diff --git a/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
new file mode 100644
index 0000000..01bbd4a
--- /dev/null
+++ b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
@@ -0,0 +1,45 @@
+From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 25 Mar 2020 13:39:30 +0100
+Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
+
+vp8_norm table has 256 elements while index to it can be higher on
+fuzzed data. Typecasting it to unsigned char will ensure valid range and
+will trigger proper error later. Also declaring "shift" as unsigned char to
+avoid UB sanitizer warning
+
+BUG=b/122373286,b/122373822,b/122371119
+---
+ vp8/decoder/dboolhuff.h | 2 +-
+ vpx_dsp/bitreader.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
+index 04c027cd7..f3b080509 100644
+--- a/vp8/decoder/dboolhuff.h
++++ b/vp8/decoder/dboolhuff.h
+@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
+ }
+
+ {
+- register int shift = vp8_norm[range];
++ register unsigned char shift = vp8_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
+index 6ee2a5863..4b87e986c 100644
+--- a/vpx_dsp/bitreader.h
++++ b/vpx_dsp/bitreader.h
+@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
+ }
+
+ {
+- register int shift = vpx_norm[range];
++ register unsigned char shift = vpx_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+--
+2.25.1
+
diff --git a/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
new file mode 100644
index 0000000..458a45e
--- /dev/null
+++ b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
@@ -0,0 +1,33 @@
+From 93681819b22d3f42cf5fdfa85701f38e5bab10dd Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Wed, 25 Mar 2020 13:42:07 +0100
+Subject: [PATCH 2/2] CVE-2019-9433: VP8: Fix use-after-free in postproc.
+
+The pointer in vp8 postproc refers to show_frame_mi which is only
+updated on show frame. However, when there is a no-show frame which also
+changes the size (thus new frame buffers allocated), show_frame_mi is
+not updated with new frame buffer memory.
+
+Change the pointer in postproc to mi which is always updated.
+
+Bug: 842265
+---
+ vp8/common/postproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
+index d67ee8a57..8c292d616 100644
+--- a/vp8/common/postproc.c
++++ b/vp8/common/postproc.c
+@@ -65,7 +65,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BUFFER_CONFIG *source,
+ double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+ int ppl = (int)(level + .5);
+
+- const MODE_INFO *mode_info_context = cm->show_frame_mi;
++ const MODE_INFO *mode_info_context = cm->mi;
+ int mbr, mbc;
+
+ /* The pixel thresholds are adjusted according to if or not the macroblock
+--
+2.25.1
+
diff --git a/SOURCES/0003-CVE-2019-9371-update-libwebm.patch b/SOURCES/0003-CVE-2019-9371-update-libwebm.patch
new file mode 100644
index 0000000..79aba43
--- /dev/null
+++ b/SOURCES/0003-CVE-2019-9371-update-libwebm.patch
@@ -0,0 +1,755 @@
+From ca1647dda267762c03c8641d2c605a9853a8ac59 Mon Sep 17 00:00:00 2001
+From: Johann <johannkoenig@google.com>
+Date: Tue, 24 Apr 2018 15:22:28 -0700
+Subject: [PATCH 3/4] CVE-2019-9371: update libwebm
+
+update libwebm to libwebm-1.0.0.27-358-gdbf1d10
+---
+ configure | 8 +-
+ third_party/libwebm/AUTHORS.TXT | 8 +-
+ third_party/libwebm/Android.mk | 2 +-
+ third_party/libwebm/README.libvpx | 14 +++-
+ third_party/libwebm/common/file_util.cc | 19 ++++-
+ third_party/libwebm/common/file_util.h | 5 +-
+ third_party/libwebm/common/hdr_util.cc | 8 +-
+ third_party/libwebm/common/hdr_util.h | 10 +--
+ third_party/libwebm/common/webmids.h | 1 +
+ third_party/libwebm/mkvmuxer/mkvmuxer.cc | 77 +++++++++++++-------
+ third_party/libwebm/mkvmuxer/mkvmuxer.h | 5 +-
+ third_party/libwebm/mkvmuxer/mkvmuxerutil.cc | 13 ++--
+ third_party/libwebm/mkvmuxer/mkvmuxerutil.h | 3 +
+ third_party/libwebm/mkvmuxer/mkvwriter.cc | 2 +
+ third_party/libwebm/mkvparser/mkvparser.cc | 64 +++++++++++-----
+ third_party/libwebm/mkvparser/mkvparser.h | 6 +-
+ third_party/libwebm/mkvparser/mkvreader.cc | 2 +
+ 17 files changed, 165 insertions(+), 82 deletions(-)
+
+diff --git a/configure b/configure
+index e5a74c6f2..56d203e6b 100755
+--- a/configure
++++ b/configure
+@@ -703,9 +703,7 @@ process_toolchain() {
+ check_cxx "$@" <<EOF && soft_enable unit_tests
+ int z;
+ EOF
+- check_cxx "$@" <<EOF && soft_enable webm_io
+-int z;
+-EOF
++ check_add_cxx_flags -std=c++11 && soft_enable webm_io
+ check_cxx "$@" <<EOF && soft_enable libyuv
+ int z;
+ EOF
+@@ -714,9 +712,7 @@ EOF
+ enabled pthread_h && check_cxx "$@" <<EOF && soft_enable unit_tests
+ int z;
+ EOF
+- check_cxx "$@" <<EOF && soft_enable webm_io
+-int z;
+-EOF
++ check_add_cxx_flags -std=c++11 && soft_enable webm_io
+ check_cxx "$@" <<EOF && soft_enable libyuv
+ int z;
+ EOF
+diff --git a/third_party/libwebm/AUTHORS.TXT b/third_party/libwebm/AUTHORS.TXT
+index 8ab6f794c..9686ac13e 100644
+--- a/third_party/libwebm/AUTHORS.TXT
++++ b/third_party/libwebm/AUTHORS.TXT
+@@ -1,4 +1,4 @@
+-# Names should be added to this file like so:
+-# Name or Organization <email address>
+-
+-Google Inc.
