!67 [sync] PR-64: fix CVE-2023-51798

From: @openeuler-sync-bot 
Reviewed-by: @technology208 
Signed-off-by: @technology208

CVE-2020-35964.patch

@@ -0,0 +1,68 @@
+diff -Naru ffmpeg-4.2.4/libavformat/vividas.c ffmpeg-4.2.4-new/libavformat/vividas.c
+--- ffmpeg-4.2.4/libavformat/vividas.c	2022-05-24 10:57:25.967425000 +0800
++++ ffmpeg-4.2.4-new/libavformat/vividas.c	2022-05-24 11:07:17.698072000 +0800
+@@ -27,7 +27,7 @@
+  * @author Andrzej Szombierski [qq at kuku eu org] (2010-07)
+  * @sa http://wiki.multimedia.cx/index.php?title=Vividas_VIV
+  */
+-
++#include "libavutil/avassert.h"
+ #include "libavutil/intreadwrite.h"
+ #include "avio_internal.h"
+ #include "avformat.h"
+@@ -278,7 +278,7 @@
+ 
+ static int track_header(VividasDemuxContext *viv, AVFormatContext *s,  uint8_t *buf, int size)
+ {
+-    int i,j;
++    int i, j, ret;
+     int64_t off;
+     int val_1;
+     int num_video;
+@@ -372,7 +372,7 @@
+ 
+         if (avio_tell(pb) < off) {
+             int num_data;
+-            int xd_size = 0;
++            int xd_size = 1;
+             int data_len[256];
+             int offset = 1;
+             uint8_t *p;
+@@ -387,24 +387,19 @@
+                     return AVERROR_INVALIDDATA;
+                 }
+                 data_len[j] = len;
+-                xd_size += len;
++                xd_size += len + 1 + len/255;
+             }
+ 
+-            st->codecpar->extradata_size = 64 + xd_size + xd_size / 255;
+-            if (ff_alloc_extradata(st->codecpar, st->codecpar->extradata_size)) {
+-                av_free(pb);
+-                return AVERROR(ENOMEM);
+-            }
++            ret = ff_alloc_extradata(st->codecpar, xd_size);
++            if (ret < 0)
++                return ret;
+ 
+             p = st->codecpar->extradata;
+             p[0] = 2;
+ 
+             for (j = 0; j < num_data - 1; j++) {
+                 unsigned delta = av_xiphlacing(&p[offset], data_len[j]);
+-                if (delta > data_len[j]) {
+-                    av_free(pb);
+-                    return AVERROR_INVALIDDATA;
+-                }
++                av_assert0(delta <= xd_size - offset);
+                 offset += delta;
+             }
+ 
+@@ -415,6 +410,7 @@
+                     av_freep(&st->codecpar->extradata);
+                     break;
+                 }
++                av_assert0(data_len[j] <= xd_size - offset);
+                 offset += data_len[j];
+             }
+ 

CVE-2021-3566.patch

@@ -0,0 +1,56 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
++++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+ 
++static int isansicode(int x)
++{
++    return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
++}
++
++static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
++
+ typedef struct TtyDemuxContext {
+     AVClass *class;
+     int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+     AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+ 
++static int read_probe(const AVProbeData *p)
++{
++    int cnt = 0;
++
++    for (int i = 0; i < p->buf_size; i++)
++        cnt += !!isansicode(p->buf[i]);
++
++    return (cnt * 100LL / p->buf_size) * (cnt > 400) *
++        !!av_match_ext(p->filename, tty_extensions);
++}
++
+ /**
+  * Parse EFI header
+  */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+     .name           = "tty",
+     .long_name      = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+     .priv_data_size = sizeof(TtyDemuxContext),
++    .read_probe     = read_probe,
+     .read_header    = read_header,
+     .read_packet    = read_packet,
+-    .extensions     = "ans,art,asc,diz,ice,nfo,txt,vt",
++    .extensions     = tty_extensions,
+     .priv_class     = &tty_demuxer_class,
+ };

