2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
new file mode 100644
index 0000000000..b8f0bc5781
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
@@ -0,0 +1,104 @@
+From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001
+From: Lynne <dev@lynne.ee>
+Date: Sat, 8 Feb 2025 04:35:31 +0100
+Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement
+The issue is that:
+float en[2];
+...
+tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+for (g = 0; g < tns->n_filt[w]; g++) {
+    tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
+When using the AAC Main profile, n_filt = 3, and slant is by
+default 2 (normal long frames), g can go above 1.
+en is the evolution of energy in the frequency domain for every
+band at the given window. E.g. whether the energy is concentrated
+at the top of each band, or the bottom.
+For 2-pole filters, its straightforward.
+For 3-pole filters, we need more than 2 measurements.
+This commit properly implements support for 3-pole filters, by measuring
+the band energy across three areas.
+Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
+n_filt == 3.
+Fixes https://trac.ffmpeg.org/ticket/11418
+CVE: CVE-2025-1594
+Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/aacenc_tns.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
+index 8dc6dfc..9ea3506 100644
+--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
+@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+                       sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
+     const int sfb_len = sfb_end - sfb_start;
+     const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
+    const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+     if (coef_len <= 0 || sfb_len <= 0) {
+         sce->tns.present = 0;
+@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+     }
+     for (w = 0; w < sce->ics.num_windows; w++) {
+-        float en[2] = {0.0f, 0.0f};
+       float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+         int oc_start = 0, os_start = 0;
+         int coef_start = sce->ics.swb_offset[sfb_start];
+-        for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+-            FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+-            if (g > sfb_start + (sfb_len/2))
+-                en[1] += band->energy;
+-            else
+-                en[0] += band->energy;
+       if (n_filt == 2) {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2))
+                        en[1] += band->energy; /* End */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[2] = en[0];
+        } else {
+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+                    if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+                        en[2] += band->energy; /* End */
+                    else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+                        en[1] += band->energy; /* Middle */
+                    else
+                        en[0] += band->energy; /* Start */
+            }
+            en[3] = en[0];
+         }
+         /* LPC */
+@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
+         if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH)
+             continue;
+-        tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+       tns->n_filt[w] = n_filt;
+         for (g = 0; g < tns->n_filt[w]; g++) {
+-            tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
+           tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+             tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
+             tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
+             quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 27a9a80e8c..a46cb3480a 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
           file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
+           file://CVE-2025-1594.patch \
          "
 SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch new file mode 100644 index 0000000000..b8f0bc5781 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
@@ -0,0 +1,104 @@
		1	From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001
		2	From: Lynne <dev@lynne.ee>
		3	Date: Sat, 8 Feb 2025 04:35:31 +0100
		4	Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement
		5
		6	The issue is that:
		7
		8	float en[2];
		9	...
		10	tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		11	for (g = 0; g < tns->n_filt[w]; g++) {
		12	tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
		13
		14	When using the AAC Main profile, n_filt = 3, and slant is by
		15	default 2 (normal long frames), g can go above 1.
		16
		17	en is the evolution of energy in the frequency domain for every
		18	band at the given window. E.g. whether the energy is concentrated
		19	at the top of each band, or the bottom.
		20
		21	For 2-pole filters, its straightforward.
		22	For 3-pole filters, we need more than 2 measurements.
		23
		24	This commit properly implements support for 3-pole filters, by measuring
		25	the band energy across three areas.
		26
		27	Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
		28	n_filt == 3.
		29
		30	Fixes https://trac.ffmpeg.org/ticket/11418
		31
		32	CVE: CVE-2025-1594
		33
		34	Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c]
		35
		36	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		37	---
		38	libavcodec/aacenc_tns.c \| 33 ++++++++++++++++++++++++---------
		39	1 file changed, 24 insertions(+), 9 deletions(-)
		40
		41	diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
		42	index 8dc6dfc..9ea3506 100644
		43	--- a/libavcodec/aacenc_tns.c
		44	+++ b/libavcodec/aacenc_tns.c
		45	@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		46	sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
		47	const int sfb_len = sfb_end - sfb_start;
		48	const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
		49	+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		50
		51	if (coef_len <= 0 \|\| sfb_len <= 0) {
		52	sce->tns.present = 0;
		53	@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		54	}
		55
		56	for (w = 0; w < sce->ics.num_windows; w++) {
		57	- float en[2] = {0.0f, 0.0f};
		58	+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
		59	int oc_start = 0, os_start = 0;
		60	int coef_start = sce->ics.swb_offset[sfb_start];
		61
		62	- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		63	- FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		64	- if (g > sfb_start + (sfb_len/2))
		65	- en[1] += band->energy;
		66	- else
		67	- en[0] += band->energy;
		68	+ if (n_filt == 2) {
		69	+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		70	+ FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		71	+ if (g > sfb_start + (sfb_len/2))
		72	+ en[1] += band->energy; /* End */
		73	+ else
		74	+ en[0] += band->energy; /* Start */
		75	+ }
		76	+ en[2] = en[0];
		77	+ } else {
		78	+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
		79	+ FFPsyBand band = &s->psy.ch[s->cur_channel].psy_bands[w16+g];
		80	+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
		81	+ en[2] += band->energy; /* End */
		82	+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
		83	+ en[1] += band->energy; /* Middle */
		84	+ else
		85	+ en[0] += band->energy; /* Start */
		86	+ }
		87	+ en[3] = en[0];
		88	}
		89
		90	/* LPC */
		91	@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext s, SingleChannelElement sce)
		92	if (!order \|\| !isfinite(gain) \|\| gain < TNS_GAIN_THRESHOLD_LOW \|\| gain > TNS_GAIN_THRESHOLD_HIGH)
		93	continue;
		94
		95	- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
		96	+ tns->n_filt[w] = n_filt;
		97	for (g = 0; g < tns->n_filt[w]; g++) {
		98	- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
		99	+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
		100	tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
		101	tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
		102	quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
		103	--
		104	2.40.0


diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb index 27a9a80e8c..a46cb3480a 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -52,6 +52,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \	52	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0001.patch \
53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \	53	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0002.patch \
54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \	54	file://CVE-2023-6602-CVE-2023-6604-CVE-2023-6605-0003.patch \
		55	file://CVE-2025-1594.patch \
55	"	56	"
56		57
57	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"	58	SRC_URI[sha256sum] = "04c70c377de233a4b217c2fdf76b19aeb225a287daeb2348bccd978c47b1a1db"