++# Names should be added to this file like so:
++# Name or Organization <email address>
++
++Google Inc.
+diff --git a/third_party/libwebm/Android.mk b/third_party/libwebm/Android.mk
+index 8149a083f..b46ba101d 100644
+--- a/third_party/libwebm/Android.mk
++++ b/third_party/libwebm/Android.mk
+@@ -3,7 +3,7 @@ LOCAL_PATH:= $(call my-dir)
+ include $(CLEAR_VARS)
+ LOCAL_MODULE:= libwebm
+ LOCAL_CPPFLAGS:=-D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS
+-LOCAL_CPPFLAGS+=-D__STDC_LIMIT_MACROS -Wno-extern-c-compat
++LOCAL_CPPFLAGS+=-D__STDC_LIMIT_MACROS -std=c++11
+ LOCAL_C_INCLUDES:= $(LOCAL_PATH)
+ LOCAL_EXPORT_C_INCLUDES:= $(LOCAL_PATH)
+
+diff --git a/third_party/libwebm/README.libvpx b/third_party/libwebm/README.libvpx
+index ebb5ff2f4..16f17513e 100644
+--- a/third_party/libwebm/README.libvpx
++++ b/third_party/libwebm/README.libvpx
+@@ -1,5 +1,5 @@
+ URL: https://chromium.googlesource.com/webm/libwebm
+-Version: 0ae757087f5e6eb01dfea16cc09205b2425cfb74
++Version: dbf1d1089756e7cb5b1a04d6752310ef35912347
+ License: BSD
+ License File: LICENSE.txt
+
+@@ -7,4 +7,14 @@ Description:
+ libwebm is used to handle WebM container I/O.
+
+ Local Changes:
+-* <none>
++Only keep:
++ - Android.mk
++ - AUTHORS.TXT
++ - common/
++ file_util.cc/h
++ hdr_util.cc/h
++ webmids.h
++ - LICENSE.TXT
++ - mkvmuxer/
++ - mkvparser/
++ - PATENTS.TXT
+diff --git a/third_party/libwebm/common/file_util.cc b/third_party/libwebm/common/file_util.cc
+index 6dab146dd..6eb6428b9 100644
+--- a/third_party/libwebm/common/file_util.cc
++++ b/third_party/libwebm/common/file_util.cc
+@@ -17,14 +17,15 @@
+ #include <cstring>
+ #include <fstream>
+ #include <ios>
++#include <string>
+
+ namespace libwebm {
+
+ std::string GetTempFileName() {
+ #if !defined _MSC_VER && !defined __MINGW32__
+ std::string temp_file_name_template_str =
+- std::string(std::getenv("TEST_TMPDIR") ? std::getenv("TEST_TMPDIR") :
+- ".") +
++ std::string(std::getenv("TEST_TMPDIR") ? std::getenv("TEST_TMPDIR")
++ : ".") +
+ "/libwebm_temp.XXXXXX";
+ char* temp_file_name_template =
+ new char[temp_file_name_template_str.length() + 1];
+@@ -41,7 +42,12 @@ std::string GetTempFileName() {
+ return temp_file_name;
+ #else
+ char tmp_file_name[_MAX_PATH];
++#if defined _MSC_VER || defined MINGW_HAS_SECURE_API
+ errno_t err = tmpnam_s(tmp_file_name);
++#else
++ char* fname_pointer = tmpnam(tmp_file_name);
++ int err = (fname_pointer == &tmp_file_name[0]) ? 0 : -1;
++#endif
+ if (err == 0) {
+ return std::string(tmp_file_name);
+ }
+@@ -65,6 +71,15 @@ uint64_t GetFileSize(const std::string& file_name) {
+ return file_size;
+ }
+
++bool GetFileContents(const std::string& file_name, std::string* contents) {
++ std::ifstream file(file_name.c_str());
++ *contents = std::string(static_cast<size_t>(GetFileSize(file_name)), 0);
++ if (file.good() && contents->size()) {
++ file.read(&(*contents)[0], contents->size());
++ }
++ return !file.fail();
++}
++
+ TempFileDeleter::TempFileDeleter() { file_name_ = GetTempFileName(); }
+
+ TempFileDeleter::~TempFileDeleter() {
+diff --git a/third_party/libwebm/common/file_util.h b/third_party/libwebm/common/file_util.h
+index 0e71eac11..a87373464 100644
+--- a/third_party/libwebm/common/file_util.h
++++ b/third_party/libwebm/common/file_util.h
+@@ -22,6 +22,9 @@ std::string GetTempFileName();
+ // Returns size of file specified by |file_name|, or 0 upon failure.
+ uint64_t GetFileSize(const std::string& file_name);
+
++// Gets the contents file_name as a string. Returns false on error.
++bool GetFileContents(const std::string& file_name, std::string* contents);
++
+ // Manages life of temporary file specified at time of construction. Deletes
+ // file upon destruction.
