From fb4ebd12001257d4ba0d88173c6bc5887e974f9b Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Tue, 5 May 2026 17:54:31 +0530
Subject: [PATCH] wireshark: fix for CVE-2025-13946

Pick patch from [1] also mentioned at NVD report in [2]

[1] https://gitlab.com/wireshark/wireshark/-/issues/20884
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13946
[3] https://security-tracker.debian.org/tracker/CVE-2025-13946

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
---
 .../wireshark/files/CVE-2025-13946.patch      | 51 +++++++++++++++++++
 .../wireshark/wireshark_4.2.14.bb             |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2025-13946.patch

diff --git a/meta-networking/recipes-support/wireshark/files/CVE-2025-13946.patch b/meta-networking/recipes-support/wireshark/files/CVE-2025-13946.patch
new file mode 100644
index 0000000000..40f5d316ad
--- /dev/null
+++ b/meta-networking/recipes-support/wireshark/files/CVE-2025-13946.patch
@@ -0,0 +1,51 @@
+From aba1fbe6266beb6bf9b887b6eab008e4f4841c9b Mon Sep 17 00:00:00 2001
+From: AndersBroman <a.broman58@gmail.com>
+Date: Mon, 1 Dec 2025 08:41:55 +0100
+Subject: MEGACO: Handle tvb_get_uint8 returning -1
+
+When dissecting a media descriptor, handle tvb_get_uint8 returning
+-1 when searching for a left or right bracket and not finding it
+by setting the bracket offset to the end offset so that the loop
+will exit. Leaving it at -1 can cause going backwards and at worst
+infinite loops.
+
+Fix #20884
+
+(cherry picked from commit aba1fbe6266beb6bf9b887b6eab008e4f4841c9b)
+
+Co-authored-by: John Thacker <johnthacker@gmail.com>
+origin: https://gitlab.com/wireshark/wireshark/-/merge_requests/22553
+
+
+CVE: CVE-2025-13946
+Upstream-Status: Backport [https://gitlab.com/wireshark/wireshark/-/commit/aba1fbe6266beb6bf9b887b6eab008e4f4841c9b]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ epan/dissectors/packet-megaco.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/epan/dissectors/packet-megaco.c b/epan/dissectors/packet-megaco.c
+index 327b849..abf2078 100644
+--- a/epan/dissectors/packet-megaco.c
++++ b/epan/dissectors/packet-megaco.c
+@@ -1775,8 +1775,15 @@ dissect_megaco_mediadescriptor(tvbuff_t *tvb, proto_tree *megaco_tree_command_li
+         mediaParm = find_megaco_mediaParm_names(tvb, tvb_current_offset, tokenlen);
+ 
+         tvb_LBRKT = tvb_find_guint8(tvb, tvb_next_offset , tvb_last_RBRKT, '{');
+-        tvb_next_offset = tvb_find_guint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
+-        tvb_RBRKT = tvb_next_offset;
++        if (tvb_LBRKT == -1) {
++            // Not found, use the end offset.
++            tvb_LBRKT = tvb_last_RBRKT;
++        }
++        tvb_RBRKT = tvb_find_guint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
++        if (tvb_RBRKT == -1) {
++            // Not found, use the end offset.
++            tvb_RBRKT = tvb_last_RBRKT;
++        }
+ 
+         switch ( mediaParm ){
+         case MEGACO_LOCAL_TOKEN:
+-- 
+2.50.1
+
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
index 559dd75fe0..1185804282 100644
--- a/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
+++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.14.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz
            file://CVE-2026-0962.patch \
            file://CVE-2026-3201.patch \
            file://CVE-2026-0960.patch \
+           file://CVE-2025-13946.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src/all-versions"