Fix BcntSync handling

* CVE-2024-12361
* CVE-2024-35365
* CVE-2024-36613
* CVE-2025-0518
* CVE-2025-22919
* CVE-2025-22920
* CVE-2025-22921
* CVE-2025-25473

0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch

@@ -0,0 +1,33 @@
+From d1ed5c06e3edc5f2b5f3664c80121fa55b0baa95 Mon Sep 17 00:00:00 2001
+From: Gyan Doshi <ffmpeg@gyani.pro>
+Date: Sat, 22 Feb 2025 10:38:53 +0530
+Subject: [PATCH] avcodec/libsvtav1: unbreak build with latest svtav1
+
+SVT-AV1 made a change in their public API in 988e930c but without a
+version bump or any other accessible marker, thus breaking ffmpeg build
+with current versions of SVT-AV1.
+
+They have finally bumped versions a month later, so check added.
+---
+ libavcodec/libsvtav1.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libavcodec/libsvtav1.c b/libavcodec/libsvtav1.c
+index 79b28eb4df..43fe531fde 100644
+--- a/libavcodec/libsvtav1.c
++++ b/libavcodec/libsvtav1.c
+@@ -435,7 +435,11 @@ static av_cold int eb_enc_init(AVCodecContext *avctx)
+ 
+     svt_enc->eos_flag = EOS_NOT_REACHED;
+ 
++#if SVT_AV1_CHECK_VERSION(3, 0, 0)
++    svt_ret = svt_av1_enc_init_handle(&svt_enc->svt_handle, &svt_enc->enc_params);
++#else
+     svt_ret = svt_av1_enc_init_handle(&svt_enc->svt_handle, svt_enc, &svt_enc->enc_params);
++#endif
+     if (svt_ret != EB_ErrorNone) {
+         return svt_print_error(avctx, svt_ret, "Error initializing encoder handle");
+     }
+-- 
+2.48.1
+

ffmpeg-7-CVE-2025-0518.patch

@@ -0,0 +1,29 @@
+From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 6 Jan 2025 22:01:39 +0100
+Subject: [PATCH] avfilter/af_pan: Fix sscanf() use
+
+Fixes: Memory Data Leak
+
+Found-by: Simcha Kosman <simcha.kosman@cyberark.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/af_pan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c
+index 0d20b0307b..5feb2439c7 100644
+--- a/libavfilter/af_pan.c
++++ b/libavfilter/af_pan.c
+@@ -196,7 +196,7 @@ static av_cold int init(AVFilterContext *ctx)
+         sign = 1;
+         while (1) {
+             gain = 1;
+-            if (sscanf(arg, "%lf%n *%n", &gain, &len, &len))
++            if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1)
+                 arg += len;
+             if (parse_channel_name(&arg, &in_ch_id, &named)){
+                 av_log(ctx, AV_LOG_ERROR,
+-- 
+2.44.0
+

ffmpeg-7-CVE-2025-1816.patch

@@ -0,0 +1,33 @@
+From 0526535cd58444dd264e810b2f3348b4d96cff3b Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Mon, 17 Feb 2025 11:41:24 -0300
+Subject: [PATCH] avformat/iamf_parse: add missing constrains for
+ num_parameters in audio_element_oub()
+
+Fixes ticket #11475.
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavformat/iamf_parse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
+index 316093b35f..f71ea5315b 100644
+--- a/libavformat/iamf_parse.c
++++ b/libavformat/iamf_parse.c
+@@ -733,6 +733,12 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
+     }
+ 
+     num_parameters = ffio_read_leb(pbc);
++    if (num_parameters > 2 && audio_element_type == 0) {
++        av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid"
++                                " for Channel representations\n", num_parameters);
++        ret = AVERROR_INVALIDDATA;
++        goto fail;
++    }
+     if (num_parameters && audio_element_type != 0) {
+         av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid"
+                                 " for Scene representations\n", num_parameters);
+-- 
+2.41.0
+

ffmpeg-7-CVE-2025-22919.patch

@@ -0,0 +1,34 @@
+From 1446e37d3d032e1452844778b3e6ba2c20f0c322 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Mon, 30 Dec 2024 00:25:41 -0300
+Subject: [PATCH] avfilter/buffersrc: check for valid sample rate
+
+A sample rate <= 0 is invalid.
+
+Fixes an assert in ffmpeg_enc.c that assumed a valid sample rate would be set.
+Fixes ticket #11385.
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavfilter/buffersrc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c
+index bdf8b14451..c921803c67 100644
+--- a/libavfilter/buffersrc.c
++++ b/libavfilter/buffersrc.c
+@@ -421,6 +421,11 @@ static av_cold int init_audio(AVFilterContext *ctx)
+         av_channel_layout_describe(&s->ch_layout, buf, sizeof(buf));
+     }
+ 
++    if (s->sample_rate <= 0) {
++        av_log(ctx, AV_LOG_ERROR, "Sample rate not set\n");
++        return AVERROR(EINVAL);
++    }
++
+     if (!s->time_base.num)
+         s->time_base = (AVRational){1, s->sample_rate};
+ 
+-- 
+2.44.0
+

