Fix CVE-2024-5197

This commit is contained in:
wk333 2024-06-07 15:35:37 +08:00
parent c4fdd4f4be
commit 04214b29c3
5 changed files with 458 additions and 3 deletions

155
CVE-2024-5197-1.patch Normal file

@ -0,0 +1,155 @@
Origin: https://github.com/webmproject/libvpx/commit/c5640e3300690705c336966e2a8bb346a388c829
Backport of:
From c5640e3300690705c336966e2a8bb346a388c829 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 10 Apr 2024 17:01:10 -0700
Subject: [PATCH] Fix integer overflows in calc of stride_in_bytes
A port of the libaom CL
https://aomedia-review.googlesource.com/c/aom/+/188761.
Fix unsigned integer overflows in the calculation of stride_in_bytes in
img_alloc_helper() when d_w is huge.
Change the type of stride_in_bytes from unsigned int to int because it
will be assigned to img->stride[VPX_PLANE_Y], which is of the int type.
Test:
. ../libvpx/tools/set_analyzer_env.sh integer
../libvpx/configure --enable-debug --disable-optimizations
make -j
./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth
Bug: chromium:332382766
Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82
(cherry picked from commit 2e32276277c0b1739707c5e861c96cf78794f1a0)
---
test/vpx_image_test.cc | 36 ++++++++++++++++++++++++++++++++++++
vpx/src/vpx_image.c | 31 +++++++++++++++++++------------
2 files changed, 55 insertions(+), 12 deletions(-)
--- a/test/vpx_image_test.cc
+++ b/test/vpx_image_test.cc
@@ -70,3 +70,34 @@ TEST(VpxImageTest, VpxImgAllocYv12) {
EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
vpx_img_free(&img);
}
+
+TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ // The stride (0x80000000 * 2) would overflow unsigned int.
+ vpx_image_t *image =
+ vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
+ // The stride (0x80000000) would overflow int.
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 285245883, 64, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_YV12, 285245883, 64, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
+ if (image) {
+ vpx_img_free(image);
+ }
+}
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -20,8 +21,9 @@ static vpx_image_t *img_alloc_helper(vpx
unsigned int buf_align,
unsigned int stride_align,
unsigned char *img_data) {
- unsigned int h, w, s, xcs, ycs, bps;
- unsigned int stride_in_bytes;
+ unsigned int h, w, xcs, ycs, bps;
+ uint64_t s;
+ int stride_in_bytes;
int align;
/* Treat align==0 like align==1 */
@@ -73,9 +75,11 @@ static vpx_image_t *img_alloc_helper(vpx
* and height shouldn't be adjusted. */
w = d_w;
h = d_h;
- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
- s = (s + stride_align - 1) & ~(stride_align - 1);
- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
/* Allocate the new image */
if (!img) {
@@ -98,9 +102,11 @@ static vpx_image_t *img_alloc_helper(vpx
align = (1 << ycs) - 1;
h = (d_h + align) & ~align;
- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
- s = (s + stride_align - 1) & ~(stride_align - 1);
- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
: (uint64_t)h * s;
@@ -166,18 +172,19 @@ int vpx_img_set_rect(vpx_image_t *img, u
if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
img->planes[VPX_PLANE_ALPHA] =
data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA];
- data += img->h * img->stride[VPX_PLANE_ALPHA];
+ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA];
}
img->planes[VPX_PLANE_Y] =
data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y];
- data += img->h * img->stride[VPX_PLANE_Y];
+ data += (size_t)img->h * img->stride[VPX_PLANE_Y];
if (!(img->fmt & VPX_IMG_FMT_UV_FLIP)) {
img->planes[VPX_PLANE_U] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+ data +=
+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
img->planes[VPX_PLANE_V] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
@@ -185,7 +192,8 @@ int vpx_img_set_rect(vpx_image_t *img, u
img->planes[VPX_PLANE_V] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+ data +=
+ (size_t)(img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
img->planes[VPX_PLANE_U] =
data + (x >> img->x_chroma_shift) * bytes_per_sample +
(y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
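Review bot: The new `if (s > INT_MAX) goto fail;` in the second vpx_image.c hunk (`@@ -98,9 +102,11 @@`) executes after the descriptor may already have been heap-allocated — the `if (!img) {` context at the end of the preceding hunk is where a self-allocated vpx_image_t is created — so if the `fail:` label in this 1.7.0 tree only returns NULL, the calloc'd descriptor leaks on the oversized-stride path. The first hunk's identical check (`@@ -73,9 +75,11 @@`) runs before that allocation and is fine. The label is outside the hunk, so this needs confirming against the file; if it is a bare return, the fix is to free a self-allocated descriptor there, e.g. `fail:` followed by `if (img && img->self_allocd) free(img);` before `return NULL;`. img_alloc_helper begins and ends outside the hunk.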

144
CVE-2024-5197-2.patch Normal file

@ -0,0 +1,144 @@
Origin: https://github.com/webmproject/libvpx/commit/9d7054c0cb83665a74cf6f59b6261f455e692149
Backport of:
From 9d7054c0cb83665a74cf6f59b6261f455e692149 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Thu, 11 Apr 2024 10:24:11 -0700
Subject: [PATCH] Avoid integer overflows in arithmetic operations
A port of the libaom CL
https://aomedia-review.googlesource.com/c/aom/+/188823.
Impose maximum values on the input parameters so that we can perform
arithmetic operations without worrying about overflows.
Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
first and last samples in the first row of the Y plane, so that the test
will crash if there is unsigned integer overflow in the calculation of
stride_in_bytes.
Bug: chromium:332382766
Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3
(cherry picked from commit 06af417e795e6a9b9309406ba399fb109def89e6)
---
test/vpx_image_test.cc | 19 +++++++++++++++++++
vpx/src/vpx_image.c | 11 +++++++++++
vpx/vpx_image.h | 16 +++++++++++-----
3 files changed, 41 insertions(+), 5 deletions(-)
--- a/test/vpx_image_test.cc
+++ b/test/vpx_image_test.cc
@@ -8,6 +8,8 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <climits>
+
#include "vpx/vpx_image.h"
#include "third_party/googletest/src/include/gtest/gtest.h"
@@ -81,6 +83,10 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth)
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
ASSERT_EQ(image, nullptr);
+ // The aligned width (UINT_MAX + 1) would overflow unsigned int.
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, UINT_MAX, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
if (image) {
vpx_img_free(image);
@@ -96,8 +102,21 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth)
vpx_img_free(image);
}
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 65536, 2, 1);
+ if (image) {
+ uint16_t *y_plane =
+ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
+ y_plane[0] = 0;
+ y_plane[image->d_w - 1] = 0;
+ vpx_img_free(image);
+ }
+
image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
if (image) {
+ uint16_t *y_plane =
+ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
+ y_plane[0] = 0;
+ y_plane[image->d_w - 1] = 0;
vpx_img_free(image);
}
}
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <assert.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -26,6 +27,14 @@ static vpx_image_t *img_alloc_helper(vpx
int stride_in_bytes;
int align;
+ /* Impose maximum values on input parameters so that this function can
+ * perform arithmetic operations without worrying about overflows.
+ */
+ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
+ stride_align > 65536) {
+ goto fail;
+ }
+
/* Treat align==0 like align==1 */
if (!buf_align) buf_align = 1;
@@ -99,8 +108,10 @@ static vpx_image_t *img_alloc_helper(vpx
/* Calculate storage sizes given the chroma subsampling */
align = (1 << xcs) - 1;
w = (d_w + align) & ~align;
+ assert(d_w <= w);
align = (1 << ycs) - 1;
h = (d_h + align) & ~align;
+ assert(d_h <= h);
s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
--- a/vpx/vpx_image.h
+++ b/vpx/vpx_image.h
@@ -131,10 +131,13 @@ typedef struct vpx_image_rect {
* is NULL, the storage for the descriptor will be
* allocated on the heap.
* \param[in] fmt Format for the image
- * \param[in] d_w Width of the image
- * \param[in] d_h Height of the image
+ * \param[in] d_w Width of the image. Must not exceed 0x08000000
+ * (2^27).
+ * \param[in] d_h Height of the image. Must not exceed 0x08000000
+ * (2^27).
* \param[in] align Alignment, in bytes, of the image buffer and
- * each row in the image(stride).
+ * each row in the image (stride). Must not exceed
+ * 65536.
*
* \return Returns a pointer to the initialized image descriptor. If the img
* parameter is non-null, the value of the img parameter will be
@@ -157,9 +160,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *
* is NULL, the storage for the descriptor will be
* allocated on the heap.
* \param[in] fmt Format for the image
- * \param[in] d_w Width of the image
- * \param[in] d_h Height of the image
+ * \param[in] d_w Width of the image. Must not exceed 0x08000000
+ * (2^27).
+ * \param[in] d_h Height of the image. Must not exceed 0x08000000
+ * (2^27).
* \param[in] align Alignment, in bytes, of each row in the image.
+ * Must not exceed 65536.
* \param[in] img_data Storage to use for the image
*
* \return Returns a pointer to the initialized image descriptor. If the img

44
CVE-2024-5197-3.patch Normal file

@ -0,0 +1,44 @@
Origin: https://github.com/webmproject/libvpx/commit/61c4d556bd03b97d84e3fa49180d14bde5a62baa
From 61c4d556bd03b97d84e3fa49180d14bde5a62baa Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Fri, 12 Apr 2024 15:48:04 -0700
Subject: [PATCH] Fix a bug in alloc_size for high bit depths
I introduced this bug in commit 2e32276:
https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
I changed the line
stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
to three lines:
s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
if (s > INT_MAX) goto fail;
stride_in_bytes = (int)s;
But I didn't realize that `s` is used later in the calculation of
alloc_size.
As a quick fix, undo the effect of s * 2 for high bit depths after `s`
has been assigned to stride_in_bytes.
Bug: chromium:332382766
Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c
(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3)
---
vpx/src/vpx_image.c | 1 +
1 file changed, 1 insertion(+)
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -89,6 +89,7 @@ static vpx_image_t *img_alloc_helper(vpx
s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
if (s > INT_MAX) goto fail;
stride_in_bytes = (int)s;
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;
/* Allocate the new image */
if (!img) {
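Review bot: The `s / 2` correction is inserted just before `/* Allocate the new image */`, i.e. into the first stride computation from patch 1 (its `@@ -73,9 +75,11 @@` hunk, the externally-provided-buffer path), but the `alloc_size` the commit message refers to is computed from the second computation inside the `if (!img_data)` branch (patch 1's `@@ -98,9 +102,11 @@` hunk), which still doubles `s` for high-bit-depth formats immediately before `alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8 : (uint64_t)h * s;`. As far as the hunks show, the correction therefore does not reach the value that sizes the buffer in this 1.7.0 tree; whether the doubled `s` over- or under-sizes the allocation depends on whether `bps` already counts the 16-bit sample width, which is not visible here and should be confirmed against the format table. A matching `s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;` after the second `stride_in_bytes = (int)s;`, or computing alloc_size from the pre-doubling value, would make both paths consistent. img_alloc_helper begins and ends outside the hunk.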

105
CVE-2024-5197-pre1.patch Normal file

@ -0,0 +1,105 @@
Origin: https://github.com/webmproject/libvpx/commit/f60da3e3ea58ddca7178d2228e1106f0d2dccd24
Backport of:
From f60da3e3ea58ddca7178d2228e1106f0d2dccd24 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 10 Apr 2024 17:55:01 -0700
Subject: [PATCH] Add test/vpx_image_test.cc
Ported from test/aom_image_test.cc in libaom commit 04d6253.
Change-Id: I56478d0a5603cfb5b65e644add0918387ff69a00
(cherry picked from commit 3dbab0e66479e1b5368d4b7a069051dba85843cf)
---
test/test.mk | 1 +
test/vpx_image_test.cc | 72 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 test/vpx_image_test.cc
--- a/test/test.mk
+++ b/test/test.mk
@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h
## Black box tests only use the public API.
##
LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c
+LIBVPX_TEST_SRCS-yes += vpx_image_test.cc
LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h
LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c
LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc
--- /dev/null
+++ b/test/vpx_image_test.cc
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2024 The WebM project authors. All Rights Reserved.
+ *
+ * Use of this source code is governed by a BSD-style license
+ * that can be found in the LICENSE file in the root of the source
+ * tree. An additional intellectual property rights grant can be found
+ * in the file PATENTS. All contributing project authors may
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include "vpx/vpx_image.h"
+#include "third_party/googletest/src/include/gtest/gtest.h"
+
+TEST(VpxImageTest, VpxImgWrapInvalidAlign) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+ unsigned char buf[kWidth * kHeight * 3];
+
+ vpx_image_t img;
+ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should
+ // not read these values on failure.
+ unsigned char empty[] = "";
+ img.img_data = empty;
+ img.img_data_owner = 1;
+
+ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
+ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap()
+ // call to fail. The test verifies we do not read the junk values in 'img'.
+ unsigned int align = 31;
+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr);
+}
+
+TEST(VpxImageTest, VpxImgSetRectOverflow) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+ unsigned char buf[kWidth * kHeight * 3];
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
+ unsigned int align = 32;
+ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), &img);
+
+ EXPECT_EQ(vpx_img_set_rect(&img, 0, 0, kWidth, kHeight), 0);
+ // This would result in overflow because -1 is cast to UINT_MAX.
+ EXPECT_NE(vpx_img_set_rect(&img, static_cast<unsigned int>(-1),
+ static_cast<unsigned int>(-1), kWidth, kHeight),
+ 0);
+}
+
+TEST(VpxImageTest, VpxImgAllocNone) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_NONE;
+ unsigned int align = 32;
+ ASSERT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), nullptr);
+}
+
+TEST(VpxImageTest, VpxImgAllocYv12) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+
+ vpx_image_t img;
+ vpx_img_fmt_t format = VPX_IMG_FMT_YV12;
+ unsigned int align = 32;
+ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img);
+ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]);
+ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]);
+ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
+ vpx_img_free(&img);
+}


@ -1,11 +1,15 @@
Name: libvpx
Version: 1.7.0
Release: 11
Release: 12
Summary: VP8/VP9 Video Codec SDK
License: BSD
Source0: https://github.com/webmproject/libvpx/archive/v%{version}.tar.gz
Patch0: CVE-2023-5217.patch
Patch1: CVE-2023-44488.patch
Patch0: CVE-2023-5217.patch
Patch1: CVE-2023-44488.patch
Patch2: CVE-2024-5197-pre1.patch
Patch3: CVE-2024-5197-1.patch
Patch4: CVE-2024-5197-2.patch
Patch5: CVE-2024-5197-3.patch
URL: http://www.webmproject.org/code/
BuildRequires: gcc gcc-c++ doxygen, php-cli, perl(Getopt::Long)
%ifarch x86_64
@ -108,6 +112,9 @@ mv %{buildroot}%{_prefix}/src/vpx_scale %{buildroot}%{_includedir}/
%{_libdir}/libvpx.so
%changelog
* Fri Jun 07 2024 wangkai <13474090681@163.com> - 1.7.0-12
- Fix CVE-2024-5197
* Mon Mar 11 2024 hefq343<fengqing.he@shingroup.cn> - 1.7.0-11
- add ppc64le support