From c6b74701eb790bb16eeab8a496fb42466097c01b Mon Sep 17 00:00:00 2001
From: lzq11122
Date: Wed, 12 Nov 2025 10:30:31 +0800
Subject: [PATCH] Add patch to fix CVE-2025-22919 and CVE-2025-22921
---
 0006-add-patch-to-CVE-2025-22921.patch | 29 ++++++++++++++++++++++++++
 1000-add-patch-to-CVE-2025-22919.patch | 28 +++++++++++++++++++++++++
 ffmpeg.spec | 9 +++++++-
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 0006-add-patch-to-CVE-2025-22921.patch
 create mode 100644 1000-add-patch-to-CVE-2025-22919.patch
diff --git a/0006-add-patch-to-CVE-2025-22921.patch b/0006-add-patch-to-CVE-2025-22921.patch
new file mode 100644
index 0000000..d87c8a3
--- /dev/null
+++ b/0006-add-patch-to-CVE-2025-22921.patch
@@ -0,0 +1,29 @@
+From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001
+From: James Almer
+Date: Wed, 1 Jan 2025 23:58:39 -0300
+Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it
+
+Fixes NULL pointer dereferences.
+Fixes ticket #11393.
+
+Reviewed-by: Michael Niedermayer
+Signed-off-by: James Almer
+---
+ libavcodec/jpeg2000dec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
+index e5e897a29f..b82d85d5ee 100644
+--- a/libavcodec/jpeg2000dec.c
++++ b/libavcodec/jpeg2000dec.c
+@@ -1521,6 +1521,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
+ }
+ }
+ av_freep(&cblk->lengthinc);
++ cblk->nb_lengthinc = 0;
+ }
+ }
+ // Save state of stream
+--
+2.25.1
+
diff --git a/1000-add-patch-to-CVE-2025-22919.patch b/1000-add-patch-to-CVE-2025-22919.patch
new file mode 100644
index 0000000..9c5d711
--- /dev/null
+++ b/1000-add-patch-to-CVE-2025-22919.patch
@@ -0,0 +1,28 @@
+From 594e73a52f82ade9eb0eb781f7c4a65d8e722234 Mon Sep 17 00:00:00 2001
+From: lzq11122
+Date: Tue, 11 Nov 2025 11:14:43 +0800
+Subject: [PATCH 1/1] add patch to CVE-2025-22919
+
+---
+ libavfilter/buffersrc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c
+index 453fc0f..bc0e054 100644
+--- a/libavfilter/buffersrc.c
++++ b/libavfilter/buffersrc.c
+@@ -400,7 +400,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
+ s->ch_layout = FF_COUNT2LAYOUT(s->channels);
+ av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf));
+ }
+-
++ if (s->sample_rate <= 0) {
++ av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n");
++ return AVERROR(EINVAL);
++ }
+ if (!s->time_base.num)
+ s->time_base = (AVRational){1, s->sample_rate};
+
+--
+2.43.5
+
diff --git a/ffmpeg.spec b/ffmpeg.spec
index 58bde38..70fa416 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -1,4 +1,4 @@
-%define anolis_release 7
+%define anolis_release 8
 %global av_codec_soversion 60
 %global av_device_soversion 60
@@ -28,6 +28,10 @@ Patch0003: 0003-fix-CVE-2023-49501.patch
 Patch0004: 0004-fix-CVE-2024-31578.patch
 # https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2
 Patch0005: 0005-fix-CVE-2024-31582.patch
+# https://git.ffmpeg.org/gitweb/ffmpeg.git/patch/7f9c7f9849a2155224711f0ff57ecdac6e4bfb57
+Patch0006: 0006-add-patch-to-CVE-2025-22921.patch
+# https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/a01eaecf6325cefab5b26e0d905df6662db37be1
+Patch1000: 1000-add-patch-to-CVE-2025-22919.patch
 BuildRequires: lame-devel >= 3.98.3
 BuildRequires: libtool
@@ -412,6 +416,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/examples
 %changelog
+* Wed Nov 12 2025 lzq11122 - 6.1.1-8
+- Add patch to fix CVE-2025-22919 and CVE-2025-22921
+
 * Thu Jul 3 2025 lzq11122 - 6.1.1-7
 - Rebuild for dav1d 1.4.0
-- Gitee
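Review bot: The embedded buffersrc.c patch in 1000-add-patch-to-CVE-2025-22919.patch carries only the packager's `From:`/`Subject:` header, with no description and no upstream commit id, so the change cannot be checked against upstream from the patch file alone; 0006 by contrast keeps the upstream author, message and ticket reference. The ffmpeg.spec comment already names the reference commit, so I would repeat it in the patch body, e.g. `Origin: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/a01eaecf6325cefab5b26e0d905df6662db37be1`, plus one line on what the check is for (presumably keeping a non-positive `sample_rate` out of `(AVRational){1, s->sample_rate}` on the following line). The inner hunk also deletes the blank separator and places the new `if` directly against `if (!s->time_base.num)`; a blank line after the closing `}` would match the surrounding layout. The enclosing function in buffersrc.c starts and ends outside the inner hunk.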
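Review bot: `Patch0006:` and `Patch1000:` are declared in the second ffmpeg.spec hunk, but no visible hunk touches %prep, so whether the two CVE fixes are actually applied at build time depends on spec lines outside this diff. If %prep uses `%autosetup -p1` they are picked up automatically; if it lists patches explicitly, matching `%patch -P 6 -p1` and `%patch -P 1000 -p1` lines are needed, otherwise the changelog entry would claim fixes that the built package does not contain. The jump from 0006 to 1000 is also unexplained; a one-line comment such as `# 1000+: downstream-authored backports` would document it, if that is the intent.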