From a84d3730851c391aa7fdb02eadd129395ca54060 Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari <skandigraun@gmail.com>
Date: Thu, 16 Oct 2025 11:32:39 +0200
Subject: [PATCH] faad2: patch CVE-2021-32272

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32272

Pick the patch that is mentioned in the ncv report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...ix-heap-buffer-overflow-in-mp4read.c.patch | 37 +++++++++++++++++++
 .../recipes-multimedia/faad2/faad2_2.8.8.bb   |  4 +-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-multimedia/faad2/faad2/0001-fix-heap-buffer-overflow-in-mp4read.c.patch

diff --git a/meta-oe/recipes-multimedia/faad2/faad2/0001-fix-heap-buffer-overflow-in-mp4read.c.patch b/meta-oe/recipes-multimedia/faad2/faad2/0001-fix-heap-buffer-overflow-in-mp4read.c.patch
new file mode 100644
index 0000000000..c739e82fb0
--- /dev/null
+++ b/meta-oe/recipes-multimedia/faad2/faad2/0001-fix-heap-buffer-overflow-in-mp4read.c.patch
@@ -0,0 +1,37 @@
+From 57850acf9d40fc2898ded492b9ce942110d0c426 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Mon, 31 Aug 2020 10:00:37 +0200
+Subject: [PATCH] fix heap-buffer-overflow in mp4read.c
+
+This originated from an integer overflow: If mp4config.frame.ents
+would be read-in with a value of (uint32t)(-1), it would overflow to 0
+in the size calculation for the allocation in the next line. The
+malloc() function would then successfully return a pointer to a memory
+region of size 0, which will cause a segfault when written to.
+
+Fixes #57.
+
+CVE: CVE-2021-32272
+Upstream-Status: Backport [https://github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ frontend/mp4read.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/frontend/mp4read.c b/frontend/mp4read.c
+index 9767383..5dc36b7 100644
+--- a/frontend/mp4read.c
++++ b/frontend/mp4read.c
+@@ -340,7 +340,10 @@ static int stszin(int size)
+     // Number of entries
+     mp4config.frame.ents = u32in();
+     // fixme error checking
+-    // fixme: check atom size
++
++    if (!(mp4config.frame.ents + 1))
++        return ERR_FAIL;
++
+     mp4config.frame.data = malloc(sizeof(*mp4config.frame.data)
+                                   * (mp4config.frame.ents + 1));
+     ofs = 0;
diff --git a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
index 56d5e1201e..d70c18f43d 100644
--- a/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
+++ b/meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=381c8cbe277a7bc1ee2ae6083a04c958"
 
 LICENSE_FLAGS = "commercial"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
+           file://0001-fix-heap-buffer-overflow-in-mp4read.c.patch \
+           "
 SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
 SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"