replace undefined bit shifts, fix CVE-2024-56431

(cherry picked from commit 416f56f1c06073a6bc24846379a2a38c7da8f95b)
2025-03-25 17:23:06 +08:00 · 2025-03-25 17:23:06 +08:00 · 282b0198d7
commit 282b0198d7
parent 6ba90d001d
2 changed files with 235 additions and 3 deletions
--- a/backport-fix-CVE-2024-56431.patch
+++ b/backport-fix-CVE-2024-56431.patch
@ -0,0 +1,228 @@
 From a6766c94721bc55e8e56fb0d941ecfe2d27c3d17 Mon Sep 17 00:00:00 2001
 From: Petter Reinholdtsen <pere@debian.org>
 Date: Sun, 9 Mar 2025 08:07:49 +0100
 Subject: [PATCH 1/3] Replaced possible bit shifting into signed bit of stride
 values.
 Use multiplication instead, allowing the compiler to optimize to
 bitshifts if it believe it to be safe.
 Partly solves github issue #18.
 Backported to 1.1.1 by <wangshuo@kylinos.cn>, fix CVE-2024-56431
 https://github.com/xiph/theora/commit/a6766c94721bc55e8e56fb0d941ecfe2d27c3d17
 ---
 lib/decode.c      | 14 +++++++-------
 lib/state.c       |  4 ++--
 lib/x86/mmxfrag.c |  2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)
 diff --git a/lib/decode.c b/lib/decode.c
 index bde967b..fd03fba 100644
 --- a/lib/decode.c
 +++ b/lib/decode.c
@@ -1747,13 +1747,13 @@ static void oc_dec_deblock_frag_rows(oc_dec_ctx *_dec,
       flimit=(qstep*3)>>2;
       oc_filter_hedge(dst+x,dst_ystride,src+x-src_ystride,src_ystride,
        qstep,flimit,variance,variance+nhfrags);
 -      oc_filter_vedge(dst+x-(dst_ystride<<2)-4,dst_ystride,
 +      oc_filter_vedge(dst+x-(dst_ystride*4)-4,dst_ystride,
        qstep,flimit,variance-1);
       variance++;
       dc_qi++;
     }
 -    dst+=dst_ystride<<3;
 -    src+=src_ystride<<3;
 +    dst+=dst_ystride*8;
 +    src+=src_ystride*8;
   }
   /*And finally, handle the last row in the frame, if it's in the range.*/
   if(!notdone){
@@ -1769,7 +1769,7 @@ static void oc_dec_deblock_frag_rows(oc_dec_ctx *_dec,
     for(x=8;x<width;x+=8){
       qstep=_dec->pp_dc_scale[*dc_qi++];
       flimit=(qstep*3)>>2;
 -      oc_filter_vedge(dst+x-(dst_ystride<<3)-4,dst_ystride,
 +      oc_filter_vedge(dst+x-(dst_ystride*8)-4,dst_ystride,
        qstep,flimit,variance++);
     }
   }
@@ -1944,7 +1944,7 @@ static void oc_dec_dering_frag_rows(oc_dec_ctx *_dec,th_img_plane *_img,
       frag++;
       variance++;
     }
 -    idata+=ystride<<3;
 +    idata+=ystride*8;
   }
 }
@@ -2877,10 +2877,10 @@ int th_decode_ycbcr_out(th_dec_ctx *_dec,th_ycbcr_buffer _ycbcr){
             u_row[x>>1]=OC_CLAMP255(u);
             v_row[x>>1]=OC_CLAMP255(v);
           }
 -          y_row+=_ycbcr[0].stride<<1;
 +          y_row+=_ycbcr[0].stride*2;
           u_row+=_ycbcr[1].stride;
           v_row+=_ycbcr[2].stride;
 -          rgb_row+=cstride<<1;
 +          rgb_row+=cstride*2;
         }
       }break;
       case TH_PF_422:{
 diff --git a/lib/state.c b/lib/state.c
 index 42ed33a..fe803d6 100644
 --- a/lib/state.c
 +++ b/lib/state.c
@@ -573,7 +573,7 @@ static int oc_state_ref_bufs_init(oc_theora_state *_state,int _nrefs){
         frag_buf_offs[fragi]=hpix-ref_frame_data;
         hpix+=8;
       }
 -      vpix+=stride<<3;
 +      vpix+=stride*8;
     }
   }
   /*Initialize the reference frame indices.*/
@@ -1055,7 +1055,7 @@ void oc_state_loop_filter_frag_rows_c(const oc_theora_state *_state,int *_bv,
           loop_filter_h(ref+8,ystride,_bv);
         }
         if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
