jengelh/ffmpeg-7
SHA256
2
1
Fork 13
forked from pool/ffmpeg-7
Code Pull Requests Activity

Compare commits

base: jengelh:master
Branches Tags
jengelh:master jonathankang:cve-fixes jonathankang:CVE-2025-7700 jonathankang:master jonathankang:factory pool:slfo-main pool:factory pool:slfo-1.2
..
compare: jonathankang:cve-fixes
Branches Tags
jonathankang:cve-fixes jonathankang:CVE-2025-7700 jonathankang:master jonathankang:factory jengelh:master pool:slfo-main pool:factory pool:slfo-1.2

1 Commits
master ... cve-fixes

Author SHA256 Message Date
Jonathan Kang
4577d2a47b several CVE fixes 2025-10-14 11:00:23 +08:00
11 changed files with 277 additions and 29 deletions
Expand all files Collapse all files

26
ffmpeg-7-CVE-2025-25473.patch Normal file
View File

@@ -0,0 +1,26 @@
From c08d300481b8ebb846cd43a473988fdbc6793d1b Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Fri, 17 Jan 2025 00:05:31 -0300
Subject: [PATCH] avformat/avformat: also clear FFFormatContext packet queue
when closing a muxer
packet_buffer is used in mux.c, and if a muxing process fails at a point where
packets remained in said queue, they will leak.
Fixes ticket #11419
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavformat/avformat.c | 1 +
1 file changed, 1 insertion(+)
--- a/libavformat/avformat.c
+++ b/libavformat/avformat.c
@@ -184,6 +184,7 @@
av_dict_free(&si->id3v2_meta);
av_packet_free(&si->pkt);
av_packet_free(&si->parse_pkt);
+ avpriv_packet_list_free(&si->packet_buffer);
av_freep(&s->streams);
av_freep(&s->stream_groups);
ff_flush_packet_queue(s);

BIN
ffmpeg-7.1.2.tar.xz LFS Normal file
View File

Binary file not shown.

11
ffmpeg-7.1.2.tar.xz.asc Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQFMBAABCgA2FiEE/PmG6hXm4pOlZE8QtDIvBNZ2WNgFAmjHGF0YHGZmbXBlZy1k
ZXZlbEBmZm1wZWcub3JnAAoJELQyLwTWdljYY+0IAI4Haqz3h9AMEPwppJTY/R+A
3FKY3HqPZXfCiF5V7q6R76ejk4ZheiEmNWw/FGq9mrvhEBDBmfYWHastaizo2ER6
8ckOv+u/cA7YUYYdxvw7RQZqSGTrnpO9g3A/z84bjmCKW4DvSsM0Epg50E8oJsQo
xojOwk5EVmEOnyNbroUHAOKXDux2C8QpxFkKP6HLHme1SlTQTfVZn2G38tN4KmaN
T/p7HaR/nnLMnWC6IYWd0ss70AbRBNaIOdjPu7scA67HSS8Vb6WLOmcMjA9umrbI
MftDxyx771uKc/pLMfEFFc6Pq1Ajy/qhrVesjTzXVyp9IUwP6wbjCDW7aKvkGKQ=
=ew1G
-----END PGP SIGNATURE-----

BIN
ffmpeg-7.1.3.tar.xz LFS
View File

Binary file not shown.

11
ffmpeg-7.1.3.tar.xz.asc
View File

@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQFMBAABCgA2FiEE/PmG6hXm4pOlZE8QtDIvBNZ2WNgFAmkfva4YHGZmbXBlZy1k
ZXZlbEBmZm1wZWcub3JnAAoJELQyLwTWdljY2wAH/RdHMcvBOVNv/KTz6ANTAIdf
2Kuc2aiR8bsIPEGElv5udmwD9B/L6a1PuZ02alLjZEgfjzrAmauMc/gKMA6qQLYH
JN8S7dMSZXN8FmBcTZ+1aPLQG9TA1f952rUOFV/yj2LDxGP22DrBmwIgEk/leeAh
EHcS7NBA51XJOgLkqmvhqbAakiL9C2DrPlvvdHMs9klni7fQoHcr0bJuuGrzx/PQ
0ygV0V2Arbi6SkZHrrWQNV3cgqMYyKkUMwYqQf65RcwZan7fYXLxGB+4B9cz4zcx
BTfmB+7IelSw/KQ7YsSsGtPX2/oXuJdqf8jX7CFtFWYOBgx9RsfZP65PeIQmq5k=
=oOOV
-----END PGP SIGNATURE-----

