diff --git a/CVE-2023-49528.patch b/CVE-2023-49528.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a71f55c63a67dc065d09cd571f74a2cf2dbc369f
--- /dev/null
+++ b/CVE-2023-49528.patch
@@ -0,0 +1,57 @@
+From ffae3ca84f646530fe9236b0966b663aebb06717 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol
+Date: Thu, 6 Jun 2024 17:45:43 +0800
+Subject: [PATCH] Fix CVE-2023-49528
+
+Conflict:NA
+Reference:2d9ed64859c9887d0504cd71dbd5b2c15e14251a
+---
+ libavfilter/af_dialoguenhance.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/libavfilter/af_dialoguenhance.c b/libavfilter/af_dialoguenhance.c
+index 1762ea7..0924c3e 100644
+--- a/libavfilter/af_dialoguenhance.c
++++ b/libavfilter/af_dialoguenhance.c
+@@ -96,12 +96,13 @@ static int config_input(AVFilterLink *inlink)
+ if (!s->window)
+ return AVERROR(ENOMEM);
+
+- s->in_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->center_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->out_dist_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_frame = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_out = ff_get_audio_buffer(inlink, s->fft_size * 4);
+- s->windowed_prev = ff_get_audio_buffer(inlink, s->fft_size * 4);
++ s->in_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->center_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->out_dist_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_frame = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_out = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++ s->windowed_prev = ff_get_audio_buffer(inlink, (s->fft_size + 2) * 2);
++
+ if (!s->in_frame || !s->windowed_out || !s->windowed_prev ||
+ !s->out_dist_frame || !s->windowed_frame || !s->center_frame)
+ return AVERROR(ENOMEM);
+@@ -250,6 +251,7 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
+ float *right_osamples = (float *)out->extended_data[1];
+ float *center_osamples = (float *)out->extended_data[2];
+ const int offset = s->fft_size - s->overlap;
++ const int nb_samples = FFMIN(s->overlap, s->in->nb_samples);
+ float vad;
+
+ // shift in/out buffers
+@@ -258,8 +260,8 @@ static int de_stereo(AVFilterContext *ctx, AVFrame *out)
+ memmove(left_out, &left_out[s->overlap], offset * sizeof(float));
+ memmove(right_out, &right_out[s->overlap], offset * sizeof(float));
+
+- memcpy(&left_in[offset], left_samples, s->overlap * sizeof(float));
+- memcpy(&right_in[offset], right_samples, s->overlap * sizeof(float));
++ memcpy(&left_in[offset], left_samples, nb_samples * sizeof(float));
++ memcpy(&right_in[offset], right_samples, nb_samples * sizeof(float));
+ memset(&left_out[offset], 0, s->overlap * sizeof(float));
+ memset(&right_out[offset], 0, s->overlap * sizeof(float));
+
+--
+2.33.0
+
diff --git a/ffmpeg.spec b/ffmpeg.spec
index 6fe7247bbd01a576b9ccf761601ef9070da98eab..d1d72f062db840d3240f9724ac51aa8d9fe40d5f 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -59,7 +59,7 @@ ExclusiveArch: armv7hnl
 Summary: Digital VCR and streaming server
 Name: ffmpeg%{?flavor}
 Version: 6.1.1
-Release: 3
+Release: 6
 License: GPL-3.0-or-later
 URL: http://ffmpeg.org/
 Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
@@ -67,9 +67,12 @@ Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz # Special patch for building chromium on riscv64 Patch0: avformat-get_first_dts.patch %endif - -Patch1: 0001-fix-CVE-2024-31578.patch -Patch2: 0002-fix-CVE-2024-31582.patch +Patch1: fix-CVE-2023-50007.patch +Patch2: fix-CVE-2023-50008.patch +Patch3: fix-CVE-2024-31578.patch +Patch4: fix-CVE-2024-31582.patch +Patch5: fix_libsvgdec_compile_error.patch +Patch6: CVE-2023-49528.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
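Review bot: In the de_stereo hunk of CVE-2023-49528.patch, clamping the copy to `nb_samples` stops the over-read of a short input frame, but when `s->in->nb_samples` is smaller than `s->overlap` the last `s->overlap - nb_samples` floats of `left_in` and `right_in` are not written by the two `memcpy` calls. Assuming the input buffers are shifted the same way as `left_out`/`right_out` (their `memmove` calls sit above the hunk), that tail still holds samples from the previous block and is processed a second time. Zero it after the copies, e.g. `memset(&left_in[offset + nb_samples], 0, (s->overlap - nb_samples) * sizeof(float));` and the same for `right_in`. The six `(s->fft_size + 2) * 2` allocations in config_input would also benefit from a one-line comment stating why that size is sufficient, since the fix shrinks them from `s->fft_size * 4`. de_stereo's body continues outside the hunk.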
@@ -398,8 +401,19 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir} %changelog -* Mon Apr 29 2024 cenhuilin - 6.1.1-3 -- fix CVE-2024-31578 CVE-2024-31582 +* Tue Jun 18 2024 happyworker <208suo@208suo.com> - 6.1.1-6 +- fix bug CVE-2023-49528.patch + +* Wed Jun 12 2024 technology208 - 6.1.1-5 +- Add patch to fix libsvdec compile error + +* Fri Jun 07 2024 xuchenchen - 6.1.1-4 +- fix CVE-2024-31578.patch +- fix CVE-2024-31582.patch + +* Fri May 31 2024 xuchenchen - 6.1.1-3 +- fix CVE-2023-50007.patch +- fix CVE-2023-50008.patch * Wed Apr 03 2024 misaka00251 - 6.1.1-2 - Add patch to fix chromium build on riscv64 & Cleanup patches
diff --git a/fix-CVE-2023-50007.patch b/fix-CVE-2023-50007.patch
new file mode 100644
index 0000000000000000000000000000000000000000..617dff04e61ac9a9ad69a5c6dace2e33b1b46181
--- /dev/null
+++ b/fix-CVE-2023-50007.patch
@@ -0,0 +1,74 @@
+From b1942734c7cbcdc9034034373abcc9ecb9644c47 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol
+Date: Mon, 27 Nov 2023 11:45:34 +0100
+Subject: [PATCH] avfilter/af_afwtdn: fix crash with EOF handling
+
+---
+ libavfilter/af_afwtdn.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/libavfilter/af_afwtdn.c b/libavfilter/af_afwtdn.c
+index 0fcfa77..63b7f5f 100644
+--- a/libavfilter/af_afwtdn.c
++++ b/libavfilter/af_afwtdn.c
+@@ -408,6 +408,7 @@ typedef struct AudioFWTDNContext {
+
+ uint64_t sn;
+ int64_t eof_pts;
++ int eof;
+
+ int wavelet_type;
+ int channels;
+@@ -1069,7 +1070,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
+ s->drop_samples = 0;
+ } else {
+ if (s->padd_samples < 0 && eof) {
+- out->nb_samples += s->padd_samples;
++ out->nb_samples = FFMAX(0, out->nb_samples + s->padd_samples);
+ s->padd_samples = 0;
+ }
+ if (!eof)
+@@ -1208,23 +1209,26 @@ static int activate(AVFilterContext *ctx)
+
+ FF_FILTER_FORWARD_STATUS_BACK(outlink, inlink);
+
+- ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
+- if (ret < 0)
+- return ret;
+- if (ret > 0)
+- return filter_frame(inlink, in);
++ if (!s->eof) {
++ ret = ff_inlink_consume_samples(inlink, s->nb_samples, s->nb_samples, &in);
++ if (ret < 0)
++ return ret;
++ if (ret > 0)
++ return filter_frame(inlink, in);
++ }
+
+ if (ff_inlink_acknowledge_status(inlink, &status, &pts)) {
+- if (status == AVERROR_EOF) {
+- while (s->padd_samples != 0) {
+- ret = filter_frame(inlink, NULL);
+- if (ret < 0)
+- return ret;
+- }
+- ff_outlink_set_status(outlink, status, pts);
+- return ret;
+- }
++ if (status == AVERROR_EOF)
++ s->eof = 1;
+ }
++
++ if (s->eof && s->padd_samples != 0) {
++ return filter_frame(inlink, NULL);
++ } else if (s->eof) {
++ ff_outlink_set_status(outlink, AVERROR_EOF, s->eof_pts);
++ return 0;
++ }
++
+ FF_FILTER_FORWARD_WANTED(outlink, inlink);
+
+ return FFERROR_NOT_READY;
+--
+2.27.0
+
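Review bot: In the filter_frame hunk of fix-CVE-2023-50007.patch, `FFMAX(0, out->nb_samples + s->padd_samples)` keeps `out->nb_samples` from going negative, but it can now be exactly 0 and nothing visible in the hunk stops that frame from being sent on. If the code after `if (!eof)` forwards `out` unconditionally (it lies outside the hunk), consider freeing an empty frame instead of forwarding it, while still letting activate reach its EOF branch, or add a comment stating that downstream filters are expected to accept zero-sample frames. In activate, the drain now returns `filter_frame(inlink, NULL)` once per call instead of looping; a short comment that each call must move `s->padd_samples` toward 0 would document why the EOF status is eventually set.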
diff --git a/fix-CVE-2023-50008.patch b/fix-CVE-2023-50008.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d0ab2747274e01a993b3ccc0e75c2a55910c0738
--- /dev/null
+++ b/fix-CVE-2023-50008.patch
@@ -0,0 +1,25 @@
+From 5f87a68cf70dafeab2fb89b42e41a4c29053b89b Mon Sep 17 00:00:00 2001
+From: Paul B Mahol
+Date: Mon, 27 Nov 2023 12:08:20 +0100
+Subject: [PATCH] avfilter/vf_colorcorrect: fix memory leaks
+
+---
+ libavfilter/vf_colorcorrect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libavfilter/vf_colorcorrect.c b/libavfilter/vf_colorcorrect.c
+index 1c4dea5..6bdec2c 100644
+--- a/libavfilter/vf_colorcorrect.c
++++ b/libavfilter/vf_colorcorrect.c
+@@ -497,6 +497,8 @@ static av_cold void uninit(AVFilterContext *ctx)
+ ColorCorrectContext *s = ctx->priv;
+
+ av_freep(&s->analyzeret);
++ av_freep(&s->uhistogram);
++ av_freep(&s->vhistogram);
+ }
+
+ static const AVFilterPad colorcorrect_inputs[] = {
+--
+2.27.0
+
diff --git a/0001-fix-CVE-2024-31578.patch b/fix-CVE-2024-31578.patch
similarity index 99%
rename from 0001-fix-CVE-2024-31578.patch
rename to fix-CVE-2024-31578.patch
index 14a799f00cdc41c32419005ead2bc6a3e5e1fe8f..649cb912ff830c633e57203184f08fed3d94f354 100644
--- a/0001-fix-CVE-2024-31578.patch
+++ b/fix-CVE-2024-31578.patch
@@ -40,4 +40,3 @@ index 3650d46..0ef3479 100644 int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref, -- 2.27.0 -
diff --git a/0002-fix-CVE-2024-31582.patch b/fix-CVE-2024-31582.patch
similarity index 99%
rename from 0002-fix-CVE-2024-31582.patch
rename to fix-CVE-2024-31582.patch
index f460af281fbab04d87810405572e1799adee7926..d4b08ad06b3595861d2fc21f468c250e85e35bbe 100644
--- a/0002-fix-CVE-2024-31582.patch
+++ b/fix-CVE-2024-31582.patch
@@ -25,4 +25,3 @@ index 55d9c8c..f65ccbd 100644 static int filter_frame(AVFilterLink *inlink, AVFrame *frame) -- 2.27.0 -
diff --git a/fix_libsvgdec_compile_error.patch b/fix_libsvgdec_compile_error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..156066863b9e704d5226c6e887a09bd0dd3587c8
--- /dev/null
+++ b/fix_libsvgdec_compile_error.patch
@@ -0,0 +1,27 @@
+From a414e25b60b8d11e30479d4f33fb9a94719dae8e Mon Sep 17 00:00:00 2001
+From: technology208
+Date: Tue, 4 Jun 2024 10:44:30 +0800
+Subject: [PATCH] fix_libsvgdec_compile_error.patch
+
+---
+ libavcodec/librsvgdec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libavcodec/librsvgdec.c b/libavcodec/librsvgdec.c
+index c328fbc..756c26d 100644
+--- a/libavcodec/librsvgdec.c
++++ b/libavcodec/librsvgdec.c
+@@ -90,8 +90,10 @@ static int librsvg_decode_frame(AVCodecContext *avctx, AVFrame *frame,
+ goto end;
+
+ avctx->pix_fmt = AV_PIX_FMT_RGB32;
++#if LIBRSVG_MAJOR_VERSION > 2 || LIBRSVG_MAJOR_VERSION == 2 && LIBRSVG_MINOR_VERSION >= 52
+ viewport.width = dimensions.width;
+ viewport.height = dimensions.height;
++#endif
+
+ ret = ff_get_buffer(avctx, frame, 0);
+ if (ret < 0)
+--
+2.33.0
+
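Review bot: The added `#if LIBRSVG_MAJOR_VERSION > 2 || LIBRSVG_MAJOR_VERSION == 2 && LIBRSVG_MINOR_VERSION >= 52` in fix_libsvgdec_compile_error.patch relies on `&&` binding tighter than `||`; parenthesise the second term, `(LIBRSVG_MAJOR_VERSION == 2 && LIBRSVG_MINOR_VERSION >= 52)`, so the intent is explicit. A trailing comment on the closing line, e.g. `#endif /* librsvg >= 2.52 */`, and one sentence in the patch description naming the symbol that failed to compile would help the next packager, since the subject currently only repeats the file name. librsvg_decode_frame starts and ends outside the hunk.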