 -          loop_filter_v(ref+(ystride<<3),ystride,_bv);
 +          loop_filter_v(ref+(ystride*8),ystride,_bv);
         }
       }
       fragi++;
 diff --git a/lib/x86/mmxfrag.c b/lib/x86/mmxfrag.c
 index 2c73293..6930aaf 100644
 --- a/lib/x86/mmxfrag.c
 +++ b/lib/x86/mmxfrag.c
@@ -141,7 +141,7 @@ void oc_frag_recon_intra_mmx(unsigned char *_dst,int _ystride,
     :
     :[residue]"r"(_residue),
      [dst]"r"(_dst),
 -     [dst4]"r"(_dst+(_ystride<<2)),
 +     [dst4]"r"(_dst+(_ystride*4)),
      [ystride]"r"((ptrdiff_t)_ystride),
      [ystride3]"r"((ptrdiff_t)_ystride*3)
     :"memory"
 -- 
 2.27.0
 From 62b266ae4e2465ab24b5ed4761044e2af3015fee Mon Sep 17 00:00:00 2001
 From: Petter Reinholdtsen <pere@debian.org>
 Date: Sun, 9 Mar 2025 08:11:17 +0100
 Subject: [PATCH 2/3] Made mask unsigned to avoid shifting into sign bit.
 The last iteration of the loop execute 1<<63, which would push the
 result into the signed bit of a signed 64 bit type, and this
 move into currently undefined behaviour with C99.  Avoid the
 issue by making the operation work on unsigned 64 bit type instead.
 This require libogg version to 1.3.4, raise autotools dependency check
 to look for this.
 Partly solves github issue #18.
 Backported to 1.1.1 by <wangshuo@kylinos.cn>, fix CVE-2024-56431
 https://github.com/xiph/theora/commit/62b266ae4e2465ab24b5ed4761044e2af3015fee
 ---
 configure.ac | 4 ++--
 lib/state.c  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 8260bdf..078ec13 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -268,7 +268,7 @@ dnl check for pkg-config itself so we don't try the m4 macro without pkg-config
 AC_CHECK_PROG(HAVE_PKG_CONFIG, pkg-config, yes)
 if test "x$HAVE_PKG_CONFIG" = "xyes"
 then
 -  PKG_CHECK_MODULES(OGG, ogg >= 1.1, HAVE_OGG=yes, HAVE_OGG=no)
 +  PKG_CHECK_MODULES(OGG, ogg >= 1.3.4, HAVE_OGG=yes, HAVE_OGG=no)
 fi
 if test "x$HAVE_OGG" = "xno"
 then
@@ -283,7 +283,7 @@ then
   CFLAGS="$CFLAGS $OGG_CFLAGS"
   LIBS="$LIBS $OGG_LIBS"
   AC_CHECK_FUNC(oggpackB_read, , [
 -    AC_MSG_ERROR([newer libogg version (1.1 or later) required])
 +    AC_MSG_ERROR([newer libogg version (1.3.4 or later) required])
   ])
   CFLAGS=$cflags_save
   LIBS=$libs_save
 diff --git a/lib/state.c b/lib/state.c
 index fe803d6..1deb4b0 100644
 --- a/lib/state.c
 +++ b/lib/state.c
@@ -316,7 +316,7 @@ static void oc_state_border_init(oc_theora_state *_state){
         /*Otherwise, check to see if it straddles the border.*/
         else if(x<crop_x0&&crop_x0<x+8||x<crop_xf&&crop_xf<x+8||
          y<crop_y0&&crop_y0<y+8||y<crop_yf&&crop_yf<y+8){
 -          ogg_int64_t mask;
 +          ogg_uint64_t mask;
           int         npixels;
           int         i;
           mask=npixels=0;
@@ -324,7 +324,7 @@ static void oc_state_border_init(oc_theora_state *_state){
             int j;
             for(j=0;j<8;j++){
               if(x+j>=crop_x0&&x+j<crop_xf&&y+i>=crop_y0&&y+i<crop_yf){
 -                mask|=(ogg_int64_t)1<<(i<<3|j);
 +                mask|=(ogg_uint64_t)1<<(i<<3|j);
                 npixels++;
               }
             }
 -- 
 2.27.0
 From ec642ecf6d94f11d5eb05ab1fb7a9728c9a89cae Mon Sep 17 00:00:00 2001
 From: Petter Reinholdtsen <pere@debian.org>
 Date: Sun, 9 Mar 2025 22:53:57 +0100
 Subject: [PATCH 3/3] Replaced more possible bit shifting into signed bit of
 stride values.
