From 42a6377272fd2fbda6c06174819ab2553a862555482b9a55c49cdcc6bfe86c4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 18 Jan 2018 09:00:12 +0000 Subject: [PATCH] go OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvpx?expand=0&rev=82 --- CVE-2017-13194.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ libvpx.changes | 9 +++++++++ libvpx.spec | 4 +++- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 CVE-2017-13194.patch diff --git a/CVE-2017-13194.patch b/CVE-2017-13194.patch new file mode 100644 index 0000000..faa78ea --- /dev/null +++ b/CVE-2017-13194.patch @@ -0,0 +1,42 @@ +Index: libvpx-1.6.1/vpx/src/vpx_image.c +=================================================================== +--- libvpx-1.6.1.orig/vpx/src/vpx_image.c ++++ libvpx-1.6.1/vpx/src/vpx_image.c +@@ -88,11 +88,10 @@ static vpx_image_t *img_alloc_helper(vpx + default: ycs = 0; break; + } + +- /* Calculate storage sizes given the chroma subsampling */ +- align = (1 << xcs) - 1; +- w = (d_w + align) & ~align; +- align = (1 << ycs) - 1; +- h = (d_h + align) & ~align; ++ /* Calculate storage sizes. If the buffer was allocated externally, the width ++ * and height shouldn't be adjusted. */ ++ w = d_w; ++ h = d_h; + s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; + s = (s + stride_align - 1) & ~(stride_align - 1); + stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; +@@ -111,9 +110,18 @@ static vpx_image_t *img_alloc_helper(vpx + img->img_data = img_data; + + if (!img_data) { +- const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) +- ? (uint64_t)h * s * bps / 8 +- : (uint64_t)h * s; ++ uint64_t alloc_size; ++ /* Calculate storage sizes given the chroma subsampling */ ++ align = (1 << xcs) - 1; ++ w = (d_w + align) & ~align; ++ align = (1 << ycs) - 1; ++ h = (d_h + align) & ~align; ++ ++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; ++ s = (s + stride_align - 1) & ~(stride_align - 1); ++ stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8 ++ : (uint64_t)h * s; + + if (alloc_size != (size_t)alloc_size) goto fail; + diff --git a/libvpx.changes b/libvpx.changes index fb5b7c8..28670b2 100644 --- a/libvpx.changes +++ b/libvpx.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Jan 18 08:57:32 UTC 2018 - Adrian Schröter + +- Fix OOB caused by odd frame width with patch from android + Adding patch CVE-2017-13194.patch (CVE-2017-13194) +- this changelog entry also contains the new scheme with full name + and "umlaut" to test which tools may break with it in our distro. + Please track problems here: https://github.com/openSUSE/obs-build/pull/214 + ------------------------------------------------------------------- Thu Aug 31 06:26:03 UTC 2017 - adrian@suse.de diff --git a/libvpx.spec b/libvpx.spec index e60fe58..a7f8acf 100644 --- a/libvpx.spec +++ b/libvpx.spec @@ -1,7 +1,7 @@ # # spec file for package libvpx # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,6 +27,7 @@ Url: http://www.webmproject.org/ Source0: https://storage.googleapis.com/downloads.webmproject.org/releases/webm/libvpx-%{version}.tar.bz2 Source1: test-data.sha1 Source1000: baselibs.conf +Patch0: CVE-2017-13194.patch Patch1: libvpx-define-config_pic.patch Patch2: libvpx-configure-add-s390.patch Patch4: libvpx-armv7-use-hard-float.patch @@ -92,6 +93,7 @@ The WebM file structure is based on the Matroska container. %prep %setup -q +%patch0 -p1 %patch1 -p1 %patch2 -p1 %patch4 -p1