ffmpeg-7-CVE-2025-1816.patch

@@ -0,0 +1,33 @@
+From 0526535cd58444dd264e810b2f3348b4d96cff3b Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Mon, 17 Feb 2025 11:41:24 -0300
+Subject: [PATCH] avformat/iamf_parse: add missing constrains for
+ num_parameters in audio_element_oub()
+
+Fixes ticket #11475.
+
+Signed-off-by: James Almer <jamrial@gmail.com>
+---
+ libavformat/iamf_parse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
+index 316093b35f..f71ea5315b 100644
+--- a/libavformat/iamf_parse.c
++++ b/libavformat/iamf_parse.c
+@@ -733,6 +733,12 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
+     }
+ 
+     num_parameters = ffio_read_leb(pbc);
++    if (num_parameters > 2 && audio_element_type == 0) {
++        av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid"
++                                " for Channel representations\n", num_parameters);
++        ret = AVERROR_INVALIDDATA;
++        goto fail;
++    }
+     if (num_parameters && audio_element_type != 0) {
+         av_log(s, AV_LOG_ERROR, "Audio Element parameter count %u is invalid"
+                                 " for Scene representations\n", num_parameters);
+-- 
+2.41.0
+

ffmpeg-7.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar 21 15:28:30 UTC 2025 - Cliff Zhao <qzhao@suse.com>
+
+- Add ffmpeg-7-CVE-2025-1816.patch:
+  Backporting 0526535c from upstream, add missing constrains for
+  num_parameters in audio_element_oub().
+  (CVE-2025-1816, bsc#1238728)
+
 -------------------------------------------------------------------
 Wed Mar  5 09:46:09 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
 
@@ -78,7 +86,16 @@ Mon Sep 30 12:34:56 UTC 2024 - olaf@aepfle.de
 Thu Sep 26 10:02:20 UTC 2024 - Stefan Dirsch <sndirsch@suse.com>
 
 - no longer build against libmfx; build also 15.5 against libvpl
- (boo#1230983)
+ (boo#1230983, boo#1219494)
+
+- dropping support for libmfx below covers:
+  * libmfx: improper input validation (CVE-2023-48368, bsc#1226897)
+  * libmfx: improper buffer restrictions (CVE-2023-45221, bsc#1226898)
+  * libmfx: out-of-bounds read (CVE-2023-22656, bsc#1226899)
+  * libmfx: out-of-bounds write (CVE-2023-47282, bsc#1226900)
+  * libmfx: improper buffer restrictions (CVE-2023-47169, bsc#1226901)
+  * Multiple vulnerabilities in the Intel Media SDK (libmfx1) (bsc#1226892)
+  * Drop libmfx dependency from our product (jira #PED-10024)
 
 -------------------------------------------------------------------
 Wed Aug 21 09:58:42 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -114,6 +131,11 @@ Wed Aug  7 07:37:24 UTC 2024 - Cliff Zhao <qzhao@suse.com>
   * avcodec/pnmdec: Use 64bit for input size check (CVE-2024-7055, bsc#1229026)
   * fftools/ffmpeg_mux_init: Fix double-free on error (CVE-2024-35365, bsc#1235091)
   * avformat/dxa: Adjust order of operations around block align (CVE-2024-36613, bsc#1235092)
+  * avfilter/vf_minterpolate: Check pts before division (CVE-2023-51798, bsc#1223304)
+  * avfilter/vf_weave: Fix odd height handling (CVE-2023-51793, bsc#1223272)
+  * avfilter/vf_gradfun: Do not overread last line (CVE-2023-50010, bsc#1223256)
+  * avfilter/af_stereowiden: Check length (CVE-2023-51794, bsc#1223437)
+  * avutil/hwcontext: Don't assume frames_uninit is reentrant (CVE-2024-31578, bsc#1223070)
 - Drop ffmpeg-7-CVE-2024-32228.patch:
   The fix has been merged.
 - Drop ffmpeg-7-CVE-2024-32229.patch:

ffmpeg-7.spec

@@ -125,6 +125,7 @@ Patch17:        ffmpeg-7-CVE-2025-0518.patch
 Patch18:        ffmpeg-7-CVE-2025-25473.patch
 Patch19:        ffmpeg-7-CVE-2025-22921.patch
 Patch20:        0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch
+Patch21:        ffmpeg-7-CVE-2025-1816.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel >= 3.98.3