CVE-2021-38114.patch

@@ -0,0 +1,45 @@
+diff -Naru ffmpeg-4.2.4/libavcodec/dnxhddec.c ffmpeg-4.2.4-new/libavcodec/dnxhddec.c
+--- ffmpeg-4.2.4/libavcodec/dnxhddec.c	2022-05-24 10:57:19.937425000 +0800
++++ ffmpeg-4.2.4-new/libavcodec/dnxhddec.c	2022-05-24 10:59:49.141810000 +0800
+@@ -111,6 +111,7 @@
+ 
+ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth)
+ {
++    int ret;
+     if (cid != ctx->cid) {
+         int index;
+ 
+@@ -130,19 +131,26 @@
+         ff_free_vlc(&ctx->dc_vlc);
+         ff_free_vlc(&ctx->run_vlc);
+ 
+-        init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
++        if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257,
+                  ctx->cid_table->ac_bits, 1, 1,
+-                 ctx->cid_table->ac_codes, 2, 2, 0);
+-        init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
++                 ctx->cid_table->ac_codes, 2, 2, 0)) < 0)
++            goto out;
++        if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12,
+                  ctx->cid_table->dc_bits, 1, 1,
+-                 ctx->cid_table->dc_codes, 1, 1, 0);
+-        init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
++                 ctx->cid_table->dc_codes, 1, 1, 0)) < 0)
++            goto out;
++        if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62,
+                  ctx->cid_table->run_bits, 1, 1,
+-                 ctx->cid_table->run_codes, 2, 2, 0);
++                 ctx->cid_table->run_codes, 2, 2, 0)) < 0)
++            goto out;
+ 
+         ctx->cid = cid;
+     }
+-    return 0;
++    ret = 0;
++out:
++    if (ret < 0)
++        av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n");
++    return ret;
+ }
+ 
+ static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx)

CVE-2021-38291.patch

@@ -0,0 +1,50 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+
+Fixes ticket #9312
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
++    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+                                     avctx->channels, avctx->block_align,
+                                     avctx->codec_tag, avctx->bits_per_coded_sample,
+                                     avctx->bit_rate, avctx->extradata, avctx->frame_size,
+                                     frame_bytes);
++    return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
++    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+                                     par->channels, par->block_align,
+                                     par->codec_tag, par->bits_per_coded_sample,
+                                     par->bit_rate, par->extradata, par->frame_size,
+                                     frame_bytes);
++    return FFMAX(0, duration);
+ }
+ 
+ #if !HAVE_THREADS
+-- 
+2.20.1
+

CVE-2023-51794.patch

@@ -0,0 +1,25 @@
+From a80f53d91fc1d3c523b4660a4f7ca3ede82f0bd8 Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Wed, 19 Jun 2024 14:48:11 +0800
+Subject: [PATCH] Fix CVE-2023-51794
+
+---
+ libavfilter/af_stereowiden.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c
+index d23c8db..3d7b5bb 100644
+--- a/libavfilter/af_stereowiden.c
++++ b/libavfilter/af_stereowiden.c
+@@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink)
+ 
+     s->length = s->delay * inlink->sample_rate / 1000;
+     s->length *= 2;
++    if (s->length == 0)
++	return AVERROR(EINVAL);
+     s->buffer = av_calloc(s->length, sizeof(*s->buffer));
+     if (!s->buffer)
+         return AVERROR(ENOMEM);
+-- 
+2.43.0
+

CVE-2024-31578.patch

@@ -0,0 +1,43 @@
+From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili <zhilizhao@tencent.com>
+Date: Wed, 1 May 2024 18:08:51 +0800
+Subject: [PATCH]  avutil/hwcontext: Don't assume frames_uninit is reentrant.
+Fix heap use after free when vulkan_frames_init failed.
+
+Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index f1e404a..3b99b8a 100644
+--- a/libavutil/hwcontext.c
++++ b/libavutil/hwcontext.c
+@@ -358,7 +358,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->internal->hw_type->frames_init) {
+         ret = ctx->internal->hw_type->frames_init(ctx);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+ 
+     if (ctx->internal->pool_internal && !ctx->pool)
+@@ -368,14 +368,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->initial_pool_size > 0) {
+         ret = hwframe_pool_prealloc(ref);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+ 
+     return 0;
+-fail:
+-    if (ctx->internal->hw_type->frames_uninit)
+-        ctx->internal->hw_type->frames_uninit(ctx);
+-    return ret;
+ }
+ 
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+-- 
+2.23.0
+

