libavif/libavif-CVE-2023-6704.patch


From 7845153645cfe245de5add94fb07c227c2d16402 Mon Sep 17 00:00:00 2001
From: Vignesh Venkatasubramanian <vigneshv@google.com>
Date: Mon, 27 Nov 2023 11:31:38 -0800
Subject: [PATCH] Do not store colorproperties until alpha item is found
colorProperties could be pointing to a dangling pointer if
findAlphaItem() resizes the meta.items array.
---
Index: libavif-0.11.1/src/read.c
===================================================================
--- libavif-0.11.1.orig/src/read.c
+++ libavif-0.11.1/src/read.c
@@ -3487,7 +3487,6 @@ avifResult avifDecoderReset(avifDecoder
avifDiagnosticsPrintf(&decoder->diag, "Primary item not found");
return AVIF_RESULT_NO_AV1_ITEMS_FOUND;
}
- colorProperties = &colorItem->properties;
// Find the alphaOBU item, if any
for (uint32_t itemIndex = 0; itemIndex < data->meta->items.count; ++itemIndex) {
@@ -3529,6 +3528,8 @@ avifResult avifDecoderReset(avifDecoder
}
}
+ colorProperties = &colorItem->properties;
+
// Find Exif and/or XMP metadata, if any
avifResult findResult = avifDecoderFindMetadata(decoder, data->meta, decoder->image, colorItem->id);
if (findResult != AVIF_RESULT_OK) {
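Review bot: The moved assignment `colorProperties = &colorItem->properties;` and the `colorItem->id` argument two lines below still dereference `colorItem` after the loop that the commit message says can resize `meta.items`; if `colorItem` is also a pointer into that array and is not re-resolved between the end of the first hunk and this one, the dangling access this patch targets is only shifted, not removed. I cannot see lines 3494–3528, so this is an inference from the visible code, but the fix is robust only if `colorItem` is re-fetched by id after the alpha search, e.g. `colorItem = avifMetaFindItem(data->meta, colorItemID);` guarded by a NULL check, before taking `&colorItem->properties`. A comment on the new line such as `// Taken only now: the alpha search above may have reallocated meta->items` would record why the capture was moved. The enclosing function avifDecoderReset starts and ends outside both hunks.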