From 993e975cabd4dce0460cf391333c9d7c3fb9912d Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Fri, 7 Jun 2024 14:57:57 +0800 Subject: [PATCH] Fix CVE-2024-5197 --- CVE-2024-5197-1.patch | 152 +++++++++++++++++++++++++++++++++++++++ CVE-2024-5197-2.patch | 144 +++++++++++++++++++++++++++++++++++++ CVE-2024-5197-3.patch | 44 ++++++++++++ CVE-2024-5197-pre1.patch | 103 ++++++++++++++++++++++++++ libvpx.spec | 9 ++- 5 files changed, 451 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-5197-1.patch create mode 100644 CVE-2024-5197-2.patch create mode 100644 CVE-2024-5197-3.patch create mode 100644 CVE-2024-5197-pre1.patch diff --git a/CVE-2024-5197-1.patch b/CVE-2024-5197-1.patch new file mode 100644 index 0000000..6638941 --- /dev/null +++ b/CVE-2024-5197-1.patch @@ -0,0 +1,152 @@ +Origin: https://github.com/webmproject/libvpx/commit/c5640e3300690705c336966e2a8bb346a388c829 + +From c5640e3300690705c336966e2a8bb346a388c829 Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang +Date: Wed, 10 Apr 2024 17:01:10 -0700 +Subject: [PATCH] Fix integer overflows in calc of stride_in_bytes + +A port of the libaom CL +https://aomedia-review.googlesource.com/c/aom/+/188761. + +Fix unsigned integer overflows in the calculation of stride_in_bytes in +img_alloc_helper() when d_w is huge. + +Change the type of stride_in_bytes from unsigned int to int because it +will be assigned to img->stride[VPX_PLANE_Y], which is of the int type. + +Test: +. ../libvpx/tools/set_analyzer_env.sh integer +../libvpx/configure --enable-debug --disable-optimizations +make -j +./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth + +Bug: chromium:332382766 +Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82 +(cherry picked from commit 2e32276277c0b1739707c5e861c96cf78794f1a0) +--- + test/vpx_image_test.cc | 36 ++++++++++++++++++++++++++++++++++++ + vpx/src/vpx_image.c | 31 +++++++++++++++++++------------ + 2 files changed, 55 insertions(+), 12 deletions(-) + +--- a/test/vpx_image_test.cc ++++ b/test/vpx_image_test.cc +@@ -70,3 +70,39 @@ TEST(VpxImageTest, VpxImgAllocNv12) { + EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1); + vpx_img_free(&img); + } ++ ++TEST(VpxImageTest, VpxImgAllocHugeWidth) { ++ // The stride (0x80000000 * 2) would overflow unsigned int. ++ vpx_image_t *image = ++ vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 0x80000000, 1, 1); ++ ASSERT_EQ(image, nullptr); ++ ++ // The stride (0x80000000) would overflow int. ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1); ++ ASSERT_EQ(image, nullptr); ++ ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1); ++ if (image) { ++ vpx_img_free(image); ++ } ++ ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 285245883, 64, 1); ++ if (image) { ++ vpx_img_free(image); ++ } ++ ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_NV12, 285245883, 64, 1); ++ if (image) { ++ vpx_img_free(image); ++ } ++ ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_YV12, 285245883, 64, 1); ++ if (image) { ++ vpx_img_free(image); ++ } ++ ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1); ++ if (image) { ++ vpx_img_free(image); ++ } ++} +--- a/vpx/src/vpx_image.c ++++ b/vpx/src/vpx_image.c +@@ -21,8 +21,9 @@ static vpx_image_t *img_alloc_helper(vpx + unsigned int buf_align, + unsigned int stride_align, + unsigned char *img_data) { +- unsigned int h, w, s, xcs, ycs, bps; +- unsigned int stride_in_bytes; ++ unsigned int h, w, xcs, ycs, bps; ++ uint64_t s; ++ int stride_in_bytes; + unsigned int align; + + if (img != NULL) memset(img, 0, sizeof(vpx_image_t)); +@@ -80,9 +81,11 @@ static vpx_image_t *img_alloc_helper(vpx + * and height shouldn't be adjusted. */ + w = d_w; + h = d_h; +- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; +- s = (s + stride_align - 1) & ~(stride_align - 1); +- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8; ++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); ++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ if (s > INT_MAX) goto fail; ++ stride_in_bytes = (int)s; + + /* Allocate the new image */ + if (!img) { +@@ -103,9 +106,11 @@ static vpx_image_t *img_alloc_helper(vpx + align = (1 << ycs) - 1; + h = (d_h + align) & ~align; + +- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; +- s = (s + stride_align - 1) & ~(stride_align - 