libavif/libavif-CVE-2023-6704.patch

From 7845153645cfe245de5add94fb07c227c2d16402 Mon Sep 17 00:00:00 2001
From: Vignesh Venkatasubramanian <vigneshv@google.com>
Date: Mon, 27 Nov 2023 11:31:38 -0800
Subject: [PATCH] Do not store colorproperties until alpha item is found

colorProperties could be pointing to a dangling pointer if
findAlphaItem() resizes the meta.items array.
---

Index: libavif-0.11.1/src/read.c
===================================================================
--- libavif-0.11.1.orig/src/read.c
+++ libavif-0.11.1/src/read.c
@@ -3487,7 +3487,6 @@ avifResult avifDecoderReset(avifDecoder
             avifDiagnosticsPrintf(&decoder->diag, "Primary item not found");
             return AVIF_RESULT_NO_AV1_ITEMS_FOUND;
         }
-        colorProperties = &colorItem->properties;
 
         // Find the alphaOBU item, if any
         for (uint32_t itemIndex = 0; itemIndex < data->meta->items.count; ++itemIndex) {
@@ -3529,6 +3528,8 @@ avifResult avifDecoderReset(avifDecoder
             }
         }
 
+        colorProperties = &colorItem->properties;
+
         // Find Exif and/or XMP metadata, if any
         avifResult findResult = avifDecoderFindMetadata(decoder, data->meta, decoder->image, colorItem->id);
         if (findResult != AVIF_RESULT_OK) {