Fix potential vulnerabilities in cloned code #300

Closed

manh-td wants to merge 9 commits from manh-td/kolibrios:the-rest into main

pull from: manh-td/kolibrios:the-rest

merge into: KolibriOS:main

KolibriOS:main

KolibriOS:reshare-tweak

KolibriOS:rewrite-piano

KolibriOS:add-license-file-header-to-guide

KolibriOS:blocks-add-models

KolibriOS:shell-improve-cpuid

KolibriOS:rewrite_ide_drv

KolibriOS:refactor/links

KolibriOS:add_usbother

KolibriOS:webview-3.91

KolibriOS:qrcodegen

KolibriOS:ci/update

KolibriOS:floppybird-window-fix

KolibriOS:laser-tank-fix-win-height

KolibriOS:improvement/commit-and-branch-styles

KolibriOS:docs/libs

Conversation 3 Commits 9 Files Changed 6 +12 -4

manh-td commented 2025-12-22 04:34:42 +00:00

Contributor

Copy Link

This PR combines all unmerged PRs and fixes a potential security vulnerability inherited from FFmpeg/FFmpeg that lacked a security patch.

Vulnerability Details:

#297

• Orignal Fix
• CVE-2018-1999011

#296

• Original Fix
• CVE-2017-7862

#295

• Original Fix
• CVE-2017-14055

#294

• Original Fix
• CVE-2018-1582

#293

• Original Fix
• CVE-2020-12652

Please review and merge this PR to ensure your repository is protected against this vulnerability.

This PR combines all unmerged PRs and fixes a potential security vulnerability inherited from `FFmpeg/FFmpeg` that lacked a security patch. **Vulnerability Details:** https://git.kolibrios.org/KolibriOS/kolibrios/pulls/297 * [Orignal Fix](https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a582869) * [CVE-2018-1999011](https://nvd.nist.gov/vuln/detail/CVE-2018-1999011) https://git.kolibrios.org/KolibriOS/kolibrios/pulls/296 * [Original Fix](https://github.com/FFmpeg/FFmpeg/commit/8c2ea3030af7b40a3c4275696fb5c76cdb80950a) * [CVE-2017-7862](https://nvd.nist.gov/vuln/detail/CVE-2017-7862) https://git.kolibrios.org/KolibriOS/kolibrios/pulls/295 * [Original Fix](https://github.com/FFmpeg/FFmpeg/commit/4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) * [CVE-2017-14055](https://nvd.nist.gov/vuln/detail/CVE-2017-14055) https://git.kolibrios.org/KolibriOS/kolibrios/pulls/294 * [Original Fix](https://github.com/FFmpeg/FFmpeg/commit/6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10) * [CVE-2018-1582](https://nvd.nist.gov/vuln/detail/CVE-2018-15822) https://git.kolibrios.org/KolibriOS/kolibrios/pulls/293 * [Original Fix](https://github.com/FFmpeg/FFmpeg/commit/1e42736b95065c69a7481d0cf55247024f54b660) * [CVE-2020-12652](https://nvd.nist.gov/vuln/detail/CVE-2020-12652) Please review and merge this PR to ensure your repository is protected against this vulnerability.

manh-td added 9 commits 2025-12-22 04:34:42 +00:00

Check format for BGR24 cb1d476932

Check audio packet size 2727f1a5bd

Fix DoS due to lack of eof check f1b4023d99

Fix logic error e128a90e62

Check size_bmp more fully ca6b0f142c

Merge branch 'decode_frame' into the-rest 7b8cdc8ecf

Merge branch 'mv_read_header' into the-rest b353027ffa

Merge branch 'flv_write_packet' into the-rest 6586ad1cf1

Merge branch 'cdxl_decode_frame' into the-rest e70aa31c2d

Burer commented 2025-12-23 07:36:20 +00:00

Owner

Copy Link

Hello!
Are you sure all these fixes are compatible with current version of ffmpeg, present in KolibriOS.
And are you going to add some more fixes in future?
Looks like it will be better to directly port latest compatible version of ffmpeg (should be 2.8.22), and fully close this topic.