+ class TempFileDeleter {
+@@ -38,4 +41,4 @@ class TempFileDeleter {
+
+ } // namespace libwebm
+
+-#endif // LIBWEBM_COMMON_FILE_UTIL_H_
+\ No newline at end of file
++#endif // LIBWEBM_COMMON_FILE_UTIL_H_
+diff --git a/third_party/libwebm/common/hdr_util.cc b/third_party/libwebm/common/hdr_util.cc
+index e1618ce75..916f7170b 100644
+--- a/third_party/libwebm/common/hdr_util.cc
++++ b/third_party/libwebm/common/hdr_util.cc
+@@ -36,10 +36,10 @@ bool CopyMasteringMetadata(const mkvparser::MasteringMetadata& parser_mm,
+ if (MasteringMetadataValuePresent(parser_mm.luminance_min))
+ muxer_mm->set_luminance_min(parser_mm.luminance_min);
+
+- PrimaryChromaticityPtr r_ptr(NULL);
+- PrimaryChromaticityPtr g_ptr(NULL);
+- PrimaryChromaticityPtr b_ptr(NULL);
+- PrimaryChromaticityPtr wp_ptr(NULL);
++ PrimaryChromaticityPtr r_ptr(nullptr);
++ PrimaryChromaticityPtr g_ptr(nullptr);
++ PrimaryChromaticityPtr b_ptr(nullptr);
++ PrimaryChromaticityPtr wp_ptr(nullptr);
+
+ if (parser_mm.r) {
+ if (!CopyPrimaryChromaticity(*parser_mm.r, &r_ptr))
+diff --git a/third_party/libwebm/common/hdr_util.h b/third_party/libwebm/common/hdr_util.h
+index 3ef5388fd..78e2eeb70 100644
+--- a/third_party/libwebm/common/hdr_util.h
++++ b/third_party/libwebm/common/hdr_util.h
+@@ -47,15 +47,7 @@ struct Vp9CodecFeatures {
+ int chroma_subsampling;
+ };
+
+-// disable deprecation warnings for auto_ptr
+-#if defined(__GNUC__) && __GNUC__ >= 5
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-#endif
+-typedef std::auto_ptr<mkvmuxer::PrimaryChromaticity> PrimaryChromaticityPtr;
+-#if defined(__GNUC__) && __GNUC__ >= 5
+-#pragma GCC diagnostic pop
+-#endif
++typedef std::unique_ptr<mkvmuxer::PrimaryChromaticity> PrimaryChromaticityPtr;
+
+ bool CopyPrimaryChromaticity(const mkvparser::PrimaryChromaticity& parser_pc,
+ PrimaryChromaticityPtr* muxer_pc);
+diff --git a/third_party/libwebm/common/webmids.h b/third_party/libwebm/common/webmids.h
+index 89d722a71..fc0c20814 100644
+--- a/third_party/libwebm/common/webmids.h
++++ b/third_party/libwebm/common/webmids.h
+@@ -93,6 +93,7 @@ enum MkvId {
+ kMkvDisplayHeight = 0x54BA,
+ kMkvDisplayUnit = 0x54B2,
+ kMkvAspectRatioType = 0x54B3,
++ kMkvColourSpace = 0x2EB524,
+ kMkvFrameRate = 0x2383E3,
+ // end video
+ // colour
+diff --git a/third_party/libwebm/mkvmuxer/mkvmuxer.cc b/third_party/libwebm/mkvmuxer/mkvmuxer.cc
+index 15b9a908d..512031211 100644
+--- a/third_party/libwebm/mkvmuxer/mkvmuxer.cc
++++ b/third_party/libwebm/mkvmuxer/mkvmuxer.cc
+@@ -8,6 +8,8 @@
+
+ #include "mkvmuxer/mkvmuxer.h"
+
++#include <stdint.h>
++
+ #include <cfloat>
+ #include <climits>
+ #include <cstdio>
+@@ -24,11 +26,6 @@
+ #include "mkvmuxer/mkvwriter.h"
+ #include "mkvparser/mkvparser.h"
+
+-// disable deprecation warnings for auto_ptr
+-#if defined(__GNUC__) && __GNUC__ >= 5
+-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-#endif
+-
+ namespace mkvmuxer {
+
+ const float PrimaryChromaticity::kChromaticityMin = 0.0f;
+@@ -72,7 +69,7 @@ bool StrCpy(const char* src, char** dst_ptr) {
+ return true;
+ }
+
+-typedef std::auto_ptr<PrimaryChromaticity> PrimaryChromaticityPtr;
++typedef std::unique_ptr<PrimaryChromaticity> PrimaryChromaticityPtr;
+ bool CopyChromaticity(const PrimaryChromaticity* src,
+ PrimaryChromaticityPtr* dst) {
+ if (!dst)
+@@ -776,6 +773,14 @@ bool Track::Write(IMkvWriter* writer) const {
+ if (!type_ || !codec_id_)
+ return false;
+
++ // AV1 tracks require a CodecPrivate. See
++ // https://github.com/Matroska-Org/matroska-specification/blob/av1-mappin/codec/av1.md
++ // TODO(tomfinegan): Update the above link to the AV1 Matroska mappings to
++ // point to a stable version once it is finalized, or our own WebM mappings
++ // page on webmproject.org should we decide to release them.
++ if (!strcmp(codec_id_, Tracks::kAv1CodecId) && !codec_private_)
++ return false;
++
+ // |size| may be bigger than what is written out in this function because
+ // derived classes may write out more data in the Track element.
