From 0dee8f3b1c4cf5eb52892dad00a6489361b7778f Mon Sep 17 00:00:00 2001
From: wh02252983
Date: Fri, 19 Sep 2025 13:25:34 +0800
Subject: [PATCH] [CVE] add patch to fix CVE-2025-48174
To # N/A add patch to fix CVE-2025-48174 Project: TC2024080204
Signed-off-by: wh02252983
---
 fix-cve-2025-48174.patch | 52 ++++++++++++++++++++++++++++++++++++++++
 libavif.spec | 6 ++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 fix-cve-2025-48174.patch
diff --git a/fix-cve-2025-48174.patch b/fix-cve-2025-48174.patch
new file mode 100644
index 0000000..3280340
--- /dev/null
+++ b/fix-cve-2025-48174.patch
@@ -0,0 +1,52 @@
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Subject: Add integer overflow checks to makeRoom (CVE-2025-48174)
+Origin: backport, https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c053559902,
+ https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109,
+ https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+Instead of backporting requsites for the patches from
+https://github.com/AOMediaCodec/libavif/pull/2768 make the overflow check and
+abort() instead. Use abort() to be consistent with avifAlloc() in libavif
+v0.11.1 (in src/mem.c):
+
+ void * avifAlloc(size_t size)
+ {
+ void * out = malloc(size);
+ if (out == NULL) {
+ abort();
+ }
+ return out;
+ }
+
+Include for abort().
+
+Thanks: Wan-Teh Chang
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -6,6 +6,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ // ---------------------------------------------------------------------------
+@@ -234,6 +235,9 @@ avifBool avifROStreamReadAndEnforceVersi
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static void makeRoom(avifRWStream * stream, size_t size)
+ {
++ if (size > SIZE_MAX - stream->offset) {
++ abort();
++ }
+ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+--
+2.49.0
diff --git a/libavif.spec b/libavif.spec
index 7fa47b4..6265034 100644
--- a/libavif.spec
+++ b/libavif.spec
@@ -1,4 +1,4 @@
-%define anolis_release 3
+%define anolis_release 4
 # Build without aom
 %bcond_with aom
 # Build without SVT-AV1
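Review bot: The guard added at the top of makeRoom() in the embedded src/stream.c patch only protects the sum `stream->offset + size`; the `while (newSize < neededSize)` loop that starts on the hunk's last context line is left unchecked. The loop body is outside the hunk, but if it grows `newSize` in AVIF_STREAM_BUFFER_INCREMENT steps, a `neededSize` within one increment of SIZE_MAX would make that addition wrap and the loop could fail to terminate. A matching check before the increment, `if (newSize > SIZE_MAX - AVIF_STREAM_BUFFER_INCREMENT) { abort(); }`, would close the gap in the same style as this backport. Since the header names on the `#include` lines are not readable here, it is also worth confirming that stream.c already sees `SIZE_MAX` through an existing include.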
@@ -15,6 +15,7 @@ URL: https://github.com/AOMediaCodec/libavif Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch0001: fix-cve-2025-48175.patch +Patch0002: fix-cve-2025-48174.patch BuildRequires: cmake BuildRequires: gcc-c++ %{?with_check:BuildRequires: gtest-devel} @@ -121,6 +122,9 @@ The %{name}-doc package contains documentation files for %{name}. %doc CHANGELOG.md README.md %changelog +* Fri Sep 19 2025 wh02252983 - 0.11.1-4 +- add patch to fix CVE-2025-48174 + * Thu Jul 31 2025 mgb01105731 - 0.11.1-3 - Rebuild with dav1d 1.4.0 -- Gitee