From 628bfe878e0d9468b231369064d41000979a374d Mon Sep 17 00:00:00 2001
From: technology208
Date: Wed, 12 Jun 2024 14:02:29 +0800
Subject: [PATCH] fix CVE-2021-30145
---
 CVE-2021-30145.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++
 mpv.spec | 6 +++-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-30145.patch
diff --git a/CVE-2021-30145.patch b/CVE-2021-30145.patch
new file mode 100644
index 0000000..907ea1e
--- /dev/null
+++ b/CVE-2021-30145.patch
@@ -0,0 +1,75 @@
+From 150cceeb8e242367b53b16faf3974c74d8bea94b Mon Sep 17 00:00:00 2001
+From: Stefan Schiller
+Date: Wed, 12 Jun 2024 13:56:55 +0800
+Subject: [PATCH] demux_mf: improve format string processing
+
+Conflict:NA
+Reference:https://github.com/mpv-player/mpv/commit/d0c530919d8cd4d7a774e38ab064e0fabdae34e6
+
+---
+ demux/demux_mf.c | 39 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/demux/demux_mf.c b/demux/demux_mf.c
+index ef5a513..7148862 100644
+--- a/demux/demux_mf.c
++++ b/demux/demux_mf.c
+@@ -121,7 +121,8 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ goto exit_mf;
+ }
+
+- char *fname = talloc_size(mf, strlen(filename) + 32);
++ size_t fname_avail = strlen(filename) + 32;
++ char *fname = talloc_size(mf, fname_avail);
+
+ #if HAVE_GLOB
+ if (!strchr(filename, '%')) {
+@@ -148,10 +149,44 @@ static mf_t *open_mf_pattern(void *talloc_ctx, struct demuxer *d, char *filename
+ }
+ #endif
+
++ // We're using arbitrary user input as printf format with 1 int argument.
++ // Any format which uses exactly 1 int argument would be valid, but for
++ // simplicity we reject all conversion specifiers except %% and simple
++ // integer specifier: %[.][NUM]d where NUM is 1-3 digits (%.d is valid)
++ const char *f = filename;
++ int MAXDIGS = 3, nspec = 0, bad_spec = 0, c;
++
++ while (nspec < 2 && (c = *f++)) {
++ if (c != '%')
++ continue;
++ if (*f != '%') {
++ nspec++; // conversion specifier which isn't %%
++ if (*f == '.')
++ f++;
++ for (int ndig = 0; mp_isdigit(*f) && ndig < MAXDIGS; ndig++, f++)
++ /* no-op */;
++ if (*f != 'd') {
++ bad_spec++; // not int, or beyond our validation capacity
++ break;
++ }
++ }
++ // *f is '%' or 'd'
++ f++;
++ }
++
++ // nspec==0 (zero specifiers) is rejected because fname wouldn't advance.
++ if (bad_spec || nspec != 1) { ++ mp_err(log, "unsupported expr format: '%s'\n", filename); ++ goto exit_mf; ++ } ++ + mp_info(log, "search expr: %s\n", filename); + + while (error_count < 5) { +- sprintf(fname, filename, count++); ++ if (snprintf(fname, fname_avail, filename, count++) >= fname_avail) { ++ mp_err(log, "format result too long: '%s'\n", filename); ++ goto exit_mf; ++ } + if (!mp_path_exists(fname)) { + error_count++; + mp_verbose(log, "file not found: '%s'\n", fname); +-- +2.33.0 + diff --git a/mpv.spec b/mpv.spec index 704fb44..38a8c86 100644 --- a/mpv.spec +++ b/mpv.spec @@ -1,6 +1,6 @@ Name: mpv Version: 0.32.0 -Release: 2 +Release: 3 Summary: Movie player playing most video formats and DVDs License: GPLv2+ and LGPLv2+ URL: http://mpv.io/ @@ -14,6 +14,7 @@ Patch0: %{name}-config.patch Patch1: ppc_fix.patch # Fix pause conflicting Patch2: mpv-rename-local-function-conflicting-with-pause.patch +Patch3: CVE-2021-30145.patch BuildRequires: pkgconfig(alsa) BuildRequires: desktop-file-utils @@ -162,6 +163,9 @@ install -Dpm 644 README.md etc/input.conf etc/mpv.conf -t %{buildroot}%{_docdir} %{_libdir}/pkgconfig/mpv.pc %changelog +* Wed Jun 12 2024 technology208 - 0.32.0-3 +- fix CVE-2021-30145 + * Tue Aug 10 2021 weidong - 0.32.0-2 - rename local function conflicting with pause -- Gitee
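Review bot: The length check on the new `snprintf` call compares its `int` result directly with the `size_t fname_avail`, so a negative return (an encoding error) is rejected only because it converts to a large unsigned value, and the comparison trips `-Wsign-compare`; I would make the failure case explicit: `int n = snprintf(fname, fname_avail, filename, count++);` followed by `if (n < 0 || (size_t)n >= fname_avail) {`. The validator above it handles a trailing `%` or `%.` safely, since it breaks before the final `f++` and never reads past the terminator, so the only nit there is `MAXDIGS`, a mutable `int` spelled like a macro — `enum { MAXDIGS = 3 };` would say what it is. Both hunks sit inside open_mf_pattern, whose start and end lie outside this patch, so the glob branch that precedes the validator cannot be checked from here.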