mirror of
https://git.yoctoproject.org/poky
synced 2026-03-19 13:49:41 +01:00
ffmpeg: fix CVE-2025-7700
NULL Pointer Dereference in FFmpeg ALS Decoder (libavcodec/alsdec.c) (From OE-Core rev: a8344e051e4c705df69f4787726a9eca5c780eff) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
committed by
Steve Sakoman
Steve Sakoman
parent
69d52fa539
commit
4415ab1560
52
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
Normal file
52
meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
Normal file
@@ -0,0 +1,52 @@
|
||||
From aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e Mon Sep 17 00:00:00 2001
|
||||
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
|
||||
Date: Thu, 10 Jul 2025 16:26:39 +0000
|
||||
Subject: [PATCH] libavcodec/alsdec.c: Add check for av_malloc_array() and
|
||||
av_calloc()
|
||||
|
||||
Add check for the return value of av_malloc_array() and av_calloc()
|
||||
to avoid potential NULL pointer dereference.
|
||||
|
||||
Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding")
|
||||
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
|
||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
||||
(cherry picked from commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07)
|
||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
||||
|
||||
CVE: CVE-2025-7700
|
||||
|
||||
Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e]
|
||||
|
||||
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||
---
|
||||
libavcodec/alsdec.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
|
||||
index 9c3be4e..ba85973 100644
|
||||
--- a/libavcodec/alsdec.c
|
||||
+++ b/libavcodec/alsdec.c
|
||||
@@ -2115,8 +2115,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
|
||||
ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
|
||||
ctx->mlz = av_mallocz(sizeof(*ctx->mlz));
|
||||
|
||||
- if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value
|
||||
- || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
|
||||
+ if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value
|
||||
+ || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
|
||||
av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
|
||||
ret = AVERROR(ENOMEM);
|
||||
goto fail;
|
||||
@@ -2127,6 +2127,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
|
||||
|
||||
for (c = 0; c < avctx->channels; ++c) {
|
||||
ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa));
|
||||
+ if (!ctx->raw_mantissa[c]) {
|
||||
+ av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
|
||||
+ return AVERROR(ENOMEM);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.40.0
|
||||
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
|
||||
file://CVE-2025-25473.patch \
|
||||
file://CVE-2025-22919.patch \
|
||||
file://CVE-2025-22921.patch \
|
||||
file://CVE-2025-7700.patch \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"
|
||||
|
||||
Reference in New Issue
Block a user