On 2023-09-28 23:14:20 +0200, Salvatore Bonaccorso wrote: > X-Debbugs-CC: Sebastian Ramacher <sramac...@debian.org> > > Control: tags 1053182 + patch > Control: tags 1053182 + pending > > > Dear maintainer, > > I've prepared an NMU for libvpx (versioned as 1.12.0-1.1) and > uploaded it to DELAYED/2. Please feel free to tell me if I > should delay it longer.
Thanks for working on the fix! Please feel free to reschedule it so that it directly lands in unstable. Cheers > > Regards, > Salvatore > diff -Nru libvpx-1.12.0/debian/changelog libvpx-1.12.0/debian/changelog > --- libvpx-1.12.0/debian/changelog 2022-07-09 15:20:25.000000000 +0200 > +++ libvpx-1.12.0/debian/changelog 2023-09-28 23:07:11.000000000 +0200 > @@ -1,3 +1,11 @@ > +libvpx (1.12.0-1.1) unstable; urgency=high > + > + * Non-maintainer upload. > + * encode_api_test: add ConfigResizeChangeThreadCount > + * VP8: disallow thread count changes (CVE-2023-5217) (Closes: #1053182) > + > + -- Salvatore Bonaccorso <car...@debian.org> Thu, 28 Sep 2023 23:07:11 +0200 > + > libvpx (1.12.0-1) unstable; urgency=medium > > * Team upload > diff -Nru > libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch > > libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch > --- > libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > libvpx-1.12.0/debian/patches/0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch > 2023-09-28 23:07:11.000000000 +0200 > @@ -0,0 +1,89 @@ > +From: James Zern <jz...@google.com> > +Date: Mon, 25 Sep 2023 18:53:41 -0700 > +Subject: encode_api_test: add ConfigResizeChangeThreadCount > +Origin: > https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282 > +Bug-Debian: https://bugs.debian.org/1053182 > +Bug-Debian-Security: > https://security-tracker.debian.org/tracker/CVE-2023-5217 > + > +Update thread counts and resolution to ensure allocations are updated > +correctly. VP8 is disabled to avoid a crash. > + > +Bug: chromium:1486441 > +Change-Id: Ie89776d9818d27dc351eff298a44c699e850761b > +--- > + test/encode_api_test.cc | 50 ++++++++++++++++++++++++++++++++++++++++- > + 1 file changed, 49 insertions(+), 1 deletion(-) > + > +--- a/test/encode_api_test.cc > ++++ b/test/encode_api_test.cc > +@@ -304,7 +304,6 @@ TEST(EncodeAPI, SetRoi) { > + > + void InitCodec(const vpx_codec_iface_t &iface, int width, int height, > + vpx_codec_ctx_t *enc, vpx_codec_enc_cfg_t *cfg) { > +- ASSERT_EQ(vpx_codec_enc_config_default(&iface, cfg, 0), VPX_CODEC_OK); > + cfg->g_w = width; > + cfg->g_h = height; > + cfg->g_lag_in_frames = 0; > +@@ -342,6 +341,7 @@ TEST(EncodeAPI, ConfigChangeThreadCount) > + vpx_codec_ctx_t ctx = {}; > + } enc; > + > ++ ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK); > + EXPECT_NO_FATAL_FAILURE( > + InitCodec(*iface, kWidth, kHeight, &enc.ctx, &cfg)); > + if (IsVP9(iface)) { > +@@ -353,6 +353,54 @@ TEST(EncodeAPI, ConfigChangeThreadCount) > + > + for (const auto threads : { 1, 4, 8, 6, 2, 1 }) { > + cfg.g_threads = threads; > ++ EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx)) > ++ << "iteration: " << i << " threads: " << threads; > ++ } > ++ } > ++ } > ++} > ++ > ++TEST(EncodeAPI, ConfigResizeChangeThreadCount) { > ++ constexpr int kInitWidth = 1024; > ++ constexpr int kInitHeight = 1024; > ++ > ++ for (const auto *iface : kCodecIfaces) { > ++ SCOPED_TRACE(vpx_codec_iface_name(iface)); > ++ if (!IsVP9(iface)) { > ++ GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this > condition " > ++ "after VP8 is fixed."; > ++ } > ++ for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) { > ++ vpx_codec_enc_cfg_t cfg = {}; > ++ struct Encoder { > ++ ~Encoder() { EXPECT_EQ(vpx_codec_destroy(&ctx), VPX_CODEC_OK); } > ++ vpx_codec_ctx_t ctx = {}; > ++ } enc; > ++ > ++ ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK); > ++ // Start in threaded mode to ensure resolution and thread related > ++ // allocations are updated correctly across changes in resolution and > ++ // thread counts. See https://crbug.com/1486441. > ++ cfg.g_threads = 4; > ++ EXPECT_NO_FATAL_FAILURE( > ++ InitCodec(*iface, kInitWidth, kInitHeight, &enc.ctx, &cfg)); > ++ if (IsVP9(iface)) { > ++ EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_TILE_COLUMNS, 6), > ++ VPX_CODEC_OK); > ++ EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_ROW_MT, i), > ++ VPX_CODEC_OK); > ++ } > ++ > ++ cfg.g_w = 1000; > ++ cfg.g_h = 608; > ++ EXPECT_EQ(vpx_codec_enc_config_set(&enc.ctx, &cfg), VPX_CODEC_OK) > ++ << vpx_codec_error_detail(&enc.ctx); > ++ > ++ cfg.g_w = 16; > ++ cfg.g_h = 720; > ++ > ++ for (const auto threads : { 1, 4, 8, 6, 2, 1 }) { > ++ cfg.g_threads = threads; > + EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx)) > + << "iteration: " << i << " threads: " << threads; > + } > diff -Nru > libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch > libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch > --- libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ libvpx-1.12.0/debian/patches/0003-VP8-disallow-thread-count-changes.patch > 2023-09-28 23:07:11.000000000 +0200 > @@ -0,0 +1,51 @@ > +From: James Zern <jz...@google.com> > +Date: Mon, 25 Sep 2023 18:55:59 -0700 > +Subject: VP8: disallow thread count changes > +Origin: > https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590 > +Bug-Debian: https://bugs.debian.org/1053182 > +Bug-Debian-Security: > https://security-tracker.debian.org/tracker/CVE-2023-5217 > + > +Currently allocations are done at encoder creation time. Going from > +threaded to non-threaded would cause a crash. > + > +Bug: chromium:1486441 > +Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4 > +--- > + test/encode_api_test.cc | 4 ---- > + vp8/encoder/onyx_if.c | 5 +++++ > + 2 files changed, 5 insertions(+), 4 deletions(-) > + > +diff --git a/test/encode_api_test.cc b/test/encode_api_test.cc > +index a8a4df2ddf88..f1c98b2c71c9 100644 > +--- a/test/encode_api_test.cc > ++++ b/test/encode_api_test.cc > +@@ -370,10 +370,6 @@ TEST(EncodeAPI, ConfigResizeChangeThreadCount) { > + > + for (const auto *iface : kCodecIfaces) { > + SCOPED_TRACE(vpx_codec_iface_name(iface)); > +- if (!IsVP9(iface)) { > +- GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this > condition " > +- "after VP8 is fixed."; > +- } > + for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) { > + vpx_codec_enc_cfg_t cfg = {}; > + struct Encoder { > +diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c > +index c65afc643bf6..c5e9970c3cc8 100644 > +--- a/vp8/encoder/onyx_if.c > ++++ b/vp8/encoder/onyx_if.c > +@@ -1447,6 +1447,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG > *oxcf) { > + last_h = cpi->oxcf.Height; > + prev_number_of_layers = cpi->oxcf.number_of_layers; > + > ++ if (cpi->initial_width) { > ++ // TODO(https://crbug.com/1486441): Allow changing thread counts; the > ++ // allocation is done once in vp8_create_compressor(). > ++ oxcf->multi_threaded = cpi->oxcf.multi_threaded; > ++ } > + cpi->oxcf = *oxcf; > + > + switch (cpi->oxcf.Mode) { > +-- > +2.40.1 > + > diff -Nru libvpx-1.12.0/debian/patches/series > libvpx-1.12.0/debian/patches/series > --- libvpx-1.12.0/debian/patches/series 2021-09-01 23:10:14.000000000 > +0200 > +++ libvpx-1.12.0/debian/patches/series 2023-09-28 23:07:11.000000000 > +0200 > @@ -1 +1,3 @@ > 0001-Relax-ABI-check.patch > +0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch > +0003-VP8-disallow-thread-count-changes.patch -- Sebastian Ramacher