several CVE fixes

Co-authored-by: Bjørn Lie <bjorn.lie@gmail.com>
Co-committed-by: Bjørn Lie <bjorn.lie@gmail.com>

ffmpeg-7.changes

@@ -312,7 +312,6 @@ Mon Jan 15 11:11:08 UTC 2024 - Enrico Belleri <kilgore.trout@idesmi.eu>
   * VAAPI AV1 encoder
   * ffprobe XML output schema changed to account for multiple variable-fields elements within the same parent element
   * ffprobe -output_format option added as an alias of -of
-  * avformat/hls: remove non standard hls extension. (CVE-2023-6601, bsc#1220545)
 - Remove patch6 0001-avfilter-vf_libplacebo-remove-deprecated-field.diff
 - Prefer libvpl to libmfx: the latter is deprecated
 - Delete ffmpeg-6-private-devel package as it is only needed to build libav-tools

ffmpeg-7.spec

@@ -122,6 +122,10 @@ Patch10:        ffmpeg-chromium.patch
 Patch15:        11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch
 Patch18:        ffmpeg-7-CVE-2025-25473.patch
 Patch19:        ffmpeg-7-CVE-2025-22921.patch
+Patch20:	ffmpeg-CVE-2025-59728.patch
+Patch21:	ffmpeg-CVE-2025-59731.patch
+Patch22:	ffmpeg-CVE-2025-59732.patch
+Patch23:	ffmpeg-CVE-2025-59733.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  nasm

ffmpeg-CVE-2025-59728.patch

@@ -0,0 +1,59 @@
+From ce0a655f85c1144d19a4acad59afbb92e4997e30 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Mon, 28 Jul 2025 23:41:56 +0200
+Subject: [PATCH] avformat/dashdec: Allocate space for appended "/"
+
+Fixes: writing 1 byte over the end of the array
+Fixes: BIGSLEEP-433502298/test.xml
+
+Found-by: Google Big Sleep
+
+A prettier solution is welcome!
+A testcase exists only for the baseurl case
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavformat/dashdec.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
+index c3f3d7f3f8..278c70315d 100644
+--- a/libavformat/dashdec.c
++++ b/libavformat/dashdec.c
+@@ -735,7 +735,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
+     }
+ 
+     tmp_max_url_size = aligned(tmp_max_url_size);
+-    text = av_mallocz(tmp_max_url_size);
++    text = av_mallocz(tmp_max_url_size + 1);
+     if (!text) {
+         updated = AVERROR(ENOMEM);
+         goto end;
+@@ -747,7 +747,7 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
+     }
+     av_free(text);
+ 
+-    path = av_mallocz(tmp_max_url_size);
++    path = av_mallocz(tmp_max_url_size + 2);
+     tmp_str = av_mallocz(tmp_max_url_size);
+     if (!tmp_str || !path) {
+         updated = AVERROR(ENOMEM);
+@@ -769,6 +769,15 @@ static int resolve_content_path(AVFormatContext *s, const char *url, int *max_ur
+ 
+     node = baseurl_nodes[rootId];
+     baseurl = xmlNodeGetContent(node);
++    if (baseurl) {
++        size_t len = xmlStrlen(baseurl)+2;
++        char *tmp = xmlRealloc(baseurl, len);
++        if (!tmp) {
++            updated = AVERROR(ENOMEM);
++            goto end;
++        }
++        baseurl = tmp;
++    }
+     root_url = (av_strcasecmp(baseurl, "")) ? baseurl : path;
+     if (node) {
+         xmlNodeSetContent(node, root_url);
+-- 
+2.51.0
+

