From d88f5787614b5b4c17b49ada5076a70be443ddf0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 06:57:10 +0000 Subject: import libvpx-1.3.0-8.el7
---
diff --git a/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
new file mode 100644
index 0000000..4158c0c
--- /dev/null
+++ b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
@@ -0,0 +1,43 @@
+From d4a359feea3b2d1ca8dc1493d0fb4aac376fb967 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 25 Mar 2020 12:26:24 +0100
+Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
+
+vp8_norm table has 256 elements while index to it can be higher on
+fuzzed data. Typecasting it to unsigned char will ensure valid range and
+will trigger proper error later. Also declaring "shift" as unsigned char to
+avoid UB sanitizer warning
+---
+ vp8/decoder/dboolhuff.h | 2 +-
+ vp9/decoder/vp9_dboolhuff.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
+index 4c0ca1ce7..00a330723 100644
+--- a/vp8/decoder/dboolhuff.h
++++ b/vp8/decoder/dboolhuff.h
+@@ -84,7 +84,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
+ }
+
+ {
+- register unsigned int shift = vp8_norm[range];
++ register unsigned char shift = vp8_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+diff --git a/vp9/decoder/vp9_dboolhuff.h b/vp9/decoder/vp9_dboolhuff.h
+index fd8e74ca4..0f3634a06 100644
+--- a/vp9/decoder/vp9_dboolhuff.h
++++ b/vp9/decoder/vp9_dboolhuff.h
+@@ -63,7 +63,7 @@ static int vp9_read(vp9_reader *br, int probability) {
+ }
+
+ {
+- register unsigned int shift = vp9_norm[range];
++ register unsigned char shift = vp9_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+--
+2.25.1
+
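Review bot: The cast in `vp8_norm[(unsigned char)range]` keeps the lookup inside the 256-entry table by dropping the high bits of `range`, but nothing in this hunk rejects the corrupt state; per the commit message the error is expected to surface later, outside the hunk. Because the cast looks redundant to a reader who assumes `range` never exceeds 255, it should carry a comment such as `/* range can exceed 255 on corrupt input; the cast bounds the vp8_norm index */`. The same applies to the `vp9_norm[(unsigned char)range]` line in the vp9_read hunk. Both functions start and end outside their hunks.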
diff --git a/SOURCES/0001-vp8-fix-threading-issues.patch b/SOURCES/0001-vp8-fix-threading-issues.patch
new file mode 100644
index 0000000..6046316
--- /dev/null
+++ b/SOURCES/0001-vp8-fix-threading-issues.patch
@@ -0,0 +1,187 @@
+From c1524f293784d9957c2339fc462fcea5c9619bee Mon Sep 17 00:00:00 2001
+From: Jim Bankoski
+Date: Tue, 7 Jan 2020 11:38:36 +0100
+Subject: [PATCH] vp8:fix threading issues
+
+1 - stops de allocating before threads are closed.
+2 - limits threads to mb_rows when mb_rows < partitions
+
+BUG=webm:851
+---
+ vp8/decoder/decodframe.c | 2 +
+ vp8/decoder/onyxd_if.c | 2 -
+ vp8/decoder/threading.c | 107 +++++++++++++++++++--------------------
+ 3 files changed, 55 insertions(+), 56 deletions(-)
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 16da78a2c..ee14c3b04 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -904,6 +904,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+ /* Clamp number of decoder threads */
+ if (pbi->decoding_thread_count > num_token_partitions - 1)
+ pbi->decoding_thread_count = num_token_partitions - 1;
++ if (pbi->decoding_thread_count > pbi->common.mb_rows - 1)
++ pbi->decoding_thread_count = pbi->common.mb_rows - 1;
+ #endif
+ }
+
+diff --git a/vp8/decoder/onyxd_if.c b/vp8/decoder/onyxd_if.c
+index 2d9e343bc..57fa39bc7 100644
+--- a/vp8/decoder/onyxd_if.c
++++ b/vp8/decoder/onyxd_if.c
+@@ -509,8 +509,6 @@ int vp8_remove_decoder_instances(struct frame_buffers *fb)
+ if (!pbi)
+ return VPX_CODEC_ERROR;
+ #if CONFIG_MULTITHREAD
+- if (pbi->b_multithreaded_rd)
+- vp8mt_de_alloc_temp_buffers(pbi, pbi->common.mb_rows);
+ vp8_decoder_remove_threads(pbi);
+ #endif
+
+diff --git a/vp8/decoder/threading.c b/vp8/decoder/threading.c
+index fe290cffe..9001d275f 100644
+--- a/vp8/decoder/threading.c
++++ b/vp8/decoder/threading.c
+@@ -696,78 +696,75 @@ void vp8mt_de_alloc_temp_buffers(VP8D_COMP *pbi, int mb_rows)
+ {
+ int i;
+
+- if (pbi->b_multithreaded_rd)
+- {
+- vpx_free(pbi->mt_current_mb_col);
+- pbi->mt_current_mb_col = NULL ;
++ vpx_free(pbi->mt_current_mb_col);
++ pbi->mt_current_mb_col = NULL ;
+
+- /* Free above_row buffers. */
+- if (pbi->mt_yabove_row)
++ /* Free above_row buffers. */
++ if (pbi->mt_yabove_row)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_yabove_row[i]);
+- pbi->mt_yabove_row[i] = NULL ;
+- }
+- vpx_free(pbi->mt_yabove_row);
+- pbi->mt_yabove_row = NULL ;
++ vpx_free(pbi->mt_yabove_row[i]);
++ pbi->mt_yabove_row[i] = NULL ;
+ }
++ vpx_free(pbi->mt_yabove_row);
++ pbi->mt_yabove_row = NULL ;
++ }
+
+- if (pbi->mt_uabove_row)
++ if (pbi->mt_uabove_row)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_uabove_row[i]);
+- pbi->mt_uabove_row[i] = NULL ;
+- }
+- vpx_free(pbi->mt_uabove_row);
+- pbi->mt_uabove_row = NULL ;
++ vpx_free(pbi->mt_uabove_row[i]);
++ pbi->mt_uabove_row[i] = NULL ;
+ }
++ vpx_free(pbi->mt_uabove_row);
++ pbi->mt_uabove_row = NULL ;
++ }
+
+- if (pbi->mt_vabove_row)
++ if (pbi->mt_vabove_row)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_vabove_row[i]);
+- pbi->mt_vabove_row[i] = NULL ;
+- }
+- vpx_free(pbi->mt_vabove_row);
+- pbi->mt_vabove_row = NULL ;
++ vpx_free(pbi->mt_vabove_row[i]);
++ pbi->mt_vabove_row[i] = NULL ;
+ }
++ vpx_free(pbi->mt_vabove_row);
++ pbi->mt_vabove_row = NULL ;
++ }
+
+- /* Free left_col buffers. */
+- if (pbi->mt_yleft_col)
++ /* Free left_col buffers. */
++ if (pbi->mt_yleft_col)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_yleft_col[i]);
+- pbi->mt_yleft_col[i] = NULL ;
+- }
+- vpx_free(pbi->mt_yleft_col);
+- pbi->mt_yleft_col = NULL ;
++ vpx_free(pbi->mt_yleft_col[i]);
++ pbi->mt_yleft_col[i] = NULL ;
+ }
++ vpx_free(pbi->mt_yleft_col);
++ pbi->mt_yleft_col = NULL ;
++ }
+
+- if (pbi->mt_uleft_col)
++ if (pbi->mt_uleft_col)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_uleft_col[i]);
+- pbi->mt_uleft_col[i] = NULL ;
+- }
+- vpx_free(pbi->mt_uleft_col);
+- pbi->mt_uleft_col = NULL ;
++ vpx_free(pbi->mt_uleft_col[i]);
++ pbi->mt_uleft_col[i] = NULL ;
+ }
++ vpx_free(pbi->mt_uleft_col);
++ pbi->mt_uleft_col = NULL ;
++ }
+
+- if (pbi->mt_vleft_col)
++ if (pbi->mt_vleft_col)
++ {
++ for (i=0; i< mb_rows; i++)
+ {
+- for (i=0; i< mb_rows; i++)
+- {
+- vpx_free(pbi->mt_vleft_col[i]);
+- pbi->mt_vleft_col[i] = NULL ;
+- }
+- vpx_free(pbi->mt_vleft_col);
+- pbi->mt_vleft_col = NULL ;
++ vpx_free(pbi->mt_vleft_col[i]);
++ pbi->mt_vleft_col[i] = NULL ;
+ }
++ vpx_free(pbi->mt_vleft_col);
++ pbi->mt_vleft_col = NULL ;
+ }
+ }
+
+@@ -859,6 +856,8 @@ void vp8_decoder_remove_threads(VP8D_COMP *pbi)
+
+ vpx_free(pbi->de_thread_data);
+ pbi->de_thread_data = NULL;
++
++ vp8mt_de_alloc_temp_buffers(pbi, pbi->common.mb_rows);
+ }
+ }
+
+--
+2.24.1
+
diff --git a/SOURCES/0001-vp8_decode_frame-fix-oob-read-on-truncated-key-frame.patch b/SOURCES/0001-vp8_decode_frame-fix-oob-read-on-truncated-key-frame.patch
new file mode 100644
index 0000000..a072fc1
--- /dev/null
+++ b/SOURCES/0001-vp8_decode_frame-fix-oob-read-on-truncated-key-frame.patch
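Review bot: The clamp added to setup_token_decoder in vp8/decoder/decodframe.c has no lower bound: `pbi->decoding_thread_count = pbi->common.mb_rows - 1;` yields -1 when `mb_rows` is 0. The hunk shows neither the type of `decoding_thread_count` nor whether a zero-row frame is rejected before this point. If that case is reachable, clamp against `pbi->common.mb_rows > 0 ? pbi->common.mb_rows - 1 : 0` instead. The function body starts outside the hunk.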
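Review bot: In vp8/decoder/threading.c, vp8_decoder_remove_threads now frees the row buffers with `vp8mt_de_alloc_temp_buffers(pbi, pbi->common.mb_rows)`, so each `for (i=0; i< mb_rows; i++)` loop uses the row count current at teardown rather than the count the arrays were allocated with. The allocation site is not in this diff; if `common.mb_rows` can change after allocation (for example a new frame size parsed before the buffers are reallocated), the loops would read and free past the end of the pointer arrays. Consider recording the allocated row count in `pbi` and passing that, or at least documenting on vp8mt_de_alloc_temp_buffers that `mb_rows` must equal the allocated count.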
@@ -0,0 +1,59 @@
+From b6d8f3b4918d9c834cb0a65e1280a473242d99f1 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 15 Apr 2020 11:09:35 +0200
+Subject: [PATCH] vp8_decode_frame: fix oob read on truncated key frame
+
+the check for error correction being disabled was overriding the data
+length checks. this avoids returning incorrect information (width /
+height) for the decoded frame which could result in inconsistent sizes
+returned in to an application causing it to read beyond the bounds of
+the frame allocation.
+
+BUG=webm:1443
+BUG=b/62458770
+
+Change-Id: I063459674e01b57c0990cb29372e0eb9a1fbf342
+---
+ vp8/decoder/decodframe.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index ee14c3b04..2072fcbdc 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -1051,7 +1051,7 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+ /* When error concealment is enabled we should only check the sync
+ * code if we have enough bits available
+ */
+- if (!pbi->ec_active || data + 3 < data_end)
++ if (data + 3 < data_end)
+ {
+ if (clear[0] != 0x9d || clear[1] != 0x01 || clear[2] != 0x2a)
+ vpx_internal_error(&pc->error, VPX_CODEC_UNSUP_BITSTREAM,
+@@ -1062,15 +1062,20 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+ * if we have enough data. Otherwise we will end up with the wrong
+ * size.
+ */
+- if (!pbi->ec_active || data + 6 < data_end)
++ if (data + 6 < data_end)
+ {
+ pc->Width = (clear[3] | (clear[4] << 8)) & 0x3fff;
+ pc->horiz_scale = clear[4] >> 6;
+ pc->Height = (clear[5] | (clear[6] << 8)) & 0x3fff;
+ pc->vert_scale = clear[6] >> 6;
++ data += 7;
++ } else if (!pbi->ec_active) {
++ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
++ "Truncated key frame header");
++ } else {
++ /* Error concealment is active, clear the frame. */
++ data = data_end;
+ }
+- data += 7;
+- clear += 7;
+ }
+ else
+ {
+--
+2.26.0
+
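Review bot: The bounds checks `data + 3 < data_end` and `data + 6 < data_end` compute a pointer that can lie more than one past the end of the input when fewer bytes remain, which is undefined behaviour in C if `data_end` is the end of the underlying buffer. Comparing the remaining length avoids this, e.g. `if (data_end - data > 6)`, and likewise `> 3` for the sync-code check. Separately, the comment above the first check still ties the length test to error concealment being enabled, although the test is now unconditional, so it should be reworded. vp8_decode_frame starts and ends outside both hunks.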
diff --git a/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
new file mode 100644
index 0000000..f72c896
--- /dev/null
+++ b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
@@ -0,0 +1,33 @@
+From e8c72275a68e5c566bd780097286522a9cd7f906 Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 25 Mar 2020 12:30:32 +0100
+Subject: [PATCH 2/2] CVE-2019-9433: VP8: Fix use-after-free in postproc.
+
+The pointer in vp8 postproc refers to show_frame_mi which is only
+updated on show frame. However, when there is a no-show frame which also
+changes the size (thus new frame buffers allocated), show_frame_mi is
+not updated with new frame buffer memory.
+
+Change the pointer in postproc to mi which is always updated.
+
+Bug: 842265
+---
+ vp8/common/postproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
+index dd998f16e..2693ef017 100644
+--- a/vp8/common/postproc.c
++++ b/vp8/common/postproc.c
+@@ -334,7 +334,7 @@ void vp8_deblock(VP8_COMMON *cm,
+ double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+ int ppl = (int)(level + .5);
+
+- const MODE_INFO *mode_info_context = cm->show_frame_mi;
++ const MODE_INFO *mode_info_context = cm->mi;
+ int mbr, mbc;
+
+ /* The pixel thresholds are adjusted according to if or not the macroblock
+--
+2.25.1
+
diff --git a/SPECS/libvpx.spec b/SPECS/libvpx.spec
index da72f32..9b99173 100644
--- a/SPECS/libvpx.spec
+++ b/SPECS/libvpx.spec
@@ -6,7 +6,7 @@ Name: libvpx
 Summary: VP8 Video Codec SDK
 Version: %{majorver}.%{minorver}.%{tinyver}
 %global soversion %{version}
-Release: 5%{?dist}
+Release: 8%{?dist}
 License: BSD
 Group: System Environment/Libraries
 Source0: http://webm.googlecode.com/files/%{name}-v%{version}.tar.bz2
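Review bot: The switch to `cm->mi` in vp8_deblock (vp8/common/postproc.c) is explained only in the commit message, so nothing in the code tells a later reader why `show_frame_mi` must not be used here. Add a comment on the line, e.g. `/* cm->mi, not show_frame_mi: the latter is not refreshed when a no-show frame reallocates the frame buffers */`. Any other reader of `cm->show_frame_mi` outside this hunk would see the same stale pointer and is worth checking. The function continues past the end of the hunk.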
@@ -16,6 +16,10 @@ Patch0: Bug-fix-in-ssse3-quantize-function.patch Patch1: x86inc-nasm.patch Patch2: vp9-nasm.patch Patch3: sectalign-nasm.patch +Patch4: 0001-vp8-fix-threading-issues.patch +Patch5: 0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch +Patch6: 0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch +Patch7: 0001-vp8_decode_frame-fix-oob-read-on-truncated-key-frame.patch URL: http://www.webmproject.org/tools/vp8-sdk/ %ifarch %{ix86} x86_64 BuildRequires: nasm @@ -51,6 +55,10 @@ and decoder. %patch1 -p1 -b .x86inc-nasm %patch2 -p1 -b .vp9-nasm %patch3 -p1 -b .sectalign-nasm +%patch4 -p1 -b .0004 +%patch5 -p1 -b .0005 +%patch6 -p1 -b .0006 +%patch7 -p1 -b .0007 sed -i -e 's/^\(global .*\) PRIVATE$/\1/' $(find -name "*.asm") %build @@ -178,6 +186,18 @@ popd %{_bindir}/* %changelog +* Wed Apr 15 2020 Taymans - 1.3.0-8 +- Fix for CVE-2020-0034 +- Resolves: rhbz#1823909 + +* Wed Mar 25 2020 Taymans - 1.3.0-7 +- Fix for CVE-2019-9232 and CVE-2019-9433 +- Resolves: rhbz#1796085, rhbz#1796099 + +* Tue Jan 7 2020 Taymans - 1.3.0-6 +- Fix for CVE-2017-0393 +- Resolves: rhbz#1779498 + * Thu Mar 20 2014 Wim Taymans - 1.3.0-4 - fix Illegal Instruction abort
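Review bot: `Patch4:` and `Patch7:` do not name a CVE, while the changelog attributes releases 1.3.0-6 and 1.3.0-8 to CVE-2017-0393 and CVE-2020-0034. Judging by the patch dates these are presumably the threading and truncated-key-frame patches, but the spec does not say so. A comment above each `PatchN:` line would make the mapping auditable, e.g. `# CVE-2017-0393, rhbz#1779498` above `Patch4:` once the mapping is confirmed.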