From 5a4b7fca4eaaf81ab0f945d45fd55f21076db0fc Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 5 Mar 2026 12:00:29 +0100
Subject: [PATCH] Add patch for superframe index full

Resolves: RHEL-150334
---
 ...ame_index-return-0-if-buffer-is-full.patch | 92 +++++++++++++++++++
 libvpx.spec | 8 +-
 2 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 0001-write_superframe_index-return-0-if-buffer-is-full.patch

diff --git a/0001-write_superframe_index-return-0-if-buffer-is-full.patch b/0001-write_superframe_index-return-0-if-buffer-is-full.patch
new file mode 100644
index 0000000..bfaae0d
--- /dev/null
+++ b/0001-write_superframe_index-return-0-if-buffer-is-full.patch
@@ -0,0 +1,92 @@ +From 2b11b418cccd708394730c078c94525a3856d541 Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang +Date: Wed, 21 Jan 2026 18:03:55 -0800 +Subject: [PATCH] write_superframe_index: return 0 if buffer is full + +write_superframe_index() should return the number of bytes written to +ctx->pending_cx_data. If ctx->pending_cx_data is full, +write_superframe_index() doesn't write the optional superframe index, so +it should return 0 in this case. Add an assertion that would have +detected this bug. Add and clarify comments for code related to this +bug. + +Also fix the buffer full check. The check should not assume that +ctx->pending_cx_data is equal to ctx->cx_data, and the check had an +off-by-one error. + +The bug was introduced when write_superframe_index() was added in the +following CLs: +https://chromium-review.googlesource.com/c/webm/libvpx/+/44659 +https://chromium-review.googlesource.com/c/webm/libvpx/+/45268 + +Bug: oss-fuzz:476466137 +Change-Id: Ie113568cf25acc73f8af640a3c51cfdb5b900613 +--- + vp9/vp9_cx_iface.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/vp9/vp9_cx_iface.c b/vp9/vp9_cx_iface.c +index 881caae78..38aa30f75 100644 +--- a/vp9/vp9_cx_iface.c ++++ b/vp9/vp9_cx_iface.c +@@ -8,6 +8,10 @@ + * be found in the AUTHORS file in the root of the source tree. + */ + ++#include ++#include ++#include ++#include + #include + #include + +@@ -96,6 +100,7 @@ struct vpx_codec_alg_priv { + VP9_COMP *cpi; + unsigned char *cx_data; + size_t cx_data_sz; ++ // pending_cx_data either is a null pointer or points into the cx_data buffer. 
+ unsigned char *pending_cx_data; + size_t pending_cx_data_sz; + int pending_frame_count; +@@ -1015,8 +1020,12 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) { + + // Write the index + index_sz = 2 + (mag + 1) * ctx->pending_frame_count; +- if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) { +- uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz; ++ unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz; ++ unsigned char *pending_cx_data_end = ++ ctx->pending_cx_data + ctx->pending_cx_data_sz; ++ ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end; ++ if (index_sz <= space_remaining) { ++ uint8_t *x = pending_cx_data_end; + int i, j; + #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA + uint8_t marker_test = 0xc0; +@@ -1047,6 +1056,8 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) { + #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA + index_sz += index_sz_test; + #endif ++ } else { ++ index_sz = 0; + } + return index_sz; + } +@@ -1265,9 +1276,12 @@ static vpx_codec_err_t encoder_encode(vpx_codec_alg_priv_t *ctx, + ctx->pending_frame_sizes[ctx->pending_frame_count++] = size; + ctx->pending_frame_magnitude |= size; + ctx->pending_cx_data_sz += size; +- // write the superframe only for the case when +- if (!ctx->output_cx_pkt_cb.output_cx_pkt) ++ // write the superframe only for the case when the callback function ++ // for getting per-layer packets is not registered. ++ if (!ctx->output_cx_pkt_cb.output_cx_pkt) { + size += write_superframe_index(ctx); ++ assert(size <= cx_data_sz); ++ } + pkt.data.frame.buf = ctx->pending_cx_data; + pkt.data.frame.sz = ctx->pending_cx_data_sz; + ctx->pending_cx_data = NULL; +-- +2.53.0 + diff --git a/libvpx.spec b/libvpx.spec index 94ab6f5..2479e6d 100644 --- a/libvpx.spec +++ b/libvpx.spec 
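Review bot: When the index does not fit, write_superframe_index() now returns 0 and encoder_encode() still emits the pending frames as a single packet (`pkt.data.frame.buf = ctx->pending_cx_data;`), so a superframe presumably goes out without the index a decoder needs to split it, and neither the return value nor anything else in the hunk tells the caller that this happened. At minimum the call site should say so, e.g. `// 0 means the index did not fit in cx_data; the packet is emitted without it.`, and it is worth considering whether an error should be reported instead of silently producing such a packet — that depends on how cx_data is sized, which is outside this hunk. Separately, under TEST_SUPPLEMENTAL_SUPERFRAME_DATA the supplemental bytes appear to be accounted for only after the write (`index_sz += index_sz_test;`), so the `index_sz <= space_remaining` check does not cover them and that build can still run past cx_data_end; fold the supplemental size into the check if that path is kept. Both write_superframe_index() and encoder_encode() begin outside this hunk, and the four added `#include` lines have lost their header names in this rendering, so it cannot be confirmed here that `<stddef.h>` (for ptrdiff_t) and `<assert.h>` are among them.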
@@ -6,7 +6,7 @@
 Name: libvpx
 Summary: VP8/VP9 Video Codec SDK
 Version: 1.7.0
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: BSD
 Group: System Environment/Libraries
 #Source0: http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@@ -32,6 +32,7 @@ Patch8: 0002-Apply-stride_align-to-byte-count-not-pixel-count.patch
 Patch9: 0003-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
 Patch10: include-limits.patch
 Patch11: 0001-vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch
+Patch12: 0001-write_superframe_index-return-0-if-buffer-is-full.patch
 
 %description
 libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications
@@ -70,6 +71,7 @@ and decoder.
 %patch9 -p1 -b .0009
 %patch10 -p1 -b .0010
 %patch11 -p1 -b .0011
+%patch12 -p1 -b .0012
 
 %build
 %ifarch %{ix86}
@@ -259,6 +261,10 @@ rm -rf %{buildroot}%{_prefix}/src
 %{_bindir}/*
 
 %changelog
+* Thu Mar 05 2026 Wim Taymans - 1.7.0-13
+- Add patch for superframe index full
+  Resolves: RHEL-150334
+
 * Tue Jun 03 2025 Wim Taymans - 1.7.0-12
 - Add patch for double free
   Resolves: RHEL-93914