ffmpeg: Add fix for CVEs

Add fix for below CVE:
CVE-2021-3566
Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]

CVE-2021-38291
Link: [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]

Signed-off-by: Saloni Jain <jainsaloni0918@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

3 files changed, 117 insertions, 1 deletions

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
new file mode 100644
index 0000000000..abfc024820
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-3566.patch
@@ -0,0 +1,61 @@
+From 3bce9e9b3ea35c54bacccc793d7da99ea5157532 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda@gmail.com>
+Date: Mon, 27 Jan 2020 21:53:08 +0100
+Subject: [PATCH] avformat/tty: add probe function
+
+CVE: CVE-2021-3566
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=3bce9e9b3ea35c54bacccc793d7da99ea5157532]
+Comment: No changes/refreshing done.
+---
+ libavformat/tty.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libavformat/tty.c b/libavformat/tty.c
+index 8d48f2c45c12..60f7e9f87ee7 100644
+--- a/libavformat/tty.c
++++ b/libavformat/tty.c
+@@ -34,6 +34,13 @@
+ #include "internal.h"
+ #include "sauce.h"
+ 
++static int isansicode(int x)
++{
++    return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f);
++}
++
++static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt";
++
+ typedef struct TtyDemuxContext {
+     AVClass *class;
+     int chars_per_frame;
+@@ -42,6 +49,17 @@ typedef struct TtyDemuxContext {
+     AVRational framerate; /**< Set by a private option. */
+ } TtyDemuxContext;
+ 
++static int read_probe(const AVProbeData *p)
++{
++    int cnt = 0;
++
++    for (int i = 0; i < p->buf_size; i++)
++        cnt += !!isansicode(p->buf[i]);
++
++    return (cnt * 100LL / p->buf_size) * (cnt > 400) *
++        !!av_match_ext(p->filename, tty_extensions);
++}
++
+ /**
+  * Parse EFI header
+  */
+@@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = {
+     .name           = "tty",
+     .long_name      = NULL_IF_CONFIG_SMALL("Tele-typewriter"),
+     .priv_data_size = sizeof(TtyDemuxContext),
++    .read_probe     = read_probe,
+     .read_header    = read_header,
+     .read_packet    = read_packet,
+-    .extensions     = "ans,art,asc,diz,ice,nfo,txt,vt",
++    .extensions     = tty_extensions,
+     .priv_class     = &tty_demuxer_class,
+ };
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
new file mode 100644
index 0000000000..e5be985fc3
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2021-38291.patch
@@ -0,0 +1,53 @@
+From e01d306c647b5827102260b885faa223b646d2d1 Mon Sep 17 00:00:00 2001
+From: James Almer <jamrial@gmail.com>
+Date: Wed, 21 Jul 2021 01:02:44 -0300
+Subject: [PATCH] avcodec/utils: don't return negative values in
+ av_get_audio_frame_duration()
+
+In some extrme cases, like with adpcm_ms samples with an extremely high channel
+count, get_audio_frame_duration() may return a negative frame duration value.
+Don't propagate it, and instead return 0, signaling that a duration could not
+be determined.
+
+CVE: CVE-2021-3566
+Fixes ticket #9312
+Signed-off-by: James Almer <jamrial@gmail.com>
+Signed-off-by: Saloni Jain <salonij@kpit.com>
+
+Upstream-Status: Backport [http://git.videolan.org/?p=ffmpeg.git;a=patch;h=e01d306c647b5827102260b885faa223b646d2d1]
+Comment: No changes/refreshing done.
+---
+ libavcodec/utils.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5fad782f5a..cfc07cbcb8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -810,20 +810,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba,
+ 
+ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes)
+ {
+-    return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
++    int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate,
+                                     avctx->channels, avctx->block_align,
+                                     avctx->codec_tag, avctx->bits_per_coded_sample,
+                                     avctx->bit_rate, avctx->extradata, avctx->frame_size,
+                                     frame_bytes);
++    return FFMAX(0, duration);
+ }
+ 
+ int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes)
+ {
+-    return get_audio_frame_duration(par->codec_id, par->sample_rate,
++    int duration = get_audio_frame_duration(par->codec_id, par->sample_rate,
+                                     par->channels, par->block_align,
+                                     par->codec_tag, par->bits_per_coded_sample,
+                                     par->bit_rate, par->extradata, par->frame_size,
+                                     frame_bytes);
++    return FFMAX(0, duration);
+ }
+ 
+ #if !HAVE_THREADS
+-- 
+2.20.1
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index 0e359848fa..1d6f2e528b 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -27,7 +27,9 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://mips64_cpu_detection.patch \
            file://CVE-2020-12284.patch \
            file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
-           "
+           file://CVE-2021-3566.patch \
+           file://CVE-2021-38291.patch \
+          "
 SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
 SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"