ffmpeg: fix CVE-2025-7700

NULL Pointer Dereference in FFmpeg ALS Decoder (libavcodec/alsdec.c) (From OE-Core rev: a8344e051e4c705df69f4787726a9eca5c780eff) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-09-05 11:10:43 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-09-12 09:24:24 -0700
commit: 4415ab156050df66020ac4c79ec99b42cbc3b102 (patch)
tree: 3242c9b5f1bcf24b12df8be365031e98371d38aa
parent: 69d52fa539d7b0f0c62379c010c846d40c09d4ee (diff)
download: poky-4415ab156050df66020ac4c79ec99b42cbc3b102.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
new file mode 100644
index 0000000000..758e38a0b1
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
@@ -0,0 +1,52 @@
+From aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Thu, 10 Jul 2025 16:26:39 +0000
+Subject: [PATCH] libavcodec/alsdec.c: Add check for av_malloc_array() and
+ av_calloc()
+Add check for the return value of av_malloc_array() and av_calloc()
+to avoid potential NULL pointer dereference.
+Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+CVE: CVE-2025-7700
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/alsdec.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index 9c3be4e..ba85973 100644
+--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
+@@ -2115,8 +2115,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
+         ctx->nbits  = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
+         ctx->mlz    = av_mallocz(sizeof(*ctx->mlz));
+-        if (!ctx->mlz || !ctx->acf || !ctx->shift_value || !ctx->last_shift_value
+-            || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
+        if (!ctx->larray || !ctx->nbits || !ctx->mlz || !ctx->acf || !ctx->shift_value
+            || !ctx->last_shift_value || !ctx->last_acf_mantissa || !ctx->raw_mantissa) {
+             av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
+             ret = AVERROR(ENOMEM);
+             goto fail;
+@@ -2127,6 +2127,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
+         for (c = 0; c < avctx->channels; ++c) {
+             ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa));
+            if (!ctx->raw_mantissa[c]) {
+                av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
+                return AVERROR(ENOMEM);
+           }
+         }
+     }
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 8da11f196d..f205c4a5db 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2025-25473.patch \
           file://CVE-2025-22919.patch \
           file://CVE-2025-22921.patch \
+           file://CVE-2025-7700.patch \
          "
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-09-05 11:10:43 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-09-12 09:24:24 -0700
commit	4415ab156050df66020ac4c79ec99b42cbc3b102 (patch)
tree	3242c9b5f1bcf24b12df8be365031e98371d38aa
parent	69d52fa539d7b0f0c62379c010c846d40c09d4ee (diff)
download	poky-4415ab156050df66020ac4c79ec99b42cbc3b102.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch new file mode 100644 index 0000000000..758e38a0b1 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-7700.patch
@@ -0,0 +1,52 @@
		1	From aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e Mon Sep 17 00:00:00 2001
		2	From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
		3	Date: Thu, 10 Jul 2025 16:26:39 +0000
		4	Subject: [PATCH] libavcodec/alsdec.c: Add check for av_malloc_array() and
		5	av_calloc()
		6
		7	Add check for the return value of av_malloc_array() and av_calloc()
		8	to avoid potential NULL pointer dereference.
		9
		10	Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding")
		11	Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
		12	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		13	(cherry picked from commit 35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07)
		14	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		15
		16	CVE: CVE-2025-7700
		17
		18	Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e]
		19
		20	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		21	---
		22	libavcodec/alsdec.c \| 8 ++++++--
		23	1 file changed, 6 insertions(+), 2 deletions(-)
		24
		25	diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
		26	index 9c3be4e..ba85973 100644
		27	--- a/libavcodec/alsdec.c
		28	+++ b/libavcodec/alsdec.c
		29	@@ -2115,8 +2115,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
		30	ctx->nbits = av_malloc_array(ctx->cur_frame_length, sizeof(*ctx->nbits));
		31	ctx->mlz = av_mallocz(sizeof(*ctx->mlz));
		32
		33	- if (!ctx->mlz \|\| !ctx->acf \|\| !ctx->shift_value \|\| !ctx->last_shift_value
		34	- \|\| !ctx->last_acf_mantissa \|\| !ctx->raw_mantissa) {
		35	+ if (!ctx->larray \|\| !ctx->nbits \|\| !ctx->mlz \|\| !ctx->acf \|\| !ctx->shift_value
		36	+ \|\| !ctx->last_shift_value \|\| !ctx->last_acf_mantissa \|\| !ctx->raw_mantissa) {
		37	av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
		38	ret = AVERROR(ENOMEM);
		39	goto fail;
		40	@@ -2127,6 +2127,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
		41
		42	for (c = 0; c < avctx->channels; ++c) {
		43	ctx->raw_mantissa[c] = av_calloc(ctx->cur_frame_length, sizeof(**ctx->raw_mantissa));
		44	+ if (!ctx->raw_mantissa[c]) {
		45	+ av_log(avctx, AV_LOG_ERROR, "Allocating buffer memory failed.\n");
		46	+ return AVERROR(ENOMEM);
		47	+ }
		48	}
		49	}
		50
		51	--
		52	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 8da11f196d..f205c4a5db 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
48	file://CVE-2025-25473.patch \	48	file://CVE-2025-25473.patch \
49	file://CVE-2025-22919.patch \	49	file://CVE-2025-22919.patch \
50	file://CVE-2025-22921.patch \	50	file://CVE-2025-22921.patch \
		51	file://CVE-2025-7700.patch \
51	"	52	"
52		53
53	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"	54	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"