rpms/libvpx
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Add patch for CVE-2023-44488

Browse Source 
Resolves: RHEL-11615
This commit is contained in:
Wim Taymans 2023-10-03 10:05:48 +02:00
parent d2b1ed4b5e
commit 63846fa856
2 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
0001-Fix-bug-with-smaller-width-bigger-size.patch Normal file
View File

@ -0,0 +1,103 @@
From 0b9c2b782ae87f820aa34a19be7be6268f258172 Mon Sep 17 00:00:00 2001
From: Jerome Jiang <jianj@google.com>
Date: Thu, 30 Jun 2022 13:48:56 -0400
Subject: [PATCH] Fix bug with smaller width bigger size
Fixed previous patch that clusterfuzz failed on.
Local fuzzing passing overnight.
Bug: webm:1642
Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
(cherry picked from commit 263682c9a29395055f3b3afe2d97be1828a6223f)
---
vp9/common/vp9_alloccommon.c | 13 ++++++-------
vp9/encoder/vp9_encoder.c | 27 +++++++++++++++++++++++++--
2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
index 7345e259b..2989ee015 100644
--- a/vp9/common/vp9_alloccommon.c
+++ b/vp9/common/vp9_alloccommon.c
@@ -122,13 +122,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
cm->free_mi(cm);
if (cm->alloc_mi(cm, new_mi_size)) goto fail;
}
-
- if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
- // Create the segmentation map structure and set to 0.
- free_seg_map(cm);
- if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
- }
-
if (cm->above_context_alloc_cols < cm->mi_cols) {
vpx_free(cm->above_context);
cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
@@ -143,6 +136,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
cm->above_context_alloc_cols = cm->mi_cols;
}
+ if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
+ // Create the segmentation map structure and set to 0.
+ free_seg_map(cm);
+ if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
+ }
+
if (vp9_alloc_loop_filter(cm)) goto fail;
return 0;
diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
index 2ae59dd98..01a6d907b 100644
--- a/vp9/encoder/vp9_encoder.c
+++ b/vp9/encoder/vp9_encoder.c
@@ -1751,6 +1751,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
}
}
+static void free_copy_partition_data(VP9_COMP *cpi) {
+ vpx_free(cpi->prev_partition);
+ cpi->prev_partition = NULL;
+ vpx_free(cpi->prev_segment_id);
+ cpi->prev_segment_id = NULL;
+ vpx_free(cpi->prev_variance_low);
+ cpi->prev_variance_low = NULL;
+ vpx_free(cpi->copied_frame_cnt);
+ cpi->copied_frame_cnt = NULL;
+}
+
void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
VP9_COMMON *const cm = &cpi->common;
RATE_CONTROL *const rc = &cpi->rc;
@@ -1834,6 +1845,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
if (cm->mi_alloc_size < new_mi_size) {
vp9_free_context_buffers(cm);
+ vp9_free_pc_tree(&cpi->td);
+ vpx_free(cpi->mbmi_ext_base);
alloc_compressor_data(cpi);
realloc_segmentation_maps(cpi);
cpi->initial_width = cpi->initial_height = 0;
@@ -1849,8 +1862,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
update_frame_size(cpi);
if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
- memset(cpi->consec_zero_mv, 0,
- cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
+ vpx_free(cpi->consec_zero_mv);
+ CHECK_MEM_ERROR(
+ cm, cpi->consec_zero_mv,
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
+
+ vpx_free(cpi->skin_map);
+ CHECK_MEM_ERROR(
+ cm, cpi->skin_map,
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
+
+ free_copy_partition_data(cpi);
+ alloc_copy_partition_data(cpi);
if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
vp9_cyclic_refresh_reset_resize(cpi);
rc->rc_1_frame = 0;
--
2.41.0

8
libvpx.spec
View File

@ -6,7 +6,7 @@
Name: libvpx Name: libvpx
Summary: VP8/VP9 Video Codec SDK Summary: VP8/VP9 Video Codec SDK
Version: 1.7.0 Version: 1.7.0
Release: 8%{?dist} Release: 9%{?dist}
License: BSD License: BSD
Group: System Environment/Libraries Group: System Environment/Libraries
#Source0: http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2 #Source0: http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@ -25,6 +25,7 @@ Patch1: 0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
Patch2: 0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch Patch2: 0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
Patch3: 0003-CVE-2019-9371-update-libwebm.patch Patch3: 0003-CVE-2019-9371-update-libwebm.patch
Patch4: 0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch Patch4: 0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
Patch5: 0001-Fix-bug-with-smaller-width-bigger-size.patch
%description %description
libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications
@ -56,6 +57,7 @@ and decoder.
%patch2 -p1 -b .0002 %patch2 -p1 -b .0002
%patch3 -p1 -b .0003 %patch3 -p1 -b .0003
%patch4 -p1 -b .0004 %patch4 -p1 -b .0004
%patch5 -p1 -b .0005
%build %build
%ifarch %{ix86} %ifarch %{ix86}
@ -245,6 +247,10 @@ rm -rf %{buildroot}%{_prefix}/src
%{_bindir}/* %{_bindir}/*
%changelog %changelog
* Tue Oct 3 2023 Wim Taymans <wtaymans@redhat.com> - 1.7.0-9
- Add patch for CVE-2023-44488
- Resolves: RHEL-11615
* Wed Apr 1 2020 Wim Taymans <wtaymans@redhat.com> - 1.7.0-8 * Wed Apr 1 2020 Wim Taymans <wtaymans@redhat.com> - 1.7.0-8
- Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454 - Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454
- Enable webm-io explicitly - Enable webm-io explicitly