+ const uint64_t payload_size = PayloadSize();
+@@ -1030,19 +1035,16 @@ bool MasteringMetadata::Write(IMkvWriter* writer) const {
+ !WriteEbmlElement(writer, libwebm::kMkvLuminanceMin, luminance_min_)) {
+ return false;
+ }
+- if (r_ &&
+- !r_->Write(writer, libwebm::kMkvPrimaryRChromaticityX,
+- libwebm::kMkvPrimaryRChromaticityY)) {
++ if (r_ && !r_->Write(writer, libwebm::kMkvPrimaryRChromaticityX,
++ libwebm::kMkvPrimaryRChromaticityY)) {
+ return false;
+ }
+- if (g_ &&
+- !g_->Write(writer, libwebm::kMkvPrimaryGChromaticityX,
+- libwebm::kMkvPrimaryGChromaticityY)) {
++ if (g_ && !g_->Write(writer, libwebm::kMkvPrimaryGChromaticityX,
++ libwebm::kMkvPrimaryGChromaticityY)) {
+ return false;
+ }
+- if (b_ &&
+- !b_->Write(writer, libwebm::kMkvPrimaryBChromaticityX,
+- libwebm::kMkvPrimaryBChromaticityY)) {
++ if (b_ && !b_->Write(writer, libwebm::kMkvPrimaryBChromaticityX,
++ libwebm::kMkvPrimaryBChromaticityY)) {
+ return false;
+ }
+ if (white_point_ &&
+@@ -1057,22 +1059,22 @@ bool MasteringMetadata::Write(IMkvWriter* writer) const {
+ bool MasteringMetadata::SetChromaticity(
+ const PrimaryChromaticity* r, const PrimaryChromaticity* g,
+ const PrimaryChromaticity* b, const PrimaryChromaticity* white_point) {
+- PrimaryChromaticityPtr r_ptr(NULL);
++ PrimaryChromaticityPtr r_ptr(nullptr);
+ if (r) {
+ if (!CopyChromaticity(r, &r_ptr))
+ return false;
+ }
+- PrimaryChromaticityPtr g_ptr(NULL);
++ PrimaryChromaticityPtr g_ptr(nullptr);
+ if (g) {
+ if (!CopyChromaticity(g, &g_ptr))
+ return false;
+ }
+- PrimaryChromaticityPtr b_ptr(NULL);
++ PrimaryChromaticityPtr b_ptr(nullptr);
+ if (b) {
+ if (!CopyChromaticity(b, &b_ptr))
+ return false;
+ }
+- PrimaryChromaticityPtr wp_ptr(NULL);
++ PrimaryChromaticityPtr wp_ptr(nullptr);
+ if (white_point) {
+ if (!CopyChromaticity(white_point, &wp_ptr))
+ return false;
+@@ -1238,7 +1240,7 @@ bool Colour::Write(IMkvWriter* writer) const {
+ }
+
+ bool Colour::SetMasteringMetadata(const MasteringMetadata& mastering_metadata) {
+- std::auto_ptr<MasteringMetadata> mm_ptr(new MasteringMetadata());
++ std::unique_ptr<MasteringMetadata> mm_ptr(new MasteringMetadata());
+ if (!mm_ptr.get())
+ return false;
+
+@@ -1424,6 +1426,7 @@ VideoTrack::VideoTrack(unsigned int* seed)
+ stereo_mode_(0),
+ alpha_mode_(0),
+ width_(0),
++ colour_space_(NULL),
+ colour_(NULL),
+ projection_(NULL) {}
+
+@@ -1521,6 +1524,10 @@ bool VideoTrack::Write(IMkvWriter* writer) const {
+ static_cast<uint64>(alpha_mode_)))
+ return false;
+ }
++ if (colour_space_) {
++ if (!WriteEbmlElement(writer, libwebm::kMkvColourSpace, colour_space_))
++ return false;
++ }
+ if (frame_rate_ > 0.0) {
+ if (!WriteEbmlElement(writer, libwebm::kMkvFrameRate,
+ static_cast<float>(frame_rate_))) {
+@@ -1545,8 +1552,24 @@ bool VideoTrack::Write(IMkvWriter* writer) const {
+ return true;
+ }
+
++void VideoTrack::set_colour_space(const char* colour_space) {
++ if (colour_space) {
++ delete[] colour_space_;
++
++ const size_t length = strlen(colour_space) + 1;
++ colour_space_ = new (std::nothrow) char[length]; // NOLINT
++ if (colour_space_) {
++#ifdef _MSC_VER
++ strcpy_s(colour_space_, length, colour_space);
++#else
++ strcpy(colour_space_, colour_space);
++#endif
++ }
++ }
++}
++
+ bool VideoTrack::SetColour(const Colour& colour) {
+- std::auto_ptr<Colour> colour_ptr(new Colour());
++ std::unique_ptr<Colour> colour_ptr(new Colour());
+ if (!colour_ptr.get())
+ return false;
+
+@@ -1574,7 +1597,7 @@ bool VideoTrack::SetColour(const Colour& colour) {
+ }
+
+ bool VideoTrack::SetProjection(const Projection& projection) {
+- std::auto_ptr<Projection> projection_ptr(new Projection());
++ std::unique_ptr<Projection> projection_ptr(new Projection());
+ if (!projection_ptr.get())
+ return false;
+
+@@ -1628,6 +1651,8 @@ uint64_t VideoTrack::VideoPayloadSize() const {
+ if (frame_rate_ > 0.0)
+ size += EbmlElementSize(libwebm::kMkvFrameRate,
+ static_cast<float>(frame_rate_));
++ if (colour_space_)
++ size += EbmlElementSize(libwebm::kMkvColourSpace, colour_space_);
+ if (colour_)
+ size += colour_->ColourSize();
+ if (projection_)
+@@ -1705,9 +1730,9 @@ bool AudioTrack::Write(IMkvWriter* writer) const {
+
+ const char Tracks::kOpusCodecId[] = "A_OPUS";
+ const char Tracks::kVorbisCodecId[] = "A_VORBIS";
++const char Tracks::kAv1CodecId[] = "V_AV1";
+ const char Tracks::kVp8CodecId[] = "V_VP8";
+ const char Tracks::kVp9CodecId[] = "V_VP9";
+-const char Tracks::kVp10CodecId[] = "V_VP10";
+ const char Tracks::kWebVttCaptionsId[] = "D_WEBVTT/CAPTIONS";
+ const char Tracks::kWebVttDescriptionsId[] = "D_WEBVTT/DESCRIPTIONS";
+ const char Tracks::kWebVttMetadataId[] = "D_WEBVTT/METADATA";
+@@ -2666,7 +2691,7 @@ bool Cluster::QueueOrWriteFrame(const Frame* const frame) {
+ // and write it if it is okay to do so (i.e.) no other track has an held back
+ // frame with timestamp <= the timestamp of the frame in question.
