Hello community,

here is the log from the commit of package ffmpeg-4 for openSUSE:Factory checked in at 2026-05-13 17:53:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ffmpeg-4 (Old)
 and /work/SRC/openSUSE:Factory/.ffmpeg-4.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ffmpeg-4" Wed May 13 17:53:34 2026 rev:92 rq:1353058 version:4.4.6 Changes: -------- --- /work/SRC/openSUSE:Factory/ffmpeg-4/ffmpeg-4.changes 2026-01-15 16:49:41.688773662 +0100 +++ /work/SRC/openSUSE:Factory/.ffmpeg-4.new.1966/ffmpeg-4.changes 2026-05-13 17:53:52.500828651 +0200 @@ -1,0 +2,6 @@ +Wed May 13 07:37:57 UTC 2026 - Alynx Zhou <[email protected]> + +- Add ffmpeg-4-CVE-2026-40962.patch: Use 64bit in CENC subsample + bounds checks. (CVE-2026-40962, bsc#1262237) + +------------------------------------------------------------------- New: ---- ffmpeg-4-CVE-2026-40962.patch ----------(New B)---------- New: - Add ffmpeg-4-CVE-2026-40962.patch: Use 64bit in CENC subsample bounds checks. (CVE-2026-40962, bsc#1262237) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ffmpeg-4.spec ++++++ --- /var/tmp/diff_new_pack.vcKinf/_old 2026-05-13 17:53:56.188980516 +0200 +++ /var/tmp/diff_new_pack.vcKinf/_new 2026-05-13 17:53:56.200981010 +0200 @@ -151,6 +151,7 @@ Patch38: ffmpeg-4-CVE-2023-6601-shim04-5b630743.patch Patch39: ffmpeg-4-CVE-2023-6601.patch Patch40: ffmpeg-4-CVE-2025-63757.patch +Patch41: ffmpeg-4-CVE-2026-40962.patch BuildRequires: ladspa-devel BuildRequires: libgsm-devel BuildRequires: libmp3lame-devel ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.vcKinf/_old 2026-05-13 17:53:56.384988585 +0200 +++ /var/tmp/diff_new_pack.vcKinf/_new 2026-05-13 17:53:56.388988749 +0200 
@@ -1,5 +1,5 @@ -mtime: 1768462791 -commit: 3f758ae79df3a0234432bf29100827d6c06909777b20b5e322105ae439094b2b +mtime: 1778657914 +commit: 2f865d8c49a5060c640bcbaba799b8dc096ccd11f49e10d578beb5a1b69fa295 url: https://src.opensuse.org/jengelh/ffmpeg-4 revision: master ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-13 09:38:34.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ ffmpeg-4-CVE-2026-40962.patch ++++++ diff --unified --recursive --text --new-file --color ffmpeg-4.4.6.old/libavformat/mov.c ffmpeg-4.4.6/libavformat/mov.c --- ffmpeg-4.4.6.old/libavformat/mov.c 2025-05-17 21:52:39.000000000 +0800 +++ ffmpeg-4.4.6/libavformat/mov.c 2026-05-13 15:36:57.296425644 +0800 @@ -6735,7 +6735,7 @@ } for (i = 0; i < sample->subsample_count; i++) { - if (sample->subsamples[i].bytes_of_clear_data + sample->subsamples[i].bytes_of_protected_data > size) { + if (sample->subsamples[i].bytes_of_clear_data + (int64_t)sample->subsamples[i].bytes_of_protected_data > size) { av_log(c->fc, AV_LOG_ERROR, "subsample size exceeds the packet size left\n"); return AVERROR_INVALIDDATA; }
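Review bot: ffmpeg-4-CVE-2026-40962.patch begins directly at its `diff --unified` line with no header, so the mov.c change at line 6735 has no description and no pointer to the upstream commit it corresponds to; add a short header naming the origin, CVE-2026-40962 and bsc#1262237 so the patch can be audited and dropped cleanly on a later rebase. In the changed condition the `(int64_t)` cast sits on `bytes_of_protected_data` only, which does widen the whole sum before the comparison with `size`, but putting the cast on the first operand (or on both) would make the 64-bit intent obvious to the next reader. The same pair of fields is summed inside a loop over `subsample_count`, so it is worth checking the lines following this hunk for any further arithmetic on these values that is still done in 32 bits.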
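Review bot: The ffmpeg-4.spec hunk at line 151 only declares `Patch41: ffmpeg-4-CVE-2026-40962.patch`, and nothing in the lines shown touches `%prep`, so confirm the patch is actually applied there (through `%autopatch` or a matching `%patch` line). If it is not, the package builds and ships with the changelog entry for CVE-2026-40962 but without the bounds-check fix in libavformat/mov.c.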