ffmpeg-CVE-2025-59731.patch

@@ -0,0 +1,79 @@
+From 0d9c003d76383e82b57b6d5aa33776709d0cda2c Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Wed, 6 Aug 2025 10:08:14 +0200
+Subject: [PATCH] avcodec/exr: Check rle_raw_data and surroundings
+
+Fixes: out of array read
+
+Fixes: BIGSLEEP-436510153/dwa_uncompress_read.exr
+
+Found-by: Google Big Sleep
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/exr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index 0a6aab662e..504fea0aac 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -996,6 +996,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+     const int dc_h = td->ysize >> 3;
+     GetByteContext gb, agb;
+     int skip, ret;
++    int have_rle = 0;
+ 
+     if (compressed_size <= 88)
+         return AVERROR_INVALIDDATA;
+@@ -1020,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+     )
+         return AVERROR_INVALIDDATA;
+ 
++    if ((uint64_t)rle_raw_size > INT_MAX) {
++        avpriv_request_sample(s->avctx, "Too big rle_raw_size");
++        return AVERROR_INVALIDDATA;
++    }
++
+     bytestream2_init(&gb, src + 88, compressed_size - 88);
+     skip = bytestream2_get_le16(&gb);
+     if (skip < 2)
+@@ -1090,6 +1096,9 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+     if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {
+         unsigned long dest_len = rle_usize;
+ 
++        if (2LL * td->xsize * td->ysize > rle_raw_size)
++            return AVERROR_INVALIDDATA;
++
+         av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);
+         if (!td->rle_data)
+             return AVERROR(ENOMEM);
+@@ -1106,6 +1115,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+         if (ret < 0)
+             return ret;
+         bytestream2_skip(&gb, rle_csize);
++
++        have_rle = 1;
+     }
+ 
+     bytestream2_init(&agb, td->ac_data, ac_count * 2);
+@@ -1187,7 +1198,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+         return 0;
+ 
+     if (s->pixel_type == EXR_HALF) {
+-        for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
++        for (int y = 0; y < td->ysize && have_rle; y++) {
+             uint16_t *ao = ((uint16_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
+             uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
+             uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
+@@ -1196,7 +1207,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+                 ao[x] = ai0[x] | (ai1[x] << 8);
+         }
+     } else {
+-        for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
++        for (int y = 0; y < td->ysize && have_rle; y++) {
+             uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
+             uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
+             uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
+-- 
+2.51.0
+

ffmpeg-CVE-2025-59732.patch

@@ -0,0 +1,52 @@
+From f45da79b2c336c5f8f3e563d72b8a22fecdcde0c Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Wed, 6 Aug 2025 10:35:15 +0200
+Subject: [PATCH] avcodec/exr: Dont access outside xsize/ysize
+
+Fixes: out of array access
+Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr
+
+Found-by: Google Big Sleep
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/exr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index 504fea0aac..dea612a42b 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -1127,6 +1127,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+             float *yb = td->block[0];
+             float *ub = td->block[1];
+             float *vb = td->block[2];
++            int bw = FFMIN(8, td->xsize - x);
++            int bh = FFMIN(8, td->ysize - y);
+ 
+             memset(td->block, 0, sizeof(td->block));
+ 
+@@ -1151,8 +1153,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+                 uint16_t *ro = ((uint16_t *)td->uncompressed_data) +
+                     y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;
+ 
+-                for (int yy = 0; yy < 8; yy++) {
+-                    for (int xx = 0; xx < 8; xx++) {
++                for (int yy = 0; yy < bh; yy++) {
++                    for (int xx = 0; xx < bw; xx++) {
+                         const int idx = xx + yy * 8;
+                         float b, g, r;
+ 
+@@ -1175,8 +1177,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
+                 float *ro = ((float *)td->uncompressed_data) +
+                     y * td->xsize * s->nb_channels + td->xsize * (o + 2) + x;
+ 
+-                for (int yy = 0; yy < 8; yy++) {
+-                    for (int xx = 0; xx < 8; xx++) {
++                for (int yy = 0; yy < bh; yy++) {
++                    for (int xx = 0; xx < bw; xx++) {
+                         const int idx = xx + yy * 8;
+ 
+                         convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);
+-- 
+2.51.0
+

ffmpeg-CVE-2025-59733.patch

@@ -0,0 +1,39 @@
+From 0469d68acb52081ca8385b844b9650398242be0f Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 9 Aug 2025 14:05:19 +0200
+Subject: [PATCH] avcodec/exr: Check for pixel type consistency in DWA
+
+Fixes: out of array access
+Fixes: BIGSLEEP-436511754/testcase.exr
+
+Found-by: Google Big Sleep
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/exr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libavcodec/exr.c b/libavcodec/exr.c
+index dea612a42b..67f971ff35 100644
+--- a/libavcodec/exr.c
++++ b/libavcodec/exr.c
+@@ -2086,6 +2086,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
+     if ((ret = decode_header(s, picture)) < 0)
+         return ret;
+ 
++    if (s->compression == EXR_DWAA ||
++        s->compression == EXR_DWAB) {
++        for (int i = 0; i<s->nb_channels; i++) {
++            EXRChannel *channel = &s->channels[i];
++            if (channel->pixel_type != s->pixel_type) {
++                avpriv_request_sample(s->avctx, "mixed pixel type DWA");
++                return AVERROR_PATCHWELCOME;
++            }
++        }
++    }
++
+     switch (s->pixel_type) {
+     case EXR_HALF:
+         if (s->channel_offsets[3] >= 0) {
+-- 
+2.51.0
+