+ std::vector<std::list<Frame*>::iterator> frames_to_erase;
+- for (std::list<Frame *>::iterator
++ for (std::list<Frame*>::iterator
+ current_track_iterator = stored_frames_[track_number].begin(),
+ end = --stored_frames_[track_number].end();
+ current_track_iterator != end; ++current_track_iterator) {
+@@ -4168,8 +4193,8 @@ bool Segment::DocTypeIsWebm() const {
+ // TODO(vigneshv): Tweak .clang-format.
+ const char* kWebmCodecIds[kNumCodecIds] = {
+ Tracks::kOpusCodecId, Tracks::kVorbisCodecId,
+- Tracks::kVp8CodecId, Tracks::kVp9CodecId,
+- Tracks::kVp10CodecId, Tracks::kWebVttCaptionsId,
++ Tracks::kAv1CodecId, Tracks::kVp8CodecId,
++ Tracks::kVp9CodecId, Tracks::kWebVttCaptionsId,
+ Tracks::kWebVttDescriptionsId, Tracks::kWebVttMetadataId,
+ Tracks::kWebVttSubtitlesId};
+
+diff --git a/third_party/libwebm/mkvmuxer/mkvmuxer.h b/third_party/libwebm/mkvmuxer/mkvmuxer.h
+index 46b0029dc..f2db37714 100644
+--- a/third_party/libwebm/mkvmuxer/mkvmuxer.h
++++ b/third_party/libwebm/mkvmuxer/mkvmuxer.h
+@@ -795,6 +795,8 @@ class VideoTrack : public Track {
+ uint64_t alpha_mode() { return alpha_mode_; }
+ void set_width(uint64_t width) { width_ = width; }
+ uint64_t width() const { return width_; }
++ void set_colour_space(const char* colour_space);
++ const char* colour_space() const { return colour_space_; }
+
+ Colour* colour() { return colour_; }
+
+@@ -824,6 +826,7 @@ class VideoTrack : public Track {
+ uint64_t stereo_mode_;
+ uint64_t alpha_mode_;
+ uint64_t width_;
++ char* colour_space_;
+
+ Colour* colour_;
+ Projection* projection_;
+@@ -871,9 +874,9 @@ class Tracks {
+
+ static const char kOpusCodecId[];
+ static const char kVorbisCodecId[];
++ static const char kAv1CodecId[];
+ static const char kVp8CodecId[];
+ static const char kVp9CodecId[];
+- static const char kVp10CodecId[];
+ static const char kWebVttCaptionsId[];
+ static const char kWebVttDescriptionsId[];
+ static const char kWebVttMetadataId[];
+diff --git a/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc b/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc
+index 355d4e22b..7636a9f4e 100644
+--- a/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc
++++ b/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc
+@@ -136,9 +136,8 @@ uint64 WriteBlock(IMkvWriter* writer, const Frame* const frame, int64 timecode,
+ return false;
+ }
+
+- if (!frame->is_key() &&
+- !WriteEbmlElement(writer, libwebm::kMkvReferenceBlock,
+- reference_block_timestamp)) {
++ if (!frame->is_key() && !WriteEbmlElement(writer, libwebm::kMkvReferenceBlock,
++ reference_block_timestamp)) {
+ return false;
+ }
+
+@@ -563,10 +562,10 @@ uint64 WriteFrame(IMkvWriter* writer, const Frame* const frame,
+ if (relative_timecode < 0 || relative_timecode > kMaxBlockTimecode)
+ return 0;
+
+- return frame->CanBeSimpleBlock() ?
+- WriteSimpleBlock(writer, frame, relative_timecode) :
+- WriteBlock(writer, frame, relative_timecode,
+- cluster->timecode_scale());
++ return frame->CanBeSimpleBlock()
++ ? WriteSimpleBlock(writer, frame, relative_timecode)
++ : WriteBlock(writer, frame, relative_timecode,
++ cluster->timecode_scale());
+ }
+
+ uint64 WriteVoidElement(IMkvWriter* writer, uint64 size) {
+diff --git a/third_party/libwebm/mkvmuxer/mkvmuxerutil.h b/third_party/libwebm/mkvmuxer/mkvmuxerutil.h
+index 132388da5..3355428bd 100644
+--- a/third_party/libwebm/mkvmuxer/mkvmuxerutil.h
++++ b/third_party/libwebm/mkvmuxer/mkvmuxerutil.h
+@@ -31,6 +31,9 @@ const int64 kMaxBlockTimecode = 0x07FFFLL;
+ // Writes out |value| in Big Endian order. Returns 0 on success.
