new file mode 100644
@@ -0,0 +1,37 @@
+From 57850acf9d40fc2898ded492b9ce942110d0c426 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Mon, 31 Aug 2020 10:00:37 +0200
+Subject: [PATCH] fix heap-buffer-overflow in mp4read.c
+
+This originated from an integer overflow: If mp4config.frame.ents
+would be read-in with a value of (uint32t)(-1), it would overflow to 0
+in the size calculation for the allocation in the next line. The
+malloc() function would then successfully return a pointer to a memory
+region of size 0, which will cause a segfault when written to.
+
+Fixes #57.
+
+CVE: CVE-2021-32272
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ frontend/mp4read.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/frontend/mp4read.c b/frontend/mp4read.c
+index 9767383..5dc36b7 100644
+--- a/frontend/mp4read.c
++++ b/frontend/mp4read.c
+@@ -340,7 +340,10 @@ static int stszin(int size)
+ // Number of entries
+ mp4config.frame.ents = u32in();
+ // fixme error checking
+- // fixme: check atom size
++
++ if (!(mp4config.frame.ents + 1))
++ return ERR_FAIL;
++
+ mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)
+ * (mp4config.frame.ents + 1));
+ ofs = 0;
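Review bot: The added guard `if (!(mp4config.frame.ents + 1))` in stszin() rejects only the single count 0xFFFFFFFF, so on targets where size_t is 32 bits the product `sizeof(*mp4config.frame.data) * (mp4config.frame.ents + 1)` in the malloc() call below it can presumably still wrap for other large counts; this depends on the element type, which the hunk does not show. A second bound placed after the existing check would cover that case, e.g. `if (mp4config.frame.ents + 1 > SIZE_MAX / sizeof(*mp4config.frame.data)) return ERR_FAIL;`. The patch also removes the `// fixme: check atom size` comment without comparing the entry count against the `size` argument, and no check of the malloc() result is visible; stszin() continues past the end of the hunk, so either may be handled there. Since this file is a backport of the upstream commit, such hardening is better proposed upstream than applied only in this layer.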
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=381c8cbe277a7bc1ee2ae6083a04c958"
LICENSE_FLAGS = "commercial"
-SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
+ file://0001-fix-heap-buffer-overflow-in-mp4read.c.patch \
+ "
SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32272 Pick the patch that is mentioned in the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- ...ix-heap-buffer-overflow-in-mp4read.c.patch | 37 +++++++++++++++++++ .../recipes-multimedia/faad2/faad2_2.8.8.bb | 4 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-multimedia/faad2/faad2/0001-fix-heap-buffer-overflow-in-mp4read.c.patch