From 81ed9fd47b3949f86d0fb5a4ba3106628b8c86db Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Mon, 5 Jul 2021 13:59:30 +0300
Subject: [PATCH 1/4] ffmpeg_4: fix incorrect segment length in hls

(cherry picked from commit ae8dd3c149b4d49e683f1414d417801b80b283e2)
---
 pkgs/development/libraries/ffmpeg/4.nix | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/ffmpeg/4.nix b/pkgs/development/libraries/ffmpeg/4.nix
index df3d0732393..d557c87ebdf 100644
--- a/pkgs/development/libraries/ffmpeg/4.nix
+++ b/pkgs/development/libraries/ffmpeg/4.nix
@@ -2,6 +2,7 @@
 # Darwin frameworks
 , Cocoa, CoreMedia, VideoToolbox
 , stdenv, lib
+, fetchpatch
 , ...
 }@args:
 
@@ -11,7 +12,18 @@ callPackage ./generic.nix (rec {
   sha256 = "03kxc29y8190k4y8s8qdpsghlbpmchv1m8iqygq2qn0vfm4ka2a2";
   darwinFrameworks = [ Cocoa CoreMedia VideoToolbox ];
 
-  /* Work around https://trac.ffmpeg.org/ticket/9242 */
-  patches = lib.optional stdenv.isDarwin
-    ./v2-0001-avcodec-videotoolboxenc-define-TARGET_CPU_ARM64-t.patch;
+  patches = [
+    # Fix incorrect segment length in HLS child playlist with fmp4 segment format
+    # FIXME remove in version 4.5
+    # https://trac.ffmpeg.org/ticket/9193
+    # https://trac.ffmpeg.org/ticket/9205
+    (fetchpatch {
+      name = "ffmpeg_fix_incorrect_segment_length_in_hls.patch";
+      url = "https://git.videolan.org/?p=ffmpeg.git;a=commitdiff_plain;h=59032494e81a1a65c0b960aaae7ec4c2cc9db35a";
+      sha256 = "03zz1lw51kkc3g3vh47xa5hfiz3g3g1rbrll3kcnslvwylmrqmy3";
+    })
+  ] ++ lib.optionals stdenv.isDarwin [
+    # Work around https://trac.ffmpeg.org/ticket/9242
+    ./v2-0001-avcodec-videotoolboxenc-define-TARGET_CPU_ARM64-t.patch
+  ];
 } // args)

From 568b939c3eb38fc1e211a105c2adf188de8867c1 Mon Sep 17 00:00:00 2001
From: TredwellGit <tredwell@tutanota.com>
Date: Tue, 17 Aug 2021 02:31:11 +0000
Subject: [PATCH 2/4] ffmpeg: patch CVE-2021-33815 and CVE-2021-38114

https://nvd.nist.gov/vuln/detail/CVE-2021-33815
https://nvd.nist.gov/vuln/detail/CVE-2021-38114
(cherry picked from commit a83f82576b578531eb2894e0d7b279b59af23cd6)
---
 pkgs/development/libraries/ffmpeg-full/default.nix |  2 +-
 pkgs/development/libraries/ffmpeg/4.nix            | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index dcd1388143d..2186c154f80 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -243,7 +243,7 @@ assert opensslExtlib -> gnutls == null && openssl != null && nonfreeLicensing;
 
 stdenv.mkDerivation rec {
   pname = "ffmpeg-full";
-  inherit (ffmpeg) src version;
+  inherit (ffmpeg) src version patches;
 
   prePatch = ''
     patchShebangs .
diff --git a/pkgs/development/libraries/ffmpeg/4.nix b/pkgs/development/libraries/ffmpeg/4.nix
index d557c87ebdf..f3758ca5392 100644
--- a/pkgs/development/libraries/ffmpeg/4.nix
+++ b/pkgs/development/libraries/ffmpeg/4.nix
@@ -13,6 +13,16 @@ callPackage ./generic.nix (rec {
   darwinFrameworks = [ Cocoa CoreMedia VideoToolbox ];
 