+ int32 SerializeInt(IMkvWriter* writer, int64 value, int32 size);
+
++// Writes out |f| in Big Endian order. Returns 0 on success.
++int32 SerializeFloat(IMkvWriter* writer, float f);
++
+ // Returns the size in bytes of the element.
+ int32 GetUIntSize(uint64 value);
+ int32 GetIntSize(int64 value);
+diff --git a/third_party/libwebm/mkvmuxer/mkvwriter.cc b/third_party/libwebm/mkvmuxer/mkvwriter.cc
+index 84655d802..d668384d8 100644
+--- a/third_party/libwebm/mkvmuxer/mkvwriter.cc
++++ b/third_party/libwebm/mkvmuxer/mkvwriter.cc
+@@ -78,6 +78,8 @@ int32 MkvWriter::Position(int64 position) {
+
+ #ifdef _MSC_VER
+ return _fseeki64(file_, position, SEEK_SET);
++#elif defined(_WIN32)
++ return fseeko64(file_, static_cast<off_t>(position), SEEK_SET);
+ #else
+ return fseeko(file_, static_cast<off_t>(position), SEEK_SET);
+ #endif
+diff --git a/third_party/libwebm/mkvparser/mkvparser.cc b/third_party/libwebm/mkvparser/mkvparser.cc
+index 37f230d0a..dcb969dcf 100644
+--- a/third_party/libwebm/mkvparser/mkvparser.cc
++++ b/third_party/libwebm/mkvparser/mkvparser.cc
+@@ -22,12 +22,8 @@
+
+ #include "common/webmids.h"
+
+-// disable deprecation warnings for auto_ptr
+-#if defined(__GNUC__) && __GNUC__ >= 5
+-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-#endif
+-
+ namespace mkvparser {
++const long long kStringElementSizeLimit = 20 * 1000 * 1000;
+ const float MasteringMetadata::kValueNotPresent = FLT_MAX;
+ const long long Colour::kValueNotPresent = LLONG_MAX;
+ const float Projection::kValueNotPresent = FLT_MAX;
+@@ -40,8 +36,6 @@ inline bool isnan(double val) { return std::isnan(val); }
+ inline bool isinf(double val) { return std::isinf(val); }
+ #endif // MSC_COMPAT
+
+-IMkvReader::~IMkvReader() {}
+-
+ template <typename Type>
+ Type* SafeArrayAlloc(unsigned long long num_elements,
+ unsigned long long element_size) {
+@@ -330,7 +324,7 @@ long UnserializeString(IMkvReader* pReader, long long pos, long long size,
+ delete[] str;
+ str = NULL;
+
+- if (size >= LONG_MAX || size < 0)
++ if (size >= LONG_MAX || size < 0 || size > kStringElementSizeLimit)
+ return E_FILE_FORMAT_INVALID;
+
+ // +1 for '\0' terminator
+@@ -5015,7 +5009,7 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start,
+ if (!reader || *mm)
+ return false;
+
+- std::auto_ptr<MasteringMetadata> mm_ptr(new MasteringMetadata());
++ std::unique_ptr<MasteringMetadata> mm_ptr(new MasteringMetadata());
+ if (!mm_ptr.get())
+ return false;
+
+@@ -5035,6 +5029,10 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start,
+ double value = 0;
+ const long long value_parse_status =
+ UnserializeFloat(reader, read_pos, child_size, value);
++ if (value < -FLT_MAX || value > FLT_MAX ||
++ (value > 0.0 && value < FLT_MIN)) {
++ return false;
++ }
+ mm_ptr->luminance_max = static_cast<float>(value);
+ if (value_parse_status < 0 || mm_ptr->luminance_max < 0.0 ||
+ mm_ptr->luminance_max > 9999.99) {
+@@ -5044,6 +5042,10 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start,
+ double value = 0;
+ const long long value_parse_status =
+ UnserializeFloat(reader, read_pos, child_size, value);
++ if (value < -FLT_MAX || value > FLT_MAX ||
++ (value > 0.0 && value < FLT_MIN)) {
++ return false;
++ }
+ mm_ptr->luminance_min = static_cast<float>(value);
+ if (value_parse_status < 0 || mm_ptr->luminance_min < 0.0 ||
+ mm_ptr->luminance_min > 999.9999) {
+@@ -5096,7 +5098,7 @@ bool Colour::Parse(IMkvReader* reader, long long colour_start,
+ if (!reader || *colour)
+ return false;
+
+- std::auto_ptr<Colour> colour_ptr(new Colour());
++ std::unique_ptr<Colour> colour_ptr(new Colour());
+ if (!colour_ptr.get())
+ return false;
+
+@@ -5194,7 +5196,7 @@ bool Projection::Parse(IMkvReader* reader, long long start, long long size,
+ if (!reader || *projection)
+ return false;
+
+- std::auto_ptr<Projection> projection_ptr(new Projection());
++ std::unique_ptr<Projection> projection_ptr(new Projection());
+ if (!projection_ptr.get())
+ return false;
+
+@@ -5270,6 +5272,7 @@ bool Projection::Parse(IMkvReader* reader, long long start, long long size,
+ VideoTrack::VideoTrack(Segment* pSegment, long long element_start,
+ long long element_size)
+ : Track(pSegment, element_start, element_size),
++ m_colour_space(NULL),
+ m_colour(NULL),
+ m_projection(NULL) {}
+
+@@ -5295,6 +5298,7 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info,
+ long long stereo_mode = 0;
+
+ double rate = 0.0;
