From b6eb0b884ca54dda8ba83afe386a286e17677be3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=96=87=E9=91=AB?=
Date: Mon, 9 Jun 2025 17:13:55 +0800
Subject: [PATCH] Fix CVE-2023-49501 CVE-2024-31582 CVE-2024-31578
---
 0003-fix-CVE-2023-49501.patch | 25 +++++++++++++++++++++
 0004-fix-CVE-2024-31578.patch | 42 +++++++++++++++++++++++++++++++++++
 0005-fix-CVE-2024-31582.patch | 27 ++++++++++++++++++++++
 ffmpeg.spec | 11 ++++++++-
 4 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 0003-fix-CVE-2023-49501.patch
 create mode 100644 0004-fix-CVE-2024-31578.patch
 create mode 100644 0005-fix-CVE-2024-31582.patch
diff --git a/0003-fix-CVE-2023-49501.patch b/0003-fix-CVE-2023-49501.patch
new file mode 100644
index 0000000..72fef65
--- /dev/null
+++ b/0003-fix-CVE-2023-49501.patch
@@ -0,0 +1,25 @@
+From b45cc9297e567f76ccd39d9670eed521f2036d2c Mon Sep 17 00:00:00 2001
+From: happyworker <208suo@208suo.com>
+Date: Wed, 18 Sep 2024 15:24:00 +0800
+Subject: [PATCH] createpatch
+
+---
+ libavfilter/asrc_afirsrc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavfilter/asrc_afirsrc.c b/libavfilter/asrc_afirsrc.c
+index e2359c1..ea04c35 100644
+--- a/libavfilter/asrc_afirsrc.c
++++ b/libavfilter/asrc_afirsrc.c
+@@ -480,7 +480,7 @@ static av_cold int config_eq_output(AVFilterLink *outlink)
+ if (ret < 0)
+ return ret;
+
+- s->magnitude = av_calloc(s->nb_magnitude, sizeof(*s->magnitude));
++ s->magnitude = av_calloc(s->nb_magnitude + 1, sizeof(*s->magnitude));
+ if (!s->magnitude)
+ return AVERROR(ENOMEM);
+ memcpy(s->magnitude, eq_presets[s->preset].gains, sizeof(*s->magnitude) * s->nb_magnitude);
+--
+2.27.0
+
diff --git a/0004-fix-CVE-2024-31578.patch b/0004-fix-CVE-2024-31578.patch
new file mode 100644
index 0000000..649cb91
--- /dev/null
+++ b/0004-fix-CVE-2024-31578.patch
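Review bot: The embedded 0003-fix-CVE-2023-49501.patch cannot be matched to its upstream fix from its own header: the subject is `createpatch`, there is no description, and its commit id b45cc9297e567f76ccd39d9670eed521f2036d2c differs from the 4adb93dff05dd947878c67784d98c9a4e13b57a7 that ffmpeg.spec cites for Patch0003. For a CVE backport the patch file should keep the upstream subject and body and end with a line such as `(cherry picked from commit 4adb93dff05dd947878c67784d98c9a4e13b57a7)`, so a packager can compare it against upstream. In the code itself the `+ 1` in `av_calloc(s->nb_magnitude + 1, ...)` is unexplained, and the access that needs the extra element lies outside the hunk. A comment above the allocation such as `/* one extra zeroed element past the preset gains, see CVE-2023-49501 */` would record the intent.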
@@ -0,0 +1,42 @@
+From 3bb00c0a420c3ce83c6fafee30270d69622ccad7 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili
+Date: Mon, 29 Apr 2024 17:02:47 +0800
+Subject: [PATCH] avutil/hwcontext: Don't assume frames_uninit is reentrant.
+Fix heap use after free when vulkan_frames_init failed.
+
+Signed-off-by: Zhao Zhili
+---
+ libavutil/hwcontext.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/libavutil/hwcontext.c b/libavutil/hwcontext.c
+index 3650d46..0ef3479 100644
+--- a/libavutil/hwcontext.c
++++ b/libavutil/hwcontext.c
+@@ -363,7 +363,7 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+ if (ctx->internal->hw_type->frames_init) {
+ ret = ctx->internal->hw_type->frames_init(ctx);
+ if (ret < 0)
+- goto fail;
++ return ret;
+ }
+
+ if (ctx->internal->pool_internal && !ctx->pool)
+@@ -373,14 +373,10 @@ int av_hwframe_ctx_init(AVBufferRef *ref)
+ if (ctx->initial_pool_size > 0) {
+ ret = hwframe_pool_prealloc(ref);
+ if (ret < 0)
+- goto fail;
++ return ret;
+ }
+
+ return 0;
+-fail:
+- if (ctx->internal->hw_type->frames_uninit)
+- ctx->internal->hw_type->frames_uninit(ctx);
+- return ret;
+ }
+
+ int av_hwframe_transfer_get_formats(AVBufferRef *hwframe_ref,
+--
+2.27.0
diff --git a/0005-fix-CVE-2024-31582.patch b/0005-fix-CVE-2024-31582.patch
new file mode 100644
index 0000000..d4b08ad
--- /dev/null
+++ b/0005-fix-CVE-2024-31582.patch
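Review bot: With both `goto fail` sites in av_hwframe_ctx_init() turned into `return ret;`, a failure of hwframe_pool_prealloc() after a successful frames_init() leaves the backend state allocated until the caller drops `ref`. The commit message implies frames_uninit still runs from the context's free path, but that code is outside the hunk, so the contract is worth stating at the first return: `/* no frames_uninit here: it is assumed to run once when the frames context is freed; callers must unref on failure */`. It would also help to confirm that every frames_uninit implementation tolerates running after a partially completed frames_init, since that is now the only cleanup path.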
@@ -0,0 +1,27 @@
+From 99debe5f823f45a482e1dc08de35879aa9c74bd2 Mon Sep 17 00:00:00 2001
+From: Zhao Zhili
+Date: Mon, 29 Apr 2024 17:42:23 +0800
+Subject: [PATCH] avfilter/vf_codecview: fix heap buffer overflow.
+And improve the performance by a little bit.
+
+Signed-off-by: Zhao Zhili
+---
+ libavfilter/vf_codecview.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/libavfilter/vf_codecview.c b/libavfilter/vf_codecview.c
+index 55d9c8c..f65ccbd 100644
+--- a/libavfilter/vf_codecview.c
++++ b/libavfilter/vf_codecview.c
+@@ -216,9 +216,6 @@ static void draw_block_rectangle(uint8_t *buf, int sx, int sy, int w, int h, ptr
+ buf[sx + w - 1] = color;
+ buf += stride;
+ }
+-
+- for (int x = sx; x < sx + w; x++)
+- buf[x] = color;
+ }
+
+ static int filter_frame(AVFilterLink *inlink, AVFrame *frame)
+--
+2.27.0
diff --git a/ffmpeg.spec b/ffmpeg.spec
index 5137cc2..24da947 100644
--- a/ffmpeg.spec
+++ b/ffmpeg.spec
@@ -1,4 +1,4 @@
-%define anolis_release 5
+%define anolis_release 6
 %global av_codec_soversion 60
 %global av_device_soversion 60
@@ -22,6 +22,12 @@ URL: https://ffmpeg.org
 Source0: https://ffmpeg.org/releases/%{name}-%{version}.tar.xz
 Patch0001: 0001-avfilter-af_afwtdn-fix-crash-with-EOF-handling.patch
 Patch0002: 0002-avfilter-vf_colorcorrect-fix-memory-leaks.patch
+# https://github.com/FFmpeg/FFmpeg/commit/4adb93dff05dd947878c67784d98c9a4e13b57a7
+Patch0003: 0003-fix-CVE-2023-49501.patch
+# https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7
+Patch0004: 0004-fix-CVE-2024-31578.patch
+# https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2
+Patch0005: 0005-fix-CVE-2024-31582.patch
 BuildRequires: lame-devel >= 3.98.3
 BuildRequires: libtool
@@ -406,6 +412,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/examples
 %changelog
+* Mon Jun 09 2025 wenxin - 6.1.1-6
+- Fix CVE-2023-49501 CVE-2024-31582 CVE-2024-31578
+
 * Tue Apr 29 2025 zjl02254423 - 6.1.1-5
 - Rebuild for libtheora 1.2.0
--
Gitee
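Review bot: draw_block_rectangle() in the embedded 0005-fix-CVE-2024-31582.patch still writes `buf[sx]` and `buf[sx + w - 1]` on every row with no bound of its own, so once the trailing row fill is removed its safety still rests entirely on the caller passing a rectangle that lies inside the plane. The function's opening lines and the call site in filter_frame() are outside the hunk, so whether sx, sy, w and h are clamped there cannot be seen here. A comment on the function such as `/* caller guarantees sx + w and sy + h lie within the plane */` would record that precondition. The removed loop appears to have drawn the rectangle's closing edge, a visible output change that the message describes only as a performance improvement.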