1); +- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8; ++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); ++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ if (s > INT_MAX) goto fail; ++ stride_in_bytes = (int)s; + alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8 + : (uint64_t)h * s; + +@@ -170,12 +175,12 @@ int vpx_img_set_rect(vpx_image_t *img, u + if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) { + img->planes[VPX_PLANE_ALPHA] = + data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA]; +- data += img->h * img->stride[VPX_PLANE_ALPHA]; ++ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA]; + } + + img->planes[VPX_PLANE_Y] = + data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y]; +- data += img->h * img->stride[VPX_PLANE_Y]; ++ data += (size_t)img->h * img->stride[VPX_PLANE_Y]; + + if (img->fmt == VPX_IMG_FMT_NV12) { + img->planes[VPX_PLANE_U] = +@@ -186,7 +191,8 @@ int vpx_img_set_rect(vpx_image_t *img, u + img->planes[VPX_PLANE_U] = + data + (x >> img->x_chroma_shift) * bytes_per_sample + + (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; +- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; ++ data += ++ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; + img->planes[VPX_PLANE_V] = + data + (x >> img->x_chroma_shift) * bytes_per_sample + + (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; +@@ -194,7 +200,8 @@ int vpx_img_set_rect(vpx_image_t *img, u + img->planes[VPX_PLANE_V] = + data + (x >> img->x_chroma_shift) * bytes_per_sample + + (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; +- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; ++ data += ++ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V]; + img->planes[VPX_PLANE_U] = + data + (x >> img->x_chroma_shift) * bytes_per_sample + + (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U]; + diff --git a/CVE-2024-5197-2.patch b/CVE-2024-5197-2.patch new file mode 100644 index 0000000..73abc66 --- /dev/null +++ b/CVE-2024-5197-2.patch @@ -0,0 +1,144 @@ +Origin: https://github.com/webmproject/libvpx/commit/9d7054c0cb83665a74cf6f59b6261f455e692149 + +Backport of: + +From 9d7054c0cb83665a74cf6f59b6261f455e692149 Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang +Date: Thu, 11 Apr 2024 10:24:11 -0700 +Subject: [PATCH] Avoid integer overflows in arithmetic operations + +A port of the libaom CL +https://aomedia-review.googlesource.com/c/aom/+/188823. + +Impose maximum values on the input parameters so that we can perform +arithmetic operations without worrying about overflows. + +Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the +first and last samples in the first row of the Y plane, so that the test +will crash if there is unsigned integer overflow in the calculation of +stride_in_bytes. + +Bug: chromium:332382766 +Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3 +(cherry picked from commit 06af417e795e6a9b9309406ba399fb109def89e6) +--- + test/vpx_image_test.cc | 19 +++++++++++++++++++ + vpx/src/vpx_image.c | 11 +++++++++++ + vpx/vpx_image.h | 16 +++++++++++----- + 3 files changed, 41 insertions(+), 5 deletions(-) + +--- a/test/vpx_image_test.cc ++++ b/test/vpx_image_test.cc +@@ -8,6 +8,8 @@ + * be found in the AUTHORS file in the root of the source tree. + */ + ++#include ++ + #include "vpx/vpx_image.h" + #include "third_party/googletest/src/include/gtest/gtest.h" + +@@ -81,6 +83,10 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) + image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1); + ASSERT_EQ(image, nullptr); + ++ // The aligned width (UINT_MAX + 1) would overflow unsigned int. ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, UINT_MAX, 1, 1); ++ ASSERT_EQ(image, nullptr); ++ + image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1); + if (image) { + vpx_img_free(image); +@@ -101,8 +107,21 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) + vpx_img_free(image); + } + ++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 65536, 2, 1); ++ if (image) { ++ uint16_t *y_plane = ++ reinterpret_cast(image->planes[VPX_PLANE_Y]); ++ y_plane[0] = 0; ++ y_plane[image->d_w - 1] = 0; ++ vpx_img_free(image); ++ } ++ + image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1); + if (image) { ++ uint16_t *y_plane = ++ reinterpret_cast(image->planes[VPX_PLANE_Y]); ++ y_plane[0] = 0; ++ y_plane[image->d_w - 1] = 0; + vpx_img_free(image); + } + } +--- a/vpx/src/vpx_image.c ++++ b/vpx/src/vpx_image.c +@@ -8,6 +8,7 @@ + * be found in the AUTHORS file in the root of the source tree. + */ + ++#include + #include + #include + #include +@@ -28,6 +29,14 @@ static vpx_image_t *img_alloc_helper(vpx + + if (img != NULL) memset(img, 0, sizeof(vpx_image_t)); + ++ /* Impose maximum values on input parameters so that this function can ++ * perform arithmetic operations without worrying about overflows. ++ */ ++ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 || ++ stride_align > 65536) { ++ goto fail; ++ } ++ + /* Treat align==0 like align==1 */ + if (!buf_align) buf_align = 1; + +@@ -103,8 +112,10 @@ static vpx_image_t *img_alloc_helper(vpx + /* Calculate storage sizes given the chroma subsampling */ + align = (1 << xcs) - 1; + w = (d_w + align) & ~align; ++ assert(d_w <= w); + align = (1 << ycs) - 1; + h = (d_h + align) & ~align; ++ assert(d_h <= h); + + s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8; + s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); +--- a/vpx/vpx_image.h ++++ b/vpx/vpx_image.h +@@ -132,10 +132,13 @@ typedef struct vpx_image_rect { + * is NULL, the storage for the descriptor will be + * allocated on the heap. + * \param[in] fmt Format for the image +- * \param[in] d_w Width of the image +- * \param[in] d_h Height of the image ++ * \param[in] d_w Width of the image. Must not exceed 0x08000000 ++ * (2^27). ++ * \param[in] d_h Height of the image. Must not exceed 0x08000000 ++ * (2^27). + * \param[in] align Alignment, in bytes, of the image buffer and +- * each row in the image(stride). ++ * each row in the image (stride). Must not exceed ++ * 65536. + * + * \return Returns a pointer to the initialized image descriptor. If the img + * parameter is non-null, the value of the img parameter will be +@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t * + * parameter is NULL, the storage for the descriptor + * will be allocated on the heap. + * \param[in] fmt Format for the image +- * \param[in] d_w Width of the image +- * \param[in] d_h Height of the image ++ * \param[in] d_w Width of the image. Must not exceed 0x08000000 ++ * (2^27). ++ * \param[in] d_h Height of the image. Must not exceed 0x08000000 ++ * (2^27). + * \param[in] stride_align Alignment, in bytes, of each row in the image. ++ * Must not exceed 65536. + * \param[in] img_data Storage to use for the image + * + * \return Returns a pointer to the initialized image descriptor. If the img + diff --git a/CVE-2024-5197-3.patch b/CVE-2024-5197-3.patch new file mode 100644 index 0000000..327ee61 --- /dev/null +++ b/CVE-2024-5197-3.patch @@ -0,0 +1,44 @@ +Origin: https://github.com/webmproject/libvpx/commit/61c4d556bd03b97d84e3fa49180d14bde5a62baa + +From 61c4d556bd03b97d84e3fa49180d14bde5a62baa Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang +Date: Fri, 12 Apr 2024 15:48:04 -0700 +Subject: [PATCH] Fix a bug in alloc_size for high bit depths + +I introduced this bug in commit 2e32276: +https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333 + +I changed the line + + stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; + +to three lines: + + s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; + if (s > INT_MAX) goto fail; + stride_in_bytes = (int)s; + +But I didn't realize that `s` is used later in the calculation of +alloc_size. + +As a quick fix, undo the effect of s * 2 for high bit depths after `s` +has been assigned to stride_in_bytes. + +Bug: chromium:332382766 +Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c +(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3) +--- + vpx/src/vpx_image.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/vpx/src/vpx_image.c ++++ b/vpx/src/vpx_image.c +@@ -95,6 +95,7 @@ static vpx_image_t *img_alloc_helper(vpx + s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; + if (s > INT_MAX) goto fail; + stride_in_bytes = (int)s; ++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s; + + /* Allocate the new image */ + if (!img) { + diff --git a/CVE-2024-5197-pre1.patch b/CVE-2024-5197-pre1.patch new file mode 100644 index 0000000..742bfa7 --- /dev/null +++ b/CVE-2024-5197-pre1.patch @@ -0,0 +1,103 @@ +Origin: https://github.com/webmproject/libvpx/commit/f60da3e3ea58ddca7178d2228e1106f0d2dccd24 + +From f60da3e3ea58ddca7178d2228e1106f0d2dccd24 Mon Sep 17 00:00:00 2001 +From: Wan-Teh Chang +Date: Wed, 10 Apr 2024 17:55:01 -0700 +Subject: [PATCH] Add test/vpx_image_test.cc + +Ported from test/aom_image_test.cc in libaom commit 04d6253. + +Change-Id: I56478d0a5603cfb5b65e644add0918387ff69a00 +(cherry picked from commit 3dbab0e66479e1b5368d4b7a069051dba85843cf) +--- + test/test.mk | 1 + + test/vpx_image_test.cc | 72 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 73 insertions(+) + create mode 100644 test/vpx_image_test.cc + +--- a/test/test.mk ++++ b/test/test.mk +@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h + ## Black box tests only use the public API. + ## + LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c ++LIBVPX_TEST_SRCS-yes += vpx_image_test.cc + LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h + LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c + LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc +--- /dev/null ++++ b/test/vpx_image_test.cc +@@ -0,0 +1,72 @@ ++/* ++ * Copyright (c) 2024 The WebM project authors. All Rights Reserved. ++ * ++ * Use of this source code is governed by a BSD-style license ++ * that can be found in the LICENSE file in the root of the source ++ * tree. An additional intellectual property rights grant can be found ++ * in the file PATENTS. All contributing project authors may ++ * be found in the AUTHORS file in the root of the source tree. ++ */ ++ ++#include "vpx/vpx_image.h" ++#include "third_party/googletest/src/include/gtest/gtest.h" ++ ++TEST(VpxImageTest, VpxImgWrapInvalidAlign) { ++ const int kWidth = 128; ++ const int kHeight = 128; ++ unsigned char buf[kWidth * kHeight * 3]; ++ ++ vpx_image_t img; ++ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should ++ // not read these values on failure. ++ unsigned char empty[] = ""; ++ img.img_data = empty; ++ img.img_data_owner = 1; ++ ++ vpx_img_fmt_t format = VPX_IMG_FMT_I444; ++ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap() ++ // call to fail. The test verifies we do not read the junk values in 'img'. ++ unsigned int align = 31; ++ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr); ++} ++ ++TEST(VpxImageTest, VpxImgSetRectOverflow) { ++ const int kWidth = 128; ++ const int kHeight = 128; ++ unsigned char buf[kWidth * kHeight * 3]; ++ ++ vpx_image_t img; ++ vpx_img_fmt_t format = VPX_IMG_FMT_I444; ++ unsigned int align = 32; ++ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), &img); ++ ++ EXPECT_EQ(vpx_img_set_rect(&img, 0, 0, kWidth, kHeight), 0); ++ // This would result in overflow because -1 is cast to UINT_MAX. ++ EXPECT_NE(vpx_img_set_rect(&img, static_cast(-1), ++ static_cast(-1), kWidth, kHeight), ++ 0); ++} ++ ++TEST(VpxImageTest, VpxImgAllocNone) { ++ const int kWidth = 128; ++ const int kHeight = 128; ++ ++ vpx_image_t img; ++ vpx_img_fmt_t format = VPX_IMG_FMT_NONE; ++ unsigned int align = 32; ++ ASSERT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), nullptr); ++} ++ ++TEST(VpxImageTest, VpxImgAllocNv12) { ++ const int kWidth = 128; ++ const int kHeight = 128; ++ ++ vpx_image_t img; ++ vpx_img_fmt_t format = VPX_IMG_FMT_NV12; ++ unsigned int align = 32; ++ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img); ++ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]); ++ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]); ++ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1); ++ vpx_img_free(&img); ++} + diff --git a/libvpx.spec b/libvpx.spec index 8e6beb2..4d93a20 100644 --- a/libvpx.spec +++ b/libvpx.spec @@ -1,10 +1,14 @@ Name: libvpx Version: 1.13.1 -Release: 1 +Release: 2 Summary: VP8/VP9 Video Codec SDK License: BSD-3-Clause Source0: https://github.com/webmproject/libvpx/archive/v%{version}.tar.gz Patch0: add-riscv64-arch.patch +Patch1: CVE-2024-5197-pre1.patch +Patch2: CVE-2024-5197-1.patch +Patch3: CVE-2024-5197-2.patch +Patch4: CVE-2024-5197-3.patch URL: http://www.webmproject.org/code/ BuildRequires: gcc gcc-c++ doxygen, php-cli, perl(Getopt::Long) %ifarch x86_64 @@ -110,6 +114,9 @@ mv %{buildroot}%{_prefix}/src/vpx_scale %{buildroot}%{_includedir}/ %{_libdir}/libvpx.so %changelog +* Fri Jun 07 2024 wangkai <13474090681@163.com> - 1.13.1-2 +- Fix CVE-2024-5197 + * Sat Nov 25 2023 Jingwiw - 1.13.1-1 - Update to 1.13.1 version - Migrate to SPDX license -- Gitee