Reword work-around-abi-break.patch

Reviewed-on: jengelh/ffmpeg-7#20

ffmpeg-7.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jul 23 13:28:49 UTC 2025 - Hans-Peter Jansen <hp@urpla.net>
+
+- Add vvenc build conditional
+
+-------------------------------------------------------------------
+Wed Jul 23 07:01:22 UTC 2025 - SongChuan Kang <sckang@suse.com>
+
+- Add ffmpeg-CVE-2025-7700.patch: Add check for the return value
+  of av_malloc_array() and av_calloc() to avoid potential NULL
+  pointer dereference(CVE-2025-7700, bsc#1246790).
+
 -------------------------------------------------------------------
 Wed Jun 25 08:40:15 UTC 2025 - Yifan Jiang <yfjiang@suse.com>
 

ffmpeg-7.spec

@@ -60,6 +60,7 @@
 %bcond_with    fdk_aac_dlopen
 %bcond_with    opencore
 %bcond_with    smbclient
+%bcond_with    vvenc
 %bcond_with    x264
 %bcond_with    x265
 %bcond_with    xvid
@@ -122,11 +123,11 @@ Patch15:        11013-avcodec-decode-clean-up-if-get_hw_frames_parameters-.patch
 Patch18:        ffmpeg-7-CVE-2025-25473.patch
 Patch19:        ffmpeg-7-CVE-2025-22921.patch
 Patch20:        0001-avcodec-libsvtav1-unbreak-build-with-latest-svtav1.patch
+Patch21:        ffmpeg-CVE-2025-7700.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
-BuildRequires:  libmp3lame-devel >= 3.98.3
 BuildRequires:  nasm
-BuildRequires:  pkgconfig
+BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(alsa)
 BuildRequires:  pkgconfig(aom) >= 1.0.0
 BuildRequires:  pkgconfig(dav1d) >= 0.5.0
@@ -146,6 +147,7 @@ BuildRequires:  pkgconfig(libdc1394-2)
 BuildRequires:  pkgconfig(libdrm)
 BuildRequires:  pkgconfig(libgme)
 BuildRequires:  pkgconfig(libiec61883)
+BuildRequires:  pkgconfig(libmp3lame) >= 3.98.3
 BuildRequires:  pkgconfig(libopenjp2) >= 2.1.0
 BuildRequires:  pkgconfig(libopenmpt) >= 0.2.6557
 BuildRequires:  pkgconfig(libpng)
@@ -187,7 +189,7 @@ BuildRequires:  pkgconfig(zvbi-0.2) >= 0.2.28
 BuildRequires:  AMF-devel
 %endif
 %if %{with mysofa}
-BuildRequires:  libmysofa-devel
+BuildRequires:  pkgconfig(libmysofa)
 %endif
 %if %{with codec2}
 BuildRequires:  pkgconfig(codec2)
@@ -221,6 +223,9 @@ BuildRequires:  pkgconfig(opencore-amrnb)
 %if %{with amrwb}
 BuildRequires:  pkgconfig(vo-amrwbenc)
 %endif
+%if %{with vvenc}
+BuildRequires:  vvenc-devel
+%endif
 %if %{with x264}
 BuildRequires:  pkgconfig(x264)
 %endif
@@ -238,7 +243,7 @@ BuildRequires:  pkgconfig(SvtAv1Enc) >= 0.9.0
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600
 BuildRequires:  pkgconfig(libplacebo) >= 6.292.0
 %else
-BuildRequires:  (pkgconfig(libplacebo) >= 4.192.0 with pkgconfig (libplacebo) < 6.292.0)
+BuildRequires:  (pkgconfig(libplacebo) >= 4.192.0 with pkgconfig(libplacebo) < 6.292.0)
 %endif
 BuildRequires:  pkgconfig(shaderc) >= 2019.1
 BuildRequires:  pkgconfig(vulkan) >= 1.3.255
@@ -661,6 +666,9 @@ LDFLAGS="%_lto_cflags" \
 %if %{with amrwb}
 	--enable-libvo-amrwbenc \
 %endif
+%if %{with vvenc}
+	--enable-libvvenc \
+%endif
 %if %{with x264}
 	--enable-libx264 \
 %endif

ffmpeg-CVE-2025-7700.patch

@@ -0,0 +1,45 @@
+From 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Thu, 10 Jul 2025 16:26:39 +0000
+Subject: [PATCH] libavcodec/alsdec.c: Add check for av_malloc_array() and
+ av_calloc()
+
+Add check for the return value of av_malloc_array() and av_calloc()
+to avoid potential NULL pointer dereference.
+
+Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavcodec/alsdec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 734eec8bf8..97b04a95f9 100644
+--- a/libavcodec/alsdec.c
++++ b/libavcodec/alsdec.c
+@@ -2119,8 +2119,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
+         ctx->nbits  = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
+         ctx->mlz    = av_mallocz(sizeof(*ctx->mlz));
+ 
+-        if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value
+-            || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
++        if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value
++            || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
+             av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
+             return AVERROR(ENOMEM);
+         }
+@@ -2132,6 +2132,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ 
+         for (c = 0; c < channels; ++c) {
+             ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa));
++            if (!ctx->raw_mantissa[c]) {
++                av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
++                return AVERROR(ENOMEM);
++            }
+         }
+     }
+ 
+-- 
+2.25.1
+

work-around-abi-break.patch

@@ -13,11 +13,12 @@ ffmpeg, which can cause inadvertent mixing of library versions on
 openSUSE, and precompiled Linux distributions in general.
 
 Upstream says "we only add new functions" - which is ok in its own
-right. verdefs, if you have them, *must*not* change under any
-circumstances, but that is what they broke: the set of symbols
-included in the "LIBAVFORMAT_59" verdef changed between 5.0 and 5.1.
+right. New symbols must be in a new verdef section though, existing
+sections *must*not* change under *any* circumstances, but that is
+what they broke: the set of symbols included in the "LIBAVFORMAT_59"
+verdef changed between 5.0 and 5.1.
 
-$ abidiff abidiff /usr/lib64/libavformat.so.59.16.100 usr/lib64/libavformat.so.59.27.100
+$ abidiff /usr/lib64/libavformat.so.59.16.100 usr/lib64/libavformat.so.59.27.100
 Functions changes summary: 0 Removed, 0 Changed, 0 Added function
 Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
 Function symbols changes summary: 0 Removed, 1 Added function symbol not referenced by debug info