From c9f8e17b26ca887196dbb2507eaf980c6cb4140f Mon Sep 17 00:00:00 2001
From: lvfei <lvfei@kylinos.cn>
Date: Mon, 22 Apr 2024 16:30:34 +0800
Subject: [PATCH] Fix CVE-2023-44488

(cherry picked from commit 9b1e11b9a87a1214081db71cabc8b3db8331c419)
---
 CVE-2023-44488.patch | 125 +++++++++++++++++++++++++++++++++++++++++++
 firefox.spec         |  10 ++--
 2 files changed, 131 insertions(+), 4 deletions(-)
 create mode 100644 CVE-2023-44488.patch

diff --git a/CVE-2023-44488.patch b/CVE-2023-44488.patch
new file mode 100644
index 0000000..3ef1da6
--- /dev/null
+++ b/CVE-2023-44488.patch
@@ -0,0 +1,125 @@
+From dfff1be88eaa0e0756c74b702484465b48b66fca Mon Sep 17 00:00:00 2001
+From: Jerome Jiang <jianj@google.com>
+Date: Thu, 30 Jun 2022 13:48:56 -0400
+Subject: [PATCH] CVE-2023-44488 Fix bug with smaller width bigger size
+
+---
+ media/libvpx/libvpx/test/resize_test.cc       |  9 +++----
+ .../libvpx/vp9/common/vp9_alloccommon.c       | 14 +++++-----
+ media/libvpx/libvpx/vp9/encoder/vp9_encoder.c | 27 +++++++++++++++++--
+ 3 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/media/libvpx/libvpx/test/resize_test.cc b/media/libvpx/libvpx/test/resize_test.cc
+index 5f323db5ab..55a2fe58c6 100644
+--- a/media/libvpx/libvpx/test/resize_test.cc
++++ b/media/libvpx/libvpx/test/resize_test.cc
+@@ -101,11 +101,8 @@ void ScaleForFrameNumber(unsigned int frame, unsigned int initial_w,
+       *h = initial_h;
+       return;
+     }
+-    if (frame < 100) {
+-      *w = initial_w * 7 / 10;
+-      *h = initial_h * 16 / 10;
+-      return;
+-    }
++    *w = initial_w * 7 / 10;
++    *h = initial_h * 16 / 10;    
+     return;
+   }
+   if (frame < 10) {
+@@ -578,7 +575,7 @@ TEST_P(ResizeRealtimeTest, TestExternalResizeWorks) {
+   }
+ }
+ 
+-TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
++TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
+   ResizingVideoSource video;
+   video.flag_codec_ = true;
+   video.smaller_width_larger_size_ = true;
+diff --git a/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c b/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
+index 5702dca718..7841c5e793 100644
+--- a/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
++++ b/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
+@@ -131,13 +131,7 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     cm->free_mi(cm);
+     if (cm->alloc_mi(cm, new_mi_size)) goto fail;
+   }
+-
+-  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
+-    // Create the segmentation map structure and set to 0.
+-    free_seg_map(cm);
+-    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
+-  }
+-
++  
+   if (cm->above_context_alloc_cols < cm->mi_cols) {
+     vpx_free(cm->above_context);
+     cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
+@@ -151,6 +145,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     if (!cm->above_seg_context) goto fail;
+     cm->above_context_alloc_cols = cm->mi_cols;
+   }
++ 
++  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
++    // Create the segmentation map structure and set to 0.
++    free_seg_map(cm);
++    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
++  }
+ 
+   if (vp9_alloc_loop_filter(cm)) goto fail;
+ 
+diff --git a/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c b/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
+index 4a37816e20..6efcf91066 100644
+--- a/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
++++ b/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
+@@ -1937,6 +1937,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
+   }
+ }
+ 
++static void free_copy_partition_data(VP9_COMP *cpi) {
++  vpx_free(cpi->prev_partition);
++  cpi->prev_partition = NULL;
++  vpx_free(cpi->prev_segment_id);
++  cpi->prev_segment_id = NULL;
++  vpx_free(cpi->prev_variance_low);
++  cpi->prev_variance_low = NULL;
++  vpx_free(cpi->copied_frame_cnt);
++  cpi->copied_frame_cnt = NULL;
++}
++
+ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+   VP9_COMMON *const cm = &cpi->common;
+   RATE_CONTROL *const rc = &cpi->rc;
+@@ -2021,6 +2032,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
+     if (cm->mi_alloc_size < new_mi_size) {
+       vp9_free_context_buffers(cm);
++      vp9_free_pc_tree(&cpi->td);
++      vpx_free(cpi->mbmi_ext_base);
+       alloc_compressor_data(cpi);
+       realloc_segmentation_maps(cpi);
+       cpi->initial_width = cpi->initial_height = 0;
+@@ -2036,8 +2049,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     update_frame_size(cpi);
+ 
+   if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
+-    memset(cpi->consec_zero_mv, 0,
+-           cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
++    vpx_free(cpi->consec_zero_mv);
++    CHECK_MEM_ERROR(
++        cm, cpi->consec_zero_mv,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
++
++    vpx_free(cpi->skin_map);
++    CHECK_MEM_ERROR(
++        cm, cpi->skin_map,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
++
++    free_copy_partition_data(cpi);
++    alloc_copy_partition_data(cpi);    
+     if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
+       vp9_cyclic_refresh_reset_resize(cpi);
+     rc->rc_1_frame = 0;
+-- 
+2.27.0
+
diff --git a/firefox.spec b/firefox.spec
index 7cde77d..2054b7b 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             17
+Release:             18
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -196,8 +196,7 @@ Patch652:            CVE-2023-5217.patch
 Patch653:            CVE-2023-7104.patch
 Patch654:            CVE-2022-22755.patch
 Patch655:            CVE-2022-1802.patch
-
-
+Patch656:            CVE-2023-44488.patch
 
 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@@ -388,7 +387,7 @@ tar -xf %{SOURCE3}
 %patch653 -p1
 %patch654 -p1
 %patch655 -p1
-
+%patch656 -p1
 
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -837,6 +836,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Fri Apr 19 2024 lvfei <lvfei@kylinos.cn> - 79.0-18
+- Fix CVE-2023-44488
+
 * Thu Mar 21 2024 lvfei <lvfei@kylinos.cn> - 79.0-17
 - Fix CVE-2022-1802
 
-- 
Gitee