Add ffmpeg-4-CVE-2024-35368.patch to fix double-free on the AVFrame is unreferenced.

2025-03-01 00:59:40 +08:00
3 changed files with 51 additions and 10 deletions
--- a/ffmpeg-4-CVE-2024-35368.patch
+++ b/ffmpeg-4-CVE-2024-35368.patch
@ -0,0 +1,31 @@
 From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
 From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 Date: Sun, 24 Sep 2023 13:15:48 +0200
 Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
 After having created the AVBuffer that is put into frame->buf[0],
 ownership of several objects (namely an AVDRMFrameDescriptor,
 an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
 has passed to the AVBuffer and therefore to the frame.
 Yet it has nevertheless been freed manually on error
 afterwards, which would lead to a double-free as soon
 as the AVFrame is unreferenced.
 Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 ---
 libavcodec/rkmppdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 --- a/libavcodec/rkmppdec.c
 +++ b/libavcodec/rkmppdec.c
@@ -460,8 +460,8 @@
             frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
             if (!frame->hw_frames_ctx) {
 -                ret = AVERROR(ENOMEM);
 -                goto fail;
 +                av_frame_unref(frame);
 +                return AVERROR(ENOMEM);
             }
             return 0;
--- a/ffmpeg-4.changes
+++ b/ffmpeg-4.changes
@ -39,6 +39,20 @@ Fri Feb 19 01:48:22 UTC 2025 - Cliff Zhao <qzhao@suse.com>
  to avoid null pointer dereference if allocation fails.
  (CVE-2024-12361, bsc#1237358)
 -------------------------------------------------------------------
 Fri Feb 19 01:11:17 UTC 2025 - Cliff Zhao <qzhao@suse.com>
 - Add ffmpeg-4-CVE-2024-35368.patch:
  Backporting 45133009 from upstream, After having created the
  AVBuffer that is put into frame->buf[0], ownership of several
  objects Fix double-free on the AVFrame is unreferenced.
  (CVE-2024-35368, bsc#1234028)
 -------------------------------------------------------------------
 Tue Oct 15 08:18:54 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Adjust bconds to build the package in SLFO without xvidcore.
 -------------------------------------------------------------------
 Mon Jan  6 11:53:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
@ -57,11 +71,6 @@ Mon Jan  6 11:53:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
  ffmpeg-4-CVE-2024-32230.patch
  ffmpeg-4-CVE-2024-7055.patch (all merged)
 -------------------------------------------------------------------
 Tue Oct 15 08:18:54 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
 - Adjust bconds to build the package in SLFO without xvidcore.
 -------------------------------------------------------------------
 Fri Sep  6 15:06:21 UTC 2024 - Cliff Zhao <qzhao@suse.com>
--- a/ffmpeg-4.spec
+++ b/ffmpeg-4.spec
@ -137,11 +137,12 @@ Patch15:        0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
 Patch17:        ffmpeg-CVE-2023-49502.patch
 Patch22:        ffmpeg-c99.patch
 Patch23:        0001-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch
-Patch24:        ffmpeg-4-CVE-2024-12361.patch
+Patch24:        ffmpeg-4-CVE-2024-35368.patch
-Patch25:        ffmpeg-4-CVE-2025-22919.patch
+Patch25:        ffmpeg-4-CVE-2024-12361.patch
-Patch26:        ffmpeg-4-CVE-2025-0518.patch
+Patch26:        ffmpeg-4-CVE-2025-22919.patch
-Patch27:        ffmpeg-4-CVE-2025-25473.patch
+Patch27:        ffmpeg-4-CVE-2025-0518.patch
-Patch28:        ffmpeg-4-CVE-2025-22921.patch
+Patch28:        ffmpeg-4-CVE-2025-25473.patch
 Patch29:        ffmpeg-4-CVE-2025-22921.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel