Import from CS git

SOURCES/0001-vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch

@@ -0,0 +1,63 @@
+From 0af0dc1997cc3f2e78f72616a665ed7b6353189c Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 30 Apr 2025 19:28:48 -0700
+Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure
+
+In `vp8e_init()`, the encoder would take ownership of
+`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed.
+This caused confusion at the call site as other failures in
+`vp8e_init()` did not result in ownership transfer and the caller would
+free the memory. In the case of `vp8_create_compressor()` failure both
+the caller and `vpx_codec_destroy()` would free the memory, causing a
+crash. `mr_*` related variables are now cleared on failure to prevent
+this situation.
+
+Bug: webm:413411335
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421
+Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc
+(cherry picked from commit 1c758781c428c0e895645b95b8ff1512b6bdcecb)
+---
+ vp8/vp8_cx_iface.c    | 12 +++++++++++-
+ vpx/src/vpx_encoder.c |  3 +++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c
+index af6689fd9..ab74e360a 100644
+--- a/vp8/vp8_cx_iface.c
++++ b/vp8/vp8_cx_iface.c
+@@ -657,7 +657,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx,
+     if (!res) {
+       set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg);
+       priv->cpi = vp8_create_compressor(&priv->oxcf);
+-      if (!priv->cpi) res = VPX_CODEC_MEM_ERROR;
++      if (!priv->cpi) {
++#if CONFIG_MULTI_RES_ENCODING
++        // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This
++        // prevents ownership confusion with the caller and avoids a double
++        // free when vpx_codec_destroy() is called on this instance.
++        priv->oxcf.mr_total_resolutions = 0;
++        priv->oxcf.mr_encoder_id = 0;
++        priv->oxcf.mr_low_res_mode_info = NULL;
++#endif
++        res = VPX_CODEC_MEM_ERROR;
++      }
+     }
+   }
+ 
+diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c
+index 1cf2dca69..4427efa2a 100644
+--- a/vpx/src/vpx_encoder.c
++++ b/vpx/src/vpx_encoder.c
+@@ -112,6 +112,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver(
+           ctx->priv = NULL;
+           ctx->init_flags = flags;
+           ctx->config.enc = cfg;
++          // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if
++          // this call succeeds. The first ctx entry in the array is
++          // responsible for freeing the memory.
+           res = ctx->iface->init(ctx, &mr_cfg);
+         }
+ 
+-- 
+2.49.0
+

SPECS/libvpx.spec

@@ -6,7 +6,7 @@
 Name:			libvpx
 Summary:		VP8/VP9 Video Codec SDK
 Version:		1.7.0
-Release:		11%{?dist}
+Release:		12%{?dist}
 License:		BSD
 Group:			System Environment/Libraries
 #Source0:		http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@@ -31,6 +31,7 @@ Patch7:			0001-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
 Patch8:			0002-Apply-stride_align-to-byte-count-not-pixel-count.patch
 Patch9:			0003-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
 Patch10:		include-limits.patch
+Patch11:		0001-vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch
 
 %description
 libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications 
@@ -68,6 +69,7 @@ and decoder.
 %patch8 -p1 -b .0008
 %patch9 -p1 -b .0009
 %patch10 -p1 -b .0010
+%patch11 -p1 -b .0011
 
 %build
 %ifarch %{ix86}
@@ -257,6 +259,10 @@ rm -rf %{buildroot}%{_prefix}/src
 %{_bindir}/*
 
 %changelog
+* Tue Jun 03 2025 Wim Taymans <wtaymans@redhat.com> - 1.7.0-12
+- Add patch for double free
+  Resolves: RHEL-93914
+
 * Fri Jul 5 2024 Wim Taymans <wtaymans@redhat.com> - 1.7.0-11
 - Add patch to fix integer overflows.
 - Fix compilation by including limits.h