
[meta-multimedia,scarthgap] libavif: patch CVE-2025-48174

Message ID 20251208190233.3120323-1-ankur.tyagi85@gmail.com
State New

Commit Message

Ankur Tyagi Dec. 8, 2025, 7:02 p.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-48174

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libavif/libavif/CVE-2025-48174_1.patch    | 27 +++++++
 .../libavif/libavif/CVE-2025-48174_2.patch    | 31 ++++++++
 .../libavif/libavif/CVE-2025-48174_3.patch    | 27 +++++++
 .../libavif/libavif/CVE-2025-48174_4.patch    | 72 +++++++++++++++++++
 .../libavif/libavif_1.0.1.bb                  |  7 +-
 5 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch
 create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch
 create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch
 create mode 100644 meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch

Patch

diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch
new file mode 100644
index 0000000000..c9bee6c62a
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_1.patch
@@ -0,0 +1,27 @@ 
+From d9c933e79109becdbc6be9ddf9fbe00be03d533e Mon Sep 17 00:00:00 2001
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Fri, 18 Apr 2025 17:31:53 +0800
+Subject: [PATCH] Add integer overflow checks to makeRoom.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029]
+(cherry picked from commit e5fdefe7d1776e6c4cf1703c163a8c0535599029)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/stream.c b/src/stream.c
+index c85ca31b..70e8bfaa 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -320,6 +320,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+     size_t neededSize = stream->offset + size;
++    if (neededSize < stream->offset) {
++        return AVIF_RESULT_INVALID_ARGUMENT;
++    }
+     size_t newSize = stream->raw->size;
+     while (newSize < neededSize) {
+         newSize += AVIF_STREAM_BUFFER_INCREMENT;
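Review bot: The `while (newSize < neededSize)` loop left as context at the end of this hunk still adds AVIF_STREAM_BUFFER_INCREMENT with no upper bound, so the added wrap check on `neededSize` does not by itself keep `newSize` from wrapping when `neededSize` lies within one increment of SIZE_MAX. That loop is only replaced in CVE-2025-48174_4.patch, so patches _1 to _3 should not be carried without _4. A line in this patch's header such as `Note: part 1 of 4; the fix is complete only with CVE-2025-48174_4.patch applied` would make that visible to anyone trimming SRC_URI later. makeRoom's body continues past the end of the hunk.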
diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch
new file mode 100644
index 0000000000..4ba27d5a57
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_2.patch
@@ -0,0 +1,31 @@ 
+From 5bd6529e7e729718ac2d164859965771466c8410 Mon Sep 17 00:00:00 2001
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Mon, 21 Apr 2025 10:45:59 +0800
+Subject: [PATCH] Add integer overflow check to makeRoom.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109]
+(cherry picked from commit 50a743062938a3828581d725facc9c2b92a1d109)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 70e8bfaa..893ba3f0 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -319,10 +319,10 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+-    size_t neededSize = stream->offset + size;
+-    if (neededSize < stream->offset) {
+-        return AVIF_RESULT_INVALID_ARGUMENT;
++    if (size > SIZE_MAX - stream->offset) {
++        return  AVIF_RESULT_OUT_OF_MEMORY;
+     }
++    size_t neededSize = stream->offset + size;
+     size_t newSize = stream->raw->size;
+     while (newSize < neededSize) {
+         newSize += AVIF_STREAM_BUFFER_INCREMENT;
diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch
new file mode 100644
index 0000000000..2fddbeeb81
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_3.patch
@@ -0,0 +1,27 @@ 
+From 0b0b88596f21821af605ed316e996739820d3b17 Mon Sep 17 00:00:00 2001
+From: "Danis Jiang (Yuhao Jiang)"
+ <43723722+DanisJiang@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 10:39:19 +0800
+Subject: [PATCH] Fix format errors
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11]
+(cherry picked from commit c9f1bea437f21cb78f9919c332922a3b0ba65e11)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 893ba3f0..b38c93c6 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -320,7 +320,7 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+     if (size > SIZE_MAX - stream->offset) {
+-        return  AVIF_RESULT_OUT_OF_MEMORY;
++        return AVIF_RESULT_OUT_OF_MEMORY;
+     }
+     size_t neededSize = stream->offset + size;
+     size_t newSize = stream->raw->size;
diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch
new file mode 100644
index 0000000000..ecdef9e5bc
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libavif/libavif/CVE-2025-48174_4.patch
@@ -0,0 +1,72 @@ 
+From 083ce38f549183a3d74a0a6d2dc4d3f4b195867f Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Sun, 27 Apr 2025 14:34:35 -0700
+Subject: [PATCH] Add another integer overflow check to makeRoom
+
+Replace the while loop with a formula in makeRoom.
+
+Test the integer overflow checks in makeRoom.
+
+See https://github.com/AOMediaCodec/libavif/pull/2768.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad]
+(cherry picked from commit 32eae7c5c1e72d9999cb31d02e333b6a76029bad)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c                  | 16 +++++++++-------
+ tests/gtest/avifstreamtest.cc | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index b38c93c6..e79e9691 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -319,14 +319,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+-    if (size > SIZE_MAX - stream->offset) {
+-        return AVIF_RESULT_OUT_OF_MEMORY;
+-    }
+-    size_t neededSize = stream->offset + size;
+-    size_t newSize = stream->raw->size;
+-    while (newSize < neededSize) {
+-        newSize += AVIF_STREAM_BUFFER_INCREMENT;
++    AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY);
++    size_t newSize = stream->offset + size;
++    if (newSize <= stream->raw->size) {
++        return AVIF_RESULT_OK;
+     }
++    // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT.
++    size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT;
++    size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem;
++    AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY);
++    newSize += padding;
+     return avifRWDataRealloc(stream->raw, newSize);
+ }
+ 
+diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc
+index af94bb82..e768939b 100644
+--- a/tests/gtest/avifstreamtest.cc
++++ b/tests/gtest/avifstreamtest.cc
+@@ -204,6 +204,19 @@ TEST(StreamTest, Roundtrip) {
+   EXPECT_FALSE(avifROStreamSkip(&ro_stream, /*byteCount=*/1));
+ }
+ 
++// Test the overflow checks in the makeRoom() function in src/stream.c.
++TEST(StreamTest, OverflowChecksInMakeRoom) {
++  testutil::AvifRwData rw_data;
++  avifRWStream rw_stream;
++  avifRWStreamStart(&rw_stream, &rw_data);
++  const char ten_bytes[10] = {0};
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK);
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9),
++            AVIF_RESULT_OUT_OF_MEMORY);
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10),
++            AVIF_RESULT_OUT_OF_MEMORY);
++}
++
+ //------------------------------------------------------------------------------
+ 
+ }  // namespace
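Review bot: The two SIZE_MAX writes in `OverflowChecksInMakeRoom` exercise different checks in makeRoom, but the test does not say which, so a later refactor could drop one check and leave a reader unsure what each case was guarding. Assuming the first write leaves the stream offset at 10, `SIZE_MAX - 9` fails the first `AVIF_CHECKERR` because offset + size would wrap. `SIZE_MAX - 10` passes that check with `newSize == SIZE_MAX` and is rejected only by the padding check before `newSize += padding`. A one-line comment above each expectation, e.g. `// offset + size overflows size_t` and `// rounding up to AVIF_STREAM_BUFFER_INCREMENT overflows`, would record that intent.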
diff --git a/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb b/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb
index 8ddd16ee2a..bca6e40409 100644
--- a/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb
+++ b/meta-multimedia/recipes-multimedia/libavif/libavif_1.0.1.bb
@@ -4,7 +4,12 @@  SECTION = "libs"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c528b75b07425b5c1d2e34de98c397b5"
 
-SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x"
+SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x \
+           file://CVE-2025-48174_1.patch \
+           file://CVE-2025-48174_2.patch \
+           file://CVE-2025-48174_3.patch \
+           file://CVE-2025-48174_4.patch \
+"
 
 S = "${WORKDIR}/git"
 SRCREV = "d1c26facaf5a8a97919ceee06814d05d10e25622"