From: Ankur Tyagi <[email protected]> Details https://nvd.nist.gov/vuln/detail/CVE-2025-48174
Signed-off-by: Ankur Tyagi <[email protected]> --- .../libavif/libavif/CVE-2025-48174_1.patch | 27 +++++++ .../libavif/libavif/CVE-2025-48174_2.patch | 31 ++++++++ .../libavif/libavif/CVE-2025-48174_3.patch | 27 +++++++ .../libavif/libavif/CVE-2025-48174_4.patch | 72 +++++++++++++++++++ .../libavif/libavif_1.0.1.bb | 7 +- 5 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch new file mode 100644 index 0000000000..c9bee6c62a --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch @@ -0,0 +1,27 @@ +From d9c933e79109becdbc6be9ddf9fbe00be03d533e Mon Sep 17 00:00:00 2001 +From: DanisJiang <[email protected]> +Date: Fri, 18 Apr 2025 17:31:53 +0800 +Subject: [PATCH] Add integer overflow checks to makeRoom. + +CVE: CVE-2025-48174 +Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029] +(cherry picked from commit e5fdefe7d1776e6c4cf1703c163a8c0535599029) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/stream.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/stream.c b/src/stream.c +index c85ca31b..70e8bfaa 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -320,6 +320,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc + static avifResult makeRoom(avifRWStream * stream, size_t size) + { + size_t neededSize = stream->offset + size; ++ if (neededSize < stream->offset) { ++ return AVIF_RESULT_INVALID_ARGUMENT; ++ } + size_t newSize = stream->raw->size; + while (newSize < neededSize) { + newSize += AVIF_STREAM_BUFFER_INCREMENT; diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch new file mode 100644 index 0000000000..4ba27d5a57 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch @@ -0,0 +1,31 @@ +From 5bd6529e7e729718ac2d164859965771466c8410 Mon Sep 17 00:00:00 2001 +From: DanisJiang <[email protected]> +Date: Mon, 21 Apr 2025 10:45:59 +0800 +Subject: [PATCH] Add integer overflow check to makeRoom. + +CVE: CVE-2025-48174 +Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109] +(cherry picked from commit 50a743062938a3828581d725facc9c2b92a1d109) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/stream.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/stream.c b/src/stream.c +index 70e8bfaa..893ba3f0 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -319,10 +319,10 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc + #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024) + static avifResult makeRoom(avifRWStream * stream, size_t size) + { +- size_t neededSize = stream->offset + size; +- if (neededSize < stream->offset) { +- return AVIF_RESULT_INVALID_ARGUMENT; ++ if (size > SIZE_MAX - stream->offset) { ++ return AVIF_RESULT_OUT_OF_MEMORY; + } ++ size_t neededSize = stream->offset + size; + size_t newSize = stream->raw->size; + while (newSize < neededSize) { + newSize += AVIF_STREAM_BUFFER_INCREMENT; diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch new file mode 100644 index 0000000000..2fddbeeb81 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch @@ -0,0 +1,27 @@ +From 0b0b88596f21821af605ed316e996739820d3b17 Mon Sep 17 00:00:00 2001 +From: "Danis Jiang (Yuhao Jiang)" + <[email protected]> +Date: Thu, 24 Apr 2025 10:39:19 +0800 +Subject: [PATCH] Fix format errors + +CVE: CVE-2025-48174 +Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11] +(cherry picked from commit c9f1bea437f21cb78f9919c332922a3b0ba65e11) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/stream.c b/src/stream.c +index 893ba3f0..b38c93c6 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -320,7 +320,7 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc + static avifResult makeRoom(avifRWStream * stream, size_t size) + { + if (size > SIZE_MAX - stream->offset) { +- return AVIF_RESULT_OUT_OF_MEMORY; ++ return AVIF_RESULT_OUT_OF_MEMORY; + } + size_t neededSize = stream->offset + size; + size_t newSize = stream->raw->size; diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch new file mode 100644 index 0000000000..ecdef9e5bc --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch @@ -0,0 +1,72 @@ +From 083ce38f549183a3d74a0a6d2dc4d3f4b195867f Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang <[email protected]> +Date: Sun, 27 Apr 2025 14:34:35 -0700 +Subject: [PATCH] Add another integer overflow check to makeRoom + +Replace the while loop with a formula in makeRoom. + +Test the integer overflow checks in makeRoom. + +See https://github.com/AOMediaCodec/libavif/pull/2768. + +CVE: CVE-2025-48174 +Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad] +(cherry picked from commit 32eae7c5c1e72d9999cb31d02e333b6a76029bad) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + src/stream.c | 16 +++++++++------- + tests/gtest/avifstreamtest.cc | 13 +++++++++++++ + 2 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/src/stream.c b/src/stream.c +index b38c93c6..e79e9691 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -319,14 +319,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc + #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024) + static avifResult makeRoom(avifRWStream * stream, size_t size) + { +- if (size > SIZE_MAX - stream->offset) { +- return AVIF_RESULT_OUT_OF_MEMORY; +- } +- size_t neededSize = stream->offset + size; +- size_t newSize = stream->raw->size; +- while (newSize < neededSize) { +- newSize += AVIF_STREAM_BUFFER_INCREMENT; ++ AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY); ++ size_t newSize = stream->offset + size; ++ if (newSize <= stream->raw->size) { ++ return AVIF_RESULT_OK; + } ++ // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT. ++ size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT; ++ size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem; ++ AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY); ++ newSize += padding; + return avifRWDataRealloc(stream->raw, newSize); + } + +diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc +index af94bb82..e768939b 100644 +--- a/tests/gtest/avifstreamtest.cc ++++ b/tests/gtest/avifstreamtest.cc +@@ -204,6 +204,19 @@ TEST(StreamTest, Roundtrip) { + EXPECT_FALSE(avifROStreamSkip(&ro_stream, /*byteCount=*/1)); + } + ++// Test the overflow checks in the makeRoom() function in src/stream.c. ++TEST(StreamTest, OverflowChecksInMakeRoom) { ++ testutil::AvifRwData rw_data; ++ avifRWStream rw_stream; ++ avifRWStreamStart(&rw_stream, &rw_data); ++ const char ten_bytes[10] = {0}; ++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK); ++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9), ++ AVIF_RESULT_OUT_OF_MEMORY); ++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10), ++ AVIF_RESULT_OUT_OF_MEMORY); ++} ++ + //------------------------------------------------------------------------------ + + } // namespace diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb b/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb index 8ddd16ee2a..bca6e40409 100644 --- a/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb +++ b/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb @@ -4,7 +4,12 @@ SECTION = "libs" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c528b75b07425b5c1d2e34de98c397b5" -SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x" +SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x \ + file://CVE-2025-48174_1.patch \ + file://CVE-2025-48174_2.patch \ + file://CVE-2025-48174_3.patch \ + file://CVE-2025-48174_4.patch \ +" S = "${WORKDIR}/git" SRCREV = "d1c26facaf5a8a97919ceee06814d05d10e25622"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#122388): https://lists.openembedded.org/g/openembedded-devel/message/122388 Mute This Topic: https://lists.openembedded.org/mt/116681474/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