Hello! Are you sure all these fixes are compatible with current version of **ffmpeg**, present in **KolibriOS**. And are you going to add some more fixes in future? Looks like it will be better to directly port latest compatible version of **ffmpeg** (should be **2.8.22**), and fully close this topic.

Sweetbread requested changes 2025-12-23 08:52:30 +00:00

Sweetbread left a comment

Owner

Copy Link

Merge commits are prohibited

Merge commits are [prohibited](https://git.kolibrios.org/KolibriOS/kolibrios/src/branch/main/CONTRIBUTING.md#merge-commits)

mxlgv commented 2026-01-07 01:27:47 +00:00

Owner

Copy Link

All these security fixes make no sense for such a toy OS as KolbiriOS. By updating the ports of these libraries, all of these "security issues" will be resolved.

All these security fixes make no sense for such a toy OS as KolbiriOS. By updating the ports of these libraries, all of these "security issues" will be resolved.

mxlgv closed this pull request 2026-01-07 01:27:47 +00:00

mxlgv added the

Reviewed

Won't Fix

label 2026-01-07 01:28:37 +00:00

mxlgv referenced this pull request 2026-01-07 01:29:13 +00:00

Fix potential vulnerable cloned function #299

mxlgv referenced this pull request 2026-01-07 01:30:10 +00:00

Fix potential vulnerability in cloned code #297

mxlgv removed the

Reviewed

Won't Fix

label 2026-01-07 01:31:49 +00:00

mxlgv referenced this pull request 2026-01-07 01:32:31 +00:00

Fix potential vulnerability in cloned code #296

mxlgv referenced this pull request 2026-01-07 01:32:45 +00:00

Fix potential vulnerability in cloned code #295

mxlgv referenced this pull request 2026-01-07 01:32:59 +00:00

Fix potential vulnerability in cloned code #294

mxlgv referenced this pull request 2026-01-07 01:33:17 +00:00

Fix potential vulnerability in cloned code #293

mxlgv referenced this pull request 2026-01-07 01:35:42 +00:00

Remove offset pointer optimization in `inftrees.c` #292

All checks were successful

Hide all checks

Build system / Check kernel codestyle (pull_request) Successful in 2m24s

Required

Details

Build system / Build (pull_request) Successful in 16m46s

Required

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Sweetbread

Labels

Clear labels

C

Category/Applications

Category/Drivers

Category/General

Category/Kernel

Category/Libraries

Eolite

FASM

FS

GSoC

This issue in GSoC program

HardwareTested

HLL

Influence/Settings

Influence/Text/TYPO

IRCC

Kernel

Kind

Breaking

Breaking change that won't be backward compatible

Kind

Bug

Something is not working

Kind

Build

Kind

Documentation

Documentation changes

Kind

Enhancement

Improve existing functionality

Kind

Feature

New functionality

Kind

Security

This is security issue

Kind

Testing

Issue or pull request related to testing

Pay for the code

Paid task

PR

Conflicts

PR conflicts with main

PR

Dependent

This PR is dependent on another PR

Priority

Critical

The priority is critical

Priority

High

The priority is high

Priority

Low

The priority is low

Priority

Medium

The priority is medium

PR

Ready to merge

Pull request is ready for merge

PR

Request changes

Changes requested in pull request

PR

Review required

Reviewed

Confirmed

Issue has been confirmed

Reviewed

Duplicate

This issue or pull request already exists

Reviewed

Invalid

Invalid issue

Reviewed

Won't Fix

This issue won't be fixed

Status

Abandoned

Somebody has started to work on this but abandoned work

Status

Blocked

Something is blocking this issue or pull request

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ace-dent Burer Doczom dunkaist IgorA Leency mxlgv ramenu rgimad sdongles Sweetbread

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: KolibriOS/kolibrios#300

Allow edits from maintainers