++ char* colour_space = NULL;
+
+ IMkvReader* const pReader = pSegment->m_pReader;
+
+@@ -5307,8 +5311,8 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info,
+
+ const long long stop = pos + s.size;
+
+- Colour* colour = NULL;
+- Projection* projection = NULL;
++ std::unique_ptr<Colour> colour_ptr;
++ std::unique_ptr<Projection> projection_ptr;
+
+ while (pos < stop) {
+ long long id, size;
+@@ -5357,11 +5361,23 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info,
+ if (rate <= 0)
+ return E_FILE_FORMAT_INVALID;
+ } else if (id == libwebm::kMkvColour) {
+- if (!Colour::Parse(pReader, pos, size, &colour))
++ Colour* colour = NULL;
++ if (!Colour::Parse(pReader, pos, size, &colour)) {
+ return E_FILE_FORMAT_INVALID;
++ } else {
++ colour_ptr.reset(colour);
++ }
+ } else if (id == libwebm::kMkvProjection) {
+- if (!Projection::Parse(pReader, pos, size, &projection))
++ Projection* projection = NULL;
++ if (!Projection::Parse(pReader, pos, size, &projection)) {
+ return E_FILE_FORMAT_INVALID;
++ } else {
++ projection_ptr.reset(projection);
++ }
++ } else if (id == libwebm::kMkvColourSpace) {
++ const long status = UnserializeString(pReader, pos, size, colour_space);
++ if (status < 0)
++ return status;
+ }
+
+ pos += size; // consume payload
+@@ -5392,8 +5408,9 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info,
+ pTrack->m_display_unit = display_unit;
+ pTrack->m_stereo_mode = stereo_mode;
+ pTrack->m_rate = rate;
+- pTrack->m_colour = colour;
+- pTrack->m_projection = projection;
++ pTrack->m_colour = colour_ptr.release();
++ pTrack->m_colour_space = colour_space;
++ pTrack->m_projection = projection_ptr.release();
+
+ pResult = pTrack;
+ return 0; // success
+@@ -7903,6 +7920,10 @@ long Block::Parse(const Cluster* pCluster) {
+ return E_FILE_FORMAT_INVALID;
+
+ curr.len = static_cast<long>(frame_size);
++ // Check if size + curr.len could overflow.
++ if (size > LLONG_MAX - curr.len) {
++ return E_FILE_FORMAT_INVALID;
++ }
+ size += curr.len; // contribution of this frame
+
+ --frame_count;
+@@ -7964,6 +7985,11 @@ long long Block::GetTimeCode(const Cluster* pCluster) const {
+ const long long tc0 = pCluster->GetTimeCode();
+ assert(tc0 >= 0);
+
++ // Check if tc0 + m_timecode would overflow.
++ if (tc0 < 0 || LLONG_MAX - tc0 < m_timecode) {
++ return -1;
++ }
++
+ const long long tc = tc0 + m_timecode;
+
+ return tc; // unscaled timecode units
+@@ -7981,6 +8007,10 @@ long long Block::GetTime(const Cluster* pCluster) const {
+ const long long scale = pInfo->GetTimeCodeScale();
+ assert(scale >= 1);
+
++ // Check if tc * scale could overflow.
++ if (tc != 0 && scale > LLONG_MAX / tc) {
++ return -1;
++ }
+ const long long ns = tc * scale;
+
+ return ns;
+diff --git a/third_party/libwebm/mkvparser/mkvparser.h b/third_party/libwebm/mkvparser/mkvparser.h
+index 26c2b7e5e..848d01f03 100644
+--- a/third_party/libwebm/mkvparser/mkvparser.h
++++ b/third_party/libwebm/mkvparser/mkvparser.h
+@@ -22,7 +22,7 @@ class IMkvReader {
+ virtual int Length(long long* total, long long* available) = 0;
+
+ protected:
+- virtual ~IMkvReader();
++ virtual ~IMkvReader() {}
+ };
+
+ template <typename Type>
+@@ -527,6 +527,8 @@ class VideoTrack : public Track {
+
+ Projection* GetProjection() const;
+
++ const char* GetColourSpace() const { return m_colour_space; }
++
+ private:
+ long long m_width;
+ long long m_height;
+@@ -534,7 +536,7 @@ class VideoTrack : public Track {
+ long long m_display_height;
+ long long m_display_unit;
+ long long m_stereo_mode;
+-
++ char* m_colour_space;
+ double m_rate;
+
+ Colour* m_colour;
+diff --git a/third_party/libwebm/mkvparser/mkvreader.cc b/third_party/libwebm/mkvparser/mkvreader.cc
+index 23d68f508..9d19c1be5 100644
+--- a/third_party/libwebm/mkvparser/mkvreader.cc
++++ b/third_party/libwebm/mkvparser/mkvreader.cc
+@@ -118,6 +118,8 @@ int MkvReader::Read(long long offset, long len, unsigned char* buffer) {
+
+ if (status)
+ return -1; // error
++#elif defined(_WIN32)
++ fseeko64(m_file, static_cast<off_t>(offset), SEEK_SET);
+ #else
+ fseeko(m_file, static_cast<off_t>(offset), SEEK_SET);
+ #endif
+--
+2.25.1
+
diff --git a/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch b/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
new file mode 100644
index 0000000..3e64446
--- /dev/null
+++ b/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
@@ -0,0 +1,71 @@
