diff --git a/CVE-2023-44488.patch b/CVE-2023-44488.patch deleted file mode 100644 index a73a5c992676720f95d9433ca77d58a1f936b4ed..0000000000000000000000000000000000000000 --- a/CVE-2023-44488.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From df9fd9d5b7325060b2b921558a1eb20ca7880937 Mon Sep 17 00:00:00 2001 -From: Jerome Jiang -Date: Thu, 30 Jun 2022 13:48:56 -0400 -Subject: [PATCH] Fix bug with smaller width bigger size - -Fixed previous patch that clusterfuzz failed on. - -Local fuzzing passing overnight. - -Bug: webm:1642 -Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9 -(cherry picked from commit 263682c9a29395055f3b3afe2d97be1828a6223f) ---- - vp9/common/vp9_alloccommon.c | 13 ++++++------- - vp9/encoder/vp9_encoder.c | 27 +++++++++++++++++++++++++-- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c -index e53883f621d..9e73e40ea09 100644 ---- a/vp9/common/vp9_alloccommon.c -+++ b/vp9/common/vp9_alloccommon.c -@@ -135,13 +135,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) { - cm->free_mi(cm); - if (cm->alloc_mi(cm, new_mi_size)) goto fail; - } -- -- if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) { -- // Create the segmentation map structure and set to 0. -- free_seg_map(cm); -- if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail; -- } -- - if (cm->above_context_alloc_cols < cm->mi_cols) { - vpx_free(cm->above_context); - cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc( -@@ -156,6 +149,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) { - cm->above_context_alloc_cols = cm->mi_cols; - } - -+ if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) { -+ // Create the segmentation map structure and set to 0. 
-+ free_seg_map(cm); -+ if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail; -+ } -+ - if (vp9_alloc_loop_filter(cm)) goto fail; - - return 0; -diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c -index b66fdc0bca3..e3850775455 100644 ---- a/vp9/encoder/vp9_encoder.c -+++ b/vp9/encoder/vp9_encoder.c -@@ -1973,6 +1973,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) { - } - } - -+static void free_copy_partition_data(VP9_COMP *cpi) { -+ vpx_free(cpi->prev_partition); -+ cpi->prev_partition = NULL; -+ vpx_free(cpi->prev_segment_id); -+ cpi->prev_segment_id = NULL; -+ vpx_free(cpi->prev_variance_low); -+ cpi->prev_variance_low = NULL; -+ vpx_free(cpi->copied_frame_cnt); -+ cpi->copied_frame_cnt = NULL; -+} -+ - void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) { - VP9_COMMON *const cm = &cpi->common; - RATE_CONTROL *const rc = &cpi->rc; -@@ -2052,6 +2063,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) { - new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows); - if (cm->mi_alloc_size < new_mi_size) { - vp9_free_context_buffers(cm); -+ vp9_free_pc_tree(&cpi->td); -+ vpx_free(cpi->mbmi_ext_base); - alloc_compressor_data(cpi); - realloc_segmentation_maps(cpi); - cpi->initial_width = cpi->initial_height = 0; -@@ -2070,8 +2083,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) { - update_frame_size(cpi); - - if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) { -- memset(cpi->consec_zero_mv, 0, -- cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv)); -+ vpx_free(cpi->consec_zero_mv); -+ CHECK_MEM_ERROR( -+ cm, cpi->consec_zero_mv, -+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv))); -+ -+ vpx_free(cpi->skin_map); -+ CHECK_MEM_ERROR( -+ cm, cpi->skin_map, -+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0]))); -+ -+ free_copy_partition_data(cpi); -+ alloc_copy_partition_data(cpi); - if (cpi->oxcf.aq_mode == 
CYCLIC_REFRESH_AQ) - vp9_cyclic_refresh_reset_resize(cpi); - rc->rc_1_frame = 0; diff --git a/CVE-2023-5217.patch b/CVE-2023-5217.patch deleted file mode 100644 index 269cacafbad28990de294cf5e41eae947e83ebca..0000000000000000000000000000000000000000 --- a/CVE-2023-5217.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3fbd1dca6a4d2dad332a2110d646e4ffef36d590 Mon Sep 17 00:00:00 2001 -From: James Zern -Date: Mon, 25 Sep 2023 18:55:59 -0700 -Subject: [PATCH] VP8: disallow thread count changes - -Currently allocations are done at encoder creation time. Going from -threaded to non-threaded would cause a crash. - -Bug: chromium:1486441 -Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4 ---- - vp8/encoder/onyx_if.c | 5 +++++ - 1 files changed, 1 insertions(+), 0 deletions(-) - -diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c -index c65afc643bf..c5e9970c3cc 100644 ---- a/vp8/encoder/onyx_if.c -+++ b/vp8/encoder/onyx_if.c -@@ -1447,6 +1447,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) { - last_h = cpi->oxcf.Height; - prev_number_of_layers = cpi->oxcf.number_of_layers; - -+ if (cpi->initial_width) { -+ // TODO(https://crbug.com/1486441): Allow changing thread counts; the -+ // allocation is done once in vp8_create_compressor(). -+ oxcf->multi_threaded = cpi->oxcf.multi_threaded; -+ } - cpi->oxcf = *oxcf; - - switch (cpi->oxcf.Mode) { diff --git a/CVE-2024-5197.patch b/CVE-2024-5197.patch deleted file mode 100644 index 0bd31a10a3fcbc1cb619a25622ad1f2b09f7c175..0000000000000000000000000000000000000000 --- a/CVE-2024-5197.patch +++ /dev/null 
@@ -1,249 +0,0 @@ -From 6ba689e5f906b0038b0e4af3947f21bfc21edbf5 Mon Sep 17 00:00:00 2001 -From: pangqing -Date: Fri, 20 Sep 2024 14:53:59 +0800 -Subject: [PATCH] CVE-2024-5197 - ---- - test/test.mk | 1 + - test/vpx_image_test.cc | 72 ++++++++++++++++++++++++++++++++++++++++++ - vpx/src/vpx_image.c | 43 ++++++++++++++++++------- - vpx/vpx_image.h | 16 +++++++--- - 4 files changed, 115 insertions(+), 17 deletions(-) - create mode 100644 test/vpx_image_test.cc - -diff --git a/test/test.mk b/test/test.mk -index 6df4572..f2566dd 100644 ---- a/test/test.mk -+++ b/test/test.mk -@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h - ## Black box tests only use the public API. - ## - LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c -+LIBVPX_TEST_SRCS-yes += vpx_image_test.cc - LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h - LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c - LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc -diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc -new file mode 100644 -index 0000000..113353c ---- /dev/null -+++ b/test/vpx_image_test.cc -@@ -0,0 +1,72 @@ -+/* -+ * Copyright (c) 2024 The WebM project authors. All Rights Reserved. -+ * -+ * Use of this source code is governed by a BSD-style license -+ * that can be found in the LICENSE file in the root of the source -+ * tree. An additional intellectual property rights grant can be found -+ * in the file PATENTS. All contributing project authors may -+ * be found in the AUTHORS file in the root of the source tree. -+ */ -+ -+#include "vpx/vpx_image.h" -+#include "third_party/googletest/src/include/gtest/gtest.h" -+ -+TEST(VpxImageTest, VpxImgWrapInvalidAlign) { -+ const int kWidth = 128; -+ const int kHeight = 128; -+ unsigned char buf[kWidth * kHeight * 3]; -+ -+ vpx_image_t img; -+ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should -+ // not read these values on failure. 
-+ unsigned char empty[] = ""; -+ img.img_data = empty; -+ img.img_data_owner = 1; -+ -+ vpx_img_fmt_t format = VPX_IMG_FMT_I444; -+ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap() -+ // call to fail. The test verifies we do not read the junk values in 'img'. -+ unsigned int align = 31; -+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr); -+} -+ -+TEST(VpxImageTest, VpxImgSetRectOverflow) { -+ const int kWidth = 128; -+ const int kHeight = 128; -+ unsigned char buf[kWidth * kHeight * 3]; -+ -+ vpx_image_t img; -+ vpx_img_fmt_t format = VPX_IMG_FMT_I444; -+ unsigned int align = 32; -+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), &img); -+ -+ EXPECT_EQ(vpx_img_set_rect(&img, 0, 0, kWidth, kHeight), 0); -+ // This would result in overflow because -1 is cast to UINT_MAX. -+ EXPECT_NE(vpx_img_set_rect(&img, static_cast(-1), -+ static_cast(-1), kWidth, kHeight), -+ 0); -+} -+ -+TEST(VpxImageTest, VpxImgAllocNone) { -+ const int kWidth = 128; -+ const int kHeight = 128; -+ -+ vpx_image_t img; -+ vpx_img_fmt_t format = VPX_IMG_FMT_NONE; -+ unsigned int align = 32; -+ ASSERT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), nullptr); -+} -+ -+TEST(VpxImageTest, VpxImgAllocNv12) { -+ const int kWidth = 128; -+ const int kHeight = 128; -+ -+ vpx_image_t img; -+ vpx_img_fmt_t format = VPX_IMG_FMT_NV12; -+ unsigned int align = 32; -+ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img); -+ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]); -+ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]); -+ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1); -+ vpx_img_free(&img); -+} -diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c -index f9f0dd6..fc6ff72 100644 ---- a/vpx/src/vpx_image.c -+++ b/vpx/src/vpx_image.c -@@ -8,6 +8,7 @@ - * be found in the AUTHORS file in the root of the source tree. 
- */ - -+#include - #include - #include - #include -@@ -21,12 +22,21 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt, - unsigned int buf_align, - unsigned int stride_align, - unsigned char *img_data) { -- unsigned int h, w, s, xcs, ycs, bps; -- unsigned int stride_in_bytes; -+ unsigned int h, w, xcs, ycs, bps; -+ uint64_t s; -+ int stride_in_bytes; - unsigned int align; - - if (img != NULL) memset(img, 0, sizeof(vpx_image_t)); - -+ /* Impose maximum values on input parameters so that this function can -+ * perform arithmetic operations without worrying about overflows. -+ */ -+ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 || -+ stride_align > 65536) { -+ goto fail; -+ } -+ - /* Treat align==0 like align==1 */ - if (!buf_align) buf_align = 1; - -@@ -80,9 +90,12 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt, - * and height shouldn't be adjusted. */ - w = d_w; - h = d_h; -- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; -- s = (s + stride_align - 1) & ~(stride_align - 1); -- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; -+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8; -+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); -+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; -+ if (s > INT_MAX) goto fail; -+ stride_in_bytes = (int)s; -+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s; - - /* Allocate the new image */ - if (!img) { -@@ -100,12 +113,16 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt, - /* Calculate storage sizes given the chroma subsampling */ - align = (1 << xcs) - 1; - w = (d_w + align) & ~align; -+ assert(d_w <= w); - align = (1 << ycs) - 1; - h = (d_h + align) & ~align; -+ assert(d_h <= h); - -- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; -- s = (s + stride_align - 1) & ~(stride_align - 1); -- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; -+ s = (fmt & VPX_IMG_FMT_PLANAR) ? 
w : (uint64_t)bps * w / 8; -+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); -+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; -+ if (s > INT_MAX) goto fail; -+ stride_in_bytes = (int)s; - alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8 - : (uint64_t)h * s; - -@@ -170,12 +187,12 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y, - if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) { - img->planes[VPX_PLANE_ALPHA] = - data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA]; -- data += img->h * img->stride[VPX_PLANE_ALPHA]; -+ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA]; - } - - img->planes[VPX_PLANE_Y] = - data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y]; -- data += img->h * img->stride[VPX_PLANE_Y]; -+ data += (size_t)img->h * img->stride[VPX_PLANE_Y]; - - if (img->fmt == VPX_IMG_FMT_NV12) { - img->planes[VPX_PLANE_U] = -@@ -186,7 +203,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y, - img->planes[VPX_PLANE_U] = - data + (x >> img->x_chroma_shift) * bytes_per_sample + - (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; -- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; -+ data += -+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; - img->planes[VPX_PLANE_V] = - data + (x >> img->x_chroma_shift) * bytes_per_sample + - (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; -@@ -194,7 +212,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y, - img->planes[VPX_PLANE_V] = - data + (x >> img->x_chroma_shift) * bytes_per_sample + - (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; -- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; -+ data += -+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; - img->planes[VPX_PLANE_U] = - data + (x >> img->x_chroma_shift) * bytes_per_sample + - (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; -diff --git a/vpx/vpx_image.h 
b/vpx/vpx_image.h -index 1adc9b9..2c30a89 100644 ---- a/vpx/vpx_image.h -+++ b/vpx/vpx_image.h -@@ -132,10 +132,13 @@ typedef struct vpx_image_rect { - * is NULL, the storage for the descriptor will be - * allocated on the heap. - * \param[in] fmt Format for the image -- * \param[in] d_w Width of the image -- * \param[in] d_h Height of the image -+ * \param[in] d_w Width of the image. Must not exceed 0x08000000 -+ * (2^27). -+ * \param[in] d_h Height of the image. Must not exceed 0x08000000 -+ * (2^27). - * \param[in] align Alignment, in bytes, of the image buffer and -- * each row in the image(stride). -+ * each row in the image (stride). Must not exceed -+ * 65536. - * - * \return Returns a pointer to the initialized image descriptor. If the img - * parameter is non-null, the value of the img parameter will be -@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *img, vpx_img_fmt_t fmt, - * parameter is NULL, the storage for the descriptor - * will be allocated on the heap. - * \param[in] fmt Format for the image -- * \param[in] d_w Width of the image -- * \param[in] d_h Height of the image -+ * \param[in] d_w Width of the image. Must not exceed 0x08000000 -+ * (2^27). -+ * \param[in] d_h Height of the image. Must not exceed 0x08000000 -+ * (2^27). - * \param[in] stride_align Alignment, in bytes, of each row in the image. -+ * Must not exceed 65536. - * \param[in] img_data Storage to use for the image - * - * \return Returns a pointer to the initialized image descriptor. If the img --- -2.39.3 - diff --git a/libvpx.spec b/libvpx.spec index 7629f55e11775b6e9d4169f20a55536d19235924..2af7ce43c3e72f1d58ff29e345da10eca3741736 100644 --- a/libvpx.spec +++ b/libvpx.spec @@ -1,5 +1,5 @@ -%define anolis_release 4 -%global somajor 7 +%define anolis_release 1 +%global somajor 9 %global sominor 0 %global sotiny 0 %global soversion %{somajor}.%{sominor}.%{sotiny} 
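Review bot: The `%global somajor 9` change skips two soname majors, but nothing in this diff shows how packages linked against the old `libvpx.so.7` are handled, and `Source1: vpx_config.h` and `Source2: libvpx.ver` are left untouched. If either file was generated for 1.12.0 (configuration macros, exported symbol list), it should be regenerated from the 1.14.1 tree; a stale config header can silently change which code paths are compiled in. I would also state the ABI break in the changelog, for example `- soname bump to libvpx.so.9, dependent packages need a rebuild`, so consumers are rebuilt against the fixed library rather than pinned to the old one.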
@@ -16,16 +16,13 @@ Name: libvpx Summary: VP8/VP9 Video Codec SDK -Version: 1.12.0 +Version: 1.14.1 Release: %{anolis_release}%{?dist} License: BSD URL: http://www.webmproject.org/code/ Source0: https://github.com/webmproject/libvpx/archive/v%{version}.tar.gz Source1: vpx_config.h Source2: libvpx.ver -Patch0: CVE-2023-5217.patch -Patch1: CVE-2023-44488.patch -Patch2: CVE-2024-5197.patch BuildRequires: make gcc gcc-c++ yasm doxygen php-cli perl(Getopt::Long) @@ -128,6 +125,10 @@ rm -rf %{buildroot}%{_prefix}/src %doc AUTHORS CHANGELOG README %changelog +* Tue Jun 10 2025 wenxin - 1.14.1-1 +- Update to 1.14.1 from 1.12.0 +- Remove patches as the new version of tarball already includes changes + * Fri Sep 20 2024 pangqing - 1.12.0-4 - Fix CVE-2024-5197 diff --git a/v1.12.0.tar.gz b/v1.14.1.tar.gz similarity index 48% rename from v1.12.0.tar.gz rename to v1.14.1.tar.gz index 16213f83b4f75a020a12ef55c823584b42607a10..8fe06221ddb8d36e5e6082c914fdfc76e6359e93 100644 Binary files a/v1.12.0.tar.gz and b/v1.14.1.tar.gz differ
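Review bot: Dropping `Patch0` to `Patch2` removes the only place this package names CVE-2023-5217, CVE-2023-44488 and CVE-2024-5197, and the changelog line added in the next hunk says only that the tarball "already includes changes". Name them in the changelog, for example `- Drop CVE-2023-5217, CVE-2023-44488 and CVE-2024-5197 patches, fixed upstream in 1.14.1`, so changelog-based vulnerability scanners and auditors still see the fixes as present. The claim should also be checked against the 1.14.1 sources before merge. One quick check is that `test/vpx_image_test.cc` and the `d_w > 0x08000000` bound in `vpx/src/vpx_image.c`, both added by the removed CVE-2024-5197 patch, exist in the new tree. The tarball is replaced as an opaque binary and `Source0` carries no checksum visible in this diff, so the digest of `v1.14.1.tar.gz` should be compared with the upstream release before it is trusted.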