ALP-pool/dav1d
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 dav1d revision 5ad4157ecdeef85d4ce6e1146c7e896b

Browse Source
This commit is contained in:
Adrian Schröter 2024-03-01 23:02:48 +01:00
parent 5f38c42a1d
commit 5e0af94ed7
3 changed files with 71 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
dav1d-CVE-2024-1580.patch Normal file
View File

@ -0,0 +1,63 @@
From 2b475307dc11be9a1c3cc4358102c76a7f386a51 Mon Sep 17 00:00:00 2001
From: Henrik Gramner <gramner@twoorioles.com>
Date: Tue, 21 Nov 2023 20:47:50 +0100
Subject: [PATCH] Fix tile_start_off calculations for extremely large frame
sizes
The tile start offset, in pixels, can exceed the range of a signed int.
---
src/decode.c | 13 +++++++------
src/internal.h | 2 +-
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/decode.c b/src/decode.c
index fdf5a6b..eed9dfb 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -2470,7 +2470,7 @@ static void setup_tile(Dav1dTileState *const ts,
const Dav1dFrameContext *const f,
const uint8_t *const data, const size_t sz,
const int tile_row, const int tile_col,
- const int tile_start_off)
+ const unsigned tile_start_off)
{
const int col_sb_start = f->frame_hdr->tiling.col_start_sb[tile_col];
const int col_sb128_start = col_sb_start >> !f->seq_hdr->sb128;
@@ -2843,15 +2843,16 @@ int dav1d_decode_frame_init(Dav1dFrameContext *const f) {
const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout];
const int hbd = !!f->seq_hdr->hbd;
if (c->n_fc > 1) {
+ const unsigned sb_step4 = f->sb_step * 4;
int tile_idx = 0;
for (int tile_row = 0; tile_row < f->frame_hdr->tiling.rows; tile_row++) {
- int row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
- f->sb_step * 4 * f->sb128w * 128;
- int b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
- f->frame_hdr->tiling.row_start_sb[tile_row]) * f->sb_step * 4;
+ const unsigned row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
+ sb_step4 * f->sb128w * 128;
+ const unsigned b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
+ f->frame_hdr->tiling.row_start_sb[tile_row]) * sb_step4;
for (int tile_col = 0; tile_col < f->frame_hdr->tiling.cols; tile_col++) {
f->frame_thread.tile_start_off[tile_idx++] = row_off + b_diff *
- f->frame_hdr->tiling.col_start_sb[tile_col] * f->sb_step * 4;
+ f->frame_hdr->tiling.col_start_sb[tile_col] * sb_step4;
}
}
diff --git a/src/internal.h b/src/internal.h
index 631c5a8..72f6560 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -289,7 +289,7 @@ struct Dav1dFrameContext {
int prog_sz;
int cbi_sz, pal_sz, pal_idx_sz, cf_sz;
// start offsets per tile
- int *tile_start_off;
+ unsigned *tile_start_off;
} frame_thread;
// loopfilter
--
2.43.0

6
dav1d.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Feb 21 19:45:40 UTC 2024 - Michael Gorse <mgorse@suse.com>
- Add dav1d-CVE-2024-1580.patch: fix tile_start_off calculations
for extremely large frame sizes (bsc#1220100 CVE-2024-1580).
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Oct 4 04:17:53 UTC 2023 - Luigi Baldoni <aloisio@gmx.com> Wed Oct 4 04:17:53 UTC 2023 - Luigi Baldoni <aloisio@gmx.com>

2
dav1d.spec
View File

@ -27,6 +27,8 @@ Group: Productivity/Multimedia/Video/Editors and Convertors
URL: https://code.videolan.org/videolan/dav1d URL: https://code.videolan.org/videolan/dav1d
Source: %{url}/-/archive/%{version}/dav1d-%{version}.tar.gz Source: %{url}/-/archive/%{version}/dav1d-%{version}.tar.gz
Source99: baselibs.conf Source99: baselibs.conf
# PATCH-FIX-UPSTREAM dav1d-CVE-2024-1580.patch bsc#1220100 mgorse@suse.com -- fix tile_start_off calculations for extremely large frame sizes.
Patch0: dav1d-CVE-2024-1580.patch
BuildRequires: meson >= 0.49.0 BuildRequires: meson >= 0.49.0
BuildRequires: nasm >= 2.14 BuildRequires: nasm >= 2.14