ffmpeg.spec

@@ -1,24 +1,5 @@
 # Cuda and others are only available on some arches
 %global cuda_arches x86_64
-
-%if 0%{?el7}
-%global _without_aom      1
-%global _without_dav1d    1
-%global _without_frei0r   1
-%global _without_opus     1
-%global _without_srt      1
-%global _without_vpx      1
-%endif
-
-%if 0%{?fedora} || 0%{?rhel} > 7
-%if 0%{?rhel} > 7
-%ifarch x86_64 i686
-%endif
-%endif
-%ifarch x86_64
-%endif
-%endif
-
 # flavor nonfree
 %if 0%{?_with_cuda:1}
 %global debug_package %{nil}
@@ -80,7 +61,7 @@ ExclusiveArch: armv7hnl
 Summary:        Digital VCR and streaming server
 Name:           ffmpeg%{?flavor}
 Version:        4.2.4
-Release:        1
+Release:        7
 License:        %{ffmpeg_license}
 URL:            http://ffmpeg.org/
 %if 0%{?date}
@@ -90,6 +71,13 @@ Source0:        http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
 %endif
 Patch0:         fix_ppc_build.patch
 Patch1:         fix-vmaf-model-path.patch
+Patch2:         CVE-2021-3566.patch
+Patch3:         CVE-2021-38291.patch
+Patch4:         CVE-2021-38114.patch
+Patch5:         CVE-2020-35964.patch
+Patch6:         CVE-2024-31578.patch
+Patch7:         CVE-2023-51794.patch
+Patch8:         fix-CVE-2023-51798.patch
 Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
 %{?_with_libnpp:BuildRequires: pkgconfig(nppc-%{_cuda_version})}
@@ -196,6 +184,7 @@ This package contains the libraries for %{name}
 %package     -n libavdevice%{?flavor}
 Summary:        Special devices muxing/demuxing library
 Requires:       %{name}-libs%{_isa} = %{version}-%{release}
+Requires:	jack-audio-connection-kit
 
 %description -n libavdevice%{?flavor}
 Libavdevice is a complementary library to libavf "libavformat". It provides
@@ -421,5 +410,23 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 
 
 %changelog
+* Tue Jun 25 2024 happyworker <208suo@208suo.com> - 4.2.4-7
+- Fix CVE-2023-51798
+
+* Wed Jun 19 2024 happyworker <208suo@208suo.com> - 4.2.4-6
+- Fix CVE-2023-51794
+
+* Wed May 01 2024 cenhuilin <cenhuilin@kylinos.cn> - 4.2.4-5
+- fix CVE-2024-31578
+
+* Thu Jun 2 2022 yangweidong <yangweidong9@huawei.com> - 4.2.4-4
+- Fix CVE-2021-38114 and CVE-2020-35964
+
+* Sat Sep 04 2021 guoxiaoqi <guoxiaoqi2@huawei.com> - 4.2.4-3
+- Fix CVE-2021-3566 and CVE-2021-38291
+
+* Tue Jul 20 2021 weidong <weidong@uniontech.com> - 4.2.4-2
+- Fix requires conflict
+
 * Fri May 07 2021 weidong <weidong@uniontech.com> - 4.2.4-1
 - Initial package.

fix-CVE-2023-51798.patch

@@ -0,0 +1,33 @@
+From faedf9f8ef5b657064ecf6af8d1ba767ada60bf4 Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Tue, 25 Jun 2024 10:58:39 +0800
+Subject: [PATCH] fix-CVE-2023-51798
+
+---
+ libavfilter/vf_minterpolate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c
+index b0bb238..745987c 100644
+--- a/libavfilter/vf_minterpolate.c
++++ b/libavfilter/vf_minterpolate.c
+@@ -1086,9 +1086,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out)
+     pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den,
+                                    (int64_t)             outlink->time_base.den * inlink->time_base.num);
+ 
+-    alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+-    alpha = av_clip(alpha, 0, ALPHA_MAX);
+-
++    if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {
++        alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
++        alpha = av_clip(alpha, 0, ALPHA_MAX);
++    } else {
++        av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n");
++        alpha = 0;
++    }
+     if (alpha == 0 || alpha == ALPHA_MAX) {
+         av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf);
+         return;
+-- 
+2.43.0
+