+From a9896ec11780ce78ec4cfe8f5ff534b6e0d06737 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse via RT <security-reports(a)semmle.com>
+Date: Wed, 6 Feb 2019 11:29:22 +0000
+Subject: [PATCH 1/2] avcodec/htmlsubtitles: Fixes denial of service due to use
+ of sscanf in inner loop for tag scaning
+
+Fixes: [Semmle Security Reports #19438]
+Fixes: dos_sscanf1.mkv
+
+Signed-off-by: Michael Niedermayer <michael(a)niedermayer.cc>
+---
+ libavcodec/htmlsubtitles.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
+index fb9f900422..c0cfccfb16 100644
+--- a/libavcodec/htmlsubtitles.c
++++ b/libavcodec/htmlsubtitles.c
+@@ -74,6 +74,34 @@ struct font_tag {
+ uint32_t color;
+ };
+
++/*
++ * Fast code for scanning the rest of a tag. Functionally equivalent to
++ * this sscanf call:
++ *
++ * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
++ */
++static int scantag(const char* in, char* buffer, int* lenp) {
++ int len;
++
++ for (len = 0; len < 128; len++) {
++ const char c = *in++;
++ switch (c) {
++ case '\0':
++ return 0;
++ case '<':
++ return 0;
++ case '>':
++ buffer[len] = '\0';
++ *lenp = len+1;
++ return 1;
++ default:
++ break;
++ }
++ buffer[len] = c;
++ }
++ return 0;
++}
++
+ /*
+ * The general politic of the convert is to mask unsupported tags or formatting
+ * errors (but still alert the user/subtitles writer with an error/warning)
+@@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char
*in)
+
+ len = 0;
+
+- if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer,
&len) >= 1 && len > 0) {
++ if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
+ const int skip = len + tag_close;
+ const char *tagname = buffer;
+ while (*tagname == ' ') {
+--
+2.21.0
+
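Review bot: `scantag` diverges from the sscanf it claims to mirror when the first scanned character is `>`: the `case '>'` branch fires with `len == 0`, stores an empty string, sets `*lenp = 1` and returns 1, whereas `%127[^<>]` fails on zero matched characters, so the old `>= 1 && len > 0` test rejected an empty tag body and the new `scantag(...) && len > 0` call accepts it with an empty `tagname`. If that is unintended, `case '>': if (len == 0) return 0;` restores the previous behaviour; otherwise the header comment should say the empty case is accepted deliberately. The hard-coded `128` is also silently coupled to the caller's `buffer`, which is declared outside this hunk; a comment such as `/* buffer must hold 128 bytes, matching the old "%127[^<>]" */` or a size parameter would make that visible. The caller `ff_htmlmarkup_to_ass` starts and ends outside the hunk.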
diff --git a/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
b/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
new file mode 100644
index 0000000..7790b19
--- /dev/null
+++ b/0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
@@ -0,0 +1,64 @@
+From 8074a9457936ccd989a61799530f0c1fb463a486 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse via RT <security-reports(a)semmle.com>
+Date: Wed, 6 Feb 2019 12:56:01 +0000
+Subject: [PATCH 2/2] avcodec/htmlsubtitles: Fixes denial of service due to use
+ of sscanf in inner loop for handling braces
+
+Fixes: [Semmle Security Reports #19439]
+Fixes: dos_sscanf2.mkv
+
+Signed-off-by: Michael Niedermayer <michael(a)niedermayer.cc>
+---
+ libavcodec/htmlsubtitles.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
+index c0cfccfb16..d9221ba16b 100644
+--- a/libavcodec/htmlsubtitles.c
++++ b/libavcodec/htmlsubtitles.c
+@@ -24,6 +24,7 @@
+ #include "libavutil/common.h"
+ #include "libavutil/parseutils.h"
+ #include "htmlsubtitles.h"
++#include <ctype.h>
+
+ static int html_color_parse(void *log_ctx, const char *str)
+ {
+@@ -44,14 +45,32 @@ static void rstrip_spaces_buf(AVBPrint *buf)
+ buf->str[--buf->len] = 0;
+ }
+
++/*
++ * Fast code for scanning text enclosed in braces. Functionally
++ * equivalent to this sscanf call:
++ *
++ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
++ */
++static int scanbraces(const char* in) {
++ if (strncmp(in, "{\\an", 4) != 0) {
++ return 0;
++ }
++ if (!isdigit(in[4])) {
++ return 0;
++ }
++ if (in[5] != '}') {
++ return 0;
++ }
++ return 1;
++}
++
+ /* skip all {\xxx} substrings except for {\an%d}
+ and all microdvd like styles such as {Y:xxx} */
+ static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int
*closing_brace_missing)
+ {
+- int len = 0;
+ const char *in = *inp;
+
+- *an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len >
0;
++ *an += scanbraces(in);
+
+ if (!*closing_brace_missing) {
+ if ( (*an != 1 && in[1] == '\\')
+--
+2.21.0
+
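Review bot: `isdigit(in[4])` in `scanbraces` passes a plain `char`; where `char` is signed, any byte above 0x7F in the subtitle text (untrusted input, UTF-8 is common) becomes a negative value other than EOF, which is undefined behaviour for the `<ctype.h>` functions. The portable form is `if (!isdigit((unsigned char)in[4]))`, or `av_isdigit` from libavutil/avstring.h if that header is available in this file. The comment's equivalence claim is also slightly off: `%*1u` skips leading whitespace and accepts a sign, while the new code requires an ASCII digit directly after `{\an` — stricter, which is fine, but worth stating in the comment so nobody "fixes" it back. `handle_open_brace` continues past the end of the hunk.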
diff --git a/ffmpeg.spec b/ffmpeg.spec
index f883962..f226dc3 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -89,7 +89,7 @@ ExclusiveArch: armv7hnl
Summary: Digital VCR and streaming server
Name: ffmpeg%{?flavor}
Version: 4.0.3
-Release: 3%{?date}%{?date:git}%{?rel}%{?dist}
+Release: 4%{?date}%{?date:git}%{?rel}%{?dist}
License: %{ffmpeg_license}
URL:
http://ffmpeg.org/
%if 0%{?date}
@@ -102,6 +102,12 @@ Source0:
http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
Patch0: avcodec-libaomenc-remove-AVOption-related-to-frame-p.patch
# Backport from master to allow vmaf 1.3.9
Patch1: 87cc7e8d4ef8fa643d8d4822525b9c95cc9e7307.patch
+#
https://nvd.nist.gov/vuln/detail/CVE-2019-9718
+#
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf...
+Patch2: 0001-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
+#
https://nvd.nist.gov/vuln/detail/CVE-2019-9721
+#
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc...
+Patch3: 0002-avcodec-htmlsubtitles-Fixes-denial-of-service-due-to.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
%{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})}
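Review bot: The upstream commit ids cited in the new `Patch2`/`Patch3` comments (`1f00c97bc3475…`, `894995c41e0795…`) differ from the ids in the `From` lines of the added patch files (`a9896ec11780ce78…`, `8074a9457936ccd9…`), so the spec does not tell a reader which branch the backports were taken from or how they relate to the referenced commits. Recording that next to each patch, e.g. `# backport of <upstream-commit-id> from <branch> (TODO confirm)`, keeps the provenance auditable and makes it clear when the patches can be dropped on the next rebase.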
@@ -328,6 +334,8 @@ echo "git-snapshot-%{?branch}%{date}-rpmfusion" >
VERSION
%endif
%patch0 -p1 -b .aom_build_fix
%patch1 -p1 -b .vmaf_build
+%patch2 -p1 -b .CVE-2019-9718
+%patch3 -p1 -b .CVE-2019-9721
# fix -O3 -g in host_cflags
sed -i "s|check_host_cflags -O3|check_host_cflags %{optflags}|" configure
mkdir -p _doc/examples
@@ -434,6 +442,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
%changelog
+* Tue Mar 19 2019 Leigh Scott <leigh123linux(a)googlemail.com> - 4.0.3-4
+- Patch to fix CVE-2019-9718 and CVE-2019-9721
+
* Fri Jan 25 2019 Dominik Mierzejewski <rpm(a)greysector.net> - 4.0.3-3
- Enable libssh support by default (rfbz#5135)