ffmpeg-7-CVE-2025-22921.patch

@@ -0,0 +1,29 @@
+From 7f9c7f9849a2155224711f0ff57ecdac6e4bfb57 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 1 Jan 2025 23:58:39 -0300
+Subject: [PATCH] avcodec/jpeg2000dec: clear array length when freeing it
+
+Fixes NULL pointer dereferences.
+Fixes ticket #11393.
+
+Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavcodec/jpeg2000dec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
+index e5e897a29f..b82d85d5ee 100644
+--- a/libavcodec/jpeg2000dec.c
++++ b/libavcodec/jpeg2000dec.c
+@@ -1521,6 +1521,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
+                 }
+             }
+             av_freep(&cblk->lengthinc);
++            cblk->nb_lengthinc = 0;
+         }
+     }
+     // Save state of stream
+-- 
+2.44.0
+

ffmpeg-7-CVE-2025-25473.patch

@@ -0,0 +1,26 @@
+From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Fri, 17 Jan 2025 00:05:31 -0300
+Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
+ when closing a muxer
+
+packet_buffer is used in mux.c, and if a muxing process fails at a point where
+packets remained in said queue, they will leak.
+
+Fixes ticket #11419
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavformat/avformat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/libavformat/avformat.c
++++ b/libavformat/avformat.c
+@@ -184,6 +184,7 @@
+     av_dict_free(&si->id3v2_meta);
+     av_packet_free(&si->pkt);
+     av_packet_free(&si->parse_pkt);
++    avpriv_packet_list_free(&si->packet_buffer);
+     av_freep(&s->streams);
+     av_freep(&s->stream_groups);
+     ff_flush_packet_queue(s);

ffmpeg-7.changes

@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Tue Mar 25 11:48:21 UTC 2025 - Adrian Schröter <adrian@suse.de>
+
+- Move BcntSync tag to the %else part where the mini package gets defined
+
+-------------------------------------------------------------------
+Sun Mar 23 23:21:26 UTC 2025 - Mia Herkt <mia@0x0.st>
+
+- Build with OpenVINO support in libavfilter
+
+-------------------------------------------------------------------
+Fri Mar 21 15:28:30 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-1816.patch:
+  Backporting 0526535c from upstream, add missing constrains for
+  num_parameters in audio_element_oub().
+  (CVE-2025-1816, bsc#1238728)
+
+-------------------------------------------------------------------
+Wed Mar  5 09:46:09 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add 0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch
+  to build with SVT-AV1 3.0.0.
+
+-------------------------------------------------------------------
+Fri Feb 19 05:17:22 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-22921.patch:
+  Backporting 7f9c7f98 from upstream, clear array length when
+  freeing it.
+  (CVE-2025-22921, bsc#1237382)
+
+-------------------------------------------------------------------
+Fri Feb 19 04:27:06 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-25473.patch:
+  Backporting c08d3004 from upstream, clear FFFormatContext packet.
+  When packet_buffer is used in mux.c, and if a muxing process fails
+  at a point where packets remained in said queue.
+  (CVE-2025-25473, bsc#1237351)
+
+-------------------------------------------------------------------
+Fri Feb 19 03:18:02 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-0518.patch:
+  Backporting b5b6391d from upstream, fixes memory data leak when
+  use sscanf().
+  (CVE-2025-0518, bsc#1236007)
+
+-------------------------------------------------------------------
+Fri Feb 19 02:58:01 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-22919.patch:
+  Backporting 1446e37d from upstream, check for valid sample rate
+  As the sample rate <= 0 is invalid.
+  (CVE-2025-22919, bsc#1237371)
+
 -------------------------------------------------------------------
 Tue Oct 15 08:18:54 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 
@@ -22,6 +79,9 @@ Wed Oct  2 08:20:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
     disposition
   * LCEVC enhancement data exporting in H.26x and MP4/ISOBMFF
   * LCEVC filter
+  * avcodec/mpegvideo_enc: Add check for av_packet_new_side_data (CVE-2024-12361, bsc#1237358)
+  * avformat/dump: print only the actual streams in a tile grid group (CVE-2025-22920, bsc#1237380)
+  * avcodec/rkmppdec: Fix double-free on error (CVE-2024-35368, bsc#1234028)
 - Delete patches/ffmpeg-7-fix-crashes.patch,
   0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch (merged)
 