12
ffmpeg-7.changes
View File

@@ -1,14 +1,3 @@
-------------------------------------------------------------------
Sat Jan 10 19:44:19 UTC 2026 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.1.3
* No release notes were provided
* lavc/aarch64: Fix addp overflow in ff_pred16x16_plane_neon_10
* swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
* avformat/avformat: clear FFFormatContext packet queue when
closing a muxer
- Delete ffmpeg-7-CVE-2025-25473.patch (merged)
-------------------------------------------------------------------
Fri Sep 19 18:44:35 UTC 2025 - Bjørn Lie <bjorn.lie@gmail.com>
@@ -323,7 +312,6 @@ Mon Jan 15 11:11:08 UTC 2024 - Enrico Belleri <kilgore.trout@idesmi.eu>
* VAAPI AV1 encoder
* ffprobe XML output schema changed to account for multiple variable-fields elements within the same parent element
* ffprobe -output_format option added as an alias of -of
* avformat/hls: remove non standard hls extension. (CVE-2023-6601, bsc#1220545)
- Remove patch6 0001-avfilter-vf_libplacebo-remove-deprecated-field.diff
- Prefer libvpl to libmfx: the latter is deprecated
- Delete ffmpeg-6-private-devel package as it is only needed to build libav-tools

11
ffmpeg-7.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package ffmpeg-7
#
# Copyright (c) 2026 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -97,7 +97,7 @@
%define _major_expected 8
Name: ffmpeg-7
Version: 7.1.3
Version: 7.1.2
Release: 0
Summary: Set of libraries for working with various multimedia formats
License: GPL-3.0-or-later
@@ -120,7 +120,12 @@ Patch4: ffmpeg-4.2-dlopen-fdk_aac.patch
Patch5: work-around-abi-break.patch
Patch10: ffmpeg-chromium.patch
Patch15: 11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch
Patch18: ffmpeg-7-CVE-2025-25473.patch
Patch19: ffmpeg-7-CVE-2025-22921.patch
Patch20: ffmpeg-CVE-2025-59728.patch
Patch21: ffmpeg-CVE-2025-59731.patch
Patch22: ffmpeg-CVE-2025-59732.patch
Patch23: ffmpeg-CVE-2025-59733.patch
BuildRequires: ladspa-devel
BuildRequires: libgsm-devel
BuildRequires: nasm
@@ -825,7 +830,7 @@ done
#
#!BcntSyncTag: ffmpeg-7
Name: ffmpeg-7-mini
Version: 7.1.3
Version: 7.1.2
Release: 0
Summary: Set of libraries for working with various multimedia formats
License: GPL-3.0-or-later

59
ffmpeg-CVE-2025-59728.patch Normal file
View File

@@ -0,0 +1,59 @@
From ce0a655f85c1144d19a4acad59afbb92e4997e30 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 28 Jul 2025 23:41:56 +0200
Subject: [PATCH] avformat/dashdec: Allocate space for appended "/"
Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-433502298/test.xml
Found-by: Google Big Sleep
A prettier solution is welcome!
A testcase exists only for the baseurl case
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/dashdec.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index c3f3d7f3f8..278c70315d 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -735,7 +735,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
}
tmp_max_url_size = aligned(tmp_max_url_size);
- text = av_mallocz(tmp_max_url_size);
+ text = av_mallocz(tmp_max_url_size + 1);
if (!text) {
updated = AVERROR(ENOMEM);
goto end;
@@ -747,7 +747,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
}
av_free(text);
- path = av_mallocz(tmp_max_url_size);
+ path = av_mallocz(tmp_max_url_size + 2);
tmp_str = av_mallocz(tmp_max_url_size);
if (!tmp_str || !path) {
updated = AVERROR(ENOMEM);
@@ -769,6 +769,15 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
node = baseurl_nodes[rootId];
baseurl = xmlNodeGetContent(node);
+ if (baseurl) {
+ size_t len = xmlStrlen(baseurl)+2;
+ char *tmp = xmlRealloc(baseurl, len);
+ if (!tmp) {
+ updated = AVERROR(ENOMEM);
+ goto end;
+ }
+ baseurl = tmp;
+ }
root_url = (av_strcasecmp(baseurl, "")) ? baseurl : path;
if (node) {
xmlNodeSetContent(node, root_url);
--
2.51.0

