From: Daniel Díaz <daniel.diaz@sonos.com>
Date: Wed, 23 Jul 2025 23:34:35 +0000 (-0600)
Subject: ffmpeg: Ignore two CVEs fixed in 5.0.3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78aef4b1002c515aa2c1a64fea5bb013c9bc86a8;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

ffmpeg: Ignore two CVEs fixed in 5.0.3

These two CVEs were fixed via the 5.0.3 release, and the
backported patches that fixed them were subsequently left
behind (although not deleted) by dadb16481810 ("ffmpeg:
upgrade 5.0.1 -> 5.0.3")

* CVE-2022-3109: An issue was discovered in the FFmpeg
  package, where vp3_decode_frame in libavcodec/vp3.c lacks
  check of the return value of av_malloc() and will cause a
  null pointer dereference, impacting availability.

* CVE-2022-3341: A null pointer dereference issue was
  discovered in 'FFmpeg' in decode_main_header() function of
  libavformat/nutdec.c file. The flaw occurs because the
  function lacks check of the return value of
  avformat_new_stream() and triggers the null pointer
  dereference error, causing an application to crash.

`bitbake ffmpeg` reports these two as "Unpatched".

Ignore them for now, until the NVD updates the versions where
these do not affect anymore.

Signed-off-by: Daniel Díaz <daniel.diaz@sonos.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
index 57bd4c5442..8da11f196d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb
@@ -90,6 +90,12 @@ CVE_CHECK_IGNORE += "CVE-2025-1373"
 # bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba
 CVE_CHECK_IGNORE += "CVE-2022-48434"
 
+# These two vulnerabilities were fixed in 5.0.3
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/2cdddcd6ec90c7a248ffe792d85faa4d89eab9f7
+CVE_CHECK_IGNORE += "CVE-2022-3109"
+# bugfix: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/481e81be1271ac9a0124ee615700390c2371bd89
+CVE_CHECK_IGNORE += "CVE-2022-3341"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"