Hello community,

here is the log from the commit of package libvpx for openSUSE:Leap:15.2 
checked in at 2020-02-04 17:53:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/libvpx (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.libvpx.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvpx"

Tue Feb  4 17:53:37 2020 rev:22 rq:766060 version:1.6.1

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/libvpx/libvpx.changes  2020-01-15 
15:25:40.662585145 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.libvpx.new.26092/libvpx.changes       
2020-02-04 17:53:59.424733727 +0100
@@ -1,0 +2,11 @@
+Fri Jan 10 12:11:16 UTC 2020 - Adrian Schröter <adr...@suse.com>
+
+- backport security fixes:
+   CVE-2019-2126.patch bsc#1160611: double free in ParseContentEncodingEntry()
+   CVE-2019-9325.patch bsc#1160612: out-of-bounds read
+   CVE-2019-9232.patch bsc#1160613: Fix OOB memory access on fuzzed data
+   CVE-2019-9433.patch bsc#1160614: use-after-free in vp8_deblock()
+   CVE-2019-9371.patch bsc#1160615: resource exhaustion after memory leak
+- executed test suite before submit
+
+-------------------------------------------------------------------

New:
----
  CVE-2019-2126.patch
  CVE-2019-9232.patch
  CVE-2019-9325.patch
  CVE-2019-9371.patch
  CVE-2019-9433.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvpx.spec ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old  2020-02-04 17:54:00.132734154 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new  2020-02-04 17:54:00.140734159 +0100
@@ -30,6 +30,12 @@
 Patch1:         libvpx-define-config_pic.patch
 Patch2:         libvpx-configure-add-s390.patch
 Patch4:         libvpx-armv7-use-hard-float.patch
+Patch5:         CVE-2019-9325.patch
+Patch6:         CVE-2019-9232.patch
+Patch7:         CVE-2019-9433.patch
+# libwebm:
+Patch100:       CVE-2019-9371.patch
+Patch101:       CVE-2019-2126.patch
 # Needed to be able to create pkgconfig() provides.
 BuildRequires:  pkgconfig
 BuildRequires:  yasm
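Review bot: The five new Patch tags carry no comment linking them to their bug or upstream origin, so the mapping lives only in libvpx.changes. A tag comment per patch in the usual openSUSE form would keep the spec self-describing, e.g. `# PATCH-FIX-UPSTREAM CVE-2019-9325.patch bsc#1160612 -- out-of-bounds read` above `Patch5`. The `# libwebm:` comment could also say that Patch100 and Patch101 use paths under third_party/ and are therefore applied with `-p0` in the %prep hunk, unlike the `-p1` patches before them.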
@@ -97,6 +103,13 @@
 %patch1 -p1
 %patch2 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+# libwebm
+%patch100 -p0
+%patch101 -p0
+
 
 %build
 %if 0%{?suse_version} < 1310

++++++ CVE-2019-2126.patch ++++++
commit 562301346008c30d4a9bfc4e516d675320d4a55a
Author: Frank Galligan <fgalli...@google.com>
Date:   Fri May 3 16:13:45 2019 -0700

    Fixes a double free in ContentEncoding
    
    BUG=b/127702368
    
    Change-Id: Ifa958d72f8e2e75bae4cddd5c6d3625882da7c2b

Index: libwebm/mkvparser/mkvparser.cc
===================================================================
--- third_party/libwebm/mkvparser/mkvparser.cc
+++ third_party/libwebm/mkvparser/mkvparser.cc
@@ -4225,6 +4225,7 @@ long ContentEncoding::ParseContentEncodi
         new (std::nothrow) ContentEncryption*[encryption_count];
     if (!encryption_entries_) {
       delete[] compression_entries_;
+      compression_entries_ = NULL;
       return -1;
     }
     encryption_entries_end_ = encryption_entries_;
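Review bot: Only `compression_entries_` is cleared on this failure path. The visible `encryption_entries_end_ = encryption_entries_;` suggests a matching `compression_entries_end_` was set earlier in the function, outside this hunk. If so, that end pointer still refers to the freed array while the begin pointer is NULL, and any teardown loop that walks from begin to end would start at NULL. Resetting both together avoids that: `compression_entries_ = NULL;` followed by `compression_entries_end_ = NULL;`. The enclosing function begins and ends outside the hunk, so this should be confirmed against the destructor.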
++++++ CVE-2019-9232.patch ++++++
commit 46e17f0cb4a80b36755c84b8bf15731d3386c08f
Author: Fyodor Kyslov <kys...@google.com>
Date:   Fri Jan 4 17:04:09 2019 -0800

    Fix OOB memory access on fuzzed data
    
    vp8_norm table has 256 elements while index to it can be higher on
    fuzzed data. Typecasting it to unsigned char will ensure valid range and
    will trigger proper error later. Also declaring "shift" as unsigned char to
    avoid UB sanitizer warning
    
    BUG=b/122373286,b/122373822,b/122371119
    
    Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5

Index: libvpx-1.6.1/vp8/decoder/dboolhuff.h
===================================================================
--- libvpx-1.6.1.orig/vp8/decoder/dboolhuff.h
+++ libvpx-1.6.1/vp8/decoder/dboolhuff.h
@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
   }
 
   {
-    register int shift = vp8_norm[range];
+    const unsigned char shift = vp8_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;
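Review bot: The `(unsigned char)range` cast silently reduces an out-of-range value to its low eight bits, and nothing at the call site says that the result is only meaningful for valid streams. Per the commit message, a corrupt stream is expected to be rejected by a later error check. A short comment above the lookup would stop the cast from being "cleaned up" later, e.g. `/* range > 255 only happens on corrupt data; the cast keeps the vp8_norm index in bounds and the stream is rejected later. */`. The same comment applies to the identical `vpx_norm[(unsigned char)range]` line in the vpx_dsp/bitreader.h hunk. Both enclosing functions extend beyond their hunks.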
Index: libvpx-1.6.1/vpx_dsp/bitreader.h
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader.h
+++ libvpx-1.6.1/vpx_dsp/bitreader.h
@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r
   }
 
   {
-    register int shift = vpx_norm[range];
+    const unsigned char shift = vpx_norm[(unsigned char)range];
     range <<= shift;
     value <<= shift;
     count -= shift;
++++++ CVE-2019-9325.patch ++++++
commit 0681cff1ad36b3ef8ec242f59b5a6c4234ccfb88
Author: James Zern <jz...@google.com>
Date:   Tue Jul 24 21:36:50 2018 -0700

    vp9: fix OOB read in decoder_peek_si_internal
    
    Profile 1 or 3 bitstreams may require 11 bytes for the header in the
    intra-only case.
    
    Additionally add a check on the bit reader's error handler callback to
    ensure it's non-NULL before calling to avoid future regressions.
    
    This has existed since at least (pre-1.4.0):
    09bf1d61c Changes hdr for profiles > 1 for intraonly frames
    
    BUG=webm:1543
    
    Change-Id: I23901e6e3a219170e8ea9efecc42af0be2e5c378

Index: libvpx-1.6.1/test/decode_api_test.cc
===================================================================
--- libvpx-1.6.1.orig/test/decode_api_test.cc
+++ libvpx-1.6.1/test/decode_api_test.cc
@@ -138,8 +138,30 @@ TEST(DecodeAPI, Vp9InvalidDecode) {
   EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
 }
 
-TEST(DecodeAPI, Vp9PeekSI) {
+void TestPeekInfo(const uint8_t *const data, uint32_t data_sz,
+                  uint32_t peek_size) {
   const vpx_codec_iface_t *const codec = &vpx_codec_vp9_dx_algo;
+  // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
+  // to decoder_peek_si_internal on frames of size < 8.
+  if (data_sz >= 8) {
+    vpx_codec_ctx_t dec;
+    EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
+    EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM
+                                    : VPX_CODEC_CORRUPT_FRAME,
+              vpx_codec_decode(&dec, data, data_sz, NULL, 0));
+    vpx_codec_iter_t iter = NULL;
+    EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
+    EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
+  }
+
+  // Verify behavior of vpx_codec_peek_stream_info.
+  vpx_codec_stream_info_t si;
+  si.sz = sizeof(si);
+  EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
+            vpx_codec_peek_stream_info(codec, data, data_sz, &si));
+}
+
+TEST(DecodeAPI, Vp9PeekStreamInfo) {
   // The first 9 bytes are valid and the rest of the bytes are made up. Until
   // size 10, this should return VPX_CODEC_UNSUP_BITSTREAM and after that it
   // should return VPX_CODEC_CORRUPT_FRAME.
@@ -150,24 +172,18 @@ TEST(DecodeAPI, Vp9PeekSI) {
   };
 
   for (uint32_t data_sz = 1; data_sz <= 32; ++data_sz) {
-    // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get
-    // to decoder_peek_si_internal on frames of size < 8.
-    if (data_sz >= 8) {
-      vpx_codec_ctx_t dec;
-      EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0));
-      EXPECT_EQ(
-          (data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_CORRUPT_FRAME,
-          vpx_codec_decode(&dec, data, data_sz, NULL, 0));
-      vpx_codec_iter_t iter = NULL;
-      EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter));
-      EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec));
-    }
-
-    // Verify behavior of vpx_codec_peek_stream_info.
-    vpx_codec_stream_info_t si;
-    si.sz = sizeof(si);
-    EXPECT_EQ((data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK,
-              vpx_codec_peek_stream_info(codec, data, data_sz, &si));
+    TestPeekInfo(data, data_sz, 10);
+  }
+}
+
+TEST(DecodeAPI, Vp9PeekStreamInfoTruncated) {
+  // This profile 1 header requires 10.25 bytes, ensure
+  // vpx_codec_peek_stream_info doesn't over read.
+  const uint8_t profile1_data[10] = { 0xa4, 0xe9, 0x30, 0x68, 0x53,
+                                      0xe9, 0x30, 0x68, 0x53, 0x04 };
+
+  for (uint32_t data_sz = 1; data_sz <= 10; ++data_sz) {
+    TestPeekInfo(profile1_data, data_sz, 11);
   }
 }
 #endif  // CONFIG_VP9_DECODER
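Review bot: Vp9PeekStreamInfoTruncated only exercises the reject side of the new 11-byte boundary. `profile1_data` holds 10 bytes and the loop stops at `data_sz <= 10` with `peek_size` 11, so every iteration expects VPX_CODEC_UNSUP_BITSTREAM. A profile 1 header of 11 or more bytes that vpx_codec_peek_stream_info accepts is never tested, so a check that is too strict would go unnoticed. Adding a second vector of at least 11 bytes and asserting VPX_CODEC_OK from the peek call at `data_sz == 11` would pin the boundary from both sides.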
Index: libvpx-1.6.1/vp9/vp9_dx_iface.c
===================================================================
--- libvpx-1.6.1.orig/vp9/vp9_dx_iface.c
+++ libvpx-1.6.1/vp9/vp9_dx_iface.c
@@ -129,7 +129,7 @@ static vpx_codec_err_t decoder_peek_si_i
     const uint8_t *data, unsigned int data_sz, vpx_codec_stream_info_t *si,
     int *is_intra_only, vpx_decrypt_cb decrypt_cb, void *decrypt_state) {
   int intra_only_flag = 0;
-  uint8_t clear_buffer[10];
+  uint8_t clear_buffer[11];
 
   if (data + data_sz <= data) return VPX_CODEC_INVALID_PARAM;
 
@@ -190,6 +190,9 @@ static vpx_codec_err_t decoder_peek_si_i
         if (profile > PROFILE_0) {
           if (!parse_bitdepth_colorspace_sampling(profile, &rb))
             return VPX_CODEC_UNSUP_BITSTREAM;
+          // The colorspace info may cause vp9_read_frame_size() to need 11
+          // bytes.
+          if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM;
         }
         rb.bit_offset += REF_FRAMES;  // refresh_frame_flags
         vp9_read_frame_size(&rb, (int *)&si->w, (int *)&si->h);
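Review bot: The literal 11 in `if (data_sz < 11)` has to stay equal to the size of `clear_buffer`, which the previous hunk changes to `uint8_t clear_buffer[11];`, and nothing ties the two together. A named constant would keep the header-size assumption in one place, e.g. `enum { PEEK_SI_MAX_HEADER_BYTES = 11 };` (name constructed here) used for both the array size and the comparison. The check also sits after parse_bitdepth_colorspace_sampling() has already consumed bits from `rb`. Whether those earlier reads are bounded for very short inputs cannot be seen here, because the function starts and ends outside the hunk.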
Index: libvpx-1.6.1/vpx_dsp/bitreader_buffer.c
===================================================================
--- libvpx-1.6.1.orig/vpx_dsp/bitreader_buffer.c
+++ libvpx-1.6.1/vpx_dsp/bitreader_buffer.c
@@ -23,7 +23,7 @@ int vpx_rb_read_bit(struct vpx_read_bit_
     rb->bit_offset = off + 1;
     return bit;
   } else {
-    rb->error_handler(rb->error_handler_data);
+    if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);
     return 0;
   }
 }
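Review bot: With a NULL `error_handler` an over-read now returns 0 with no other signal, so the caller cannot tell it apart from a genuine zero bit. That is safe only if every caller that passes no handler bounds the input length itself, as decoder_peek_si_internal does with its new `data_sz` check. A comment in the else branch would record that contract, e.g. `// No handler installed: the caller must have validated the buffer length; this 0 is not a real bit.`. The function begins outside the hunk.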
++++++ CVE-2019-9371.patch ++++++
commit cb5a9477073cf7ae4a28356d6e3e5638aba78dc9
Author: Angie Chiang <angieb...@google.com>
Date:   Tue Nov 20 14:41:20 2018 -0800

    Fix a potential memory leak in mkvparser.cc
    
    BUG=webm:1575
    
    Change-Id: Id9a903e14daaab7b93df3a2f443d2f196dbe9104

Index: third_party/libwebm/mkvparser/mkvparser.cc
===================================================================
--- third_party/libwebm/mkvparser/mkvparser.cc.orig
+++ third_party/libwebm/mkvparser/mkvparser.cc
@@ -5296,8 +5296,8 @@ long VideoTrack::Parse(Segment* pSegment
 
   const long long stop = pos + s.size;
 
-  Colour* colour = NULL;
-  Projection* projection = NULL;
+  std::unique_ptr<Colour> colour_ptr;
+  std::unique_ptr<Projection> projection_ptr;
 
   while (pos < stop) {
     long long id, size;
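Review bot: `std::unique_ptr` needs `<memory>` and a C++11 build, and the patch carries no include hunk for mkvparser.cc. The change therefore compiles only if the file already includes that header directly or transitively, which is not visible here. If it does not, the patch should add `#include <memory>` next to the file's other standard includes rather than rely on an indirect include. VideoTrack::Parse starts and ends outside this hunk.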
@@ -5346,13 +5346,22 @@ long VideoTrack::Parse(Segment* pSegment
       if (rate <= 0)
         return E_FILE_FORMAT_INVALID;
     } else if (id == libwebm::kMkvColour) {
-      if (!Colour::Parse(pReader, pos, size, &colour))
+      Colour* colour = NULL;
+      if (!Colour::Parse(pReader, pos, size, &colour)) {
         return E_FILE_FORMAT_INVALID;
+      } else {
+        colour_ptr.reset(colour);
+      }
     } else if (id == libwebm::kMkvProjection) {
-      if (!Projection::Parse(pReader, pos, size, &projection))
+      Projection* projection = NULL;
+      if (!Projection::Parse(pReader, pos, size, &projection)) {
         return E_FILE_FORMAT_INVALID;
+      } else {
+        projection_ptr.reset(projection);
+      }
     }
 
+
     pos += size;  // consume payload
     if (pos > stop)
       return E_FILE_FORMAT_INVALID;
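Review bot: The raw `colour` and `projection` pointers are handed to their unique_ptr only on the success branch. The failure return is therefore leak-free only if Colour::Parse and Projection::Parse never leave an allocation in the out-parameter when they return false, which this hunk does not show. Taking ownership before testing the result removes that dependency and the else-after-return: `const bool ok = Colour::Parse(pReader, pos, size, &colour);` then `colour_ptr.reset(colour);` then `if (!ok) return E_FILE_FORMAT_INVALID;`, and the same for Projection. The extra blank line added before `pos += size;` can be dropped.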
@@ -5381,8 +5390,8 @@ long VideoTrack::Parse(Segment* pSegment
   pTrack->m_display_unit = display_unit;
   pTrack->m_stereo_mode = stereo_mode;
   pTrack->m_rate = rate;
-  pTrack->m_colour = colour;
-  pTrack->m_projection = projection;
+  pTrack->m_colour = colour_ptr.release();
+  pTrack->m_projection = projection_ptr.release();
 
   pResult = pTrack;
   return 0;  // success
++++++ CVE-2019-9433.patch ++++++
commit 52add5896661d186dec284ed646a4b33b607d2c7
Author: Jerome Jiang <ji...@google.com>
Date:   Wed May 23 15:43:00 2018 -0700

    VP8: Fix use-after-free in postproc.
    
    The pointer in vp8 postproc refers to show_frame_mi which is only
    updated on show frame. However, when there is a no-show frame which also
    changes the size (thus new frame buffers allocated), show_frame_mi is
    not updated with new frame buffer memory.
    
    Change the pointer in postproc to mi which is always updated.
    
    Bug: 842265
    Change-Id: I33874f2112b39f74562cba528432b5f239e6a7bd

diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
index d67ee8a57..8c292d616 100644
--- a/vp8/common/postproc.c
+++ b/vp8/common/postproc.c
@@ -65,7 +65,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BUFFER_CONFIG *source,
   double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
   int ppl = (int)(level + .5);
 
-  const MODE_INFO *mode_info_context = cm->show_frame_mi;
+  const MODE_INFO *mode_info_context = cm->mi;
   int mbr, mbc;
 
   /* The pixel thresholds are adjusted according to if or not the macroblock
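Review bot: The reason for reading `cm->mi` instead of `cm->show_frame_mi` exists only in the commit message, so a later refactor could switch it back and reintroduce the use-after-free. A comment on the assignment would keep that reasoning with the code, e.g. `/* Use cm->mi: show_frame_mi is only refreshed on shown frames and can refer to freed buffers after a no-show frame that changes the size. */`. vp8_deblock continues past the end of this hunk.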
++++++ libvpx-armv7-use-hard-float.patch ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old  2020-02-04 17:54:00.188734187 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new  2020-02-04 17:54:00.188734187 +0100
@@ -1,6 +1,8 @@
---- a/build/make/configure.sh
-+++ b/build/make/configure.sh
-@@ -940,8 +940,8 @@ process_common_toolchain() {
+Index: libvpx-1.6.1/build/make/configure.sh
+===================================================================
+--- libvpx-1.6.1.orig/build/make/configure.sh
++++ libvpx-1.6.1/build/make/configure.sh
+@@ -907,8 +907,8 @@ process_common_toolchain() {
  #endif
  EOF
              fi

++++++ libvpx-configure-add-s390.patch ++++++
--- /var/tmp/diff_new_pack.EZJI8H/_old  2020-02-04 17:54:00.192734191 +0100
+++ /var/tmp/diff_new_pack.EZJI8H/_new  2020-02-04 17:54:00.192734191 +0100
@@ -1,6 +1,8 @@
---- a/build/make/configure.sh
-+++ b/build/make/configure.sh
-@@ -697,6 +697,12 @@ process_common_toolchain() {
+Index: libvpx-1.6.1/build/make/configure.sh
+===================================================================
+--- libvpx-1.6.1.orig/build/make/configure.sh
++++ libvpx-1.6.1/build/make/configure.sh
+@@ -694,6 +694,12 @@ process_common_toolchain() {
        *i[3456]86*)
          tgt_isa=x86
          ;;
@@ -13,9 +15,11 @@
        *sparc*)
          tgt_isa=sparc
          ;;
---- a/configure
-+++ b/configure
-@@ -114,6 +114,8 @@ all_platforms="${all_platforms} armv7s-d
+Index: libvpx-1.6.1/configure
+===================================================================
+--- libvpx-1.6.1.orig/configure
++++ libvpx-1.6.1/configure
+@@ -113,6 +113,8 @@ all_platforms="${all_platforms} armv7s-d
  all_platforms="${all_platforms} armv8-linux-gcc"
  all_platforms="${all_platforms} mips32-linux-gcc"
  all_platforms="${all_platforms} mips64-linux-gcc"