   patches = [
+    (fetchpatch {
+      name = "CVE-2021-33815.patch";
+      url = "https://github.com/FFmpeg/FFmpeg/commit/26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777.patch";
+      sha256 = "0l8dqga5845f7d3wdbvd05i23saldq4pm2cyfdgszbr0c18sxagf";
+    })
+    (fetchpatch {
+      name = "CVE-2021-38114.patch";
+      url = "https://github.com/FFmpeg/FFmpeg/commit/7150f9575671f898382c370acae35f9087a30ba1.patch";
+      sha256 = "0gwkc7v1wsh4j0am2nnskhsca1b5aqzhcfd41sd9mh2swsdyf27i";
+    })
     # Fix incorrect segment length in HLS child playlist with fmp4 segment format
     # FIXME remove in version 4.5
     # https://trac.ffmpeg.org/ticket/9193

From 7361aaeb5ed2e301018ec33a3a18f0865cd384b2 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Tue, 17 Aug 2021 22:55:39 +0100
Subject: [PATCH 3/4] ffmpeg: enable basic tests

(cherry picked from commit 649f0ed1a88f6e4cf00705b1cb2f1fbdf1fb780c)
---
 pkgs/development/libraries/ffmpeg/2.8.nix     |  1 +
 pkgs/development/libraries/ffmpeg/generic.nix | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/ffmpeg/2.8.nix b/pkgs/development/libraries/ffmpeg/2.8.nix
index 6d94c2e9974..0df810ff10b 100644
--- a/pkgs/development/libraries/ffmpeg/2.8.nix
+++ b/pkgs/development/libraries/ffmpeg/2.8.nix
@@ -7,4 +7,5 @@ callPackage ./generic.nix (rec {
   knownVulnerabilities = [
     "CVE-2021-30123"
   ];
+  doCheck = false;
 } // args)
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 7e4a6a08098..083210b1fef 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -17,7 +17,8 @@
 # Darwin frameworks
 , Cocoa, darwinFrameworks ? [ Cocoa ]
 # Inherit generics
-, branch, sha256, version, patches ? [], knownVulnerabilities ? [], ...
+, branch, sha256, version, patches ? [], knownVulnerabilities ? []
+, doCheck ? true, ...
 }:
 
 /* Maintainer notes:
@@ -187,7 +188,13 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  doCheck = false; # fails
+  inherit doCheck;
+  checkPhase = let
+    ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
+  in ''
+    ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
+      make check -j$NIX_BUILD_CORES
+  '';
 
   # ffmpeg 3+ generates pkg-config (.pc) files that don't have the
   # form automatically handled by the multiple-outputs hooks.

From 1c8ff5cfc7046e5eb85e3cd5cb2f40e1073b23a7 Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Tue, 17 Aug 2021 22:55:48 +0100
Subject: [PATCH 4/4] ffmpeg-full: enable basic tests

(cherry picked from commit 4b658eda801752204f8be29a8f8db343d12572dc)
---
 pkgs/development/libraries/ffmpeg-full/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkgs/development/libraries/ffmpeg-full/default.nix b/pkgs/development/libraries/ffmpeg-full/default.nix
index 2186c154f80..ddcc81f8930 100644
--- a/pkgs/development/libraries/ffmpeg-full/default.nix
+++ b/pkgs/development/libraries/ffmpeg-full/default.nix
@@ -443,6 +443,14 @@ stdenv.mkDerivation rec {
   buildFlags = [ "all" ]
     ++ optional qtFaststartProgram "tools/qt-faststart"; # Build qt-faststart executable
 
+  doCheck = true;
+  checkPhase = let
+    ldLibraryPathEnv = if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH";
+  in ''
+    ${ldLibraryPathEnv}="libavcodec:libavdevice:libavfilter:libavformat:libavresample:libavutil:libpostproc:libswresample:libswscale:''${${ldLibraryPathEnv}}" \
+      make check -j$NIX_BUILD_CORES
+  '';
+
   # Hacky framework patching technique borrowed from the phantomjs2 package
   postInstall = optionalString qtFaststartProgram ''
     cp -a tools/qt-faststart $out/bin/