fluidsynth: patch CVE-2025-56225

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-56225 Pick the PR content referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-19 19:43:43 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-30 18:59:28 +0100
commit: 680570c8b69097d3de0b162b76f0f889c57ab09f (patch)
tree: 74eadbb17af1a73a8a0fadb268f62b82972c95a2 /meta-multimedia/recipes-multimedia
parent: f1cfd1ec5daa1148166fed8c8d83f0b731e18edd (diff)
download: meta-openembedded-680570c8b69097d3de0b162b76f0f889c57ab09f.tar.gz
2 files changed, 28 insertions, 1 deletions
diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
index a4590d61a9..17439e570a 100644
--- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
+++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
@@ -4,7 +4,9 @@ SECTION = "libs/multimedia"
 LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594"
-SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https \
+           file://CVE-2025-56225.patch \
+"
 SRCREV = "8b00644751578ba67b709a827cbe5133d849d339"
 S = "${WORKDIR}/git"
 PV = "2.2.6"
diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch
new file mode 100644
index 0000000000..a1de14ca19
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch
@@ -0,0 +1,25 @@
+From 18ab31c1dad215188edf2bedc78be98a32492ec9 Mon Sep 17 00:00:00 2001
+From: "Tom M." <tom.mbrt@googlemail.com>
+Date: Mon, 14 Jul 2025 18:13:38 +0200
+Subject: [PATCH] Fix a nullpointer dereference during legato mode (#1607)
+CVE: CVE-2025-56225
+Upstream-Status: Backport [https://github.com/FluidSynth/fluidsynth/commit/45f2a79f4265dcc4f98cfbafdb10727fb1c0d411]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/synth/fluid_synth_monopoly.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/synth/fluid_synth_monopoly.c b/src/synth/fluid_synth_monopoly.c
+index d1de1319..6e6e2a90 100644
+--- a/src/synth/fluid_synth_monopoly.c
+++ b/src/synth/fluid_synth_monopoly.c
+@@ -410,7 +410,7 @@ int fluid_synth_noteoff_mono_LOCAL(fluid_synth_t *synth, int chan, int key)
+                 fluid_channel_breath_msb(channel))
+         {
+             /* legato playing detection */
+-            if(channel->mode  & FLUID_CHANNEL_LEGATO_PLAYING)
+            if (channel->mode & FLUID_CHANNEL_LEGATO_PLAYING && channel->preset != NULL)
+             {
+                 /* the list contains others notes */
+                 if(i_prev >= 0)
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-19 19:43:43 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-30 18:59:28 +0100
commit	680570c8b69097d3de0b162b76f0f889c57ab09f (patch)
tree	74eadbb17af1a73a8a0fadb268f62b82972c95a2 /meta-multimedia/recipes-multimedia
parent	f1cfd1ec5daa1148166fed8c8d83f0b731e18edd (diff)
download	meta-openembedded-680570c8b69097d3de0b162b76f0f889c57ab09f.tar.gz

diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc index a4590d61a9..17439e570a 100644 --- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc +++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc
@@ -4,7 +4,9 @@ SECTION = "libs/multimedia"
4	LICENSE = "LGPL-2.1-only"	4	LICENSE = "LGPL-2.1-only"
5	LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594"	5	LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594"
6		6
7	SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https"	7	SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https \
		8	file://CVE-2025-56225.patch \
		9	"
8	SRCREV = "8b00644751578ba67b709a827cbe5133d849d339"	10	SRCREV = "8b00644751578ba67b709a827cbe5133d849d339"
9	S = "${WORKDIR}/git"	11	S = "${WORKDIR}/git"
10	PV = "2.2.6"	12	PV = "2.2.6"


diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch new file mode 100644 index 0000000000..a1de14ca19 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth/CVE-2025-56225.patch
@@ -0,0 +1,25 @@
		1	From 18ab31c1dad215188edf2bedc78be98a32492ec9 Mon Sep 17 00:00:00 2001
		2	From: "Tom M." <tom.mbrt@googlemail.com>
		3	Date: Mon, 14 Jul 2025 18:13:38 +0200
		4	Subject: [PATCH] Fix a nullpointer dereference during legato mode (#1607)
		5
		6	CVE: CVE-2025-56225
		7	Upstream-Status: Backport [https://github.com/FluidSynth/fluidsynth/commit/45f2a79f4265dcc4f98cfbafdb10727fb1c0d411]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	src/synth/fluid_synth_monopoly.c \| 2 +-
		11	1 file changed, 1 insertion(+), 1 deletion(-)
		12
		13	diff --git a/src/synth/fluid_synth_monopoly.c b/src/synth/fluid_synth_monopoly.c
		14	index d1de1319..6e6e2a90 100644
		15	--- a/src/synth/fluid_synth_monopoly.c
		16	+++ b/src/synth/fluid_synth_monopoly.c
		17	@@ -410,7 +410,7 @@ int fluid_synth_noteoff_mono_LOCAL(fluid_synth_t *synth, int chan, int key)
		18	fluid_channel_breath_msb(channel))
		19	{
		20	/* legato playing detection */
		21	- if(channel->mode & FLUID_CHANNEL_LEGATO_PLAYING)
		22	+ if (channel->mode & FLUID_CHANNEL_LEGATO_PLAYING && channel->preset != NULL)
		23	{
		24	/* the list contains others notes */
		25	if(i_prev >= 0)