Add fix for CVE-2023-44488
Resolves: RHEL-11621
This commit is contained in:
parent
37a868061f
commit
107fdd3003
127
CVE-2023-44488-libvpx.patch
Normal file
127
CVE-2023-44488-libvpx.patch
Normal file
@ -0,0 +1,127 @@
|
|||||||
|
From 263682c9a29395055f3b3afe2d97be1828a6223f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jerome Jiang <jianj@google.com>
|
||||||
|
Date: Thu, 30 Jun 2022 13:48:56 -0400
|
||||||
|
Subject: [PATCH] Fix bug with smaller width bigger size
|
||||||
|
|
||||||
|
Fixed previous patch that clusterfuzz failed on.
|
||||||
|
|
||||||
|
Bug: webm:1642
|
||||||
|
Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
|
||||||
|
---
|
||||||
|
test/resize_test.cc | 11 +++--------
|
||||||
|
vp9/common/vp9_alloccommon.c | 13 ++++++-------
|
||||||
|
vp9/encoder/vp9_encoder.c | 27 +++++++++++++++++++++++++--
|
||||||
|
3 files changed, 34 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/resize_test.cc b/test/resize_test.cc
|
||||||
|
index fd1c2a92de6..20ad2229b46 100644
|
||||||
|
--- a/test/resize_test.cc
|
||||||
|
+++ b/test/resize_test.cc
|
||||||
|
@@ -102,11 +102,8 @@ void ScaleForFrameNumber(unsigned int frame, unsigned int initial_w,
|
||||||
|
if (frame < 30) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
- if (frame < 100) {
|
||||||
|
- *w = initial_w * 7 / 10;
|
||||||
|
- *h = initial_h * 16 / 10;
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
+ *w = initial_w * 7 / 10;
|
||||||
|
+ *h = initial_h * 16 / 10;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (frame < 10) {
|
||||||
|
@@ -559,9 +556,7 @@ TEST_P(ResizeRealtimeTest, TestExternalResizeWorks) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-// TODO(https://crbug.com/webm/1642): This causes a segfault in
|
||||||
|
-// init_encode_frame_mb_context().
|
||||||
|
-TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
|
||||||
|
+TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
|
||||||
|
ResizingVideoSource video;
|
||||||
|
video.flag_codec_ = true;
|
||||||
|
video.smaller_width_larger_size_ = true;
|
||||||
|
diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
|
||||||
|
index e53883f621d..9e73e40ea09 100644
|
||||||
|
--- a/vp9/common/vp9_alloccommon.c
|
||||||
|
+++ b/vp9/common/vp9_alloccommon.c
|
||||||
|
@@ -135,13 +135,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
|
||||||
|
cm->free_mi(cm);
|
||||||
|
if (cm->alloc_mi(cm, new_mi_size)) goto fail;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
|
||||||
|
- // Create the segmentation map structure and set to 0.
|
||||||
|
- free_seg_map(cm);
|
||||||
|
- if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (cm->above_context_alloc_cols < cm->mi_cols) {
|
||||||
|
vpx_free(cm->above_context);
|
||||||
|
cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
|
||||||
|
@@ -156,6 +149,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
|
||||||
|
cm->above_context_alloc_cols = cm->mi_cols;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
|
||||||
|
+ // Create the segmentation map structure and set to 0.
