libde265: patch CVE-2022-1253

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-1253 Pick the patch from the nvd report. The patch is only partially backported, because part of the vulnerable code was introuced only in a later version. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-20 11:38:34 +00:00 · 2025-11-28 21:18:32 +01:00
parent 7965aa0704
commit 91c15953c0
2 changed files with 37 additions and 1 deletions
--- a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2022-1253.patch
@@ -0,0 +1,34 @@
+From 4dcc28a63e12a6cc8b99bc8e96c5c764fc7a8f1d Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 09:52:57 +0200
+Subject: [PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
+
+CVE: CVE-2022-1253
+Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8]
+
+This is a partial backport of the linked commit. The vulnerability impacted
+two parts of the code, however one part, which deals with HRD parameters
+was only introduced in a later version (1.0.8), and is not present in
+the Kirkstone version yet (1.0.5).
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libde265/sps.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libde265/sps.cc b/libde265/sps.cc
+index 476cdbb..37bde7b 100644
+--- a/libde265/sps.cc
+++ b/libde265/sps.cc
+@@ -425,7 +425,10 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
+ 
+   vui_parameters_present_flag = get_bits(br,1);
+   if (vui_parameters_present_flag) {
+-    vui.read(errqueue, br, this);
+    de265_error err = vui.read(errqueue, br, this);
+    if (err) {
+      return err;
+    }
+   }
+ 
+ 
--- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb
@@ -8,7 +8,9 @@ LICENSE = "LGPL-3.0-only & MIT"
 LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"

-SRC_URI = "https://github.com/strukturag/libde265/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/strukturag/libde265/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+           file://CVE-2022-1253.patch \
+           "
 SRC_URI[sha256sum] = "e3f277d8903408615a5cc34718b391b83c97c646faea4f41da93bac5ee08a87f"

 EXTRA_OECONF = "--disable-sherlock265 --disable-dec265"