From 89e163bf6bcae93629b5cfba63b9a8752e5a1394 Mon Sep 17 00:00:00 2001
From: fandeyuan
Date: Tue, 9 Sep 2025 16:48:41 +0800
Subject: [PATCH] Add check for av_malloc_array() and av_calloc()
---
 CVE-2025-7700.patch | 42 ++++++++++++++++++++++++++++++++++++++++++
 ffmpeg.spec | 7 ++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-7700.patch
diff --git a/CVE-2025-7700.patch b/CVE-2025-7700.patch
new file mode 100644
index 0000000..7794b20
--- /dev/null
+++ b/CVE-2025-7700.patch
@@ -0,0 +1,42 @@
+libavcodec/alsdec.c: Add check for av_malloc_array() and av_calloc()
+
+Add check for the return value of av_malloc_array() and av_calloc()
+to avoid potential NULL pointer dereference.
+
+Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data
+decoding")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Michael Niedermayer
+---
+ libavcodec/alsdec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 28f2079..3dbab0d 100644
+--- a/libavcodec/alsdec.c
++++ b/libavcodec/alsdec.c
+@@ -2119,8 +2119,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
+ ctx->mlz = av_mallocz(sizeof(*ctx->mlz));
+
+- if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value
+- || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
++ if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value
++ || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
+ av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
+ return AVERROR(ENOMEM);
+ }
+@@ -2132,6 +2132,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
+
+ for (c = 0; c < channels; ++c) {
+ ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa));
++ if (!ctx->raw_mantissa[c]) {
++ av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
++ return AVERROR(ENOMEM);
++ }
+ }
+ }
+
+--
+2.43.0
+
diff --git a/ffmpeg.spec b/ffmpeg.spec
index ce0588b..17a3cbb 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -73,7 +73,7 @@ Summary: Digital VCR and streaming server
 Name: ffmpeg%{?flavor}
 Version: 7.1
-Release: 11
+Release: 12
 License: GPL-3.0-or-later
 URL: https://ffmpeg.org/
 Source0: https://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
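Review bot: The `return AVERROR(ENOMEM);` added inside the per-channel loop of the embedded patch's second alsdec.c hunk exits while `ctx->raw_mantissa[0..c-1]`, `ctx->nbits`, `ctx->mlz` and the other buffers are still allocated, and nothing in the hunk releases them. That is leak-free only if the decoder's close callback runs after a failed init (presumably via `FF_CODEC_CAP_INIT_CLEANUP`) and tolerates NULL entries in `raw_mantissa`. decode_init starts and ends outside the hunk and the codec registration is not visible, so confirm this against the 7.1 tree being patched. A one-line comment on the new branch would record the assumption, for example `/* freed by the close callback on init failure */`.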
@@ -93,6 +93,8 @@ Patch12: fix-CVE-2025-22919.patch
 Patch13: backport-fix-h264idct-rvv.patch
 # https://github.com/FFmpeg/FFmpeg/commit/e29432e6bbb6184d3ff2c7d1e070e9424cb25fe6
 Patch14: backport-riscv-fix-compilation-without-Vector-support.patch
+# https://github.com/FFmpeg/FFmpeg/commit/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07
+Patch15: CVE-2025-7700.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
@@ -416,6 +418,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 %{_libdir}/lib*.so
 %changelog
+* Tue Sep 09 2025 Deyuan Fan - 7.1-12
+- fix-CVE-2025-7700
+
 * Sun Aug 17 2025 yoo - 7.1-11
 - Fix: RISC-V compilation without Vector support
--
Gitee
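Review bot: `Patch15: CVE-2025-7700.patch` only declares the patch; nothing in this diff shows it being applied, and the `%prep` section lies outside the visible hunks. If `%prep` uses `%autosetup` or `%autopatch` the declaration is enough. If it lists patches one by one, a matching `%patch` line is still needed, otherwise release 7.1-12 ships without the alsdec.c checks while the changelog records the CVE as fixed. Checking the build log for both alsdec.c hunks applying cleanly would settle it.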