Bug#1106500: marked as done (libavif: diff for NMU version 1.2.1-1.2)

Wed, 20 Aug 2025 11:57:58 -0700 

Your message dated Wed, 20 Aug 2025 14:54:44 -0400
with message-id <[email protected]>
and subject line Re: libavif: diff for NMU version 1.2.1-1.2
has caused the Debian Bug report #1106500,
regarding libavif: diff for NMU version 1.2.1-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106500: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106500
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: libavif
Version: 1.2.1-1.1
X-Debbugs-CC: Boyuan Yang <[email protected]>, [email protected]
Severity: normal
Tags: patch  pending

Dear maintainer,

I've prepared an NMU for libavif (versioned as 1.2.1-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

Should/can it go to unstable as well? Uploading to delayed to give a
bit of time to actually ACK/NACK it.

There is not bugreport associated with it but it adds another integer
overflow check (already in v1.3.0) to makeRoom.

Regards,
Salvatore

diffstat for libavif-1.2.1 libavif-1.2.1

 changelog                                                     |    8 +
 patches/Add-another-integer-overflow-check-to-makeRoom.patch  |   71 ++++++++++
 patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch |    2 
 patches/series                                                |    1 
 4 files changed, 81 insertions(+), 1 deletion(-)

diff -Nru libavif-1.2.1/debian/changelog libavif-1.2.1/debian/changelog
--- libavif-1.2.1/debian/changelog	2025-05-17 16:03:36.000000000 +0200
+++ libavif-1.2.1/debian/changelog	2025-05-25 07:27:30.000000000 +0200
@@ -1,3 +1,11 @@
+libavif (1.2.1-1.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix upstream bug reference for patch for CVE-2025-48175
+  * Add another integer overflow check to makeRoom
+
+ -- Salvatore Bonaccorso <[email protected]>  Sun, 25 May 2025 07:27:30 +0200
+
 libavif (1.2.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch	1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch	2025-05-25 07:26:42.000000000 +0200
@@ -0,0 +1,71 @@
+From: Wan-Teh Chang <[email protected]>
+Date: Sun, 27 Apr 2025 14:34:35 -0700
+Subject: Add another integer overflow check to makeRoom
+Origin: https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad
+Bug: https://github.com/AOMediaCodec/libavif/pull/2778
+
+Replace the while loop with a formula in makeRoom.
+
+Test the integer overflow checks in makeRoom.
+
+See https://github.com/AOMediaCodec/libavif/pull/2768.
+---
+ src/stream.c                  | 16 +++++++++-------
+ tests/gtest/avifstreamtest.cc | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index a2ae4f620a56..60e6aa384cbf 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -334,14 +334,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+-    if (size > SIZE_MAX - stream->offset) {
+-        return AVIF_RESULT_OUT_OF_MEMORY;
+-    }
+-    size_t neededSize = stream->offset + size;
+-    size_t newSize = stream->raw->size;
+-    while (newSize < neededSize) {
+-        newSize += AVIF_STREAM_BUFFER_INCREMENT;
++    AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY);
++    size_t newSize = stream->offset + size;
++    if (newSize <= stream->raw->size) {
++        return AVIF_RESULT_OK;
+     }
++    // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT.
++    size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT;
++    size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem;
++    AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY);
++    newSize += padding;
+     return avifRWDataRealloc(stream->raw, newSize);
+ }
+ 
+diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc
+index 1ba4e9f25e59..199b8bef12c5 100644
+--- a/tests/gtest/avifstreamtest.cc
++++ b/tests/gtest/avifstreamtest.cc
+@@ -202,6 +202,19 @@ TEST(StreamTest, WriteBitsLimit) {
+             AVIF_RESULT_INVALID_ARGUMENT);
+ }
+ 
++// Test the overflow checks in the makeRoom() function in src/stream.c.
++TEST(StreamTest, OverflowChecksInMakeRoom) {
++  testutil::AvifRwData rw_data;
++  avifRWStream rw_stream;
++  avifRWStreamStart(&rw_stream, &rw_data);
++  const char ten_bytes[10] = {0};
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK);
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9),
++            AVIF_RESULT_OUT_OF_MEMORY);
++  EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10),
++            AVIF_RESULT_OUT_OF_MEMORY);
++}
++
+ //------------------------------------------------------------------------------
+ 
+ }  // namespace
+-- 
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
--- libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch	2025-05-17 16:03:05.000000000 +0200
+++ libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch	2025-05-25 06:42:02.000000000 +0200
@@ -2,7 +2,7 @@
 Date: Fri, 18 Apr 2025 15:29:20 -0700
 Subject: Declare *RowBytes as size_t in avifImageRGBToYUV()
 Origin: https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
-Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug: https://github.com/AOMediaCodec/libavif/pull/2769
 Bug-Debian: https://bugs.debian.org/1105883
 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
 
diff -Nru libavif-1.2.1/debian/patches/series libavif-1.2.1/debian/patches/series
--- libavif-1.2.1/debian/patches/series	2025-05-17 16:02:38.000000000 +0200
+++ libavif-1.2.1/debian/patches/series	2025-05-25 07:27:04.000000000 +0200
@@ -2,3 +2,4 @@
 Add-integer-overflow-check-to-makeRoom.patch
 Fix-format-errors.patch
 Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
+Add-another-integer-overflow-check-to-makeRoom.patch

--- End Message ---
--- Begin Message --- 
Version: 1.3.0-1

On Sun, 25 May 2025 07:42:22 +0200 Salvatore Bonaccorso <[email protected]> 
wrote:
> Package: libavif
> Version: 1.2.1-1.1
> X-Debbugs-CC: Boyuan Yang <[email protected]>, [email protected]
> Severity: normal
> Tags: patch  pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for libavif (versioned as 1.2.1-1.2) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should cancel it.
> 
> Should/can it go to unstable as well? Uploading to delayed to give a
> bit of time to actually ACK/NACK it.
> 
> There is not bugreport associated with it but it adds another integer
> overflow check (already in v1.3.0) to makeRoom.

Closing the bug as version 1.3.0-1 is already present in Debian Unstable.

Thanks,
Boyuan Yang

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---

Reply via email to