2 files changed, 40 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch
new file mode 100644
index 0000000000..4ec0aa5aee
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch
@@ -0,0 +1,39 @@
+From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 23 Dec 2023 18:04:32 +0100
+Subject: [PATCH 3/4] avfilter/f_reverse: Apply PTS compensation only when pts
+ is  available
+Fixes: out of array access
+Fixes: tickets/10753/poc16ffmpeg
+Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1
+Found-by: Zeng Yunxiang
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2023-51796
+Upstream-Status: Backport [https://github.com/ffmpeg/FFmpeg/commit/61e73851a33f0b4cb7662f8578a4695e77bd3c19]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavfilter/f_reverse.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/libavfilter/f_reverse.c b/libavfilter/f_reverse.c
+index f7a7e71..7b919d6 100644
+--- a/libavfilter/f_reverse.c
+++ b/libavfilter/f_reverse.c
+@@ -251,7 +251,9 @@ static int areverse_request_frame(AVFilterLink *outlink)
+     if (ret == AVERROR_EOF && s->nb_frames > 0) {
+         AVFrame *out = s->frames[s->nb_frames - 1];
+         out->pts     = s->pts[s->flush_idx++] - s->nb_samples;
+-        s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
+        if (s->nb_frames > 1)
+            s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
+
+         if (av_sample_fmt_is_planar(out->format))
+             reverse_samples_planar(out);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index ee13081e4d..8e0fc090ac 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -38,6 +38,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2023-51798.patch \
           file://CVE-2023-47342.patch \
           file://CVE-2023-50007.patch \
+           file://CVE-2023-51796.patch \
          "
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch new file mode 100644 index 0000000000..4ec0aa5aee --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2023-51796.patch
@@ -0,0 +1,39 @@
		1	From 61e73851a33f0b4cb7662f8578a4695e77bd3c19 Mon Sep 17 00:00:00 2001
		2	From: Michael Niedermayer <michael@niedermayer.cc>
		3	Date: Sat, 23 Dec 2023 18:04:32 +0100
		4	Subject: [PATCH 3/4] avfilter/f_reverse: Apply PTS compensation only when pts
		5	is available
		6
		7	Fixes: out of array access
		8	Fixes: tickets/10753/poc16ffmpeg
		9
		10	Regression since: 45dc668aea0edac34969b5a1ff76cf9ad3a09be1
		11	Found-by: Zeng Yunxiang
		12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		13
		14	CVE: CVE-2023-51796
		15
		16	Upstream-Status: Backport [https://github.com/ffmpeg/FFmpeg/commit/61e73851a33f0b4cb7662f8578a4695e77bd3c19]
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	libavfilter/f_reverse.c \| 4 +++-
		21	1 file changed, 3 insertions(+), 1 deletion(-)
		22
		23	diff --git a/libavfilter/f_reverse.c b/libavfilter/f_reverse.c
		24	index f7a7e71..7b919d6 100644
		25	--- a/libavfilter/f_reverse.c
		26	+++ b/libavfilter/f_reverse.c
		27	@@ -251,7 +251,9 @@ static int areverse_request_frame(AVFilterLink *outlink)
		28	if (ret == AVERROR_EOF && s->nb_frames > 0) {
		29	AVFrame *out = s->frames[s->nb_frames - 1];
		30	out->pts = s->pts[s->flush_idx++] - s->nb_samples;
		31	- s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
		32	+ if (s->nb_frames > 1)
		33	+ s->nb_samples += s->pts[s->flush_idx] - s->pts[s->flush_idx - 1] - out->nb_samples;
		34	+
		35
		36	if (av_sample_fmt_is_planar(out->format))
		37	reverse_samples_planar(out);
		38	--
		39	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index ee13081e4d..8e0fc090ac 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -38,6 +38,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
38	file://CVE-2023-51798.patch \	38	file://CVE-2023-51798.patch \
39	file://CVE-2023-47342.patch \	39	file://CVE-2023-47342.patch \
40	file://CVE-2023-50007.patch \	40	file://CVE-2023-50007.patch \
		41	file://CVE-2023-51796.patch \
41	"	42	"
42		43
43	SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"	44	SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"