From 75c35352f20d41e2bde10d194282350f5f81f9d07744732f81ffb085f2ec4537 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Mon, 22 Apr 2024 13:46:30 +0000
Subject: [PATCH] - address 1 bugzilla issue/CVE

OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=209
---
 ...-Don-t-assume-frames_uninit-is-reent.patch | 44 +++++++++++++++++++
 ffmpeg-4.changes                              |  6 +++
 ffmpeg-4.spec                                 |  1 +
 3 files changed, 51 insertions(+)
 create mode 100644 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch

diff --git a/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
new file mode 100644
index 0000000..8700084
--- /dev/null
+++ b/0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
@@ -0,0 +1,44 @@
+From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili <zhilizhao@tencent.com>
+Date: Tue, 20 Feb 2024 20:08:55 +0800
+Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant
+
+Fix heap use after free when vulkan_frames_init failed.
+
+Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index 1d2c2d7920..aa1329bf2b 100644
+--- a/libavutil/hwcontext.c
++++ b/libavutil/hwcontext.c
+@@ -359,7 +359,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->internal->hw_type->frames_init) {
+         ret = ctx->internal->hw_type->frames_init(ctx);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+ 
+     if (ctx->internal->pool_internal && !ctx->pool)
+@@ -369,14 +369,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+     if (ctx->initial_pool_size > 0) {
+         ret = hwframe_pool_prealloc(ref);
+         if (ret < 0)
+-            goto fail;
++            return ret;
+     }
+ 
+     return 0;
+-fail:
+-    if (ctx->internal->hw_type->frames_uninit)
+-        ctx->internal->hw_type->frames_uninit(ctx);
+-    return ret;
+ }
+ 
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+-- 
+2.44.0
+
diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes
index 6df94a3..ed86223 100644
--- a/ffmpeg-4.changes
+++ b/ffmpeg-4.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Address boo#1223070/CVE-2024-31578: add patch
+  0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
+
 -------------------------------------------------------------------
 Fri Feb  2 09:34:15 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 
diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec
index 018c15b..ada5612 100644
--- a/ffmpeg-4.spec
+++ b/ffmpeg-4.spec
@@ -125,6 +125,7 @@ Patch11:        ffmpeg-libglslang-detection.patch
 Patch12:        0001-avcodec-libsvtav1-remove-compressed_ten_bit_format-a.patch
 Patch13:        0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch
 Patch14:        ffmpeg-glslang-cxx17.patch
+Patch15:        0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel