7 files changed, 401 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
new file mode 100644
index 0000000000..abfc024820
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
+++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+ 
+static int isansicode(int x)
+{
+    return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
+}
+
+static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
+
+ typedef struct TtyDemuxContext {
+     AVClass *class;
+     int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+     AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+ 
+static int read_probe(const AVProbeData *p)
+{
+    int cnt = 0;
+
+    for (int i = 0; i < p->buf_size; i++)
+        cnt += !!isansicode(p->buf[i]);
+
+    return (cnt * 100LL / p->buf_size) * (cnt > 400) *
+        !!av_match_ext(p->filename, tty_extensions);
+}
+
+ /**
+  * Parse EFI header
+  */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+     .name           = "tty",
+     .long_name      = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+     .priv_data_size = sizeof(TtyDemuxContext),
+    .read_probe     = read_probe,
+     .read_header    = read_header,
+     .read_packet    = read_packet,
+-    .extensions     = "ans,art,asc,diz,ice,nfo,txt,vt",
+    .extensions     = tty_extensions,
+     .priv_class     = &tty_demuxer_class,
+ };
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
new file mode 100644
index 0000000000..e5be985fc3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+                                     avctx->channels, avctx->block_align,
+                                     avctx->codec_tag, avctx->bits_per_coded_sample,
+                                     avctx->bit_rate, avctx->extradata, avctx->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
+    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+                                     par->channels, par->block_align,
+                                     par->codec_tag, par->bits_per_coded_sample,
+                                     par->bit_rate, par->extradata, par->frame_size,
+                                     frame_bytes);
+    return FFMAX(0, duration);
+ }
+ 
+ #if !HAVE_THREADS
+-- 
+2.20.1
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
new file mode 100644
index 0000000000..bd8a08a216
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
@@ -0,0 +1,36 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sun, 27 Feb 2022 14:43:04 +0100
+Subject: [PATCH] avcodec/g729_parser: Check channels
+Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
+Fixes: assertion failure
+Fixes: ticket9651
+Reviewed-by: Paul B Mahol <onemda@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2022-1475
+Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
+Comment: Patch is refreshed as per ffmpeg codebase
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ libavcodec/g729_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
+===================================================================
+--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
+@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
+         av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
+         /* FIXME: replace this heuristic block_size with more precise estimate */
+         s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
+        // channels > 2 is invalid, we pass the packet on unchanged
+        if (avctx->channels > 2)
+            s->block_size = 0;
+         s->block_size *= avctx->channels;
+         s->duration   = avctx->frame_size;
+     }
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
new file mode 100644
index 0000000000..febf49cff2
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
@@ -0,0 +1,41 @@
+From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Tue, 15 Feb 2022 17:58:08 +0800
+Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
+Since the av_malloc() may fail and return NULL pointer,
+it is needed that the 's->edge_emu_buffer' should be checked
+whether the new allocation is success.
+Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
+CVE: CVE-2022-3109
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
+Comments: Refreshed hunk
+Reviewed-by: Peter Ross <pross@xvid.org>
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavcodec/vp3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index e9ab54d73677..e2418eb6fa04 100644
+--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
+@@ -2740,8 +2740,13 @@
+     if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
+         goto error;
+ 
+-    if (!s->edge_emu_buffer)
+    if (!s->edge_emu_buffer) {
+         s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
+        if (!s->edge_emu_buffer) {
+            ret = AVERROR(ENOMEM);
+            goto error;
+        }
+    }
+ 
+     if (s->keyframe) {
+         if (!s->theora) {
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
new file mode 100644
index 0000000000..fcbd9b3e1b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
@@ -0,0 +1,67 @@
+From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 23 Feb 2022 10:31:59 +0800
+Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+Check for failure of avformat_new_stream() and propagate
+the error code.
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2022-3341
+Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
+Comments: Refreshed Hunk
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ libavformat/nutdec.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
+index 0a8a700acf..f9ad2c0af1 100644
+--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
+@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut)
+         ret = AVERROR(ENOMEM);
+         goto fail;
+     }
+-    for (i = 0; i < stream_count; i++)
+-        avformat_new_stream(s, NULL);
+    for (i = 0; i < stream_count; i++) {
+        if (!avformat_new_stream(s, NULL)) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
+    }
+ 
+     return 0;
+ fail:
+@@ -793,19 +793,23 @@
+     NUTContext *nut = s->priv_data;
+     AVIOContext *bc = s->pb;
+     int64_t pos;
+-    int initialized_stream_count;
+    int initialized_stream_count, ret;
+ 
+     nut->avf = s;
+ 
+     /* main header */
+     pos = 0;
+    ret = 0;
+     do {
+        if (ret == AVERROR(ENOMEM))
+            return ret;
+
+         pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
+         if (pos < 0 + 1) {
+             av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
+             goto fail;
+         }
+-    } while (decode_main_header(nut) < 0);
+    } while ((ret = decode_main_header(nut)) < 0);
+ 
+     /* stream headers */
+     pos = 0;
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
new file mode 100644
index 0000000000..707073709a
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,136 @@
+From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton@khirnov.net>
+Date: Fri, 2 Sep 2022 22:21:27 +0200
+Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
+ worker threads
+This state is not refcounted, so make sure it always has a well-defined
+owner.
+Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
+this commit also solves that issue in a more general way.
+(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
+Signed-off-by: Anton Khirnov <anton@khirnov.net>
+CVE: CVE-2022-48434
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
+Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
+Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
+---
+ libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
+index 36ac0ac..bbc5ba6 100644
+--- a/libavcodec/pthread_frame.c
+++ b/libavcodec/pthread_frame.c
+@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
+                                     * Set for the first N packets, where N is the number of threads.
+                                     * While it is set, ff_thread_en/decode_frame won't return any results.
+                                     */
+
+    /* hwaccel state is temporarily stored here in order to transfer its ownership
+     * to the next decoding thread without the need for extra synchronization */
+    const AVHWAccel *stash_hwaccel;
+    void            *stash_hwaccel_context;
+    void            *stash_hwaccel_priv;
+ } FrameThreadContext;
+ 
+ #define THREAD_SAFE_CALLBACKS(avctx) \
+@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
+             ff_thread_finish_setup(avctx);
+ 
+         if (p->hwaccel_serializing) {
+            /* wipe hwaccel state to avoid stale pointers lying around;
+             * the state was transferred to FrameThreadContext in
+             * ff_thread_finish_setup(), so nothing is leaked */
+            avctx->hwaccel                     = NULL;
+            avctx->hwaccel_context             = NULL;
+            avctx->internal->hwaccel_priv_data = NULL;
+
+             p->hwaccel_serializing = 0;
+             pthread_mutex_unlock(&p->parent->hwaccel_mutex);
+         }
+        av_assert0(!avctx->hwaccel);
+ 
+         if (p->async_serializing) {
+             p->async_serializing = 0;
+@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
+         dst->color_range = src->color_range;
+         dst->chroma_sample_location = src->chroma_sample_location;
+ 
+-        dst->hwaccel = src->hwaccel;
+-        dst->hwaccel_context = src->hwaccel_context;
+-
+         dst->channels       = src->channels;
+         dst->sample_rate    = src->sample_rate;
+         dst->sample_fmt     = src->sample_fmt;
+         dst->channel_layout = src->channel_layout;
+-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
+ 
+         if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
+             (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
+@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
+             pthread_mutex_unlock(&p->mutex);
+             return err;
+         }
+
+        /* transfer hwaccel state stashed from previous thread, if any */
+        av_assert0(!p->avctx->hwaccel);
+        FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
+        FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+        FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+     }
+ 
+     av_packet_unref(&p->avpkt);
+@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
+         async_lock(p->parent);
+     }
+ 
+    /* save hwaccel state for passing to the next thread;
+     * this is done here so that this worker thread can wipe its own hwaccel
+     * state after decoding, without requiring synchronization */
+    av_assert0(!p->parent->stash_hwaccel);
+    p->parent->stash_hwaccel         = avctx->hwaccel;
+    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
+
+     pthread_mutex_lock(&p->progress_mutex);
+     if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
+         av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
+@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+ 
+     park_frame_worker_threads(fctx, thread_count);
+ 
+-    if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
+-        if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
+-            av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
+-            fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
+-            fctx->threads->avctx->internal->is_copy = 1;
+-        }
+-
+     for (i = 0; i < thread_count; i++) {
+         PerThreadContext *p = &fctx->threads[i];
+ 
+@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
+     pthread_mutex_destroy(&fctx->async_mutex);
+     pthread_cond_destroy(&fctx->async_cond);
+ 
+    /* if we have stashed hwaccel state, move it to the user-facing context,
+     * so it will be freed in avcodec_close() */
+    av_assert0(!avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
+     av_freep(&avctx->internal->thread_ctx);
+ 
+     if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
+-- 
+2.25.1
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index 0e359848fa..f12052548f 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,13 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://mips64_cpu_detection.patch \
           file://CVE-2020-12284.patch \
           file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
-           "
+           file://CVE-2021-3566.patch \
+           file://CVE-2021-38291.patch \
+           file://CVE-2022-1475.patch \
+           file://CVE-2022-3109.patch \
+           file://CVE-2022-3341.patch \
+           file://CVE-2022-48434.patch \
+          "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch new file mode 100644 index 0000000000..abfc024820 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
		1	From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
		2	From: Paul B Mahol <onemda@gmail.com>
		3	Date: Mon, 27 Jan 2020 21:53:08 +0100
		4	Subject: [PATCH] avformat/tty: add probe function
		5
		6	CVE: CVE-2021-3566
		7	Signed-off-by: Saloni Jain <salonij@kpit.com>
		8
		9	Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
		10	Comment: No changes/refreshing done.
		11	---
		12	libavformat/tty.c \| 21 ++++++++++++++++++++-
		13	1 file changed, 20 insertions(+), 1 deletion(-)
		14
		15	diff --git a/libavformat/tty.c b/libavformat/tty.c
		16	index 8d48f2c45c12..60f7e9f87ee7 100644
		17	--- a/libavformat/tty.c
		18	+++ b/libavformat/tty.c
		19	@@ -34,6 +34,13 @@
		20	#include "internal.h"
		21	#include "sauce.h"
		22
		23	+static int isansicode(int x)
		24	+{
		25	+ return x == 0x1B \|\| x == 0x0A \|\| x == 0x0D \|\| (x >= 0x20 && x < 0x7f);
		26	+}
		27	+
		28	+static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
		29	+
		30	typedef struct TtyDemuxContext {
		31	AVClass *class;
		32	int chars_per_frame;
		33	@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
		34	AVRational framerate; /*< Set by a private option. /
		35	} TtyDemuxContext;
		36
		37	+static int read_probe(const AVProbeData *p)
		38	+{
		39	+ int cnt = 0;
		40	+
		41	+ for (int i = 0; i < p->buf_size; i++)
		42	+ cnt += !!isansicode(p->buf[i]);
		43	+
		44	+ return (cnt * 100LL / p->buf_size) * (cnt > 400) *
		45	+ !!av_match_ext(p->filename, tty_extensions);
		46	+}
		47	+
		48	/**
		49	* Parse EFI header
		50	*/
		51	@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
		52	.name = "tty",
		53	.long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
		54	.priv_data_size = sizeof(TtyDemuxContext),
		55	+ .read_probe = read_probe,
		56	.read_header = read_header,
		57	.read_packet = read_packet,
		58	- .extensions = "ans,art,asc,diz,ice,nfo,txt,vt",
		59	+ .extensions = tty_extensions,
		60	.priv_class = &tty_demuxer_class,
		61	};


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch new file mode 100644 index 0000000000..e5be985fc3 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
		1	From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
		2	From: James Almer <jamrial@gmail.com>
		3	Date: Wed, 21 Jul 2021 01:02:44 -0300
		4	Subject: [PATCH] avcodec/utils: don't return negative values in
		5	av_get_audio_frame_duration()
		6
		7	In some extrme cases, like with adpcm_ms samples with an extremely high channel
		8	count, get_audio_frame_duration() may return a negative frame duration value.
		9	Don't propagate it, and instead return 0, signaling that a duration could not
		10	be determined.
		11
		12	CVE: CVE-2021-3566
		13	Fixes ticket #9312
		14	Signed-off-by: James Almer <jamrial@gmail.com>
		15	Signed-off-by: Saloni Jain <salonij@kpit.com>
		16
		17	Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
		18	Comment: No changes/refreshing done.
		19	---
		20	libavcodec/utils.c \| 6 ++++--
		21	1 file changed, 4 insertions(+), 2 deletions(-)
		22
		23	diff --git a/libavcodec/utils.c b/libavcodec/utils.c
		24	index 5fad782f5a..cfc07cbcb8 100644
		25	--- a/libavcodec/utils.c
		26	+++ b/libavcodec/utils.c
		27	@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
		28
		29	int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
		30	{
		31	- return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		32	+ int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
		33	avctx->channels, avctx->block_align,
		34	avctx->codec_tag, avctx->bits_per_coded_sample,
		35	avctx->bit_rate, avctx->extradata, avctx->frame_size,
		36	frame_bytes);
		37	+ return FFMAX(0, duration);
		38	}
		39
		40	int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
		41	{
		42	- return get_audio_frame_duration(par->codec_id, par->sample_rate,
		43	+ int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
		44	par->channels, par->block_align,
		45	par->codec_tag, par->bits_per_coded_sample,
		46	par->bit_rate, par->extradata, par->frame_size,
		47	frame_bytes);
		48	+ return FFMAX(0, duration);
		49	}
		50
		51	#if !HAVE_THREADS
		52	--
		53	2.20.1


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch new file mode 100644 index 0000000000..bd8a08a216 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
@@ -0,0 +1,36 @@
		1	From: Michael Niedermayer <michael@niedermayer.cc>
		2	Date: Sun, 27 Feb 2022 14:43:04 +0100
		3	Subject: [PATCH] avcodec/g729_parser: Check channels
		4
		5	Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
		6	Fixes: assertion failure
		7	Fixes: ticket9651
		8
		9	Reviewed-by: Paul B Mahol <onemda@gmail.com>
		10	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		11	(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
		12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		13
		14	CVE: CVE-2022-1475
		15	Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
		16	Comment: Patch is refreshed as per ffmpeg codebase
		17	Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
		18
		19	---
		20	libavcodec/g729_parser.c \| 3 +++
		21	1 file changed, 3 insertions(+)
		22
		23	Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
		24	===================================================================
		25	--- a/libavcodec/g729_parser.c
		26	+++ b/libavcodec/g729_parser.c
		27	@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
		28	av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
		29	/* FIXME: replace this heuristic block_size with more precise estimate */
		30	s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
		31	+ // channels > 2 is invalid, we pass the packet on unchanged
		32	+ if (avctx->channels > 2)
		33	+ s->block_size = 0;
		34	s->block_size *= avctx->channels;
		35	s->duration = avctx->frame_size;
		36	}


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch new file mode 100644 index 0000000000..febf49cff2 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3109.patch
@@ -0,0 +1,41 @@
		1	From 656cb0450aeb73b25d7d26980af342b37ac4c568 Mon Sep 17 00:00:00 2001
		2	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
		3	Date: Tue, 15 Feb 2022 17:58:08 +0800
		4	Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc
		5
		6	Since the av_malloc() may fail and return NULL pointer,
		7	it is needed that the 's->edge_emu_buffer' should be checked
		8	whether the new allocation is success.
		9
		10	Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
		11
		12	CVE: CVE-2022-3109
		13	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568]
		14	Comments: Refreshed hunk
		15
		16	Reviewed-by: Peter Ross <pross@xvid.org>
		17	Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
		18	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		19	---
		20	libavcodec/vp3.c \| 7 ++++++-
		21	1 file changed, 6 insertions(+), 1 deletion(-)
		22
		23	diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
		24	index e9ab54d73677..e2418eb6fa04 100644
		25	--- a/libavcodec/vp3.c
		26	+++ b/libavcodec/vp3.c
		27	@@ -2740,8 +2740,13 @@
		28	if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0)
		29	goto error;
		30
		31	- if (!s->edge_emu_buffer)
		32	+ if (!s->edge_emu_buffer) {
		33	s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0]));
		34	+ if (!s->edge_emu_buffer) {
		35	+ ret = AVERROR(ENOMEM);
		36	+ goto error;
		37	+ }
		38	+ }
		39
		40	if (s->keyframe) {
		41	if (!s->theora) {


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch new file mode 100644 index 0000000000..fcbd9b3e1b --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
@@ -0,0 +1,67 @@
		1	From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
		2	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
		3	Date: Wed, 23 Feb 2022 10:31:59 +0800
		4	Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
		5
		6	Check for failure of avformat_new_stream() and propagate
		7	the error code.
		8
		9	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		10
		11	CVE: CVE-2022-3341
		12
		13	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
		14
		15	Comments: Refreshed Hunk
		16	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		17	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		18	---
		19	libavformat/nutdec.c \| 16 ++++++++++++----
		20	1 file changed, 12 insertions(+), 4 deletions(-)
		21
		22	diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
		23	index 0a8a700acf..f9ad2c0af1 100644
		24	--- a/libavformat/nutdec.c
		25	+++ b/libavformat/nutdec.c
		26	@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut)
		27	ret = AVERROR(ENOMEM);
		28	goto fail;
		29	}
		30	- for (i = 0; i < stream_count; i++)
		31	- avformat_new_stream(s, NULL);
		32	+ for (i = 0; i < stream_count; i++) {
		33	+ if (!avformat_new_stream(s, NULL)) {
		34	+ ret = AVERROR(ENOMEM);
		35	+ goto fail;
		36	+ }
		37	+ }
		38
		39	return 0;
		40	fail:
		41	@@ -793,19 +793,23 @@
		42	NUTContext *nut = s->priv_data;
		43	AVIOContext *bc = s->pb;
		44	int64_t pos;
		45	- int initialized_stream_count;
		46	+ int initialized_stream_count, ret;
		47
		48	nut->avf = s;
		49
		50	/* main header */
		51	pos = 0;
		52	+ ret = 0;
		53	do {
		54	+ if (ret == AVERROR(ENOMEM))
		55	+ return ret;
		56	+
		57	pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1;
		58	if (pos < 0 + 1) {
		59	av_log(s, AV_LOG_ERROR, "No main startcode found.\n");
		60	goto fail;
		61	}
		62	- } while (decode_main_header(nut) < 0);
		63	+ } while ((ret = decode_main_header(nut)) < 0);
		64
		65	/* stream headers */
		66	pos = 0;
		67


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch new file mode 100644 index 0000000000..707073709a --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch
@@ -0,0 +1,136 @@
		1	From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
		2	From: Anton Khirnov <anton@khirnov.net>
		3	Date: Fri, 2 Sep 2022 22:21:27 +0200
		4	Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
		5	worker threads
		6
		7	This state is not refcounted, so make sure it always has a well-defined
		8	owner.
		9
		10	Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
		11	this commit also solves that issue in a more general way.
		12
		13	(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
		14	Signed-off-by: Anton Khirnov <anton@khirnov.net>
		15	(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
		16	Signed-off-by: Anton Khirnov <anton@khirnov.net>
		17	(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
		18	Signed-off-by: Anton Khirnov <anton@khirnov.net>
		19
		20	CVE: CVE-2022-48434
		21	Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
		22	Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
		23	Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
		24	---
		25	libavcodec/pthread_frame.c \| 46 +++++++++++++++++++++++++++++---------
		26	1 file changed, 35 insertions(+), 11 deletions(-)
		27
		28	diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
		29	index 36ac0ac..bbc5ba6 100644
		30	--- a/libavcodec/pthread_frame.c
		31	+++ b/libavcodec/pthread_frame.c
		32	@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
		33	* Set for the first N packets, where N is the number of threads.
		34	* While it is set, ff_thread_en/decode_frame won't return any results.
		35	*/
		36	+
		37	+ /* hwaccel state is temporarily stored here in order to transfer its ownership
		38	+ * to the next decoding thread without the need for extra synchronization */
		39	+ const AVHWAccel *stash_hwaccel;
		40	+ void *stash_hwaccel_context;
		41	+ void *stash_hwaccel_priv;
		42	} FrameThreadContext;
		43
		44	#define THREAD_SAFE_CALLBACKS(avctx) \
		45	@@ -211,9 +217,17 @@ static attribute_align_arg void frame_worker_thread(void arg)
		46	ff_thread_finish_setup(avctx);
		47
		48	if (p->hwaccel_serializing) {
		49	+ /* wipe hwaccel state to avoid stale pointers lying around;
		50	+ * the state was transferred to FrameThreadContext in
		51	+ * ff_thread_finish_setup(), so nothing is leaked */
		52	+ avctx->hwaccel = NULL;
		53	+ avctx->hwaccel_context = NULL;
		54	+ avctx->internal->hwaccel_priv_data = NULL;
		55	+
		56	p->hwaccel_serializing = 0;
		57	pthread_mutex_unlock(&p->parent->hwaccel_mutex);
		58	}
		59	+ av_assert0(!avctx->hwaccel);
		60
		61	if (p->async_serializing) {
		62	p->async_serializing = 0;
		63	@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext dst, AVCodecContext src,
		64	dst->color_range = src->color_range;
		65	dst->chroma_sample_location = src->chroma_sample_location;
		66
		67	- dst->hwaccel = src->hwaccel;
		68	- dst->hwaccel_context = src->hwaccel_context;
		69	-
		70	dst->channels = src->channels;
		71	dst->sample_rate = src->sample_rate;
		72	dst->sample_fmt = src->sample_fmt;
		73	dst->channel_layout = src->channel_layout;
		74	- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
		75
		76	if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx \|\|
		77	(dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
		78	@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext p, AVCodecContext user_avctx,
		79	pthread_mutex_unlock(&p->mutex);
		80	return err;
		81	}
		82	+
		83	+ /* transfer hwaccel state stashed from previous thread, if any */
		84	+ av_assert0(!p->avctx->hwaccel);
		85	+ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
		86	+ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
		87	+ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
		88	}
		89
		90	av_packet_unref(&p->avpkt);
		91	@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
		92	async_lock(p->parent);
		93	}
		94
		95	+ /* save hwaccel state for passing to the next thread;
		96	+ * this is done here so that this worker thread can wipe its own hwaccel
		97	+ * state after decoding, without requiring synchronization */
		98	+ av_assert0(!p->parent->stash_hwaccel);
		99	+ p->parent->stash_hwaccel = avctx->hwaccel;
		100	+ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
		101	+ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
		102	+
		103	pthread_mutex_lock(&p->progress_mutex);
		104	if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
		105	av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
		106	@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
		107
		108	park_frame_worker_threads(fctx, thread_count);
		109
		110	- if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
		111	- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
		112	- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
		113	- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
		114	- fctx->threads->avctx->internal->is_copy = 1;
		115	- }
		116	-
		117	for (i = 0; i < thread_count; i++) {
		118	PerThreadContext *p = &fctx->threads[i];
		119
		120	@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
		121	pthread_mutex_destroy(&fctx->async_mutex);
		122	pthread_cond_destroy(&fctx->async_cond);
		123
		124	+ /* if we have stashed hwaccel state, move it to the user-facing context,
		125	+ * so it will be freed in avcodec_close() */
		126	+ av_assert0(!avctx->hwaccel);
		127	+ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
		128	+ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
		129	+ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
		130	+
		131	av_freep(&avctx->internal->thread_ctx);
		132
		133	if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
		134	--
		135	2.25.1
		136


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index 0e359848fa..f12052548f 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,13 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
27	file://mips64_cpu_detection.patch \	27	file://mips64_cpu_detection.patch \
28	file://CVE-2020-12284.patch \	28	file://CVE-2020-12284.patch \
29	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \	29	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
30	"	30	file://CVE-2021-3566.patch \
		31	file://CVE-2021-38291.patch \
		32	file://CVE-2022-1475.patch \
		33	file://CVE-2022-3109.patch \
		34	file://CVE-2022-3341.patch \
		35	file://CVE-2022-48434.patch \
		36	"
31	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"	37	SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
32	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"	38	SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
33		39