From e99999d7cb1dca94d1073fc1b2db672152cd728b Mon Sep 17 00:00:00 2001
From: Bernd Kuhls
Date: Fri, 29 Sep 2023 18:29:10 +0200
Subject: [PATCH] package/libvpx: Add upstream security patch to fix CVE-2023-5217

Fixes CVE_2023-5217: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
https://www.openwall.com/lists/oss-security/2023/09/28/5

Signed-off-by: Bernd Kuhls
[Peter: extend commit message, add _IGNORE_CVES]
Signed-off-by: Peter Korsgaard
---
 ...02-VP8-disallow-thread-count-changes.patch | 38 +++++++++++++++++++
 package/libvpx/libvpx.mk | 3 ++
 2 files changed, 41 insertions(+)
 create mode 100644 package/libvpx/0002-VP8-disallow-thread-count-changes.patch

diff --git a/package/libvpx/0002-VP8-disallow-thread-count-changes.patch b/package/libvpx/0002-VP8-disallow-thread-count-changes.patch
new file mode 100644
index 0000000000..d625255a9f
--- /dev/null
+++ b/package/libvpx/0002-VP8-disallow-thread-count-changes.patch
@@ -0,0 +1,38 @@
+From 3fbd1dca6a4d2dad332a2110d646e4ffef36d590 Mon Sep 17 00:00:00 2001
+From: James Zern
+Date: Mon, 25 Sep 2023 18:55:59 -0700
+Subject: [PATCH] VP8: disallow thread count changes
+
+Currently allocations are done at encoder creation time. Going from
+threaded to non-threaded would cause a crash.
+
+Bug: chromium:1486441
+Change-Id: Ie301c2a70847dff2f0daae408fbef1e4d42e73d4
+
+Fixes CVE-2023-5217: https://www.cve.org/CVERecord?id=CVE-2023-5217
+
+Upstream: https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
+Upstream: https://chromium.googlesource.com/webm/libvpx/+/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
+
+[Bernd: Removed patch for test/encode_api_test.cc]
+Signed-off-by: Bernd Kuhls
+---
+ vp8/encoder/onyx_if.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vp8/encoder/onyx_if.c b/vp8/encoder/onyx_if.c
+index c65afc643bf..c5e9970c3cc 100644
+--- a/vp8/encoder/onyx_if.c
++++ b/vp8/encoder/onyx_if.c
+@@ -1447,6 +1447,11 @@ void vp8_change_config(VP8_COMP *cpi, VP8_CONFIG *oxcf) {
+ last_h = cpi->oxcf.Height;
+ prev_number_of_layers = cpi->oxcf.number_of_layers;
+
++ if (cpi->initial_width) {
++ // TODO(https://crbug.com/1486441): Allow changing thread counts; the
++ // allocation is done once in vp8_create_compressor().
++ oxcf->multi_threaded = cpi->oxcf.multi_threaded;
++ }
+ cpi->oxcf = *oxcf;
+
+ switch (cpi->oxcf.Mode) {
diff --git a/package/libvpx/libvpx.mk b/package/libvpx/libvpx.mk
index 67b25c9100..b558c41981 100644
--- a/package/libvpx/libvpx.mk
+++ b/package/libvpx/libvpx.mk
@@ -11,6 +11,9 @@ LIBVPX_LICENSE_FILES = LICENSE PATENTS
 LIBVPX_CPE_ID_VENDOR = webmproject
 LIBVPX_INSTALL_STAGING = YES
 
+# 0002-VP8-disallow-thread-count-changes.patch
+LIBVPX_IGNORE_CVES += CVE-2023-5217
+
 # ld is being used with cc options. therefore, pretend ld is cc.
 LIBVPX_CONF_ENV = \
 LD="$(TARGET_CC)" \
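Review bot: In the vendored hunk for `vp8_change_config()` (vp8/encoder/onyx_if.c), the new guard pins the thread setting by writing through the caller's pointer, `oxcf->multi_threaded = cpi->oxcf.multi_threaded;`, so a requested thread-count change is dropped without any error and the caller's own config struct is modified as a side effect. As this is a verbatim upstream backport the code should stay untouched, but the patch header would be clearer with one added sentence such as `Thread count changes passed to vp8_change_config() are ignored once cpi->initial_width is set.` The `[Bernd: ...]` line shows the upstream change to test/encode_api_test.cc was removed, so nothing in this package exercises the fix. The body of `vp8_change_config()` continues outside the hunk.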
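Review bot: In package/libvpx/libvpx.mk, the `LIBVPX_IGNORE_CVES += CVE-2023-5217` entry is linked to the fix only by the filename comment above it, so if the patch is later dropped or stops applying while this line stays, CVE reporting would presumably still treat the package as not affected. The commit message names libvpx 1.13.1 as the fixed release; extending the comment to `# 0002-VP8-disallow-thread-count-changes.patch (remove with the patch when bumping to >= 1.13.1)` records when both must go. The packaged version is not visible in this hunk, so that bump target should be confirmed against `LIBVPX_VERSION`.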