apply upstream change to resolve CVE-2010-4203
This commit is contained in:
Tom "spot" Callaway
parent
7e747aa4ae
commit
805bf5e328
73
libvpx-0.9.5-I6266aba7.patch
Normal file
73
libvpx-0.9.5-I6266aba7.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
From 9fb80f7170ec48e23c3c7b477149eeb37081c699 Mon Sep 17 00:00:00 2001
|
||||||
|
From: John Koleszar <jkoleszar@google.com>
|
||||||
|
Date: Thu, 4 Nov 2010 16:59:26 -0400
|
||||||
|
Subject: [PATCH] fix integer promotion bug in partition size check
|
||||||
|
|
||||||
|
The check '(user_data_end - partition < partition_size)' must be
|
||||||
|
evaluated as a signed comparison, but because partition_size was
|
||||||
|
unsigned, the LHS was promoted to unsigned, causing an incorrect
|
||||||
|
result on 32-bit. Instead, check the upper and lower bounds of
|
||||||
|
the segment separately.
|
||||||
|
|
||||||
|
Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
|
||||||
|
---
|
||||||
|
vp8/decoder/decodframe.c | 6 ++++--
|
||||||
|
vp8/vp8_dx_iface.c | 10 ++++++++--
|
||||||
|
2 files changed, 12 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
|
||||||
|
index 2d81d61..f5e49a1 100644
|
||||||
|
--- a/vp8/decoder/decodframe.c
|
||||||
|
+++ b/vp8/decoder/decodframe.c
|
||||||
|
@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
|
||||||
|
partition_size = user_data_end - partition;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (user_data_end - partition < partition_size)
|
||||||
|
+ if (partition + partition_size > user_data_end
|
||||||
|
+ || partition + partition_size < partition)
|
||||||
|
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
||||||
|
"Truncated packet or corrupt partition "
|
||||||
|
"%d length", i + 1);
|
||||||
|
@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
|
||||||
|
(data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
|
||||||
|
data += 3;
|
||||||
|
|
||||||
|
- if (data_end - data < first_partition_length_in_bytes)
|
||||||
|
+ if (data + first_partition_length_in_bytes > data_end
|
||||||
|
+ || data + first_partition_length_in_bytes < data)
|
||||||
|
vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
|
||||||
|
"Truncated packet or corrupt partition 0 length");
|
||||||
|
vp8_setup_version(pc);
|
||||||
|
diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
|
||||||
|
index e7e5356..f0adf5b 100644
|
||||||
|
--- a/vp8/vp8_dx_iface.c
|
||||||
|
+++ b/vp8/vp8_dx_iface.c
|
||||||
|
@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data,
|
||||||
|
unsigned int data_sz,
|
||||||
|
vpx_codec_stream_info_t *si)
|
||||||
|
{
|
||||||
|
-
|
||||||
|
vpx_codec_err_t res = VPX_CODEC_OK;
|
||||||
|
+
|
||||||
|
+ if(data + data_sz <= data)
|
||||||
|
+ res = VPX_CODEC_INVALID_PARAM;
|
||||||
|
+ else
|
||||||
|
{
|
||||||
|
/* Parse uncompresssed part of key frame header.
|
||||||
|
* 3 bytes:- including version, frame type and an offset
|
||||||
|
@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx,
|
||||||
|
|
||||||
|
ctx->img_avail = 0;
|
||||||
|
|
||||||
|
- /* Determine the stream parameters */
|
||||||
|
+ /* Determine the stream parameters. Note that we rely on peek_si to
|
||||||
|
+ * validate that we have a buffer that does not wrap around the top
|
||||||
|
+ * of the heap.
|
||||||
|
+ */
|
||||||
|
if (!ctx->si.h)
|
||||||
|
res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
|
||||||
|
|
||||||
|
--
|
||||||
|
1.7.3.1
|
||||||
|
|
||||||
@ -1,7 +1,7 @@
|
|||||||
Name: libvpx
|
Name: libvpx
|
||||||
Summary: VP8 Video Codec SDK
|
Summary: VP8 Video Codec SDK
|
||||||
Version: 0.9.5
|
Version: 0.9.5
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source0: http://webm.googlecode.com/files/%{name}-v%{version}.tar.bz2
|
Source0: http://webm.googlecode.com/files/%{name}-v%{version}.tar.bz2
|
||||||
@ -9,6 +9,9 @@ Source1: libvpx.pc
|
|||||||
# Thanks to debian.
|
# Thanks to debian.
|
||||||
Source2: libvpx.ver
|
Source2: libvpx.ver
|
||||||
Patch0: libvpx-0.9.0-no-explicit-dep-on-static-lib.patch
|
Patch0: libvpx-0.9.0-no-explicit-dep-on-static-lib.patch
|
||||||
|
# From http://review.webmproject.org/#change,1098
|
||||||
|
# Should resolve CVE-2010-4203
|
||||||
|
Patch1: libvpx-0.9.5-I6266aba7.patch
|
||||||
URL: http://www.webmproject.org/tools/vp8-sdk/
|
URL: http://www.webmproject.org/tools/vp8-sdk/
|
||||||
%ifarch %{ix86} x86_64
|
%ifarch %{ix86} x86_64
|
||||||
BuildRequires: yasm
|
BuildRequires: yasm
|
||||||
@ -41,6 +44,7 @@ and decoder.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-v%{version}
|
%setup -q -n %{name}-v%{version}
|
||||||
%patch0 -p1 -b .no-static-lib
|
%patch0 -p1 -b .no-static-lib
|
||||||
|
%patch1 -p1 -b .I6266aba7
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%ifarch %{ix86}
|
%ifarch %{ix86}
|
||||||
@ -157,6 +161,9 @@ rm -rf %{buildroot}
|
|||||||
%{_bindir}/*
|
%{_bindir}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 17 2010 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.5-2
|
||||||
|
- apply patch from upstream git (Change I6266aba7), should resolve CVE-2010-4203
|
||||||
|
|
||||||
* Mon Nov 1 2010 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.5-1
|
* Mon Nov 1 2010 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.5-1
|
||||||
- update to 0.9.5
|
- update to 0.9.5
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user