From bdf0a9b75cdd2ec4b51fcca4dbf10a2206639b0ba7bf3934833fbb286fb59f3b Mon Sep 17 00:00:00 2001
From: ZhaoQiang
Date: Sat, 1 Mar 2025 00:59:40 +0800
Subject: [PATCH] Add ffmpeg-4-CVE-2024-35368.patch to fix double-free on the AVFrame is unreferenced.
---
ffmpeg-4-CVE-2024-35368.patch | 31 +++++++++++++++++++++++++++++++
ffmpeg-4.changes | 9 +++++++++
ffmpeg-4.spec | 11 ++++++-----
3 files changed, 46 insertions(+), 5 deletions(-)
create mode 100644 ffmpeg-4-CVE-2024-35368.patch
diff --git a/ffmpeg-4-CVE-2024-35368.patch b/ffmpeg-4-CVE-2024-35368.patch
new file mode 100644
index 0000000..f256e8e
--- /dev/null
+++ b/ffmpeg-4-CVE-2024-35368.patch
@@ -0,0 +1,31 @@
+From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt
+Date: Sun, 24 Sep 2023 13:15:48 +0200
+Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
+
+After having created the AVBuffer that is put into frame->buf[0],
+ownership of several objects (namely an AVDRMFrameDescriptor,
+an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
+has passed to the AVBuffer and therefore to the frame.
+Yet it has nevertheless been freed manually on error
+afterwards, which would lead to a double-free as soon
+as the AVFrame is unreferenced.
+
+Signed-off-by: Andreas Rheinhardt
+---
+ libavcodec/rkmppdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/libavcodec/rkmppdec.c
++++ b/libavcodec/rkmppdec.c
+@@ -460,8 +460,8 @@
+ 
+ frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
+ if (!frame->hw_frames_ctx) {
+- ret = AVERROR(ENOMEM);
+- goto fail;
++ av_frame_unref(frame);
++ return AVERROR(ENOMEM);
+ }
+ 
+ return 0;
diff --git a/ffmpeg-4.changes b/ffmpeg-4.changes
index ae2b65c..1b8eab2 100644
--- a/ffmpeg-4.changes
+++ b/ffmpeg-4.changes
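Review bot: The new `av_frame_unref(frame); return AVERROR(ENOMEM);` in the `hw_frames_ctx` failure branch bypasses the shared `fail:` cleanup on the assumption that `frame->buf[0]` already owns the AVDRMFrameDescriptor, the MppFrame and the `framecontextref`/`decoder_ref` buffers through its free callback; that earlier allocation and the `fail:` label are outside the hunk and this is a backport into the 4.x tree, so it should be confirmed against this package's libavcodec/rkmppdec.c rather than taken from the upstream commit message alone. The hunk header `@@ -460,8 +460,8 @@` carries no function context and the patch has no `index` line, so only the three context lines anchor it; a fuzz or offset warning during %prep would be the signal that the surrounding code differs from upstream. A why-comment above the new return, e.g. `/* frame->buf[0] now owns the descriptor, the MppFrame and the refs; unref releases them, so the fail: path must not be used here */`, would spare the next reader from re-deriving why this branch no longer uses `goto fail`. The enclosing function starts and ends outside the hunk.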
@@ -39,6 +39,15 @@ Fri Feb 19 01:48:22 UTC 2025 - Cliff Zhao
 to avoid null pointer dereference if allocation fails.
 (CVE-2024-12361, bsc#1237358)
 
+-------------------------------------------------------------------
+Fri Feb 19 01:11:17 UTC 2025 - Cliff Zhao
+
+- Add ffmpeg-4-CVE-2024-35368.patch:
+ Backporting 45133009 from upstream, After having created the
+ AVBuffer that is put into frame->buf[0], ownership of several
+ objects Fix double-free on the AVFrame is unreferenced.
+ (CVE-2024-35368, bsc#1234028)
+
 -------------------------------------------------------------------
 Mon Jan 6 11:53:32 UTC 2025 - Jan Engelhardt
 
diff --git a/ffmpeg-4.spec b/ffmpeg-4.spec
index 7d4ba54..35a96b2 100644
--- a/ffmpeg-4.spec
+++ b/ffmpeg-4.spec
@@ -137,11 +137,12 @@ Patch15: 0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch17: ffmpeg-CVE-2023-49502.patch
 Patch22: ffmpeg-c99.patch
 Patch23: 0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
-Patch24: ffmpeg-4-CVE-2024-12361.patch
-Patch25: ffmpeg-4-CVE-2025-22919.patch
-Patch26: ffmpeg-4-CVE-2025-0518.patch
-Patch27: ffmpeg-4-CVE-2025-25473.patch
-Patch28: ffmpeg-4-CVE-2025-22921.patch
+Patch24: ffmpeg-4-CVE-2024-35368.patch
+Patch25: ffmpeg-4-CVE-2024-12361.patch
+Patch26: ffmpeg-4-CVE-2025-22919.patch
+Patch27: ffmpeg-4-CVE-2025-0518.patch
+Patch28: ffmpeg-4-CVE-2025-25473.patch
+Patch29: ffmpeg-4-CVE-2025-22921.patch
 BuildRequires: ladspa-devel
 BuildRequires: libgsm-devel
 BuildRequires: libmp3lame-devel
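Review bot: Inserting the new file as `Patch24:` and shifting the five existing entries to Patch25–Patch29 changes the numbers of patches that are already applied; if `%prep` applies them with explicit numbered `%patch` directives (the `%prep` section is outside this hunk and not shown), those directives now point at the wrong files, whereas an `%autopatch` setup would be unaffected — this should be confirmed before merge. Appending the entry as `Patch29: ffmpeg-4-CVE-2024-35368.patch` would avoid the renumbering altogether unless its application order relative to `ffmpeg-4-CVE-2024-12361.patch` matters, in which case a one-line comment above the block stating that ordering requirement would explain the churn. The earlier Patch directives precede the hunk and the rest of the spec follows it.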