 Leftover changes from a6766c94721bc55e8e56fb0d941ecfe2d27c3d17.
 Use multiplication instead, allowing the compiler to optimize to
 bitshifts if it believe it to be safe.
 Partly solves github issue #18.
 Backported to 1.1.1 by <wangshuo@kylinos.cn>, fix CVE-2024-56431
 https://github.com/xiph/theora/commit/ec642ecf6d94f11d5eb05ab1fb7a9728c9a89cae
 ---
 lib/x86/mmxstate.c    | 2 +-
 lib/x86_vc/mmxstate.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/x86/mmxstate.c b/lib/x86/mmxstate.c
 index 808b0a7..dd428d6 100644
 --- a/lib/x86/mmxstate.c
 +++ b/lib/x86/mmxstate.c
@@ -176,7 +176,7 @@ void oc_state_loop_filter_frag_rows_mmx(const oc_theora_state *_state,
           OC_LOOP_FILTER_H_MMX(ref+8,ystride,ll);
         }
         if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
 -          OC_LOOP_FILTER_V_MMX(ref+(ystride<<3),ystride,ll);
 +          OC_LOOP_FILTER_V_MMX(ref+(ystride*8),ystride,ll);
         }
       }
       fragi++;
 diff --git a/lib/x86_vc/mmxstate.c b/lib/x86_vc/mmxstate.c
 index 73bd198..8a00909 100644
 --- a/lib/x86_vc/mmxstate.c
 +++ b/lib/x86_vc/mmxstate.c
@@ -193,7 +193,7 @@ void oc_state_loop_filter_frag_rows_mmx(const oc_theora_state *_state,
           OC_LOOP_FILTER_H_MMX(ref+8,ystride,ll);
         }
         if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
 -          OC_LOOP_FILTER_V_MMX(ref+(ystride<<3),ystride,ll);
 +          OC_LOOP_FILTER_V_MMX(ref+(ystride*8),ystride,ll);
         }
 #undef PIX
 #undef YSTRIDE3
 -- 
 2.27.0
--- a/libtheora.spec
+++ b/libtheora.spec
@ -1,6 +1,6 @@
 Name:           libtheora
 Version:        1.1.1
-Release:        27
+Release:        28
 Summary:        Theora Video Compression
 License:        BSD
 Epoch:          1
@ -14,6 +14,7 @@ BuildRequires:  libvorbis-devel tetex-latex transfig
 Patch0:         Fix-pp_sharp_mod-calculation.patch
 Patch1:         examples-fix-underlinking.patch
 Patch2:         examples-png_sizeof-no-longer-available-since-libpng.patch
 Patch3:         backport-fix-CVE-2024-56431.patch
 %description
 Theora is a free and open video compression format from the Xiph.org Foundation. Like all
@ -106,10 +107,13 @@ install -m 755 examples/.libs/png2theora $RPM_BUILD_ROOT/%{_bindir}/png2theora
 %{_bindir}/*
 %changelog
-* Tue Mar 18 2025 mahailiang <mahailiang@uniontech.com> - 1.1.1-27
+* Fri Mar 21 2025 wangshuo <wangshuo@kylinos.cn> - 1:1.1.1-28
 - Fix CVE-2024-56431, fix changelog format
 * Tue Mar 18 2025 mahailiang <mahailiang@uniontech.com> - 1:1.1.1-27
 - fix sw_64 build error
-* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.1.1-26
+* Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 1:1.1.1-26
 - DESC: delete -Sgit from %autosetup
 * Wed Jun 23 2021 wuchaochao <wuchaochao4@huawei.com> - 1:1.1.1-25