wok-current rev 25778

Patch libvpx (CVE-2025-5283)
author Stanislas Leduc <shann@slitaz.org>
date Mon Jun 09 10:46:07 2025 +0000 (3 months ago)
parents 5f4849b8241b
children 99fac26f0c0a
files libvpx/receipt libvpx/stuff/CVE-2025-5283.patch
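--- a/libvpx/receipt
+++ b/libvpx/receipt
@@ -25,6 +25,10 @@
 # Rules to configure and make the package.
 compile_rules()
 {
+	# Patch for CVE-2025-5283
+	# see https://www.cve.org/CVERecord?id=CVE-2025-5283
+	patch -p1 < $stuff/CVE-2025-5283.patch
+
 	./configure				\
 		--enable-vp8			\
 		--enable-runtime-cpu-detect	\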
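Review bot: The added `patch -p1 < $stuff/CVE-2025-5283.patch` line has no failure check, so if the patch does not apply to the packaged libvpx sources, compile_rules may continue to `./configure` and ship a build that is recorded as fixed but still contains the double free. Whether the cook environment already aborts on a non-zero exit status is not visible on this page. Quoting the path and stopping on error makes the intent explicit: `patch -p1 < "$stuff/CVE-2025-5283.patch" || return 1`. The comment could also record the upstream commit the patch was cherry-picked from, e.g. `# upstream libvpx commit 1c758781c428c0e895645b95b8ff1512b6bdcecb`, so the vendored file can be compared against upstream. The body of compile_rules continues past the end of the hunk.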
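--- /dev/null
+++ b/libvpx/stuff/CVE-2025-5283.patch
@@ -0,0 +1,60 @@
+From 865eaf63a727966d19185b79836480dfc844749b Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 30 Apr 2025 19:28:48 -0700
+Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure
+
+In `vp8e_init()`, the encoder would take ownership of
+`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed.
+This caused confusion at the call site as other failures in
+`vp8e_init()` did not result in ownership transfer and the caller would
+free the memory. In the case of `vp8_create_compressor()` failure both
+the caller and `vpx_codec_destroy()` would free the memory, causing a
+crash. `mr_*` related variables are now cleared on failure to prevent
+this situation.
+
+Bug: webm:413411335
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421
+Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc
+(cherry picked from commit 1c758781c428c0e895645b95b8ff1512b6bdcecb)
+---
+ vp8/vp8_cx_iface.c    | 12 +++++++++++-
+ vpx/src/vpx_encoder.c |  3 +++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c
+index 38456d2b90c..35c94fb0434 100644
+--- a/vp8/vp8_cx_iface.c
++++ b/vp8/vp8_cx_iface.c
+@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx,
+ 
+       set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg);
+       priv->cpi = vp8_create_compressor(&priv->oxcf);
+-      if (!priv->cpi) res = VPX_CODEC_MEM_ERROR;
++      if (!priv->cpi) {
++#if CONFIG_MULTI_RES_ENCODING
++        // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This
++        // prevents ownership confusion with the caller and avoids a double
++        // free when vpx_codec_destroy() is called on this instance.
++        priv->oxcf.mr_total_resolutions = 0;
++        priv->oxcf.mr_encoder_id = 0;
++        priv->oxcf.mr_low_res_mode_info = NULL;
++#endif
++        res = VPX_CODEC_MEM_ERROR;
++      }
+     }
+   }
+ 
+diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c
+index 001d854abe9..3af4cea3a70 100644
+--- a/vpx/src/vpx_encoder.c
++++ b/vpx/src/vpx_encoder.c
+@@ -114,6 +114,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver(
+           ctx->priv = NULL;
+           ctx->init_flags = flags;
+           ctx->config.enc = cfg;
++          // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if
++          // this call succeeds. The first ctx entry in the array is
++          // responsible for freeing the memory.
+           res = ctx->iface->init(ctx, &mr_cfg);
+         }
+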