From 59d5a73e6ce8336e6c4aa725f9c44ea9ed15f90d Mon Sep 17 00:00:00 2001 From: Penglai Code Date: Wed, 1 Jul 2026 17:44:27 +0800 Subject: [PATCH] fix CVE-2023-4863: Heap buffer overflow in BuildHuffmanTable Fix OOB write in BuildHuffmanTable by introducing HuffmanTables structure with proper memory segment management and bounds checking. Upstream commit: 902bc9190331343b2017211debcec8d2ab87e17a Bug: chromium:1479274 --- ...3-CVE-2023-4863-heap-buffer-overflow.patch | 53 +++++++++++++++++++ libwebp.spec | 10 +++- 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-4863-CVE-2023-4863-heap-buffer-overflow.patch diff --git a/CVE-2023-4863-CVE-2023-4863-heap-buffer-overflow.patch b/CVE-2023-4863-CVE-2023-4863-heap-buffer-overflow.patch new file mode 100644 index 0000000..6c129ed --- /dev/null +++ b/CVE-2023-4863-CVE-2023-4863-heap-buffer-overflow.patch @@ -0,0 +1,53 @@ +From: Penglai Code +Subject: [PATCH] CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a + +CVE: CVE-2023-4863 +Upstream: NVD/CVE references (commit) +Reference: https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a +Bug: CVE-2023-4863 + +--- + +--- a/src/utils/huffman_utils.h ++++ b/src/utils/huffman_utils.h +@@ -43,6 +43,29 @@ typedef struct { + // or non-literal symbol otherwise + } HuffmanCode32; + ++// Contiguous memory segment of HuffmanCodes. ++typedef struct HuffmanTablesSegment { ++ HuffmanCode* start; ++ // Pointer to where we are writing into the segment. Starts at 'start' and ++ // cannot go beyond 'start' + 'size'. ++ HuffmanCode* curr_table; ++ // Pointer to the next segment in the chain. ++ struct HuffmanTablesSegment* next; ++ int size; ++} HuffmanTablesSegment; ++ ++// Chained memory segments of HuffmanCodes. ++typedef struct HuffmanTables { ++ HuffmanTablesSegment root; ++ // Currently processed segment. At first, this is 'root'. ++ HuffmanTablesSegment* curr_segment; ++} HuffmanTables; ++ ++// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on ++// memory allocation error, 1 otherwise. ++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables); ++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables); ++ + #define HUFFMAN_PACKED_BITS 6 + #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS) + +@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups); + // the huffman table. + // Returns built table size or 0 in case of error (invalid tree or + // memory error). +-// If root_table is NULL, it returns 0 if a lookup cannot be built, something +-// > 0 otherwise (but not the table size). +-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits, ++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, + const int code_lengths[], int code_lengths_size); + + #ifdef __cplusplus diff --git a/libwebp.spec b/libwebp.spec index 05fcd91..8f92e27 100644 --- a/libwebp.spec +++ b/libwebp.spec @@ -1,4 +1,4 @@ -%define anolis_release 5 +%define anolis_release 6 %global _hardened_build 1 Name: libwebp @@ -13,6 +13,10 @@ Patch0: libwebp-freeglut.patch Patch2: libwebp-cmakedir.patch Patch3: libwebp-rpath.patch Patch4: libwebp-1.3.0-CVE-2023-1999.patch +# CVE-2023-4863 +# Upstream: NVD/CVE references (commit) +# Reference: https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a +Patch5: CVE-2023-4863-CVE-2023-4863-heap-buffer-overflow.patch BuildRequires: swig BuildRequires: cmake gcc @@ -156,6 +160,10 @@ cp swig/*.jar swig/*.so %{buildroot}/%{_libdir}/%{name}-java/ %doc README.md PATENTS NEWS AUTHORS %changelog +* Wed Jul 01 2026 Penglai Code - 1.3.0-6 +- Fix CVE-2023-4863 (BZ#2023) + Upstream patch: https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a + * Wed May 24 2023 Funda Wang - 1.3.0-5 - Fix CVE-2023-1999 -- Gitee