From 8a9b6f4254a4da78f3d65ed68aaddf25e99fda21 Mon Sep 17 00:00:00 2001 From: sa-buc Date: Thu, 19 Jun 2025 10:39:14 +0800 Subject: [PATCH] libvpx-modified Signed-off-by: sa-buc --- 0001-CVE-2025-5283.patch | 63 ++++++++++++++++++++++++++++++++++++++++ libvpx.spec | 7 ++++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 0001-CVE-2025-5283.patch diff --git a/0001-CVE-2025-5283.patch b/0001-CVE-2025-5283.patch new file mode 100644 index 0000000..99d16b9 --- /dev/null +++ b/0001-CVE-2025-5283.patch @@ -0,0 +1,63 @@ +From 1c758781c428c0e895645b95b8ff1512b6bdcecb Mon Sep 17 00:00:00 2001 +From: James Zern +Date: Wed, 30 Apr 2025 19:28:48 -0700 +Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure + +In `vp8e_init()`, the encoder would take ownership of +`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed. +This caused confusion at the call site as other failures in +`vp8e_init()` did not result in ownership transfer and the caller would +free the memory. In the case of `vp8_create_compressor()` failure both +the caller and `vpx_codec_destroy()` would free the memory, causing a +crash. `mr_*` related variables are now cleared on failure to prevent +this situation. + +Bug: webm:413411335 +Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 +Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc +--- + vp8/vp8_cx_iface.c | 12 +++++++++++- + vpx/src/vpx_encoder.c | 3 +++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c +index 38456d2b90c7..35c94fb04343 100644 +--- a/vp8/vp8_cx_iface.c ++++ b/vp8/vp8_cx_iface.c +@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx, + + set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg); + priv->cpi = vp8_create_compressor(&priv->oxcf); +- if (!priv->cpi) res = VPX_CODEC_MEM_ERROR; ++ if (!priv->cpi) { ++#if CONFIG_MULTI_RES_ENCODING ++ // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This ++ // prevents ownership confusion with the caller and avoids a double ++ // free when vpx_codec_destroy() is called on this instance. ++ priv->oxcf.mr_total_resolutions = 0; ++ priv->oxcf.mr_encoder_id = 0; ++ priv->oxcf.mr_low_res_mode_info = NULL; ++#endif ++ res = VPX_CODEC_MEM_ERROR; ++ } + } + } + +diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c +index 001d854abe9c..3af4cea3a70f 100644 +--- a/vpx/src/vpx_encoder.c ++++ b/vpx/src/vpx_encoder.c +@@ -114,6 +114,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver( + ctx->priv = NULL; + ctx->init_flags = flags; + ctx->config.enc = cfg; ++ // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if ++ // this call succeeds. The first ctx entry in the array is ++ // responsible for freeing the memory. + res = ctx->iface->init(ctx, &mr_cfg); + } + +-- +2.49.0 + + diff --git a/libvpx.spec b/libvpx.spec index 5eab630..3c8fe6f 100644 --- a/libvpx.spec +++ b/libvpx.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global somajor 9 %global sominor 0 %global sotiny 0 @@ -25,6 +25,8 @@ Source1: vpx_config.h Source2: libvpx.ver BuildRequires: make gcc gcc-c++ yasm doxygen php-cli perl(Getopt::Long) +# From https://salsa.debian.org/multimedia-team/libvpx/-/merge_requests/5/diffs +Patch0: 0001-CVE-2025-5283.patch %description libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications @@ -125,6 +127,9 @@ rm -rf %{buildroot}%{_prefix}/src %doc AUTHORS CHANGELOG README %changelog +* Mon Jun 18 2025 lzq11122 - 1.14.1-2 +- add patch to fix CVE-2025-5283 + * Wed Mar 19 2025 mgb01105731 - 1.14.1-1 - Update to 1.14.1 from 1.12.0 - Remove patches as the new version of tarball already includes changes -- Gitee