2 files changed, 53 insertions, 1 deletions
diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
new file mode 100644
index 0000000000..ef5d9c1ee4
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
@@ -0,0 +1,50 @@
+From cba59e7671a36a78e31c0490efe74ec226918580 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 24 Feb 2026 00:32:48 +0100
+Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712)
+CVE: CVE-2026-3949
+Upstream-Status: Backport [https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libheif/plugins/decoder_vvdec.cc | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc
+index 09515720..14b3e9fd 100644
+--- a/libheif/plugins/decoder_vvdec.cc
+++ b/libheif/plugins/decoder_vvdec.cc
+@@ -55,6 +55,7 @@ struct vvdec_decoder
+   std::string error_message;
+ };
+ 
+static const char kEmptyString[] = "";
+ static const char kSuccess[] = "Success";
+ 
+ static const int VVDEC_PLUGIN_PRIORITY = 100;
+@@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr
+ 
+   const auto* data = (const uint8_t*) frame_data;
+ 
+  if (frame_size < 4) {
+    return {
+      heif_error_Decoder_plugin_error,
+      heif_suberror_End_of_data,
+      kEmptyString
+    };
+  }
+
+   for (;;) {
+     uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]);
+ 
+    if (frame_size < 4 + size) {
+      return {
+        heif_error_Decoder_plugin_error,
+        heif_suberror_End_of_data,
+        kEmptyString
+      };
+    }
+
+     data += 4;
+ 
+     std::vector<uint8_t> nalu;
diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
index 7ccac771dc..ab29fa3b02 100644
--- a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
+++ b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
@@ -6,7 +6,9 @@ LICENSE_FLAGS = "commercial"
 COMPATIBLE_MACHINE:powerpc64le = "null"
-SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV}"
+SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV} \
+           file://CVE-2026-3949.patch \
+           "
 SRCREV = "62f1b8c76ed4d8305071fdacbe74ef9717bacac5"

diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch new file mode 100644 index 0000000000..ef5d9c1ee4 --- /dev/null +++ b/meta-multimedia/recipes-multimedia/libheif/libheif/CVE-2026-3949.patch
@@ -0,0 +1,50 @@
		1	From cba59e7671a36a78e31c0490efe74ec226918580 Mon Sep 17 00:00:00 2001
		2	From: Dirk Farin <dirk.farin@gmail.com>
		3	Date: Tue, 24 Feb 2026 00:32:48 +0100
		4	Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712)
		5
		6	CVE: CVE-2026-3949
		7	Upstream-Status: Backport [https://github.com/strukturag/libheif/commit/b97c8b5f198b27f375127cd597a35f2113544d03]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	libheif/plugins/decoder_vvdec.cc \| 17 +++++++++++++++++
		11	1 file changed, 17 insertions(+)
		12
		13	diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc
		14	index 09515720..14b3e9fd 100644
		15	--- a/libheif/plugins/decoder_vvdec.cc
		16	+++ b/libheif/plugins/decoder_vvdec.cc
		17	@@ -55,6 +55,7 @@ struct vvdec_decoder
		18	std::string error_message;
		19	};
		20
		21	+static const char kEmptyString[] = "";
		22	static const char kSuccess[] = "Success";
		23
		24	static const int VVDEC_PLUGIN_PRIORITY = 100;
		25	@@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr
		26
		27	const auto* data = (const uint8_t*) frame_data;
		28
		29	+ if (frame_size < 4) {
		30	+ return {
		31	+ heif_error_Decoder_plugin_error,
		32	+ heif_suberror_End_of_data,
		33	+ kEmptyString
		34	+ };
		35	+ }
		36	+
		37	for (;;) {
		38	uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]);
		39
		40	+ if (frame_size < 4 + size) {
		41	+ return {
		42	+ heif_error_Decoder_plugin_error,
		43	+ heif_suberror_End_of_data,
		44	+ kEmptyString
		45	+ };
		46	+ }
		47	+
		48	data += 4;
		49
		50	std::vector<uint8_t> nalu;


diff --git a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb index 7ccac771dc..ab29fa3b02 100644 --- a/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb +++ b/meta-multimedia/recipes-multimedia/libheif/libheif_1.21.2.bb
@@ -6,7 +6,9 @@ LICENSE_FLAGS = "commercial"
6		6
7	COMPATIBLE_MACHINE:powerpc64le = "null"	7	COMPATIBLE_MACHINE:powerpc64le = "null"
8		8
9	SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV}"	9	SRC_URI = "git://github.com/strukturag/libheif.git;protocol=https;branch=master;tag=v${PV} \
		10	file://CVE-2026-3949.patch \
		11	"
10		12
11	SRCREV = "62f1b8c76ed4d8305071fdacbe74ef9717bacac5"	13	SRCREV = "62f1b8c76ed4d8305071fdacbe74ef9717bacac5"
12		14