
[meta-multimedia,scarthgap,1/5] libde265: patch CVE-2023-43887

Message ID 20260109234346.3098858-1-ankur.tyagi85@gmail.com
State New

Commit Message

Ankur Tyagi Jan. 9, 2026, 11:43 p.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-43887

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libde265/libde265/CVE-2023-43887.patch    | 39 +++++++++++++++++++
 .../libde265/libde265_1.0.12.bb               |  4 +-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2023-43887.patch

Patch

diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2023-43887.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2023-43887.patch
new file mode 100644
index 0000000000..f8ab0e1e40
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2023-43887.patch
@@ -0,0 +1,39 @@ 
+From e31a5389f2a4967b9ca298a3435d1af2f9a04cda Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Fri, 1 Sep 2023 21:18:48 +0200
+Subject: [PATCH] fix #418
+
+CVE: CVE-2023-43887
+Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133]
+(cherry picked from commit 63b596c915977f038eafd7647d1db25488a8c133)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ libde265/decctx.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libde265/decctx.cc b/libde265/decctx.cc
+index 223a6aaf..350f7e7a 100644
+--- a/libde265/decctx.cc
++++ b/libde265/decctx.cc
+@@ -582,16 +582,17 @@ de265_error decoder_context::read_pps_NAL(bitreader& reader)
+   std::shared_ptr<pic_parameter_set> new_pps = std::make_shared<pic_parameter_set>();
+ 
+   bool success = new_pps->read(&reader,this);
++  if (!success) {
++    return DE265_WARNING_PPS_HEADER_INVALID;
++  }
+ 
+   if (param_pps_headers_fd>=0) {
+     new_pps->dump(param_pps_headers_fd);
+   }
+ 
+-  if (success) {
+-    pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+-  }
++  pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+ 
+-  return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++  return DE265_OK;
+ }
+ 
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
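Review bot: The protection added in `read_pps_NAL` exists only at this call site: the new `if (!success)` return keeps a PPS that failed `read()` away from `new_pps->dump(param_pps_headers_fd)`, but `dump()` itself is not touched by this patch, so any other path that dumps a PPS after a failed parse would presumably still read fields that were never validated. Recording the invariant beside the early return would keep a later refactor from moving the dump back above the check, for example `// dump() trusts the parsed fields; never call it on a PPS that failed read()`. The store `pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;` is now unconditional after the guard and likewise relies on `read()` having range-checked the id, which this hunk does not show; an explicit bound check before the store would make that independent of the parser. The opening of `read_pps_NAL` lies outside the hunk.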
diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.12.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.12.bb
index 3c9f899491..3466d37317 100644
--- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.12.bb
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.12.bb
@@ -8,7 +8,9 @@  LICENSE = "LGPL-3.0-only & MIT"
 LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"
 
-SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https \
+           file://CVE-2023-43887.patch \
+"
 SRCREV = "a267c84707ab264928fa9b86de2ee749c48c318c"
 
 S = "${WORKDIR}/git"