!31 [sync] PR-29: Fix CVE-2024-5197

From: @openeuler-sync-bot 
Reviewed-by: @starlet-dx 
Signed-off-by: @starlet-dx
openeuler-ci-bot 2024-06-07 07:52:37 +00:00 committed by Gitee
commit 3872ef1087
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 451 additions and 1 deletions

152
CVE-2024-5197-1.patch Normal file

@ -0,0 +1,152 @@
Origin: https://github.com/webmproject/libvpx/commit/c5640e3300690705c336966e2a8bb346a388c829
From c5640e3300690705c336966e2a8bb346a388c829 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 10 Apr 2024 17:01:10 -0700
Subject: [PATCH] Fix integer overflows in calc of stride_in_bytes
A port of the libaom CL
https://aomedia-review.googlesource.com/c/aom/+/188761.
Fix unsigned integer overflows in the calculation of stride_in_bytes in
img_alloc_helper() when d_w is huge.
Change the type of stride_in_bytes from unsigned int to int because it
will be assigned to img->stride[VPX_PLANE_Y], which is of the int type.
Test:
. ../libvpx/tools/set_analyzer_env.sh integer
../libvpx/configure --enable-debug --disable-optimizations
make -j
./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth
Bug: chromium:332382766
Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82
(cherry picked from commit 2e32276277c0b1739707c5e861c96cf78794f1a0)
---
test/vpx_image_test.cc | 36 ++++++++++++++++++++++++++++++++++++
vpx/src/vpx_image.c | 31 +++++++++++++++++++------------
2 files changed, 55 insertions(+), 12 deletions(-)
--- a/test/vpx_image_test.cc
+++ b/test/vpx_image_test.cc
@@ -70,3 +70,39 @@ TEST(VpxImageTest, VpxImgAllocNv12) {
EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
vpx_img_free(&img);
}
+
+TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ // The stride (0x80000000 * 2) would overflow unsigned int.
+ vpx_image_t *image =
+ vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
+ // The stride (0x80000000) would overflow int.
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 285245883, 64, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_NV12, 285245883, 64, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_YV12, 285245883, 64, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+}
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -21,8 +21,9 @@ static vpx_image_t *img_alloc_helper(vpx
unsigned int buf_align,
unsigned int stride_align,
unsigned char *img_data) {
- unsigned int h, w, s, xcs, ycs, bps;
- unsigned int stride_in_bytes;
+ unsigned int h, w, xcs, ycs, bps;
+ uint64_t s;
+ int stride_in_bytes;
unsigned int align;
if (img != NULL) memset(img, 0, sizeof(vpx_image_t));
@@ -80,9 +81,11 @@ static vpx_image_t *img_alloc_helper(vpx
* and height shouldn't be adjusted. */
w = d_w;
h = d_h;
- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
- s = (s + stride_align - 1) & ~(stride_align - 1);
- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
/* Allocate the new image */
if (!img) {
@@ -103,9 +106,11 @@ static vpx_image_t *img_alloc_helper(vpx
align = (1 << ycs) - 1;
h = (d_h + align) & ~align;
- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
- s = (s + stride_align - 1) & ~(stride_align - 1);
- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
: (uint64_t)h * s;
@@ -170,12 +175,12 @@ int vpx_img_set_rect(vpx_image_t *img, u
if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
img->planes[VPX_PLANE_ALPHA] =
data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA];
- data += img->h * img->stride[VPX_PLANE_ALPHA];
+ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA];
}
img->planes[VPX_PLANE_Y] =
data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y];
- data += img->h * img->stride[VPX_PLANE_Y];
+ data += (size_t)img->h * img->stride[VPX_PLANE_Y];
if (img->fmt == VPX_IMG_FMT_NV12) {
img->planes[VPX_PLANE_U] =
@@ -186,7 +191,8 @@ int vpx_img_set_rect(vpx_image_t *img, u
img->planes[VPX_PLANE_U] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+ data +=
+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
img->planes[VPX_PLANE_V] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
@@ -194,7 +200,8 @@ int vpx_img_set_rect(vpx_image_t *img, u
img->planes[VPX_PLANE_V] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+ data +=
+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
img->planes[VPX_PLANE_U] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
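Review bot: The plane-offset terms in vpx_img_set_rect() still multiply in 32 bits. The hunks widen the `data +=` advances with `(size_t)`, but `y * img->stride[VPX_PLANE_Y]` and `(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]` on the adjacent context lines are left as they were. If x and y are unsigned int, as the truncated signature and the tests suggest, a row index times stride above UINT_MAX would wrap and leave the plane pointer at the wrong offset even though the advance is now correct. I would widen them the same way, e.g. `data + x * bytes_per_sample + (size_t)y * img->stride[VPX_PLANE_Y];`, and likewise for the alpha, U and V planes. The function's bounds checks on x and y sit outside these hunks, so whether they already rule this out cannot be confirmed from here.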

144
CVE-2024-5197-2.patch Normal file

@ -0,0 +1,144 @@
Origin: https://github.com/webmproject/libvpx/commit/9d7054c0cb83665a74cf6f59b6261f455e692149
Backport of:
From 9d7054c0cb83665a74cf6f59b6261f455e692149 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Thu, 11 Apr 2024 10:24:11 -0700
Subject: [PATCH] Avoid integer overflows in arithmetic operations
A port of the libaom CL
https://aomedia-review.googlesource.com/c/aom/+/188823.
Impose maximum values on the input parameters so that we can perform
arithmetic operations without worrying about overflows.
Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
first and last samples in the first row of the Y plane, so that the test
will crash if there is unsigned integer overflow in the calculation of
stride_in_bytes.
Bug: chromium:332382766
Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3
(cherry picked from commit 06af417e795e6a9b9309406ba399fb109def89e6)
---
test/vpx_image_test.cc | 19 +++++++++++++++++++
vpx/src/vpx_image.c | 11 +++++++++++
vpx/vpx_image.h | 16 +++++++++++-----
3 files changed, 41 insertions(+), 5 deletions(-)
--- a/test/vpx_image_test.cc
+++ b/test/vpx_image_test.cc
@@ -8,6 +8,8 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <climits>
+
#include "vpx/vpx_image.h"
#include "third_party/googletest/src/include/gtest/gtest.h"
@@ -81,6 +83,10 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth)
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
ASSERT_EQ(image, nullptr);
+ // The aligned width (UINT_MAX + 1) would overflow unsigned int.
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, UINT_MAX, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
if (image) {
vpx_img_free(image);
@@ -101,8 +107,21 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth)
vpx_img_free(image);
}
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 65536, 2, 1);
+ if (image) {
+ uint16_t *y_plane =
+ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
+ y_plane[0] = 0;
+ y_plane[image->d_w - 1] = 0;
+ vpx_img_free(image);
+ }
+
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
if (image) {
+ uint16_t *y_plane =
+ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
+ y_plane[0] = 0;
+ y_plane[image->d_w - 1] = 0;
vpx_img_free(image);
}
}
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <assert.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -28,6 +29,14 @@ static vpx_image_t *img_alloc_helper(vpx
if (img != NULL) memset(img, 0, sizeof(vpx_image_t));
+ /* Impose maximum values on input parameters so that this function can
+ * perform arithmetic operations without worrying about overflows.
+ */
+ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
+ stride_align > 65536) {
+ goto fail;
+ }
+
/* Treat align==0 like align==1 */
if (!buf_align) buf_align = 1;
@@ -103,8 +112,10 @@ static vpx_image_t *img_alloc_helper(vpx
/* Calculate storage sizes given the chroma subsampling */
align = (1 << xcs) - 1;
w = (d_w + align) & ~align;
+ assert(d_w <= w);
align = (1 << ycs) - 1;
h = (d_h + align) & ~align;
+ assert(d_h <= h);
s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
--- a/vpx/vpx_image.h
+++ b/vpx/vpx_image.h
@@ -132,10 +132,13 @@ typedef struct vpx_image_rect {
* is NULL, the storage for the descriptor will be
* allocated on the heap.
* \param[in] fmt Format for the image
- * \param[in] d_w Width of the image
- * \param[in] d_h Height of the image
+ * \param[in] d_w Width of the image. Must not exceed 0x08000000
+ * (2^27).
+ * \param[in] d_h Height of the image. Must not exceed 0x08000000
+ * (2^27).
* \param[in] align Alignment, in bytes, of the image buffer and
- * each row in the image(stride).
+ * each row in the image (stride). Must not exceed
+ * 65536.
*
* \return Returns a pointer to the initialized image descriptor. If the img
* parameter is non-null, the value of the img parameter will be
@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *
* parameter is NULL, the storage for the descriptor
* will be allocated on the heap.
* \param[in] fmt Format for the image
- * \param[in] d_w Width of the image
- * \param[in] d_h Height of the image
+ * \param[in] d_w Width of the image. Must not exceed 0x08000000
+ * (2^27).
+ * \param[in] d_h Height of the image. Must not exceed 0x08000000
+ * (2^27).
* \param[in] stride_align Alignment, in bytes, of each row in the image.
+ * Must not exceed 65536.
* \param[in] img_data Storage to use for the image
*
* \return Returns a pointer to the initialized image descriptor. If the img
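Review bot: The new 0x08000000 cap in img_alloc_helper() makes several VpxImgAllocHugeWidth cases unreachable. Widths 0x7ffffffe and 285245883 are both above the limit, so vpx_img_alloc() should now return NULL for them. Their `if (image)` bodies, including the newly added `y_plane[image->d_w - 1] = 0;` write in the 285245883 case, therefore never run. Only the 65536-wide case still exercises the stride arithmetic with a real buffer. A case just past the boundary would pin the check itself, for example `ASSERT_EQ(vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x08000001, 1, 1), nullptr);`.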

44
CVE-2024-5197-3.patch Normal file

@ -0,0 +1,44 @@
Origin: https://github.com/webmproject/libvpx/commit/61c4d556bd03b97d84e3fa49180d14bde5a62baa
From 61c4d556bd03b97d84e3fa49180d14bde5a62baa Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Fri, 12 Apr 2024 15:48:04 -0700
Subject: [PATCH] Fix a bug in alloc_size for high bit depths
I introduced this bug in commit 2e32276:
https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
I changed the line
stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
to three lines:
s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
if (s > INT_MAX) goto fail;
stride_in_bytes = (int)s;
But I didn't realize that `s` is used later in the calculation of
alloc_size.
As a quick fix, undo the effect of s * 2 for high bit depths after `s`
has been assigned to stride_in_bytes.
Bug: chromium:332382766
Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c
(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3)
---
vpx/src/vpx_image.c | 1 +
1 file changed, 1 insertion(+)
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -95,6 +95,7 @@ static vpx_image_t *img_alloc_helper(vpx
s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
if (s > INT_MAX) goto fail;
stride_in_bytes = (int)s;
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;
/* Allocate the new image */
if (!img) {
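Review bot: The added `s / 2` line lands only at the first stride calculation, the one followed by `/* Allocate the new image */`. The second calculation, which CVE-2024-5197-1.patch changes at `@@ -103,9 +106,11 @@` and which feeds `alloc_size` on the very next line, is not touched by this patch. As shown in this commit, `s` is therefore still doubled for VPX_IMG_FMT_HIGHBITDEPTH formats when `alloc_size` is computed, which is the bug the patch description says it fixes. The effect looks like an allocation twice the needed size rather than one that is too small, but check the upstream commit named in Origin to see whether a second hunk was dropped in the backport. If so, add `s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;` after `stride_in_bytes = (int)s;` at the second site as well.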

103
CVE-2024-5197-pre1.patch Normal file

@ -0,0 +1,103 @@
Origin: https://github.com/webmproject/libvpx/commit/f60da3e3ea58ddca7178d2228e1106f0d2dccd24
From f60da3e3ea58ddca7178d2228e1106f0d2dccd24 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 10 Apr 2024 17:55:01 -0700
Subject: [PATCH] Add test/vpx_image_test.cc
Ported from test/aom_image_test.cc in libaom commit 04d6253.
Change-Id: I56478d0a5603cfb5b65e644add0918387ff69a00
(cherry picked from commit 3dbab0e66479e1b5368d4b7a069051dba85843cf)
---
test/test.mk | 1 +
test/vpx_image_test.cc | 72 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 test/vpx_image_test.cc
--- a/test/test.mk
+++ b/test/test.mk
@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h
## Black box tests only use the public API.
##
LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c
+LIBVPX_TEST_SRCS-yes += vpx_image_test.cc
LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h
LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c
LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc
--- /dev/null
+++ b/test/vpx_image_test.cc
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2024 The WebM project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "vpx/vpx_image.h"
+#include "third_party/googletest/src/include/gtest/gtest.h"
+
+TEST(VpxImageTest, VpxImgWrapInvalidAlign) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+ unsigned char buf[kWidth * kHeight * 3];
+
+ vpx_image_t img;
+ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should
+ // not read these values on failure.
+ unsigned char empty[] = "";
+ img.img_data = empty;
+ img.img_data_owner = 1;
+
+ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
+ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap()
+ // call to fail. The test verifies we do not read the junk values in 'img'.
+ unsigned int align = 31;
+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr);
+}
+
+TEST(VpxImageTest, VpxImgSetRectOverflow) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+ unsigned char buf[kWidth * kHeight * 3];
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
+ unsigned int align = 32;
+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), &img);
+
+ EXPECT_EQ(vpx_img_set_rect(&img, 0, 0, kWidth, kHeight), 0);
+ // This would result in overflow because -1 is cast to UINT_MAX.
+ EXPECT_NE(vpx_img_set_rect(&img, static_cast<unsigned int>(-1),
+ static_cast<unsigned int>(-1), kWidth, kHeight),
+ 0);
+}
+
+TEST(VpxImageTest, VpxImgAllocNone) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_NONE;
+ unsigned int align = 32;
+ ASSERT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), nullptr);
+}
+
+TEST(VpxImageTest, VpxImgAllocNv12) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_NV12;
+ unsigned int align = 32;
+ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img);
+ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]);
+ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]);
+ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
+ vpx_img_free(&img);
+}


@ -1,10 +1,14 @@
Name: libvpx
Version: 1.13.1
Release: 1
Release: 2
Summary: VP8/VP9 Video Codec SDK
License: BSD-3-Clause
Source0: https://github.com/webmproject/libvpx/archive/v%{version}.tar.gz
Patch0: add-riscv64-arch.patch
Patch1: CVE-2024-5197-pre1.patch
Patch2: CVE-2024-5197-1.patch
Patch3: CVE-2024-5197-2.patch
Patch4: CVE-2024-5197-3.patch
URL: http://www.webmproject.org/code/
BuildRequires: gcc gcc-c++ doxygen, php-cli, perl(Getopt::Long)
%ifarch x86_64
@ -110,6 +114,9 @@ mv %{buildroot}%{_prefix}/src/vpx_scale %{buildroot}%{_includedir}/
%{_libdir}/libvpx.so
%changelog
* Fri Jun 07 2024 wangkai <13474090681@163.com> - 1.13.1-2
- Fix CVE-2024-5197
* Sat Nov 25 2023 Jingwiw <wangjingwei@iscas.ac.cn> - 1.13.1-1
- Update to 1.13.1 version
- Migrate to SPDX license