From 4ceee5f413365aef901c9cc73c2d3225771be4c3db8ef8f524a436060a61e3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 28 Sep 2023 09:29:35 +0000
Subject: [PATCH] fix

OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libvpx?expand=0&rev=126
---
 CVE-2023-5217.patch | 103 ++++++++++++++++++++++++++++++++++++++++++
 libvpx-1.13.0.obscpio | 2 +-
 libvpx.changes | 6 +++
 libvpx.spec | 2 ++
 4 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-5217.patch

diff --git a/CVE-2023-5217.patch b/CVE-2023-5217.patch
new file mode 100644
index 0000000..9872a50
--- /dev/null
+++ b/CVE-2023-5217.patch
@@ -0,0 +1,103 @@
+commit af6dedd715f4307669366944cca6e0417b290282
+Author: James Zern
+Date: Mon Sep 25 18:53:41 2023 -0700
+
+ encode_api_test: add ConfigResizeChangeThreadCount
+
+ Update thread counts and resolution to ensure allocations are updated
+ correctly. VP8 is disabled to avoid a crash.
+
+ Bug: chromium:1486441
+ Change-Id: Ie89776d9818d27dc351eff298a44c699e850761b
+
+Index: libvpx-1.13.0/test/encode_api_test.cc
+===================================================================
+--- libvpx-1.13.0.orig/test/encode_api_test.cc
++++ libvpx-1.13.0/test/encode_api_test.cc
+@@ -304,7 +304,6 @@ TEST(EncodeAPI, SetRoi) {
+
+ void InitCodec(const vpx_codec_iface_t &iface, int width, int height,
+ vpx_codec_ctx_t *enc, vpx_codec_enc_cfg_t *cfg) {
+- ASSERT_EQ(vpx_codec_enc_config_default(&iface, cfg, 0), VPX_CODEC_OK);
+ cfg->g_w = width;
+ cfg->g_h = height;
+ cfg->g_lag_in_frames = 0;
+@@ -342,6 +341,7 @@ TEST(EncodeAPI, ConfigChangeThreadCount)
+ vpx_codec_ctx_t ctx = {};
+ } enc;
+
++ ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
+ EXPECT_NO_FATAL_FAILURE(
+ InitCodec(*iface, kWidth, kHeight, &enc.ctx, &cfg));
+ if (IsVP9(iface)) {
+@@ -353,6 +353,54 @@ TEST(EncodeAPI, ConfigChangeThreadCount)
+
+ for (const auto threads : { 1, 4, 8, 6, 2, 1 }) {
+ cfg.g_threads = threads;
++ EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx))
++ << "iteration: " << i << " threads: " << threads;
++ }
++ }
++ }
++}
++
++TEST(EncodeAPI, ConfigResizeChangeThreadCount) {
++ constexpr int kInitWidth = 1024;
++ constexpr int kInitHeight = 1024;
++
++ for (const auto *iface : kCodecIfaces) {
++ SCOPED_TRACE(vpx_codec_iface_name(iface));
++ if (!IsVP9(iface)) {
++ GTEST_SKIP() << "TODO(https://crbug.com/1486441) remove this condition "
++ "after VP8 is fixed.";
++ }
++ for (int i = 0; i < (IsVP9(iface) ? 2 : 1); ++i) {
++ vpx_codec_enc_cfg_t cfg = {};
++ struct Encoder {
++ ~Encoder() { EXPECT_EQ(vpx_codec_destroy(&ctx), VPX_CODEC_OK); }
++ vpx_codec_ctx_t ctx = {};
++ } enc;
++
++ ASSERT_EQ(vpx_codec_enc_config_default(iface, &cfg, 0), VPX_CODEC_OK);
++ // Start in threaded mode to ensure resolution and thread related
++ // allocations are updated correctly across changes in resolution and
++ // thread counts. See https://crbug.com/1486441.
++ cfg.g_threads = 4;
++ EXPECT_NO_FATAL_FAILURE(
++ InitCodec(*iface, kInitWidth, kInitHeight, &enc.ctx, &cfg));
++ if (IsVP9(iface)) {
++ EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_TILE_COLUMNS, 6),
++ VPX_CODEC_OK);
++ EXPECT_EQ(vpx_codec_control_(&enc.ctx, VP9E_SET_ROW_MT, i),
++ VPX_CODEC_OK);
++ }
++
++ cfg.g_w = 1000;
++ cfg.g_h = 608;
++ EXPECT_EQ(vpx_codec_enc_config_set(&enc.ctx, &cfg), VPX_CODEC_OK)
++ << vpx_codec_error_detail(&enc.ctx);
++
++ cfg.g_w = 16;
++ cfg.g_h = 720;
++
++ for (const auto threads : { 1, 4, 8, 6, 2, 1 }) {
++ cfg.g_threads = threads;
+ EXPECT_NO_FATAL_FAILURE(EncodeWithConfig(cfg, &enc.ctx))
+ << "iteration: " << i << " threads: " << threads;
+ }
+Index: libvpx-1.13.0/vp8/encoder/onyx_if.c
+===================================================================
+--- libvpx-1.13.0.orig/vp8/encoder/onyx_if.c
++++ libvpx-1.13.0/vp8/encoder/onyx_if.c
+@@ -1443,6 +1443,11 @@ void vp8_change_config(VP8_COMP *cpi, VP
+ last_h = cpi->oxcf.Height;
+ prev_number_of_layers = cpi->oxcf.number_of_layers;
+
++ if (cpi->initial_width) {
++ // TODO(https://crbug.com/1486441): Allow changing thread counts; the
++ // allocation is done once in vp8_create_compressor().
++ oxcf->multi_threaded = cpi->oxcf.multi_threaded;
++ }
+ cpi->oxcf = *oxcf;
+
+ switch (cpi->oxcf.Mode) {
diff --git a/libvpx-1.13.0.obscpio b/libvpx-1.13.0.obscpio
index c68c183..5088627 100644
--- a/libvpx-1.13.0.obscpio
+++ b/libvpx-1.13.0.obscpio
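Review bot: In the test/encode_api_test.cc part of CVE-2023-5217.patch, the new ConfigResizeChangeThreadCount test skips every non-VP9 interface with a TODO to remove the condition "after VP8 is fixed", although this same patch carries the VP8 guard in vp8/encoder/onyx_if.c, so the regression test never exercises the encoder the fix changes. GTEST_SKIP() also returns from the whole test body, so if a VP8 interface comes first in kCodecIfaces (defined outside the hunk) the VP9 iterations do not run either. With `oxcf->multi_threaded = cpi->oxcf.multi_threaded;` in place, the `if (!IsVP9(iface)) { GTEST_SKIP() ... }` block should be removable so the test covers VP8; if VP8 must still be excluded, `if (!IsVP9(iface)) continue;` keeps the other codecs covered. The patch header names only commit af6dedd715f4307669366944cca6e0417b290282, whose message describes the test, so a line recording the origin of the onyx_if.c change would make the provenance of the fix auditable.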
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cad179c757b63e0a36d52fe0fe402c848bdf32c5e2bb63bf9b0ed02472d1f958
+oid sha256:e34888f94bc91fef1c063c65457f1e557d2ef7cb6265f23db45d09938c5a2b51
 size 23993869
diff --git a/libvpx.changes b/libvpx.changes
index a3aeb80..c988a0a 100644
--- a/libvpx.changes
+++ b/libvpx.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 28 09:27:46 UTC 2023 - Adrian Schröter
+
+- Fixing CVE-2023-5217 heap buffer overflow (boo#1215778)
+ added CVE-2023-5217.patch
+
 -------------------------------------------------------------------
 Tue Feb 14 12:31:04 UTC 2023 - Bjørn Lie
 
diff --git a/libvpx.spec b/libvpx.spec
index 295cc73..bf3d580 100644
--- a/libvpx.spec
+++ b/libvpx.spec
@@ -26,6 +26,8 @@ Group: Productivity/Multimedia/Other
 URL: https://www.webmproject.org/
 Source0: %{name}-%{version}.tar.xz
 Source1000: baselibs.conf
+# PATCH-FIX-UPSTREAM
+Patch1: CVE-2023-5217.patch
 Patch2: libvpx-configure-add-arch.patch
 # only needed for test suite
 BuildRequires: gcc-c++
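Review bot: In libvpx-1.13.0.obscpio the LFS pointer's sha256 changes while the recorded size (23993869) and the 1.13.0 version stay the same, and neither the commit message nor the new libvpx.changes entry mentions a source refresh. A regenerated archive may differ only in metadata, but that cannot be told from the pointer, so the new archive's contents should be compared with the previous one or with the upstream 1.13.0 tag before this is accepted. If the refresh is intended, record it in the changelog, for example `- regenerate libvpx-1.13.0.obscpio, no source change`.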
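Review bot: In libvpx.spec the `# PATCH-FIX-UPSTREAM` tag above `Patch1` carries no patch name, bug reference or description, so the spec itself does not say what the patch fixes; `# PATCH-FIX-UPSTREAM CVE-2023-5217.patch boo#1215778 -- heap buffer overflow in VP8 encoding` would make it self-describing. The hunk shows only the declaration: whether %prep applies Patch1 lies outside it and is worth confirming, since a declared but unapplied patch would leave the fix out of the build.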