|
||||||
|
+ free_seg_map(cm);
|
||||||
|
+ if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (vp9_alloc_loop_filter(cm)) goto fail;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
|
||||||
|
index 69a4e3c314f..e3ba294c32f 100644
|
||||||
|
--- a/vp9/encoder/vp9_encoder.c
|
||||||
|
+++ b/vp9/encoder/vp9_encoder.c
|
||||||
|
@@ -2047,6 +2047,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void free_copy_partition_data(VP9_COMP *cpi) {
|
||||||
|
+ vpx_free(cpi->prev_partition);
|
||||||
|
+ cpi->prev_partition = NULL;
|
||||||
|
+ vpx_free(cpi->prev_segment_id);
|
||||||
|
+ cpi->prev_segment_id = NULL;
|
||||||
|
+ vpx_free(cpi->prev_variance_low);
|
||||||
|
+ cpi->prev_variance_low = NULL;
|
||||||
|
+ vpx_free(cpi->copied_frame_cnt);
|
||||||
|
+ cpi->copied_frame_cnt = NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
|
||||||
|
VP9_COMMON *const cm = &cpi->common;
|
||||||
|
RATE_CONTROL *const rc = &cpi->rc;
|
||||||
|
@@ -2126,6 +2137,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
|
||||||
|
new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
|
||||||
|
if (cm->mi_alloc_size < new_mi_size) {
|
||||||
|
vp9_free_context_buffers(cm);
|
||||||
|
+ vp9_free_pc_tree(&cpi->td);
|
||||||
|
+ vpx_free(cpi->mbmi_ext_base);
|
||||||
|
alloc_compressor_data(cpi);
|
||||||
|
realloc_segmentation_maps(cpi);
|
||||||
|
cpi->initial_width = cpi->initial_height = 0;
|
||||||
|
@@ -2144,8 +2157,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
|
||||||
|
update_frame_size(cpi);
|
||||||
|
|
||||||
|
if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
|
||||||
|
- memset(cpi->consec_zero_mv, 0,
|
||||||
|
- cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
|
||||||
|
+ vpx_free(cpi->consec_zero_mv);
|
||||||
|
+ CHECK_MEM_ERROR(
|
||||||
|
+ &cm->error, cpi->consec_zero_mv,
|
||||||
|
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
|
||||||
|
+
|
||||||
|
+ vpx_free(cpi->skin_map);
|
||||||
|
+ CHECK_MEM_ERROR(
|
||||||
|
+ &cm->error, cpi->skin_map,
|
||||||
|
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
|
||||||
|
+
|
||||||
|
+ free_copy_partition_data(cpi);
|
||||||
|
+ alloc_copy_partition_data(cpi);
|
||||||
|
if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
|
||||||
|
vp9_cyclic_refresh_reset_resize(cpi);
|
||||||
|
rc->rc_1_frame = 0;
|
@ -213,6 +213,9 @@ Patch154: firefox-nss-addon-hack.patch
|
|||||||
# ARM run-time patch
|
# ARM run-time patch
|
||||||
Patch155: rhbz-1354671.patch
|
Patch155: rhbz-1354671.patch
|
||||||
|
|
||||||
|
# ---- Security patches ----
|
||||||
|
Patch301: CVE-2023-44488-libvpx.patch
|
||||||
|
|
||||||
# BUILD REQURES/REQUIRES
|
# BUILD REQURES/REQUIRES
|
||||||
%if %{?system_nss} && !0%{?bundle_nss}
|
%if %{?system_nss} && !0%{?bundle_nss}
|
||||||
BuildRequires: pkgconfig(nspr) >= %{nspr_version}
|
BuildRequires: pkgconfig(nspr) >= %{nspr_version}
|
||||||
@ -945,6 +948,11 @@ echo "--------------------------------------------"
|
|||||||
%patch -P155 -p1 -b .rhbz-1354671
|
%patch -P155 -p1 -b .rhbz-1354671
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# ---- Security patches ----
|
||||||
|
cd media/libvpx/libvpx
|
||||||
|
%patch -P301 -p1 -b .CVE-2023-44488-libvpx
|
||||||
|
cd -
|
||||||
|
|
||||||
%{__rm} -f .mozconfig
|
%{__rm} -f .mozconfig
|
||||||
%{__cp} %{SOURCE10} .mozconfig
|
%{__cp} %{SOURCE10} .mozconfig
|
||||||
%{__cp} %{SOURCE24} mozilla-api-key
|
%{__cp} %{SOURCE24} mozilla-api-key
|
||||||
|
Loading…
Reference in New Issue
Block a user