79
ffmpeg-CVE-2025-59731.patch Normal file
View File

@@ -0,0 +1,79 @@
From 0d9c003d76383e82b57b6d5aa33776709d0cda2c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 6 Aug 2025 10:08:14 +0200
Subject: [PATCH] avcodec/exr: Check rle_raw_data and surroundings
Fixes: out of array read
Fixes: BIGSLEEP-436510153/dwa_uncompress_read.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 0a6aab662e..504fea0aac 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -996,6 +996,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
const int dc_h = td->ysize >> 3;
GetByteContext gb, agb;
int skip, ret;
+ int have_rle = 0;
if (compressed_size <= 88)
return AVERROR_INVALIDDATA;
@@ -1020,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if ((uint64_t)rle_raw_size > INT_MAX) {
+ avpriv_request_sample(s->avctx, "Too big rle_raw_size");
+ return AVERROR_INVALIDDATA;
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
@@ -1090,6 +1096,9 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {
unsigned long dest_len = rle_usize;
+ if (2LL * td->xsize * td->ysize > rle_raw_size)
+ return AVERROR_INVALIDDATA;
+
av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);
if (!td->rle_data)
return AVERROR(ENOMEM);
@@ -1106,6 +1115,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (ret < 0)
return ret;
bytestream2_skip(&gb, rle_csize);
+
+ have_rle = 1;
}
bytestream2_init(&agb, td->ac_data, ac_count * 2);
@@ -1187,7 +1198,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
return 0;
if (s->pixel_type == EXR_HALF) {
- for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
+ for (int y = 0; y < td->ysize && have_rle; y++) {
uint16_t *ao = ((uint16_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
@@ -1196,7 +1207,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
ao[x] = ai0[x] | (ai1[x] << 8);
}
} else {
- for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
+ for (int y = 0; y < td->ysize && have_rle; y++) {
uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
--
2.51.0

52
ffmpeg-CVE-2025-59732.patch Normal file
View File

@@ -0,0 +1,52 @@
From f45da79b2c336c5f8f3e563d72b8a22fecdcde0c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 6 Aug 2025 10:35:15 +0200
Subject: [PATCH] avcodec/exr: Dont access outside xsize/ysize
Fixes: out of array access
Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 504fea0aac..dea612a42b 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1127,6 +1127,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
float *yb = td->block[0];
float *ub = td->block[1];
float *vb = td->block[2];
+ int bw = FFMIN(8, td->xsize - x);
+ int bh = FFMIN(8, td->ysize - y);
memset(td->block, 0, sizeof(td->block));
@@ -1151,8 +1153,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
uint16_t *ro = ((uint16_t *)td->uncompressed_data) +
y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;
- for (int yy = 0; yy < 8; yy++) {
- for (int xx = 0; xx < 8; xx++) {
+ for (int yy = 0; yy < bh; yy++) {
+ for (int xx = 0; xx < bw; xx++) {
const int idx = xx + yy * 8;
float b, g, r;
@@ -1175,8 +1177,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
float *ro = ((float *)td->uncompressed_data) +
y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;
- for (int yy = 0; yy < 8; yy++) {
- for (int xx = 0; xx < 8; xx++) {
+ for (int yy = 0; yy < bh; yy++) {
+ for (int xx = 0; xx < bw; xx++) {
const int idx = xx + yy * 8;
convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);
--
2.51.0

39
ffmpeg-CVE-2025-59733.patch Normal file
View File

@@ -0,0 +1,39 @@
From 0469d68acb52081ca8385b844b9650398242be0f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 9 Aug 2025 14:05:19 +0200
Subject: [PATCH] avcodec/exr: Check for pixel type consistency in DWA
Fixes: out of array access
Fixes: BIGSLEEP-436511754/testcase.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index dea612a42b..67f971ff35 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -2086,6 +2086,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
if ((ret = decode_header(s, picture)) < 0)
return ret;
+ if (s->compression == EXR_DWAA ||
+ s->compression == EXR_DWAB) {
+ for (int i = 0; i<s->nb_channels; i++) {
+ EXRChannel *channel = &s->channels[i];
+ if (channel->pixel_type != s->pixel_type) {
+ avpriv_request_sample(s->avctx, "mixed pixel type DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+ }
+ }
+
switch (s->pixel_type) {
case EXR_HALF:
if (s->channel_offsets[3] >= 0) {
--
2.51.0