libavif: patch CVE-2025-48174

Details https://nvd.nist.gov/vuln/detail/CVE-2025-48174 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-06-13 17:39:57 +00:00 · 2025-12-09 08:02:33 +13:00
parent b7fd86557f
commit 91ea5aa570
5 changed files with 163 additions and 1 deletions
@@ -0,0 +1,27 @@
+From d9c933e79109becdbc6be9ddf9fbe00be03d533e Mon Sep 17 00:00:00 2001
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Fri, 18 Apr 2025 17:31:53 +0800
+Subject: [PATCH] Add integer overflow checks to makeRoom.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029]
+(cherry picked from commit e5fdefe7d1776e6c4cf1703c163a8c0535599029)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/stream.c b/src/stream.c
+index c85ca31b..70e8bfaa 100644
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -320,6 +320,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+     size_t neededSize = stream->offset + size;
+    if (neededSize < stream->offset) {
+        return AVIF_RESULT_INVALID_ARGUMENT;
+    }
+     size_t newSize = stream->raw->size;
+     while (newSize < neededSize) {
+         newSize += AVIF_STREAM_BUFFER_INCREMENT;
@@ -0,0 +1,31 @@
+From 5bd6529e7e729718ac2d164859965771466c8410 Mon Sep 17 00:00:00 2001
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Mon, 21 Apr 2025 10:45:59 +0800
+Subject: [PATCH] Add integer overflow check to makeRoom.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109]
+(cherry picked from commit 50a743062938a3828581d725facc9c2b92a1d109)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 70e8bfaa..893ba3f0 100644
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -319,10 +319,10 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+-    size_t neededSize = stream->offset + size;
+-    if (neededSize < stream->offset) {
+-        return AVIF_RESULT_INVALID_ARGUMENT;
+    if (size > SIZE_MAX - stream->offset) {
+        return  AVIF_RESULT_OUT_OF_MEMORY;
+     }
+    size_t neededSize = stream->offset + size;
+     size_t newSize = stream->raw->size;
+     while (newSize < neededSize) {
+         newSize += AVIF_STREAM_BUFFER_INCREMENT;
@@ -0,0 +1,27 @@
+From 0b0b88596f21821af605ed316e996739820d3b17 Mon Sep 17 00:00:00 2001
+From: "Danis Jiang (Yuhao Jiang)"
+ <43723722+DanisJiang@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 10:39:19 +0800
+Subject: [PATCH] Fix format errors
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11]
+(cherry picked from commit c9f1bea437f21cb78f9919c332922a3b0ba65e11)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 893ba3f0..b38c93c6 100644
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -320,7 +320,7 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+     if (size > SIZE_MAX - stream->offset) {
+-        return  AVIF_RESULT_OUT_OF_MEMORY;
+        return AVIF_RESULT_OUT_OF_MEMORY;
+     }
+     size_t neededSize = stream->offset + size;
+     size_t newSize = stream->raw->size;
@@ -0,0 +1,72 @@
+From 083ce38f549183a3d74a0a6d2dc4d3f4b195867f Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Sun, 27 Apr 2025 14:34:35 -0700
+Subject: [PATCH] Add another integer overflow check to makeRoom
+
+Replace the while loop with a formula in makeRoom.
+
+Test the integer overflow checks in makeRoom.
+
+See https://github.com/AOMediaCodec/libavif/pull/2768.
+
+CVE: CVE-2025-48174
+Upstream-Status: Backport [https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad]
+(cherry picked from commit 32eae7c5c1e72d9999cb31d02e333b6a76029bad)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/stream.c                  | 16 +++++++++-------
+ tests/gtest/avifstreamtest.cc | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index b38c93c6..e79e9691 100644
+--- a/src/stream.c
+++ b/src/stream.c
+@@ -319,14 +319,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+-    if (size > SIZE_MAX - stream->offset) {
+-        return AVIF_RESULT_OUT_OF_MEMORY;
+-    }
+-    size_t neededSize = stream->offset + size;
+-    size_t newSize = stream->raw->size;
+-    while (newSize < neededSize) {
+-        newSize += AVIF_STREAM_BUFFER_INCREMENT;
+    AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY);
+    size_t newSize = stream->offset + size;
+    if (newSize <= stream->raw->size) {
+        return AVIF_RESULT_OK;
+     }
+    // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT.
+    size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT;
+    size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem;
+    AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY);
+    newSize += padding;
+     return avifRWDataRealloc(stream->raw, newSize);
+ }
+ 
+diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc
+index af94bb82..e768939b 100644
+--- a/tests/gtest/avifstreamtest.cc
+++ b/tests/gtest/avifstreamtest.cc
+@@ -204,6 +204,19 @@ TEST(StreamTest, Roundtrip) {
+   EXPECT_FALSE(avifROStreamSkip(&ro_stream, /*byteCount=*/1));
+ }
+ 
+// Test the overflow checks in the makeRoom() function in src/stream.c.
+TEST(StreamTest, OverflowChecksInMakeRoom) {
+  testutil::AvifRwData rw_data;
+  avifRWStream rw_stream;
+  avifRWStreamStart(&rw_stream, &rw_data);
+  const char ten_bytes[10] = {0};
+  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK);
+  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9),
+            AVIF_RESULT_OUT_OF_MEMORY);
+  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10),
+            AVIF_RESULT_OUT_OF_MEMORY);
+}
+
+ //------------------------------------------------------------------------------
+ 
+ }  // namespace
@@ -4,7 +4,12 @@ SECTION = "libs"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c528b75b07425b5c1d2e34de98c397b5"

-SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x"
+SRC_URI = "git://github.com/AOMediaCodec/libavif.git;protocol=https;branch=v1.0.x \
+           file://CVE-2025-48174_1.patch \
+           file://CVE-2025-48174_2.patch \
+           file://CVE-2025-48174_3.patch \
+           file://CVE-2025-48174_4.patch \
+"

 S = "${WORKDIR}/git"
 SRCREV = "d1c26facaf5a8a97919ceee06814d05d10e25622"