+From d06fa15d1c113edea0d6760ea19af8e8d0af0d94 Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Fri, 7 Jun 2019 15:06:29 -0700
+Subject: [PATCH 4/4] CVE-2019-2126: update libwebm to
+ libwebm-1.0.0.27-361-g81de00c
+
+81de00c Check there is only one settings per ContentCompression
+5623013 Fixes a double free in ContentEncoding
+93b2ba0 mkvparser: quiet static analysis warnings
+
+Change-Id: Ieaa562ef2f10075381bd856388e6b29f97ca2746
+---
+ third_party/libwebm/README.libvpx | 2 +-
+ third_party/libwebm/mkvparser/mkvparser.cc | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/libwebm/README.libvpx b/third_party/libwebm/README.libvpx
+index 16f17513e..714f5d0eb 100644
+--- a/third_party/libwebm/README.libvpx
++++ b/third_party/libwebm/README.libvpx
+@@ -1,5 +1,5 @@
+ URL: https://chromium.googlesource.com/webm/libwebm
+-Version: dbf1d1089756e7cb5b1a04d6752310ef35912347
++Version: 81de00c43ea3c087b48a8c20337db7531b9f7612
+ License: BSD
+ License File: LICENSE.txt
+
+diff --git a/third_party/libwebm/mkvparser/mkvparser.cc b/third_party/libwebm/mkvparser/mkvparser.cc
+index dcb969dcf..ace65bd59 100644
+--- a/third_party/libwebm/mkvparser/mkvparser.cc
++++ b/third_party/libwebm/mkvparser/mkvparser.cc
+@@ -4230,6 +4230,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ new (std::nothrow) ContentEncryption*[encryption_count];
+ if (!encryption_entries_) {
+ delete[] compression_entries_;
++ compression_entries_ = NULL;
+ return -1;
+ }
+ encryption_entries_end_ = encryption_entries_;
+@@ -4261,6 +4262,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ delete compression;
+ return status;
+ }
++ assert(compression_count > 0);
+ *compression_entries_end_++ = compression;
+ } else if (id == libwebm::kMkvContentEncryption) {
+ ContentEncryption* const encryption =
+@@ -4273,6 +4275,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ delete encryption;
+ return status;
+ }
++ assert(encryption_count > 0);
+ *encryption_entries_end_++ = encryption;
+ }
+
+@@ -4325,6 +4328,12 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
+ return status;
+ }
+
++ // There should be only one settings element per content compression.
++ if (compression->settings != NULL) {
++ delete[] buf;
++ return E_FILE_FORMAT_INVALID;
++ }
++
+ compression->settings = buf;
+ compression->settings_len = buflen;
+ }
+--
+2.25.1
+
diff --git a/SPECS/libvpx.spec b/SPECS/libvpx.spec
index 77d7413..e667c44 100644
--- a/SPECS/libvpx.spec
+++ b/SPECS/libvpx.spec
@@ -6,7 +6,7 @@
Name: libvpx
Summary: VP8/VP9 Video Codec SDK
Version: 1.7.0
-Release: 6%{?dist}
+Release: 8%{?dist}
License: BSD
Group: System Environment/Libraries
#Source0: http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@@ -18,9 +18,13 @@ URL: http://www.webmproject.org/code/
%ifarch %{ix86} x86_64
BuildRequires: yasm
%endif
-BuildRequires: doxygen, php-cli, perl(Getopt::Long)
+BuildRequires: doxygen, perl(Getopt::Long)
# Do not disable FORTIFY_SOURCE=2
Patch0: libvpx-1.7.0-leave-fortify-source-on.patch
+Patch1: 0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
+Patch2: 0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
+Patch3: 0003-CVE-2019-9371-update-libwebm.patch
+Patch4: 0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
%description
libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications
@@ -48,6 +52,10 @@ and decoder.
%prep
%setup -q -n libvpx-%{version}
%patch0 -p1 -b .leave-fs-on
+%patch1 -p1 -b .0001
+%patch2 -p1 -b .0002
+%patch3 -p1 -b .0003
+%patch4 -p1 -b .0004
%build
%ifarch %{ix86}
@@ -93,7 +101,7 @@ CROSS=armv7hl-redhat-linux-gnueabi- CHOST=armv7hl-redhat-linux-gnueabi-hardfloat
--enable-pic --disable-install-srcs \
--enable-vp9-decoder --enable-vp9-encoder \
--enable-experimental --enable-spatial-svc \
---enable-vp9-highbitdepth \
+--enable-vp9-highbitdepth --enable-webm-io \
%if ! %{generic_target}
--enable-shared \
%endif
@@ -237,6 +245,15 @@ rm -rf %{buildroot}%{_prefix}/src
%{_bindir}/*
%changelog
+* Wed Apr 1 2020 Wim Taymans <wtaymans@redhat.com> - 1.7.0-8
+- Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454
+- Enable webm-io explicitly
+
+* Wed Mar 25 2020 Wim Taymans <wtaymans@redhat.com> - 1.7.0-7
+- Fix for CVE-2019-9232, CVE-2019-9433, CVE-2019-9371, CVE-2019-2126
+- Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454
+- Remove php-cli BR
+
* Tue Oct 09 2018 Wim Taymans <wtaymans@redhat.com> - 1.7.0-6
- Set build flags in all cases
- Resolves: #1630588