From: Peter Marko Date: Mon, 27 Oct 2025 21:38:00 +0000 (+0100) Subject: lz4: patch CVE-2025-62813 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=02ddc794e2378dae2dbc9fc9f371739cd07937ac;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git lz4: patch CVE-2025-62813 Pick commit mentioned in NVD report. Signed-off-by: Peter Marko Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch b/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch new file mode 100644 index 00000000000..4fa0373ff77 --- /dev/null +++ b/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch @@ -0,0 +1,69 @@ +From f64efec011c058bd70348576438abac222fe6c82 Mon Sep 17 00:00:00 2001 +From: louislafosse +Date: Mon, 31 Mar 2025 20:48:52 +0200 +Subject: [PATCH] fix(null) : improve error handlings when passing a null + pointer to some functions from lz4frame + +CVE: CVE-2025-62813 +Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82] +Signed-off-by: Peter Marko +--- + lib/lz4frame.c | 15 +++++++++++++-- + tests/frametest.c | 9 ++++++--- + 2 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/lib/lz4frame.c b/lib/lz4frame.c +index 85daca7b..c9e4a3cf 100644 +--- a/lib/lz4frame.c ++++ b/lib/lz4frame.c +@@ -539,9 +539,16 @@ LZ4F_CDict* + LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize) + { + const char* dictStart = (const char*)dictBuffer; +- LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ LZ4F_CDict* cdict = NULL; ++ + DEBUGLOG(4, "LZ4F_createCDict_advanced"); +- if (!cdict) return NULL; ++ ++ if (!dictStart) ++ return NULL; ++ cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem); ++ if (!cdict) ++ return NULL; ++ + cdict->cmem = cmem; + if (dictSize > 64 KB) { + dictStart += dictSize - 64 KB; +@@ -1486,6 +1493,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx, + LZ4F_frameInfo_t* frameInfoPtr, + const void* srcBuffer, size_t* srcSizePtr) + { ++ assert(dctx != NULL); ++ RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null); ++ RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null); ++ + LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader); + if (dctx->dStage > dstage_storeFrameHeader) { + /* frameInfo already decoded */ +diff --git a/tests/frametest.c b/tests/frametest.c +index de0fe643..90247547 100644 +--- a/tests/frametest.c ++++ b/tests/frametest.c +@@ -714,10 +714,13 @@ static int unitTests(U32 seed, double compressibility) + size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */ + size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL); + size_t cSizeNoDict, cSizeWithDict; +- LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize); +- if (cdict == NULL) goto _output_error; +- CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ LZ4F_CDict* cdict = NULL; + ++ CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) ); ++ cdict = LZ4F_createCDict(CNBuffer, dictSize); ++ if (cdict == NULL) ++ goto _output_error; ++ + DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : "); + { LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize); + if (cda == NULL) goto _output_error; diff --git a/meta/recipes-support/lz4/lz4_1.10.0.bb b/meta/recipes-support/lz4/lz4_1.10.0.bb index 9bd3cfc27be..f2a86036b56 100644 --- a/meta/recipes-support/lz4/lz4_1.10.0.bb +++ b/meta/recipes-support/lz4/lz4_1.10.0.bb @@ -14,7 +14,9 @@ SRCREV = "ebb370ca83af193212df4dcbadcc5d87bc0de2f0" SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \ file://reproducibility.patch \ - file://run-ptest" + file://run-ptest \ + file://CVE-2025-62813.patch \ +" UPSTREAM_CHECK_GITTAGREGEX = "v(?P.*)" inherit ptest