File ffmpeg-5-CVE-2024-7272.patch of Package ffmpeg-5

From 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Thu, 8 Sep 2022 19:43:03 -0300
Subject: [PATCH] swsresample/swresample: error out on invalid layouts
References: CVE-2024-7272
References: bsc#1229261
Upstream: Backport from upstream

If it's unsupported or invalid, then there's no point trying to rebuild it
using a value that may have been derived from the same layout to begin with.

Move the checks before the attempts at copying the layout while at it.

Fixes ticket #9908.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libswresample/swresample.c | 48 +++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 16 deletions(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 6f04d130d3..5884f8d533 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -227,7 +227,7 @@ av_cold int swr_init(struct SwrContext *s){
             s->in_ch_layout.order       = AV_CHANNEL_ORDER_UNSPEC;
             s->in_ch_layout.nb_channels = s->user_in_ch_count;
         }
-    } else
+    } else if (av_channel_layout_check(&s->user_in_chlayout))
         av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout);
 
     if ((s->user_out_ch_count && s->user_out_ch_count != s->user_out_chlayout.nb_channels) ||
@@ -240,17 +240,45 @@ av_cold int swr_init(struct SwrContext *s){
             s->out_ch_layout.order       = AV_CHANNEL_ORDER_UNSPEC;
             s->out_ch_layout.nb_channels = s->user_out_ch_count;
         }
-    } else
+    } else if (av_channel_layout_check(&s->user_out_chlayout))
         av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout);
 
     if (!s->out.ch_count && !s->user_out_ch_layout)
         s->out.ch_count  = s->out_ch_layout.nb_channels;
     if (!s-> in.ch_count && !s-> user_in_ch_layout)
         s-> in.ch_count  = s->in_ch_layout.nb_channels;
+
+    if (!(ret = av_channel_layout_check(&s->in_ch_layout)) || s->in_ch_layout.nb_channels > SWR_CH_MAX) {
+        if (ret)
+            av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1));
+        av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : "");
+        return AVERROR(EINVAL);
+    }
+
+    if (!(ret = av_channel_layout_check(&s->out_ch_layout)) || s->out_ch_layout.nb_channels > SWR_CH_MAX) {
+        if (ret)
+            av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2));
+        av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : "");
+        return AVERROR(EINVAL);
+    }
 #else
     s->out.ch_count  = s-> user_out_chlayout.nb_channels;
     s-> in.ch_count  = s->  user_in_chlayout.nb_channels;
 
+    if (!(ret = av_channel_layout_check(&s->user_in_chlayout)) || s->user_in_chlayout.nb_channels > SWR_CH_MAX) {
+        if (ret)
+            av_channel_layout_describe(&s->user_in_chlayout, l1, sizeof(l1));
+        av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", ret ? l1 : "");
+        return AVERROR(EINVAL);
+    }
+
+    if (!(ret = av_channel_layout_check(&s->user_out_chlayout)) || s->user_out_chlayout.nb_channels > SWR_CH_MAX) {
+        if (ret)
+            av_channel_layout_describe(&s->user_out_chlayout, l2, sizeof(l2));
+        av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", ret ? l2 : "");
+        return AVERROR(EINVAL);
+    }
+
     ret  = av_channel_layout_copy(&s->in_ch_layout, &s->user_in_chlayout);
     ret |= av_channel_layout_copy(&s->out_ch_layout, &s->user_out_chlayout);
     if (ret < 0)
@@ -261,18 +289,6 @@ av_cold int swr_init(struct SwrContext *s){
 
     s->dither.method = s->user_dither_method;
 
-    if (!av_channel_layout_check(&s->in_ch_layout) || s->in_ch_layout.nb_channels > SWR_CH_MAX) {
-        av_channel_layout_describe(&s->in_ch_layout, l1, sizeof(l1));
-        av_log(s, AV_LOG_WARNING, "Input channel layout \"%s\" is invalid or unsupported.\n", l1);
-        av_channel_layout_uninit(&s->in_ch_layout);
-    }
-
-    if (!av_channel_layout_check(&s->out_ch_layout) || s->out_ch_layout.nb_channels > SWR_CH_MAX) {
-        av_channel_layout_describe(&s->out_ch_layout, l2, sizeof(l2));
-        av_log(s, AV_LOG_WARNING, "Output channel layout \"%s\" is invalid or unsupported.\n", l2);
-        av_channel_layout_uninit(&s->out_ch_layout);
-    }
-
     switch(s->engine){
 #if CONFIG_LIBSOXR
         case SWR_ENGINE_SOXR: s->resampler = &swri_soxr_resampler; break;
@@ -291,9 +307,9 @@ av_cold int swr_init(struct SwrContext *s){
         av_channel_layout_uninit(&s->in_ch_layout);
     }
 
-    if (!s->in_ch_layout.nb_channels || s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
+    if (s->in_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
         av_channel_layout_default(&s->in_ch_layout, s->used_ch_count);
-    if (!s->out_ch_layout.nb_channels || s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
+    if (s->out_ch_layout.order == AV_CHANNEL_ORDER_UNSPEC)
         av_channel_layout_default(&s->out_ch_layout, s->out.ch_count);
 
     s->rematrix = av_channel_layout_compare(&s->out_ch_layout, &s->in_ch_layout) ||
-- 
2.41.0

openSUSE Build Service is sponsored by