[meta-oe,kirkstone,2/4] faad2: patch CVE-2021-32273

Message ID 20251016092917.1946972-2-skandigraun@gmail.com
State New
Series [meta-oe,kirkstone,1/4] faad2: patch CVE-221-32272

Commit Message

Gyorgy Sarvari Oct. 16, 2025, 9:29 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32273

Pick the patch that resolved the issue linked in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...ack-buffer-overflow-in-stringin-ftyp.patch | 28 +++++++++++++++++++
 .../recipes-multimedia/faad2/faad2_2.8.8.bb   |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta-oe/recipes-multimedia/faad2/faad2/0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch

Patch

diff --git a/meta-oe/recipes-multimedia/faad2/faad2/0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch b/meta-oe/recipes-multimedia/faad2/faad2/0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch
new file mode 100644
index 0000000000..3925cde545
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch
@@ -0,0 +1,28 @@ 
+From a58cf881b820bfb4544995192fe5992ae010f1d7 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Mon, 17 Aug 2020 07:37:09 +0200
+Subject: [PATCH] mp4read.c: fix stack-buffer-overflow in stringin()/ftypin()
+
+Terminate the string read into the stack buffer,
+fixes #56.
+
+CVE: CVE-2021-32273
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/1073aeef823cafd844704389e9a497c257768e2f]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ frontend/mp4read.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/frontend/mp4read.c b/frontend/mp4read.c
+index 5dc36b7..a978e62 100644
+--- a/frontend/mp4read.c
++++ b/frontend/mp4read.c
+@@ -91,6 +91,7 @@ static int stringin(char *txt, int sizemax)
+         if (!txt[size])
+             break;
+     }
++    txt[sizemax-1] = '\0';
+ 
+     return size;
+ }
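Review bot: the added `txt[sizemax-1] = '\0';` in stringin() is unconditional and unguarded, so a caller passing a sizemax of 0 would now trigger a write to txt[-1]. The visible context does not show the call sites, so please confirm that every caller (ftypin() is the one named in the subject) passes a positive buffer size. The function also still returns `size` unchanged after the forced terminator, so when the loop ends without reading a NUL the returned count may not match the length of the truncated string; since this is a backport that is not something to change here, but it is worth keeping in mind when reading the callers. Separately, the `From` line carries a58cf881b820bfb4544995192fe5992ae010f1d7 while Upstream-Status points at commit 1073aeef823cafd844704389e9a497c257768e2f; please say in the commit message which one was picked or why the two differ.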
diff --git a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
index d70c18f43d..6ac09c19ce 100644
--- a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
+++ b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
@@ -9,6 +9,7 @@  LICENSE_FLAGS = "commercial"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
            file://0001-fix-heap-buffer-overflow-in-mp4read.c.patch \
+           file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \
            "
 SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
 SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"
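Review bot: the new SRC_URI entry is a second patch carrying the `0001-` prefix, next to `0001-fix-heap-buffer-overflow-in-mp4read.c.patch`, so the numeric prefix no longer tells a reader the apply order and only the position in SRC_URI does. Both file names refer to mp4read.c, so consider renumbering the new file or naming it after the CVE, which keeps the order obvious if the remaining patches of this 4-part series add further entries here.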