Patch for CVE-2023-5217

2023-09-28 19:41:52 +05:30 · 2023-09-28 19:41:52 +05:30 · c73424d366
commit c73424d366
parent 00c2f94ce1
3 changed files with 133 additions and 2 deletions
--- a/VP8-disallow-thread-count-changes.patch
+++ b/VP8-disallow-thread-count-changes.patch
@ -0,0 +1,33 @@
+From 4b07ef193504671e989463d190410ea9f3b5a810 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Mon, 25 Sep 2023 18:55:59 -0700
+Subject: [PATCH] VP8: disallow thread count changes
+
+Currently allocations are done at encoder creation time. Going from
+threaded to non-threaded would cause a crash.
+
+Bug: chromium:1486441
+Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4
+---
+ vp8/encoder/onyx_if.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c
+index 4bbeadef0..148a16cc4 100644
+--- a/vp8/encoder/onyx_if.c
+++ b/vp8/encoder/onyx_if.c
+@@ -1443,6 +1443,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) {
+   last_h = cpi->oxcf.Height;
+   prev_number_of_layers = cpi->oxcf.number_of_layers;
+ 
+  if (cpi->initial_width) {
+    // TODO(https://crbug.com/1486441): Allow changing thread counts; the
+    // allocation is done once in vp8_create_compressor().
+    oxcf->multi_threaded = cpi->oxcf.multi_threaded;
+  }
+   cpi->oxcf = *oxcf;
+ 
+   switch (cpi->oxcf.Mode) {
+-- 
+2.41.0
+
--- a/libvpx.spec
+++ b/libvpx.spec
@ -6,7 +6,7 @@
 Name:			libvpx
 Summary:		VP8/VP9 Video Codec SDK
 Version:		1.13.0
-Release:		3%{?dist}
+Release:		4%{?dist}
 License:		BSD
 Source0:		https://github.com/webmproject/libvpx/archive/v%{version}.tar.gz
 Source1:		vpx_config.h
@ -22,6 +22,8 @@ BuildRequires:		yasm
 BuildRequires:		doxygen, php-cli, perl(Getopt::Long)
 # Do not disable FORTIFY_SOURCE=2
 Patch0:     libvpx-1.7.0-leave-fortify-source-on.patch
+Patch1:     update-thread-counts.patch
+Patch2:     VP8-disallow-thread-count-changes.patch

 %description
 libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications 
@ -47,6 +49,8 @@ and decoder.
 %prep
 %setup -q -n libvpx-%{version}
 %patch0 -p1 -b .leave-fs-on
+%patch1 -p1
+%patch2 -p1

 %build

@ -199,6 +203,9 @@ rm -rf %{buildroot}%{_prefix}/src
 %{_bindir}/*

 %changelog
+* Thu Sep 28 2023 Boudhayan Bhattacharya <bbhtt.zn0i8@slmail.me> - 1.13.0-4
+- Patch for CVE-2023-5217
+
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

@ -474,3 +481,4 @@ rm -rf %{buildroot}%{_prefix}/src

 * Wed May 19 2010 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.0-1
 - Initial package for Fedora
+
--- a/update-thread-counts.patch
+++ b/update-thread-counts.patch
@ -0,0 +1,90 @@
+From af6dedd715f4307669366944cca6e0417b290282 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Mon, 25 Sep 2023 18:53:41 -0700
+Subject: [PATCH] encode_api_test: add ConfigResizeChangeThreadCount
+
+Update thread counts and resolution to ensure allocations are updated
+correctly. VP8 is disabled to avoid a crash.
+
+Bug: chromium:1486441
+Change-Id: Ie89776d9818d27dc351eff298a44c699e850761b
+---
+ test/encode_api_test.cc | 50 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/test/encode_api_test.cc b/test/encode_api_test.cc
+index ecdf92834..02aedc057 100644
+--- a/test/encode_api_test.cc
+++ b/test/encode_api_test.cc
+@@ -304,7 +304,6 @@ TEST(EncodeAPI, SetRoi) {
+
+ void InitCodec(const vpx_codec_iface_t &iface, int width, int height,
+                vpx_codec_ctx_t *enc, vpx_codec_enc_cfg_t *cfg) {
+-  ASSERT_EQ(vpx_codec_enc_config_default(&iface, cfg, 0), VPX_CODEC_OK);
+   cfg->g_w = width;
+   cfg->g_h = height;
+   cfg->g_lag_in_frames = 0;
+@@ -342,6 +341,7 @@ TEST(EncodeAPI, ConfigChangeThreadCount) {
+         vpx_codec_ctx_t ctx = {};
+       } enc;
+
+      ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
+       EXPECT_NO_FATAL_FAILURE(
+           InitCodec(*iface, kWidth, kHeight, &enc.ctx, &cfg));
+       if (IsVP9(iface)) {
+@@ -360,4 +360,52 @@ TEST(EncodeAPI, ConfigChangeThreadCount) {
+   }
+ }
+
+TEST(EncodeAPI, ConfigResizeChangeThreadCount) {
+  constexpr int kInitWidth = 1024;
+  constexpr int kInitHeight = 1024;
+
+  for (const auto *iface : kCodecIfaces) {
+    SCOPED_TRACE(vpx_codec_iface_name(iface));
+    if (!IsVP9(iface)) {
+      GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this condition "
+                      "after VP8 is fixed.";
+    }
+    for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) {
+      vpx_codec_enc_cfg_t cfg = {};
+      struct Encoder {
+        ~Encoder() { EXPECT_EQ(vpx_codec_destroy(&ctx), VPX_CODEC_OK); }
+        vpx_codec_ctx_t ctx = {};
+      } enc;
+
+      ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
+      // Start in threaded mode to ensure resolution and thread related
+      // allocations are updated correctly across changes in resolution and
+      // thread counts. See https://crbug.com/1486441.
+      cfg.g_threads = 4;
+      EXPECT_NO_FATAL_FAILURE(
+          InitCodec(*iface, kInitWidth, kInitHeight, &enc.ctx, &cfg));
+      if (IsVP9(iface)) {
+        EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_TILE_COLUMNS, 6),
+                  VPX_CODEC_OK);
+        EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_ROW_MT, i),
+                  VPX_CODEC_OK);
+      }
+
+      cfg.g_w = 1000;
+      cfg.g_h = 608;
+      EXPECT_EQ(vpx_codec_enc_config_set(&enc.ctx, &cfg), VPX_CODEC_OK)
+          << vpx_codec_error_detail(&enc.ctx);
+
+      cfg.g_w = 16;
+      cfg.g_h = 720;
+
+      for (const auto threads : { 1, 4, 8, 6, 2, 1 }) {
+        cfg.g_threads = threads;
+        EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx))
+            << "iteration: " << i << " threads: " << threads;
+      }
+    }
+  }
+}
+
+ }  // namespace
+--
+2.41.0
+