@@ -36,7 +96,16 @@ Mon Sep 30 12:34:56 UTC 2024 - olaf@aepfle.de
 Thu Sep 26 10:02:20 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 
 - no longer build against libmfx; build also 15.5 against libvpl
- (boo#1230983)
+ (boo#1230983, boo#1219494)
+
+- dropping support for libmfx below covers:
+  * libmfx: improper input validation (CVE-2023-48368, bsc#1226897)
+  * libmfx: improper buffer restrictions (CVE-2023-45221, bsc#1226898)
+  * libmfx: out-of-bounds read (CVE-2023-22656, bsc#1226899)
+  * libmfx: out-of-bounds write (CVE-2023-47282, bsc#1226900)
+  * libmfx: improper buffer restrictions (CVE-2023-47169, bsc#1226901)
+  * Multiple vulnerabilities in the Intel Media SDK (libmfx1) (bsc#1226892)
+  * Drop libmfx dependency from our product (jira #PED-10024)
 
 -------------------------------------------------------------------
 Wed Aug 21 09:58:42 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -70,6 +139,13 @@ Wed Aug  7 07:37:24 UTC 2024 - Cliff Zhao <qzhao@suse.com>
   * avfilter/vf_tiltandshift: fix buffer offset for yuv422p input (CVE-2024-32229, bsc#1227295)
   * avcodec/mpegvideo_enc: Fix 1 line and one column images (CVE-2024-32230, bsc#1227296)
   * avcodec/pnmdec: Use 64bit for input size check (CVE-2024-7055, bsc#1229026)
+  * fftools/ffmpeg_mux_init: Fix double-free on error (CVE-2024-35365, bsc#1235091)
+  * avformat/dxa: Adjust order of operations around block align (CVE-2024-36613, bsc#1235092)
+  * avfilter/vf_minterpolate: Check pts before division (CVE-2023-51798, bsc#1223304)
+  * avfilter/vf_weave: Fix odd height handling (CVE-2023-51793, bsc#1223272)
+  * avfilter/vf_gradfun: Do not overread last line (CVE-2023-50010, bsc#1223256)
+  * avfilter/af_stereowiden: Check length (CVE-2023-51794, bsc#1223437)
+  * avutil/hwcontext: Don't assume frames_uninit is reentrant (CVE-2024-31578, bsc#1223070)
 - Drop ffmpeg-7-CVE-2024-32228.patch:
   The fix has been merged.
 - Drop ffmpeg-7-CVE-2024-32229.patch:

ffmpeg-7.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ffmpeg-7
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -63,6 +63,7 @@
 %bcond_with    x264
 %bcond_with    x265
 %bcond_with    xvid
+%bcond_with    openvino
 
 %if 0%{?suse_version} > 1600
 %bcond_without mysofa
@@ -73,6 +74,9 @@
 %bcond_without amrwb
 %bcond_without opencore
 %bcond_without xvid
+%ifnarch %ix86 %arm32
+%bcond_without openvino
+%endif
 %else
 %if 0%{?suse_version} > 1500
 %bcond_without mysofa
@@ -120,6 +124,12 @@ Patch5:         work-around-abi-break.patch
 Patch10:        ffmpeg-chromium.patch
 Patch91:        ffmpeg-dlopen-openh264.patch
 Patch15:        11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch
+Patch16:        ffmpeg-7-CVE-2025-22919.patch
+Patch17:        ffmpeg-7-CVE-2025-0518.patch
+Patch18:        ffmpeg-7-CVE-2025-25473.patch
+Patch19:        ffmpeg-7-CVE-2025-22921.patch
+Patch20:        0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch
+Patch21:        ffmpeg-7-CVE-2025-1816.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel >= 3.98.3
@@ -222,6 +232,9 @@ BuildRequires:  pkgconfig(x264)
 %if %{with x265}
 BuildRequires:  pkgconfig(x265)
 %endif
+%if %{with openvino}
+BuildRequires:	pkgconfig(openvino)
+%endif
 
 %ifarch x86_64 %x86_64 aarch64
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150500
@@ -664,6 +677,9 @@ LDFLAGS="%_lto_cflags" \
 %if %{with xvid}
 	--enable-libxvid \
 %endif
+%if %{with openvino}
+	--enable-libopenvino \
+%endif
 %if !0%{?BUILD_ORIG}
 	--enable-muxers \
 	--enable-demuxers \
@@ -807,6 +823,12 @@ done
 
 %else
 %define _name ffmpeg
+# Patches may subtly change internal APIs, so we're sticking %%release in
+# Requires lines. It also conveniently blocks openSUSE libav* being combined
+# with Packman libav*, due to PM's unique %%release numbers.
+# This use of %%release with %flavor however requires bcnt synchro:
+#
+#!BcntSyncTag:  ffmpeg-7
 Name:           ffmpeg-7-mini
 Version:        7.1
 Release:        0