ffmpeg: fix CVE-2025-1594

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. (From OE-Core rev: 5a922eb95da7d373ee2bc3018065448fa128e69a) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-09-05 11:10:45 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-09-12 09:24:24 -0700
commit: 4f27d5ff829dbec6128cdb187ca76e621da13454 (patch)
tree: 482d0a119bd994bb89bb052c53ff25b571bf31f5
parent: e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c (diff)
download: poky-4f27d5ff829dbec6128cdb187ca76e621da13454.tar.gz
2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
new file mode 100644
index 0000000000..b8f0bc5781
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
@@ -0,0 +1,104 @@
+From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001
+From: Lynne <dev@lynne.ee>
+Date: Sat, 8 Feb 2025 04:35:31 +0100
+Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement
+The issue is that:
+float en[2];
+...
+tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+for (g = 0; g < tns->n_filt[w]; g++) {
+    tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
+When using the AAC Main profile, n_filt = 3, and slant is by
+default 2 (normal long frames), g can go above 1.
+en is the evolution of energy in the frequency domain for every
+band at the given window. E.g. whether the energy is concentrated
+at the top of each band, or the bottom.
+For 2-pole filters, its straightforward.
+For 3-pole filters, we need more than 2 measurements.
+This commit properly implements support for 3-pole filters, by measuring
+the band energy across three areas.
+Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
+n_filt == 3.
+Fixes https://trac.ffmpeg.org/ticket/11418
+CVE: CVE-2025-1594
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/aacenc_tns.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
+index 8dc6dfc..9ea3506 100644
+--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
+@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+                       sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
+     const int sfb_len = sfb_end - sfb_start;
+     const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
+    const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+     if (coef_len <= 0 || sfb_len <= 0) {
+         sce->tns.present = 0;
+@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+     }
+     for (w = 0; w < sce->ics.num_windows; w++) {
+-        float en[2] = {0.0f, 0.0f};
+       float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+         int oc_start = 0, os_start = 0;
+         int coef_start = sce->ics.swb_offset[sfb_start];
+-        for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+-            FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+-            if (g > sfb_start + (sfb_len/2))
+-                en[1] += band->energy;
+-            else
+-                en[0] += band->energy;
+       if (n_filt == 2) {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2))
+                        en[1] += band->energy; /* End */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[2] = en[0];
+        } else {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+                        en[2] += band->energy; /* End */
+                    else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+                        en[1] += band->energy; /* Middle */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[3] = en[0];
+         }
+         /* LPC */
+@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+         if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH)
+             continue;
+-        tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+       tns->n_filt[w] = n_filt;
+         for (g = 0; g < tns->n_filt[w]; g++) {
+-            tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
+           tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+             tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
+             tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
+             quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 27a9a80e8c..a46cb3480a 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
+           file://CVE-2025-1594.patch \
          "
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-09-05 11:10:45 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-09-12 09:24:24 -0700
commit	4f27d5ff829dbec6128cdb187ca76e621da13454 (patch)
tree	482d0a119bd994bb89bb052c53ff25b571bf31f5
parent	e9b1bb75ffed3870c37aa83108f2dc5eb9f1894c (diff)
download	poky-4f27d5ff829dbec6128cdb187ca76e621da13454.tar.gz

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch new file mode 100644 index 0000000000..b8f0bc5781 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
@@ -0,0 +1,104 @@
		1	From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001
		2	From: Lynne <dev@lynne.ee>
		3	Date: Sat, 8 Feb 2025 04:35:31 +0100
		4	Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement
		5
		6	The issue is that:
		7
		8	float en[2];
		9	...
		10	tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		11	for (g = 0; g < tns->n_filt[w]; g++) {
		12	tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
		13
		14	When using the AAC Main profile, n_filt = 3, and slant is by
		15	default 2 (normal long frames), g can go above 1.
		16
		17	en is the evolution of energy in the frequency domain for every
		18	band at the given window. E.g. whether the energy is concentrated
		19	at the top of each band, or the bottom.
		20
		21	For 2-pole filters, its straightforward.
		22	For 3-pole filters, we need more than 2 measurements.
		23
		24	This commit properly implements support for 3-pole filters, by measuring
		25	the band energy across three areas.
		26
		27	Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
		28	n_filt == 3.
		29
		30	Fixes https://trac.ffmpeg.org/ticket/11418
		31
		32	CVE: CVE-2025-1594
		33
		34	Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c]
		35
		36	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		37	---
		38	libavcodec/aacenc_tns.c \| 33 ++++++++++++++++++++++++---------
		39	1 file changed, 24 insertions(+), 9 deletions(-)
		40
		41	diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
		42	index 8dc6dfc..9ea3506 100644
		43	--- a/libavcodec/aacenc_tns.c
		44	+++ b/libavcodec/aacenc_tns.c
		45	@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		46	sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
		47	const int sfb_len = sfb_end - sfb_start;
		48	const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
		49	+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		50
		51	if (coef_len <= 0 \|\| sfb_len <= 0) {
		52	sce->tns.present = 0;
		53	@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		54	}
		55
		56	for (w = 0; w < sce->ics.num_windows; w++) {
		57	- float en[2] = {0.0f, 0.0f};
		58	+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
		59	int oc_start = 0, os_start = 0;
		60	int coef_start = sce->ics.swb_offset[sfb_start];
		61
		62	- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		63	- FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		64	- if (g > sfb_start + (sfb_len/2))
		65	- en[1] += band->energy;
		66	- else
		67	- en[0] += band->energy;
		68	+ if (n_filt == 2) {
		69	+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		70	+ FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		71	+ if (g > sfb_start + (sfb_len/2))
		72	+ en[1] += band->energy; /* End */
		73	+ else
		74	+ en[0] += band->energy; /* Start */
		75	+ }
		76	+ en[2] = en[0];
		77	+ } else {
		78	+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		79	+ FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		80	+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
		81	+ en[2] += band->energy; /* End */
		82	+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
		83	+ en[1] += band->energy; /* Middle */
		84	+ else
		85	+ en[0] += band->energy; /* Start */
		86	+ }
		87	+ en[3] = en[0];
		88	}
		89
		90	/* LPC */
		91	@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		92	if (!order \|\| !isfinite(gain) \|\| gain < TNS_GAIN_THRESHOLD_LOW \|\| gain > TNS_GAIN_THRESHOLD_HIGH)
		93	continue;
		94
		95	- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		96	+ tns->n_filt[w] = n_filt;
		97	for (g = 0; g < tns->n_filt[w]; g++) {
		98	- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
		99	+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
		100	tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
		101	tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
		102	quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
		103	--
		104	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 27a9a80e8c..a46cb3480a 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \	52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \	53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \	54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
		55	file://CVE-2025-1594.patch \
55	"	56	"
56		57
57	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"	58	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"