Diffstat (limited to 'meta-multimedia/recipes-multimedia')
-rw-r--r--meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch84
-rw-r--r--meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb1
-rw-r--r--meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb3
-rw-r--r--meta-multimedia/recipes-multimedia/vlc/vlc_3.0.17.4.bb3
4 files changed, 91 insertions, 0 deletions
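--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
@@ -0,0 +1,84 @@
+From 3ca0ece7aac301be40e34c004d7182b9d701d6ae Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 9 Sep 2025 15:14:05 +0200
+Subject: [PATCH] check for valid integer command line parameters (#484)
+
+OE comment:
+This is a partial backport of the below mentioned patch, without raising
+the required c++ standard.
+
+CVE: CVE-2025-61147
+Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ dec265/dec265.cc | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/dec265/dec265.cc b/dec265/dec265.cc
+index 9309465..dcd0183 100644
+--- a/dec265/dec265.cc
++++ b/dec265/dec265.cc
+@@ -27,6 +27,9 @@
+ #define DO_MEMORY_LOGGING 0
+
+ #include "de265.h"
++#include <stdexcept>
++#include <iostream>
++
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+ #endif
+@@ -557,6 +560,32 @@ void (*volatile __malloc_initialize_hook)(void) = init_my_hooks;
+ #endif
+ #endif
+
++int parse_param(const char* arg, int lower_bound, const char* arg_name){
++ int value;
++
++ try {
++ size_t len;
++ value = std::stoi(optarg, &len);
++ if (arg[len] != 0) {
++ std::cerr << "invalid argument to " << arg_name << "\n";
++ exit(5);
++ }
++ } catch (std::invalid_argument const& ex) {
++ std::cerr << "invalid argument to " << arg_name << "\n";
++ exit(5);
++ }
++ catch (std::out_of_range const& ex) {
++ std::cerr << "argument to -T is out of range\n";
++ exit(5);
++ }
++
++ if (value < lower_bound) {
++ std::cerr << "argument to " << arg_name << " may not be smaller than " << lower_bound << "\n";
++ exit(5);
++ }
++
++ return value;
++}
+
+ int main(int argc, char** argv)
+ {
+@@ -573,9 +602,9 @@ int main(int argc, char** argv)
+
+ switch (c) {
+ case 'q': quiet++; break;
+- case 't': nThreads=atoi(optarg); break;
++ case 't': nThreads=parse_param(optarg, 0, "-t"); break;
+ case 'c': check_hash=true; break;
+- case 'f': max_frames=atoi(optarg); break;
++ case 'f': max_frames=parse_param(optarg, 1, "-f"); break;
+ case 'o': write_yuv=true; output_filename=optarg; break;
+ case 'h': show_help=true; break;
+ case 'd': dump_headers=true; break;
+@@ -587,7 +616,7 @@ int main(int argc, char** argv)
+ case 'm': measure_quality=true; reference_filename=optarg; break;
+ case 's': show_ssim_map=true; break;
+ case 'e': show_psnr_map=true; break;
+- case 'T': highestTID=atoi(optarg); break;
++ case 'T': highestTID = parse_param(optarg, 0, "-T"); break;
+ case 'v': verbosity++; break;
+ }
+ }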
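Review bot: In the embedded `parse_param`, the conversion reads the global `optarg` (`value = std::stoi(optarg, &len);`) while the trailing-character check indexes the `arg` parameter, so the helper validates correctly only because all three call sites pass `optarg`; the call should be `value = std::stoi(arg, &len);`. The `std::out_of_range` handler also prints a hard-coded `-T`, which misreports an oversized `-t` or `-f` value; `std::cerr << "argument to " << arg_name << " is out of range\n";` keeps the message accurate. Only a lower bound is enforced, so whether very large `-t` or `-T` values are handled safely further down in `main` is not visible from these hunks and is worth confirming. Since this file is a backport, any deviation from the upstream commit should be recorded in the OE comment.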
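--- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.5.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"
 
 SRC_URI = "https://github.com/strukturag/libde265/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
  file://CVE-2022-1253.patch \
+ file://CVE-2025-61147.patch \
  "
 SRC_URI[sha256sum] = "e3f277d8903408615a5cc34718b391b83c97c646faea4f41da93bac5ee08a87f"
 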
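--- a/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb
+++ b/meta-multimedia/recipes-multimedia/streamripper/streamripper_1.64.6.bb
@@ -30,3 +30,6 @@ EXTRA_OECONF += "\
 
 # the included argv library needs this
 CPPFLAGS:append = " -DANSI_PROTOTYPES"
+
+# cpe-incorrect: the vulnerability is about a Windows frontend, not the CLI
+CVE_CHECK_IGNORE = "CVE-2020-37065"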
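Review bot: The added line assigns `CVE_CHECK_IGNORE` with `=`, which replaces whatever the variable already holds when this recipe is parsed, whereas the vlc recipe in this same commit appends with `+=`. Unless dropping earlier entries is intended, `CVE_CHECK_IGNORE += "CVE-2020-37065"` is the safer form and keeps the two recipes consistent, so an ignore list set elsewhere is not silently lost from the CVE report for this package.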
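--- a/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.17.4.bb
+++ b/meta-multimedia/recipes-multimedia/vlc/vlc_3.0.17.4.bb
@@ -130,3 +130,6 @@ FILES:${PN}-staticdev += "\
 INSANE_SKIP:${PN} = "dev-so"
 
 EXCLUDE_FROM_WORLD = "${@bb.utils.contains("LICENSE_FLAGS_ACCEPTED", "commercial", "0", "1", d)}"
+
+# Android specific CVEs
+CVE_CHECK_IGNORE += "CVE-2026-26227 CVE-2026-26228"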