Sync from SUSE:ALP:Source:Standard:1.0 libvpx revision 26c4ad2252da6801dee0104abecab340

CVE-2024-5197.patch

@@ -0,0 +1,105 @@
+commit 06af417e795e6a9b9309406ba399fb109def89e6
+Author: Wan-Teh Chang <wtc@google.com>
+Date:   Thu Apr 11 10:24:11 2024 -0700
+
+    Avoid integer overflows in arithmetic operations
+    
+    A port of the libaom CL
+    https://aomedia-review.googlesource.com/c/aom/+/188823.
+    
+    Impose maximum values on the input parameters so that we can perform
+    arithmetic operations without worrying about overflows.
+    
+    Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
+    first and last samples in the first row of the Y plane, so that the test
+    will crash if there is unsigned integer overflow in the calculation of
+    stride_in_bytes.
+    
+    Bug: chromium:332382766
+    Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3
+
+Index: libvpx-1.11.0/vpx/src/vpx_image.c
+===================================================================
+--- libvpx-1.11.0.orig/vpx/src/vpx_image.c
++++ libvpx-1.11.0/vpx/src/vpx_image.c
+@@ -8,6 +8,7 @@
+  *  be found in the AUTHORS file in the root of the source tree.
+  */
+ 
++#include <assert.h>
+ #include <limits.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -33,6 +34,14 @@ static vpx_image_t *img_alloc_helper(vpx
+   /* Validate alignment (must be power of 2) */
+   if (buf_align & (buf_align - 1)) goto fail;
+ 
++  /* Impose maximum values on input parameters so that this function can
++   * perform arithmetic operations without worrying about overflows.
++   */
++  if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
++      stride_align > 65536) {
++    goto fail;
++  }
++
+   /* Treat align==0 like align==1 */
+   if (!stride_align) stride_align = 1;
+ 
+@@ -81,8 +90,8 @@ static vpx_image_t *img_alloc_helper(vpx
+   w = d_w;
+   h = d_h;
+   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+-  s = (s + stride_align - 1) & ~(stride_align - 1);
+   stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++  s = (s + stride_align - 1) & ~(stride_align - 1);
+ 
+   /* Allocate the new image */
+   if (!img) {
+@@ -100,8 +109,10 @@ static vpx_image_t *img_alloc_helper(vpx
+     /* Calculate storage sizes given the chroma subsampling */
+     align = (1 << xcs) - 1;
+     w = (d_w + align) & ~align;
++    assert(d_w <= w);
+     align = (1 << ycs) - 1;
+     h = (d_h + align) & ~align;
++    assert(d_h <= h);
+ 
+     s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+     s = (s + stride_align - 1) & ~(stride_align - 1);
+Index: libvpx-1.11.0/vpx/vpx_image.h
+===================================================================
+--- libvpx-1.11.0.orig/vpx/vpx_image.h
++++ libvpx-1.11.0/vpx/vpx_image.h
+@@ -132,10 +132,13 @@ typedef struct vpx_image_rect {
+  *                         is NULL, the storage for the descriptor will be
+  *                         allocated on the heap.
+  * \param[in]    fmt       Format for the image
+- * \param[in]    d_w       Width of the image
+- * \param[in]    d_h       Height of the image
++ * \param[in]    d_w       Width of the image. Must not exceed 0x08000000
++ *                         (2^27).
++ * \param[in]    d_h       Height of the image. Must not exceed 0x08000000
++ *                         (2^27).
+  * \param[in]    align     Alignment, in bytes, of the image buffer and
+- *                         each row in the image(stride).
++ *                         each row in the image (stride). Must not exceed
++ *                         65536.
+  *
+  * \return Returns a pointer to the initialized image descriptor. If the img
+  *         parameter is non-null, the value of the img parameter will be
+@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *
+  *                             parameter is NULL, the storage for the descriptor
+  *                             will be allocated on the heap.
+  * \param[in]    fmt           Format for the image
+- * \param[in]    d_w           Width of the image
+- * \param[in]    d_h           Height of the image
+- * \param[in]    stride_align  Alignment, in bytes, of each row in the image.
++ * \param[in]    d_w           Width of the image. Must not exceed 0x08000000
++ *                             (2^27).
++ * \param[in]    d_h           Height of the image. Must not exceed 0x08000000
++ *                             (2^27).
++ * \param[in]    stride_align  Alignment, in bytes, of each row in the image
++ *                             (stride). Must not exceed 65536.
+  * \param[in]    img_data      Storage to use for the image
+  *
+  * \return Returns a pointer to the initialized image descriptor. If the img

libvpx.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul  2 15:34:07 UTC 2024 - Adrian Schröter <adrian@suse.de>
+
+- Fixing Integer overflow (boo#1225879)
+  added CVE-2024-5197.patch
+
 -------------------------------------------------------------------
 Sun Oct  1 07:24:46 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
 

libvpx.spec

@@ -27,6 +27,7 @@ URL:            https://www.webmproject.org/
 Source0:        %{name}-%{version}.tar.xz
 Source1000:     baselibs.conf
 Patch2:         libvpx-configure-add-arch.patch
+Patch3:         CVE-2024-5197.patch
 # only needed for test suite
 BuildRequires:  gcc-c++
 # Needed to be able to create pkgconfig() provides.