Merge #32126: ffmpeg-3.4: fix CVE CVE-2017-16840

NixOS · Nov 28, 2017 · c917950 · c917950
2 parents c06c2cd + 64d8cc7
commit c917950
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -238,7 +238,15 @@ stdenv.mkDerivation rec {
     sha256 = "1vzvpx8ixy8m44f8qwp833hv253hpghybgzbc4n8b3div3j0dvmf";
   };
 
-  patchPhase = ''patchShebangs .
+  patchPhase = let
+    cve_2017_16840_patch = (fetchurl{
+      name = "CVE-2017-16840.patch";
+      url = "http://git.videolan.org/?p=ffmpeg.git;a=patch;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74";
+      sha256 = "1rjr9lc71cyy43wsa2zxb9ygya292h9jflvr5wk61nf0vp97gjg3";
+    });
+  in
+  '' patch -p1 < ${cve_2017_16840_patch}
+     patchShebangs .
   '' + stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 's/#ifndef __MAC_10_11/#if 1/' ./libavcodec/audiotoolboxdec.c
   '' + stdenv.lib.optionalString (frei0r != null) ''

diff --git a/pkgs/development/libraries/ffmpeg/3.4.nix b/pkgs/development/libraries/ffmpeg/3.4.nix
@@ -1,4 +1,4 @@
-{ stdenv, callPackage
+{ stdenv, callPackage, fetchpatch
 # Darwin frameworks
 , Cocoa, CoreMedia
 , ...
@@ -9,4 +9,13 @@ callPackage ./generic.nix (args // rec {
   branch = "3.4";
   sha256 = "0pn8g3ab937ahslqd41crk0g4j4fh7kwimsrlfc0rl0pc3z132ax";
   darwinFrameworks = [ Cocoa CoreMedia ];
+
+  patches = [
+    (fetchpatch{
+      name = "CVE-2017-16840.patch";
+      url = "http://git.videolan.org/?p=ffmpeg.git;a=patch;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74";
+      sha256 = "1rjr9lc71cyy43wsa2zxb9ygya292h9jflvr5wk61nf0vp97gjg3";
+    })
+  ];
+
 })