[FFmpeg-trac] #9155(avcodec:new): Backporting of fixes for CVE-2020-35965/oss-fuzz issue 26532 to FFmpeg 4.3

FFmpeg trac at avcodec.org
Wed Mar 17 14:11:02 EET 2021


#9155: Backporting of fixes for CVE-2020-35965/oss-fuzz issue 26532 to FFmpeg 4.3
----------------------------------+---------------------------------------
             Reporter:  diabonas  |                     Type:  defect
               Status:  new       |                 Priority:  normal
            Component:  avcodec   |                  Version:  unspecified
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+---------------------------------------
 I have a question regarding the backporting of the fixes for
 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35965
 CVE-2020-35965], also tracked as
 [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26532
 oss-fuzz issue 26532], to the FFmpeg 4.3 branch.

 According to the CVE description and the oss-fuzz issue details, this
 vulnerability is fixed by two commits,
 [https://github.com/FFmpeg/FFmpeg/commit/b0a8b40294ea212c1938348ff112ef1b9bf16bb3
 b0a8b40294ea212c1938348ff112ef1b9bf16bb3 ("avcodec/exr: skip bottom
 clearing loop when its outside the image")] and
 [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
 3e5959b3457f7f1856d997261e6ac672bba49e8b ("avcodec/exr: Check ymin vs.
 h")].

 However, only the latter seems to have been backported to the release/4.3
 branch (as commit
 [https://github.com/FFmpeg/FFmpeg/commit/a53ffb15d8ae9bed14041b4cf62e436852e95431
 a53ffb15d8ae9bed14041b4cf62e436852e95431]) and thus has been included in
 the FFmpeg 4.3.2 release. Is this correct, or does the former commit need
 to be backported as well?

--
Ticket URL: <https://trac.ffmpeg.org/ticket/9155>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

