From cf581fa7db14ab8810d3d9de43ba214503dcc006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=AE=81=E6=9D=B0?=
Date: Mon, 2 Dec 2024 03:49:16 +0000
Subject: [PATCH] fix CVE-2024-35368 CVE-2024-36616
(cherry picked from commit 1c70296ee875b695c8bc39d055c0e1112d53e0c0)
---
 backport-CVE-2024-35368.patch | 35 +++++++++++++++++++++++++++++++++++
 backport-CVE-2024-36616.patch | 29 +++++++++++++++++++++++++++++
 ffmpeg.spec | 7 ++++++-
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-35368.patch
 create mode 100644 backport-CVE-2024-36616.patch
diff --git a/backport-CVE-2024-35368.patch b/backport-CVE-2024-35368.patch
new file mode 100644
index 0000000..cce8aa4
--- /dev/null
+++ b/backport-CVE-2024-35368.patch
@@ -0,0 +1,35 @@
+From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt
+Date: Sun, 24 Sep 2023 13:15:48 +0200
+Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
+After having created the AVBuffer that is put into frame->buf[0],
+ownership of several objects (namely an AVDRMFrameDescriptor,
+an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
+has passed to the AVBuffer and therefore to the frame.
+Yet it has nevertheless been freed manually on error
+afterwards, which would lead to a double-free as soon
+as the AVFrame is unreferenced.
+Signed-off-by: Andreas Rheinhardt
+---
+ libavcodec/rkmppdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
+index 7665098c6a..6889545b20 100644
+--- a/libavcodec/rkmppdec.c
++++ b/libavcodec/rkmppdec.c
+@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
+
+ frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
+ if (!frame->hw_frames_ctx) {
+- ret = AVERROR(ENOMEM);
+- goto fail;
++ av_frame_unref(frame);
++ return AVERROR(ENOMEM);
+ }
+
+ return 0;
+--
+2.33.0
diff --git a/backport-CVE-2024-36616.patch b/backport-CVE-2024-36616.patch
new file mode 100644
index 0000000..6668a08
--- /dev/null
+++ b/backport-CVE-2024-36616.patch
@@ -0,0 +1,29 @@
+From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer
+Date: Tue, 26 Mar 2024 01:00:13 +0100
+Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets
+Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer
+---
+ libavformat/westwood_vqa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
+index 954710a6f0..3a31e3f5e8 100644
+--- a/libavformat/westwood_vqa.c
++++ b/libavformat/westwood_vqa.c
+@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
+ break;
+ case SND2_TAG:
+ /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
+- pkt->duration = (chunk_size * 2) / wsvqa->channels;
++ pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
+ break;
+ }
+ break;
+--
+2.33.0
diff --git a/ffmpeg.spec b/ffmpeg.spec
index a8254db..8ce1d9a 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -62,7 +62,7 @@ Summary: Digital VCR and streaming server
 Name: ffmpeg%{?flavor}
 Version: 6.1.1
-Release: 15
+Release: 16
 License: GPL-3.0-or-later
 URL: http://ffmpeg.org/
 Source0: http://ffmpeg.org/releases/ffmpeg-%{version}.tar.xz
@@ -80,6 +80,8 @@ Patch9: CVE-2024-7055.patch
 Patch10: CVE-2023-49501.patch
 Patch11: backport-CVE-2024-35366.patch
 Patch12: backport-CVE-2024-35367.patch
+Patch13: backport-CVE-2024-35368.patch
+Patch14: backport-CVE-2024-36616.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?_with_cuda:BuildRequires: cuda-minimal-build-%{_cuda_version_rpm} cuda-drivers-devel}
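Review bot: Patch13 and Patch14 are only declared in the `@@ -80,6 +80,8 @@` hunk; whether they are actually applied depends on the %prep section, which is outside this hunk and not shown here. If %prep applies patches with explicit %patch lines rather than `%autosetup -p1`/`%autopatch`, matching lines for Patch13 and Patch14 in the same form the spec already uses for Patch1–Patch12 are needed, otherwise the package builds with both CVE fixes silently unapplied. Both new files are verbatim upstream commits carrying their original hunk context (`@@ -463,8 +463,8 @@` in rkmppdec.c, `@@ -262,7 +262,7 @@` in westwood_vqa.c), so it is worth confirming with `rpmbuild -bp` that they apply to the 6.1.1 tree without fuzz before tagging 6.1.1-16.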
@@ -409,6 +411,9 @@ install -pm755 tools/qt-faststart %{buildroot}%{_bindir}
 %changelog
+* Mon Dec 02 2024 liningjie - 6.1.1-16
+- fix CVE-2024-35368 CVE-2024-36616
+
 * Sat Nov 30 2024 liningjie - 6.1.1-15
 - fix CVE-2024-35366 CVE-2024-35367