diff mbox series

[meta-multimedia,7/7] libheif: CVE-2026-3949

Message ID 20260317172346.2862459-7-skandigraun@gmail.com
State Under Review
Headers show
Series [meta-oe,1/7] libsodium: mark CVE-2025-69277 patched | expand

Commit Message

Gyorgy Sarvari March 17, 2026, 5:23 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3949

Backport the patch that is referenced by the NVD report (in the description)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../libheif/libheif/CVE-2026-3949.patch       | 50 +++++++++++++++++++
 .../libheif/libheif_1.21.2.bb                 |  4 +-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
diff mbox series

Patch

diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
new file mode 100644
index 0000000000..ef5d9c1ee4
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
@@ -0,0 +1,50 @@ 
+From cba59e7671a36a78e31c0490efe74ec226918580 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 24 Feb 2026 00:32:48 +0100
+Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712)
+
+CVE: CVE-2026-3949
+Upstream-Status: Backport [https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libheif/plugins/decoder_vvdec.cc | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc
+index 09515720..14b3e9fd 100644
+--- a/libheif/plugins/decoder_vvdec.cc
++++ b/libheif/plugins/decoder_vvdec.cc
+@@ -55,6 +55,7 @@ struct vvdec_decoder
+   std::string error_message;
+ };
+ 
++static const char kEmptyString[] = "";
+ static const char kSuccess[] = "Success";
+ 
+ static const int VVDEC_PLUGIN_PRIORITY = 100;
+@@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr
+ 
+   const auto* data = (const uint8_t*) frame_data;
+ 
++  if (frame_size < 4) {
++    return {
++      heif_error_Decoder_plugin_error,
++      heif_suberror_End_of_data,
++      kEmptyString
++    };
++  }
++
+   for (;;) {
+     uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]);
+ 
++    if (frame_size < 4 + size) {
++      return {
++        heif_error_Decoder_plugin_error,
++        heif_suberror_End_of_data,
++        kEmptyString
++      };
++    }
++
+     data += 4;
+ 
+     std::vector<uint8_t> nalu;
diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
index 7ccac771dc..ab29fa3b02 100644
--- a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
+++ b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
@@ -6,7 +6,9 @@  LICENSE_FLAGS = "commercial"
 
 COMPATIBLE_MACHINE:powerpc64le = "null"
 
-SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV}"
+SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV} \
+           file://CVE-2026-3949.patch \
+           "
 
 SRCREV = "62f1b8c76ed4d8305071fdacbe74ef9717bacac5"