openh264: patch CVE-2025-27091

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27091 The advisory confirms that the bug was fixed in v2.6.0. When looking at the relevant Github advisory[1], it mentions the name of the implementer. Pick the patch that was included in this release, created by the mentioned Github account and isn't only a cosmetic or build-system change. [1]: https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-16 20:40:04 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-17 15:37:59 +0100
commit: 5c3e0fc51613e6de2bf5bfeb7a83fb93dde3afde (patch)
tree: b6ec0ecab2127d6f97e8b60b27c5c3b461bd3e00 /meta-multimedia/recipes-multimedia
parent: 94f3cecaaedd02cbcfe665fce015dd52dc74ce19 (diff)
download: meta-openembedded-5c3e0fc51613e6de2bf5bfeb7a83fb93dde3afde.tar.gz
2 files changed, 28 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch
new file mode 100644
index 0000000000..5a3c900e38
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch
@@ -0,0 +1,27 @@
+From 4e82ae10b594d87da2a7884c2de850857931c78f Mon Sep 17 00:00:00 2001
+From: BenzhengZhang <140143892+BenzhengZhang@users.noreply.github.com>
+Date: Thu, 19 Dec 2024 17:12:42 +0800
+Subject: [PATCH] Potential bug fix (#3818)
+CVE: CVE-2025-27091
+Upstream-Status: Backport [https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ codec/decoder/core/src/decoder.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/codec/decoder/core/src/decoder.cpp b/codec/decoder/core/src/decoder.cpp
+index 3b38032a..b971f12f 100644
+--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
+@@ -844,6 +844,10 @@ int32_t WelsDecodeBs (PWelsDecoderContext pCtx, const uint8_t* kpBsBuf, const in
+             return pCtx->iErrorCode;
+           }
+ 
+          if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & dsDataErrorConcealed)) {
+              return pCtx->iErrorCode;
+          }
+
+           pDstNal += (iDstIdx + 4); //init, increase 4 reserved zero bytes, used to store the next NAL
+           if ((iSrcLength - iSrcConsumed + 4) > (pRawData->pEnd - pDstNal)) {
+             pDstNal = pRawData->pCurPos = pRawData->pHead;
diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb
index aababb6684..113dbf1bba 100644
--- a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb
+++ b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb
@@ -15,6 +15,7 @@ SRCREV = "50a1fcf70fafe962c526749991cb4646406933ba"
 BRANCH = "openh264v2.1.1"
 SRC_URI = "git://github.com/cisco/openh264.git;protocol=https;branch=${BRANCH} \
           file://0001-Makefile-Use-cp-options-to-preserve-file-mode.patch \
+           file://CVE-2025-27091.patch \
           "
 COMPATIBLE_MACHINE:armv7a = "(.*)"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-16 20:40:04 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-17 15:37:59 +0100
commit	5c3e0fc51613e6de2bf5bfeb7a83fb93dde3afde (patch)
tree	b6ec0ecab2127d6f97e8b60b27c5c3b461bd3e00 /meta-multimedia/recipes-multimedia
parent	94f3cecaaedd02cbcfe665fce015dd52dc74ce19 (diff)
download	meta-openembedded-5c3e0fc51613e6de2bf5bfeb7a83fb93dde3afde.tar.gz

diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch new file mode 100644 index 0000000000..5a3c900e38 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/openh264/openh264/CVE-2025-27091.patch
@@ -0,0 +1,27 @@
		1	From 4e82ae10b594d87da2a7884c2de850857931c78f Mon Sep 17 00:00:00 2001
		2	From: BenzhengZhang <140143892+BenzhengZhang@users.noreply.github.com>
		3	Date: Thu, 19 Dec 2024 17:12:42 +0800
		4	Subject: [PATCH] Potential bug fix (#3818)
		5
		6	CVE: CVE-2025-27091
		7	Upstream-Status: Backport [https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	codec/decoder/core/src/decoder.cpp \| 4 ++++
		11	1 file changed, 4 insertions(+)
		12
		13	diff --git a/codec/decoder/core/src/decoder.cpp b/codec/decoder/core/src/decoder.cpp
		14	index 3b38032a..b971f12f 100644
		15	--- a/codec/decoder/core/src/decoder.cpp
		16	+++ b/codec/decoder/core/src/decoder.cpp
		17	@@ -844,6 +844,10 @@ int32_t WelsDecodeBs (PWelsDecoderContext pCtx, const uint8_t* kpBsBuf, const in
		18	return pCtx->iErrorCode;
		19	}
		20
		21	+ if (pCtx->iErrorCode != ERR_NONE && !(pCtx->iErrorCode & dsDataErrorConcealed)) {
		22	+ return pCtx->iErrorCode;
		23	+ }
		24	+
		25	pDstNal += (iDstIdx + 4); //init, increase 4 reserved zero bytes, used to store the next NAL
		26	if ((iSrcLength - iSrcConsumed + 4) > (pRawData->pEnd - pDstNal)) {
		27	pDstNal = pRawData->pCurPos = pRawData->pHead;


diff --git a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb index aababb6684..113dbf1bba 100644 --- a/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb +++ b/meta-multimedia/recipes-multimedia/openh264/openh264_2.1.1.bb
@@ -15,6 +15,7 @@ SRCREV = "50a1fcf70fafe962c526749991cb4646406933ba"
15	BRANCH = "openh264v2.1.1"	15	BRANCH = "openh264v2.1.1"
16	SRC_URI = "git://github.com/cisco/openh264.git;protocol=https;branch=${BRANCH} \	16	SRC_URI = "git://github.com/cisco/openh264.git;protocol=https;branch=${BRANCH} \
17	file://0001-Makefile-Use-cp-options-to-preserve-file-mode.patch \	17	file://0001-Makefile-Use-cp-options-to-preserve-file-mode.patch \
		18	file://CVE-2025-27091.patch \
18	"	19	"
19		20
20	COMPATIBLE_MACHINE:armv7a = "(.*)"	21	COMPATIBLE_MACHINE:armv7a = "(.*)"