diff --git a/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
new file mode 100644
index 0000000..01bbd4a
--- /dev/null
+++ b/SOURCES/0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
@@ -0,0 +1,45 @@
+From 953b0b85f8462efeac179341c912617c1bae8d4c Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 25 Mar 2020 13:39:30 +0100
+Subject: [PATCH 1/2] CVE-2019-9232: Fix OOB memory access on fuzzed data
+
+vp8_norm table has 256 elements while index to it can be higher on
+fuzzed data. Typecasting it to unsigned char will ensure valid range and
+will trigger proper error later. Also declaring "shift" as unsigned char to
+avoid UB sanitizer warning
+
+BUG=b/122373286,b/122373822,b/122371119
+---
+ vp8/decoder/dboolhuff.h | 2 +-
+ vpx_dsp/bitreader.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vp8/decoder/dboolhuff.h b/vp8/decoder/dboolhuff.h
+index 04c027cd7..f3b080509 100644
+--- a/vp8/decoder/dboolhuff.h
++++ b/vp8/decoder/dboolhuff.h
+@@ -76,7 +76,7 @@ static int vp8dx_decode_bool(BOOL_DECODER *br, int probability) {
+ }
+
+ {
+- register int shift = vp8_norm[range];
++ register unsigned char shift = vp8_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+diff --git a/vpx_dsp/bitreader.h b/vpx_dsp/bitreader.h
+index 6ee2a5863..4b87e986c 100644
+--- a/vpx_dsp/bitreader.h
++++ b/vpx_dsp/bitreader.h
+@@ -94,7 +94,7 @@ static INLINE int vpx_read(vpx_reader *r, int prob) {
+ }
+
+ {
+- register int shift = vpx_norm[range];
++ register unsigned char shift = vpx_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+--
+2.25.1
+
diff --git a/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
new file mode 100644
index 0000000..458a45e
--- /dev/null
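Review bot: The `(unsigned char)range` cast in the two `vp8_norm[...]` / `vpx_norm[...]` lookups folds an out-of-range `range` into a valid table index instead of rejecting it, and nothing in the hunk shows the "proper error later" that the commit message relies on; the check that would catch the corrupt `range` value, if any, lives in callers outside the hunk. A later maintainer can easily read the cast as redundant and drop it, reintroducing the out-of-bounds read, so the rationale belongs in the code next to each changed line: `/* range may exceed 255 on corrupt input; the cast keeps the index inside the 256-entry norm table (CVE-2019-9232) */`. Declaring `shift` as `unsigned char` is fine for the three `<<=`/`-=` uses that follow, since the table values are small. Whether the decoder then fails cleanly depends on `vp8dx_decode_bool`/`vpx_read` callers that are not visible here; both functions extend outside the hunk.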
+++ b/SOURCES/0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
@@ -0,0 +1,33 @@
+From 93681819b22d3f42cf5fdfa85701f38e5bab10dd Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Wed, 25 Mar 2020 13:42:07 +0100
+Subject: [PATCH 2/2] CVE-2019-9433: VP8: Fix use-after-free in postproc.
+
+The pointer in vp8 postproc refers to show_frame_mi which is only
+updated on show frame. However, when there is a no-show frame which also
+changes the size (thus new frame buffers allocated), show_frame_mi is
+not updated with new frame buffer memory.
+
+Change the pointer in postproc to mi which is always updated.
+
+Bug: 842265
+---
+ vp8/common/postproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
+index d67ee8a57..8c292d616 100644
+--- a/vp8/common/postproc.c
++++ b/vp8/common/postproc.c
+@@ -65,7 +65,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BUFFER_CONFIG *source,
+ double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+ int ppl = (int)(level + .5);
+
+- const MODE_INFO *mode_info_context = cm->show_frame_mi;
++ const MODE_INFO *mode_info_context = cm->mi;
+ int mbr, mbc;
+
+ /* The pixel thresholds are adjusted according to if or not the macroblock
+--
+2.25.1
+
diff --git a/SOURCES/0003-CVE-2019-9371-update-libwebm.patch b/SOURCES/0003-CVE-2019-9371-update-libwebm.patch
new file mode 100644
index 0000000..79aba43
--- /dev/null
+++ b/SOURCES/0003-CVE-2019-9371-update-libwebm.patch
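Review bot: Switching `vp8_deblock()` from `cm->show_frame_mi` to `cm->mi` removes the dangling pointer but also changes which frame's mode info drives the per-macroblock thresholds — after a no-show frame, `cm->mi` describes the hidden frame rather than the one being post-processed — and the hunk carries no comment recording that trade-off. Put the reason next to the changed line so nobody "restores" the shown-frame pointer later: `/* cm->show_frame_mi can dangle after a no-show frame reallocates the frame buffers (CVE-2019-9433); cm->mi always tracks the live allocation. */`. The loop that actually reads `mode_info_context` is outside the hunk, so whether the threshold mismatch is visible in output cannot be judged here; vp8_deblock's body continues past the hunk.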
@@ -0,0 +1,755 @@ +From ca1647dda267762c03c8641d2c605a9853a8ac59 Mon Sep 17 00:00:00 2001 +From: Johann +Date: Tue, 24 Apr 2018 15:22:28 -0700 +Subject: [PATCH 3/4] CVE-2019-9371: update libwebm + +update libwebm to libwebm-1.0.0.27-358-gdbf1d10 +--- + configure | 8 +- + third_party/libwebm/AUTHORS.TXT | 8 +- + third_party/libwebm/Android.mk | 2 +- + third_party/libwebm/README.libvpx | 14 +++- + third_party/libwebm/common/file_util.cc | 19 ++++- + third_party/libwebm/common/file_util.h | 5 +- + third_party/libwebm/common/hdr_util.cc | 8 +- + third_party/libwebm/common/hdr_util.h | 10 +-- + third_party/libwebm/common/webmids.h | 1 + + third_party/libwebm/mkvmuxer/mkvmuxer.cc | 77 +++++++++++++------- + third_party/libwebm/mkvmuxer/mkvmuxer.h | 5 +- + third_party/libwebm/mkvmuxer/mkvmuxerutil.cc | 13 ++-- + third_party/libwebm/mkvmuxer/mkvmuxerutil.h | 3 + + third_party/libwebm/mkvmuxer/mkvwriter.cc | 2 + + third_party/libwebm/mkvparser/mkvparser.cc | 64 +++++++++++----- + third_party/libwebm/mkvparser/mkvparser.h | 6 +- + third_party/libwebm/mkvparser/mkvreader.cc | 2 + + 17 files changed, 165 insertions(+), 82 deletions(-) + +diff --git a/configure b/configure +index e5a74c6f2..56d203e6b 100755 +--- a/configure ++++ b/configure +@@ -703,9 +703,7 @@ process_toolchain() { + check_cxx "$@" < +- +-Google Inc. ++# Names should be added to this file like so: ++# Name or Organization ++ ++Google Inc. 
+diff --git a/third_party/libwebm/Android.mk b/third_party/libwebm/Android.mk +index 8149a083f..b46ba101d 100644 +--- a/third_party/libwebm/Android.mk ++++ b/third_party/libwebm/Android.mk +@@ -3,7 +3,7 @@ LOCAL_PATH:= $(call my-dir) + include $(CLEAR_VARS) + LOCAL_MODULE:= libwebm + LOCAL_CPPFLAGS:=-D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS +-LOCAL_CPPFLAGS+=-D__STDC_LIMIT_MACROS -Wno-extern-c-compat ++LOCAL_CPPFLAGS+=-D__STDC_LIMIT_MACROS -std=c++11 + LOCAL_C_INCLUDES:= $(LOCAL_PATH) + LOCAL_EXPORT_C_INCLUDES:= $(LOCAL_PATH) + +diff --git a/third_party/libwebm/README.libvpx b/third_party/libwebm/README.libvpx +index ebb5ff2f4..16f17513e 100644 +--- a/third_party/libwebm/README.libvpx ++++ b/third_party/libwebm/README.libvpx +@@ -1,5 +1,5 @@ + URL: https://chromium.googlesource.com/webm/libwebm +-Version: 0ae757087f5e6eb01dfea16cc09205b2425cfb74 ++Version: dbf1d1089756e7cb5b1a04d6752310ef35912347 + License: BSD + License File: LICENSE.txt + +@@ -7,4 +7,14 @@ Description: + libwebm is used to handle WebM container I/O. + + Local Changes: +-* ++Only keep: ++ - Android.mk ++ - AUTHORS.TXT ++ - common/ ++ file_util.cc/h ++ hdr_util.cc/h ++ webmids.h ++ - LICENSE.TXT ++ - mkvmuxer/ ++ - mkvparser/ ++ - PATENTS.TXT +diff --git a/third_party/libwebm/common/file_util.cc b/third_party/libwebm/common/file_util.cc +index 6dab146dd..6eb6428b9 100644 +--- a/third_party/libwebm/common/file_util.cc ++++ b/third_party/libwebm/common/file_util.cc +@@ -17,14 +17,15 @@ + #include + #include + #include ++#include + + namespace libwebm { + + std::string GetTempFileName() { + #if !defined _MSC_VER && !defined __MINGW32__ + std::string temp_file_name_template_str = +- std::string(std::getenv("TEST_TMPDIR") ? std::getenv("TEST_TMPDIR") : +- ".") + ++ std::string(std::getenv("TEST_TMPDIR") ? 
std::getenv("TEST_TMPDIR") ++ : ".") + + "/libwebm_temp.XXXXXX"; + char* temp_file_name_template = + new char[temp_file_name_template_str.length() + 1]; +@@ -41,7 +42,12 @@ std::string GetTempFileName() { + return temp_file_name; + #else + char tmp_file_name[_MAX_PATH]; ++#if defined _MSC_VER || defined MINGW_HAS_SECURE_API + errno_t err = tmpnam_s(tmp_file_name); ++#else ++ char* fname_pointer = tmpnam(tmp_file_name); ++ int err = (fname_pointer == &tmp_file_name[0]) ? 0 : -1; ++#endif + if (err == 0) { + return std::string(tmp_file_name); + } +@@ -65,6 +71,15 @@ uint64_t GetFileSize(const std::string& file_name) { + return file_size; + } + ++bool GetFileContents(const std::string& file_name, std::string* contents) { ++ std::ifstream file(file_name.c_str()); ++ *contents = std::string(static_cast(GetFileSize(file_name)), 0); ++ if (file.good() && contents->size()) { ++ file.read(&(*contents)[0], contents->size()); ++ } ++ return !file.fail(); ++} ++ + TempFileDeleter::TempFileDeleter() { file_name_ = GetTempFileName(); } + + TempFileDeleter::~TempFileDeleter() { +diff --git a/third_party/libwebm/common/file_util.h b/third_party/libwebm/common/file_util.h +index 0e71eac11..a87373464 100644 +--- a/third_party/libwebm/common/file_util.h ++++ b/third_party/libwebm/common/file_util.h +@@ -22,6 +22,9 @@ std::string GetTempFileName(); + // Returns size of file specified by |file_name|, or 0 upon failure. + uint64_t GetFileSize(const std::string& file_name); + ++// Gets the contents file_name as a string. Returns false on error. ++bool GetFileContents(const std::string& file_name, std::string* contents); ++ + // Manages life of temporary file specified at time of construction. Deletes + // file upon destruction. 
+ class TempFileDeleter { +@@ -38,4 +41,4 @@ class TempFileDeleter { + + } // namespace libwebm + +-#endif // LIBWEBM_COMMON_FILE_UTIL_H_ +\ No newline at end of file ++#endif // LIBWEBM_COMMON_FILE_UTIL_H_ +diff --git a/third_party/libwebm/common/hdr_util.cc b/third_party/libwebm/common/hdr_util.cc +index e1618ce75..916f7170b 100644 +--- a/third_party/libwebm/common/hdr_util.cc ++++ b/third_party/libwebm/common/hdr_util.cc +@@ -36,10 +36,10 @@ bool CopyMasteringMetadata(const mkvparser::MasteringMetadata& parser_mm, + if (MasteringMetadataValuePresent(parser_mm.luminance_min)) + muxer_mm->set_luminance_min(parser_mm.luminance_min); + +- PrimaryChromaticityPtr r_ptr(NULL); +- PrimaryChromaticityPtr g_ptr(NULL); +- PrimaryChromaticityPtr b_ptr(NULL); +- PrimaryChromaticityPtr wp_ptr(NULL); ++ PrimaryChromaticityPtr r_ptr(nullptr); ++ PrimaryChromaticityPtr g_ptr(nullptr); ++ PrimaryChromaticityPtr b_ptr(nullptr); ++ PrimaryChromaticityPtr wp_ptr(nullptr); + + if (parser_mm.r) { + if (!CopyPrimaryChromaticity(*parser_mm.r, &r_ptr)) +diff --git a/third_party/libwebm/common/hdr_util.h b/third_party/libwebm/common/hdr_util.h +index 3ef5388fd..78e2eeb70 100644 +--- a/third_party/libwebm/common/hdr_util.h ++++ b/third_party/libwebm/common/hdr_util.h +@@ -47,15 +47,7 @@ struct Vp9CodecFeatures { + int chroma_subsampling; + }; + +-// disable deprecation warnings for auto_ptr +-#if defined(__GNUC__) && __GNUC__ >= 5 +-#pragma GCC diagnostic push +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +-#endif +-typedef std::auto_ptr PrimaryChromaticityPtr; +-#if defined(__GNUC__) && __GNUC__ >= 5 +-#pragma GCC diagnostic pop +-#endif ++typedef std::unique_ptr PrimaryChromaticityPtr; + + bool CopyPrimaryChromaticity(const mkvparser::PrimaryChromaticity& parser_pc, + PrimaryChromaticityPtr* muxer_pc); +diff --git a/third_party/libwebm/common/webmids.h b/third_party/libwebm/common/webmids.h +index 89d722a71..fc0c20814 100644 +--- a/third_party/libwebm/common/webmids.h ++++ 
b/third_party/libwebm/common/webmids.h +@@ -93,6 +93,7 @@ enum MkvId { + kMkvDisplayHeight = 0x54BA, + kMkvDisplayUnit = 0x54B2, + kMkvAspectRatioType = 0x54B3, ++ kMkvColourSpace = 0x2EB524, + kMkvFrameRate = 0x2383E3, + // end video + // colour +diff --git a/third_party/libwebm/mkvmuxer/mkvmuxer.cc b/third_party/libwebm/mkvmuxer/mkvmuxer.cc +index 15b9a908d..512031211 100644 +--- a/third_party/libwebm/mkvmuxer/mkvmuxer.cc ++++ b/third_party/libwebm/mkvmuxer/mkvmuxer.cc +@@ -8,6 +8,8 @@ + + #include "mkvmuxer/mkvmuxer.h" + ++#include ++ + #include + #include + #include +@@ -24,11 +26,6 @@ + #include "mkvmuxer/mkvwriter.h" + #include "mkvparser/mkvparser.h" + +-// disable deprecation warnings for auto_ptr +-#if defined(__GNUC__) && __GNUC__ >= 5 +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +-#endif +- + namespace mkvmuxer { + + const float PrimaryChromaticity::kChromaticityMin = 0.0f; +@@ -72,7 +69,7 @@ bool StrCpy(const char* src, char** dst_ptr) { + return true; + } + +-typedef std::auto_ptr PrimaryChromaticityPtr; ++typedef std::unique_ptr PrimaryChromaticityPtr; + bool CopyChromaticity(const PrimaryChromaticity* src, + PrimaryChromaticityPtr* dst) { + if (!dst) +@@ -776,6 +773,14 @@ bool Track::Write(IMkvWriter* writer) const { + if (!type_ || !codec_id_) + return false; + ++ // AV1 tracks require a CodecPrivate. See ++ // https://github.com/Matroska-Org/matroska-specification/blob/av1-mappin/codec/av1.md ++ // TODO(tomfinegan): Update the above link to the AV1 Matroska mappings to ++ // point to a stable version once it is finalized, or our own WebM mappings ++ // page on webmproject.org should we decide to release them. ++ if (!strcmp(codec_id_, Tracks::kAv1CodecId) && !codec_private_) ++ return false; ++ + // |size| may be bigger than what is written out in this function because + // derived classes may write out more data in the Track element. 
+ const uint64_t payload_size = PayloadSize(); +@@ -1030,19 +1035,16 @@ bool MasteringMetadata::Write(IMkvWriter* writer) const { + !WriteEbmlElement(writer, libwebm::kMkvLuminanceMin, luminance_min_)) { + return false; + } +- if (r_ && +- !r_->Write(writer, libwebm::kMkvPrimaryRChromaticityX, +- libwebm::kMkvPrimaryRChromaticityY)) { ++ if (r_ && !r_->Write(writer, libwebm::kMkvPrimaryRChromaticityX, ++ libwebm::kMkvPrimaryRChromaticityY)) { + return false; + } +- if (g_ && +- !g_->Write(writer, libwebm::kMkvPrimaryGChromaticityX, +- libwebm::kMkvPrimaryGChromaticityY)) { ++ if (g_ && !g_->Write(writer, libwebm::kMkvPrimaryGChromaticityX, ++ libwebm::kMkvPrimaryGChromaticityY)) { + return false; + } +- if (b_ && +- !b_->Write(writer, libwebm::kMkvPrimaryBChromaticityX, +- libwebm::kMkvPrimaryBChromaticityY)) { ++ if (b_ && !b_->Write(writer, libwebm::kMkvPrimaryBChromaticityX, ++ libwebm::kMkvPrimaryBChromaticityY)) { + return false; + } + if (white_point_ && +@@ -1057,22 +1059,22 @@ bool MasteringMetadata::Write(IMkvWriter* writer) const { + bool MasteringMetadata::SetChromaticity( + const PrimaryChromaticity* r, const PrimaryChromaticity* g, + const PrimaryChromaticity* b, const PrimaryChromaticity* white_point) { +- PrimaryChromaticityPtr r_ptr(NULL); ++ PrimaryChromaticityPtr r_ptr(nullptr); + if (r) { + if (!CopyChromaticity(r, &r_ptr)) + return false; + } +- PrimaryChromaticityPtr g_ptr(NULL); ++ PrimaryChromaticityPtr g_ptr(nullptr); + if (g) { + if (!CopyChromaticity(g, &g_ptr)) + return false; + } +- PrimaryChromaticityPtr b_ptr(NULL); ++ PrimaryChromaticityPtr b_ptr(nullptr); + if (b) { + if (!CopyChromaticity(b, &b_ptr)) + return false; + } +- PrimaryChromaticityPtr wp_ptr(NULL); ++ PrimaryChromaticityPtr wp_ptr(nullptr); + if (white_point) { + if (!CopyChromaticity(white_point, &wp_ptr)) + return false; +@@ -1238,7 +1240,7 @@ bool Colour::Write(IMkvWriter* writer) const { + } + + bool Colour::SetMasteringMetadata(const MasteringMetadata& 
mastering_metadata) { +- std::auto_ptr mm_ptr(new MasteringMetadata()); ++ std::unique_ptr mm_ptr(new MasteringMetadata()); + if (!mm_ptr.get()) + return false; + +@@ -1424,6 +1426,7 @@ VideoTrack::VideoTrack(unsigned int* seed) + stereo_mode_(0), + alpha_mode_(0), + width_(0), ++ colour_space_(NULL), + colour_(NULL), + projection_(NULL) {} + +@@ -1521,6 +1524,10 @@ bool VideoTrack::Write(IMkvWriter* writer) const { + static_cast(alpha_mode_))) + return false; + } ++ if (colour_space_) { ++ if (!WriteEbmlElement(writer, libwebm::kMkvColourSpace, colour_space_)) ++ return false; ++ } + if (frame_rate_ > 0.0) { + if (!WriteEbmlElement(writer, libwebm::kMkvFrameRate, + static_cast(frame_rate_))) { +@@ -1545,8 +1552,24 @@ bool VideoTrack::Write(IMkvWriter* writer) const { + return true; + } + ++void VideoTrack::set_colour_space(const char* colour_space) { ++ if (colour_space) { ++ delete[] colour_space_; ++ ++ const size_t length = strlen(colour_space) + 1; ++ colour_space_ = new (std::nothrow) char[length]; // NOLINT ++ if (colour_space_) { ++#ifdef _MSC_VER ++ strcpy_s(colour_space_, length, colour_space); ++#else ++ strcpy(colour_space_, colour_space); ++#endif ++ } ++ } ++} ++ + bool VideoTrack::SetColour(const Colour& colour) { +- std::auto_ptr colour_ptr(new Colour()); ++ std::unique_ptr colour_ptr(new Colour()); + if (!colour_ptr.get()) + return false; + +@@ -1574,7 +1597,7 @@ bool VideoTrack::SetColour(const Colour& colour) { + } + + bool VideoTrack::SetProjection(const Projection& projection) { +- std::auto_ptr projection_ptr(new Projection()); ++ std::unique_ptr projection_ptr(new Projection()); + if (!projection_ptr.get()) + return false; + +@@ -1628,6 +1651,8 @@ uint64_t VideoTrack::VideoPayloadSize() const { + if (frame_rate_ > 0.0) + size += EbmlElementSize(libwebm::kMkvFrameRate, + static_cast(frame_rate_)); ++ if (colour_space_) ++ size += EbmlElementSize(libwebm::kMkvColourSpace, colour_space_); + if (colour_) + size += colour_->ColourSize(); + if 
(projection_) +@@ -1705,9 +1730,9 @@ bool AudioTrack::Write(IMkvWriter* writer) const { + + const char Tracks::kOpusCodecId[] = "A_OPUS"; + const char Tracks::kVorbisCodecId[] = "A_VORBIS"; ++const char Tracks::kAv1CodecId[] = "V_AV1"; + const char Tracks::kVp8CodecId[] = "V_VP8"; + const char Tracks::kVp9CodecId[] = "V_VP9"; +-const char Tracks::kVp10CodecId[] = "V_VP10"; + const char Tracks::kWebVttCaptionsId[] = "D_WEBVTT/CAPTIONS"; + const char Tracks::kWebVttDescriptionsId[] = "D_WEBVTT/DESCRIPTIONS"; + const char Tracks::kWebVttMetadataId[] = "D_WEBVTT/METADATA"; +@@ -2666,7 +2691,7 @@ bool Cluster::QueueOrWriteFrame(const Frame* const frame) { + // and write it if it is okay to do so (i.e.) no other track has an held back + // frame with timestamp <= the timestamp of the frame in question. + std::vector::iterator> frames_to_erase; +- for (std::list::iterator ++ for (std::list::iterator + current_track_iterator = stored_frames_[track_number].begin(), + end = --stored_frames_[track_number].end(); + current_track_iterator != end; ++current_track_iterator) { +@@ -4168,8 +4193,8 @@ bool Segment::DocTypeIsWebm() const { + // TODO(vigneshv): Tweak .clang-format. 
+ const char* kWebmCodecIds[kNumCodecIds] = { + Tracks::kOpusCodecId, Tracks::kVorbisCodecId, +- Tracks::kVp8CodecId, Tracks::kVp9CodecId, +- Tracks::kVp10CodecId, Tracks::kWebVttCaptionsId, ++ Tracks::kAv1CodecId, Tracks::kVp8CodecId, ++ Tracks::kVp9CodecId, Tracks::kWebVttCaptionsId, + Tracks::kWebVttDescriptionsId, Tracks::kWebVttMetadataId, + Tracks::kWebVttSubtitlesId}; + +diff --git a/third_party/libwebm/mkvmuxer/mkvmuxer.h b/third_party/libwebm/mkvmuxer/mkvmuxer.h +index 46b0029dc..f2db37714 100644 +--- a/third_party/libwebm/mkvmuxer/mkvmuxer.h ++++ b/third_party/libwebm/mkvmuxer/mkvmuxer.h +@@ -795,6 +795,8 @@ class VideoTrack : public Track { + uint64_t alpha_mode() { return alpha_mode_; } + void set_width(uint64_t width) { width_ = width; } + uint64_t width() const { return width_; } ++ void set_colour_space(const char* colour_space); ++ const char* colour_space() const { return colour_space_; } + + Colour* colour() { return colour_; } + +@@ -824,6 +826,7 @@ class VideoTrack : public Track { + uint64_t stereo_mode_; + uint64_t alpha_mode_; + uint64_t width_; ++ char* colour_space_; + + Colour* colour_; + Projection* projection_; +@@ -871,9 +874,9 @@ class Tracks { + + static const char kOpusCodecId[]; + static const char kVorbisCodecId[]; ++ static const char kAv1CodecId[]; + static const char kVp8CodecId[]; + static const char kVp9CodecId[]; +- static const char kVp10CodecId[]; + static const char kWebVttCaptionsId[]; + static const char kWebVttDescriptionsId[]; + static const char kWebVttMetadataId[]; +diff --git a/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc b/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc +index 355d4e22b..7636a9f4e 100644 +--- a/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc ++++ b/third_party/libwebm/mkvmuxer/mkvmuxerutil.cc +@@ -136,9 +136,8 @@ uint64 WriteBlock(IMkvWriter* writer, const Frame* const frame, int64 timecode, + return false; + } + +- if (!frame->is_key() && +- !WriteEbmlElement(writer, libwebm::kMkvReferenceBlock, +- 
reference_block_timestamp)) { ++ if (!frame->is_key() && !WriteEbmlElement(writer, libwebm::kMkvReferenceBlock, ++ reference_block_timestamp)) { + return false; + } + +@@ -563,10 +562,10 @@ uint64 WriteFrame(IMkvWriter* writer, const Frame* const frame, + if (relative_timecode < 0 || relative_timecode > kMaxBlockTimecode) + return 0; + +- return frame->CanBeSimpleBlock() ? +- WriteSimpleBlock(writer, frame, relative_timecode) : +- WriteBlock(writer, frame, relative_timecode, +- cluster->timecode_scale()); ++ return frame->CanBeSimpleBlock() ++ ? WriteSimpleBlock(writer, frame, relative_timecode) ++ : WriteBlock(writer, frame, relative_timecode, ++ cluster->timecode_scale()); + } + + uint64 WriteVoidElement(IMkvWriter* writer, uint64 size) { +diff --git a/third_party/libwebm/mkvmuxer/mkvmuxerutil.h b/third_party/libwebm/mkvmuxer/mkvmuxerutil.h +index 132388da5..3355428bd 100644 +--- a/third_party/libwebm/mkvmuxer/mkvmuxerutil.h ++++ b/third_party/libwebm/mkvmuxer/mkvmuxerutil.h +@@ -31,6 +31,9 @@ const int64 kMaxBlockTimecode = 0x07FFFLL; + // Writes out |value| in Big Endian order. Returns 0 on success. + int32 SerializeInt(IMkvWriter* writer, int64 value, int32 size); + ++// Writes out |f| in Big Endian order. Returns 0 on success. ++int32 SerializeFloat(IMkvWriter* writer, float f); ++ + // Returns the size in bytes of the element. 
+ int32 GetUIntSize(uint64 value); + int32 GetIntSize(int64 value); +diff --git a/third_party/libwebm/mkvmuxer/mkvwriter.cc b/third_party/libwebm/mkvmuxer/mkvwriter.cc +index 84655d802..d668384d8 100644 +--- a/third_party/libwebm/mkvmuxer/mkvwriter.cc ++++ b/third_party/libwebm/mkvmuxer/mkvwriter.cc +@@ -78,6 +78,8 @@ int32 MkvWriter::Position(int64 position) { + + #ifdef _MSC_VER + return _fseeki64(file_, position, SEEK_SET); ++#elif defined(_WIN32) ++ return fseeko64(file_, static_cast(position), SEEK_SET); + #else + return fseeko(file_, static_cast(position), SEEK_SET); + #endif +diff --git a/third_party/libwebm/mkvparser/mkvparser.cc b/third_party/libwebm/mkvparser/mkvparser.cc +index 37f230d0a..dcb969dcf 100644 +--- a/third_party/libwebm/mkvparser/mkvparser.cc ++++ b/third_party/libwebm/mkvparser/mkvparser.cc +@@ -22,12 +22,8 @@ + + #include "common/webmids.h" + +-// disable deprecation warnings for auto_ptr +-#if defined(__GNUC__) && __GNUC__ >= 5 +-#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +-#endif +- + namespace mkvparser { ++const long long kStringElementSizeLimit = 20 * 1000 * 1000; + const float MasteringMetadata::kValueNotPresent = FLT_MAX; + const long long Colour::kValueNotPresent = LLONG_MAX; + const float Projection::kValueNotPresent = FLT_MAX; +@@ -40,8 +36,6 @@ inline bool isnan(double val) { return std::isnan(val); } + inline bool isinf(double val) { return std::isinf(val); } + #endif // MSC_COMPAT + +-IMkvReader::~IMkvReader() {} +- + template + Type* SafeArrayAlloc(unsigned long long num_elements, + unsigned long long element_size) { +@@ -330,7 +324,7 @@ long UnserializeString(IMkvReader* pReader, long long pos, long long size, + delete[] str; + str = NULL; + +- if (size >= LONG_MAX || size < 0) ++ if (size >= LONG_MAX || size < 0 || size > kStringElementSizeLimit) + return E_FILE_FORMAT_INVALID; + + // +1 for '\0' terminator +@@ -5015,7 +5009,7 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start, + if 
(!reader || *mm) + return false; + +- std::auto_ptr mm_ptr(new MasteringMetadata()); ++ std::unique_ptr mm_ptr(new MasteringMetadata()); + if (!mm_ptr.get()) + return false; + +@@ -5035,6 +5029,10 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start, + double value = 0; + const long long value_parse_status = + UnserializeFloat(reader, read_pos, child_size, value); ++ if (value < -FLT_MAX || value > FLT_MAX || ++ (value > 0.0 && value < FLT_MIN)) { ++ return false; ++ } + mm_ptr->luminance_max = static_cast(value); + if (value_parse_status < 0 || mm_ptr->luminance_max < 0.0 || + mm_ptr->luminance_max > 9999.99) { +@@ -5044,6 +5042,10 @@ bool MasteringMetadata::Parse(IMkvReader* reader, long long mm_start, + double value = 0; + const long long value_parse_status = + UnserializeFloat(reader, read_pos, child_size, value); ++ if (value < -FLT_MAX || value > FLT_MAX || ++ (value > 0.0 && value < FLT_MIN)) { ++ return false; ++ } + mm_ptr->luminance_min = static_cast(value); + if (value_parse_status < 0 || mm_ptr->luminance_min < 0.0 || + mm_ptr->luminance_min > 999.9999) { +@@ -5096,7 +5098,7 @@ bool Colour::Parse(IMkvReader* reader, long long colour_start, + if (!reader || *colour) + return false; + +- std::auto_ptr colour_ptr(new Colour()); ++ std::unique_ptr colour_ptr(new Colour()); + if (!colour_ptr.get()) + return false; + +@@ -5194,7 +5196,7 @@ bool Projection::Parse(IMkvReader* reader, long long start, long long size, + if (!reader || *projection) + return false; + +- std::auto_ptr projection_ptr(new Projection()); ++ std::unique_ptr projection_ptr(new Projection()); + if (!projection_ptr.get()) + return false; + +@@ -5270,6 +5272,7 @@ bool Projection::Parse(IMkvReader* reader, long long start, long long size, + VideoTrack::VideoTrack(Segment* pSegment, long long element_start, + long long element_size) + : Track(pSegment, element_start, element_size), ++ m_colour_space(NULL), + m_colour(NULL), + m_projection(NULL) {} + +@@ -5295,6 +5298,7 @@ 
long VideoTrack::Parse(Segment* pSegment, const Info& info, + long long stereo_mode = 0; + + double rate = 0.0; ++ char* colour_space = NULL; + + IMkvReader* const pReader = pSegment->m_pReader; + +@@ -5307,8 +5311,8 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info, + + const long long stop = pos + s.size; + +- Colour* colour = NULL; +- Projection* projection = NULL; ++ std::unique_ptr colour_ptr; ++ std::unique_ptr projection_ptr; + + while (pos < stop) { + long long id, size; +@@ -5357,11 +5361,23 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info, + if (rate <= 0) + return E_FILE_FORMAT_INVALID; + } else if (id == libwebm::kMkvColour) { +- if (!Colour::Parse(pReader, pos, size, &colour)) ++ Colour* colour = NULL; ++ if (!Colour::Parse(pReader, pos, size, &colour)) { + return E_FILE_FORMAT_INVALID; ++ } else { ++ colour_ptr.reset(colour); ++ } + } else if (id == libwebm::kMkvProjection) { +- if (!Projection::Parse(pReader, pos, size, &projection)) ++ Projection* projection = NULL; ++ if (!Projection::Parse(pReader, pos, size, &projection)) { + return E_FILE_FORMAT_INVALID; ++ } else { ++ projection_ptr.reset(projection); ++ } ++ } else if (id == libwebm::kMkvColourSpace) { ++ const long status = UnserializeString(pReader, pos, size, colour_space); ++ if (status < 0) ++ return status; + } + + pos += size; // consume payload +@@ -5392,8 +5408,9 @@ long VideoTrack::Parse(Segment* pSegment, const Info& info, + pTrack->m_display_unit = display_unit; + pTrack->m_stereo_mode = stereo_mode; + pTrack->m_rate = rate; +- pTrack->m_colour = colour; +- pTrack->m_projection = projection; ++ pTrack->m_colour = colour_ptr.release(); ++ pTrack->m_colour_space = colour_space; ++ pTrack->m_projection = projection_ptr.release(); + + pResult = pTrack; + return 0; // success +@@ -7903,6 +7920,10 @@ long Block::Parse(const Cluster* pCluster) { + return E_FILE_FORMAT_INVALID; + + curr.len = static_cast(frame_size); ++ // Check if size + curr.len could overflow. 
++ if (size > LLONG_MAX - curr.len) { ++ return E_FILE_FORMAT_INVALID; ++ } + size += curr.len; // contribution of this frame + + --frame_count; +@@ -7964,6 +7985,11 @@ long long Block::GetTimeCode(const Cluster* pCluster) const { + const long long tc0 = pCluster->GetTimeCode(); + assert(tc0 >= 0); + ++ // Check if tc0 + m_timecode would overflow. ++ if (tc0 < 0 || LLONG_MAX - tc0 < m_timecode) { ++ return -1; ++ } ++ + const long long tc = tc0 + m_timecode; + + return tc; // unscaled timecode units +@@ -7981,6 +8007,10 @@ long long Block::GetTime(const Cluster* pCluster) const { + const long long scale = pInfo->GetTimeCodeScale(); + assert(scale >= 1); + ++ // Check if tc * scale could overflow. ++ if (tc != 0 && scale > LLONG_MAX / tc) { ++ return -1; ++ } + const long long ns = tc * scale; + + return ns; +diff --git a/third_party/libwebm/mkvparser/mkvparser.h b/third_party/libwebm/mkvparser/mkvparser.h +index 26c2b7e5e..848d01f03 100644 +--- a/third_party/libwebm/mkvparser/mkvparser.h ++++ b/third_party/libwebm/mkvparser/mkvparser.h +@@ -22,7 +22,7 @@ class IMkvReader { + virtual int Length(long long* total, long long* available) = 0; + + protected: +- virtual ~IMkvReader(); ++ virtual ~IMkvReader() {} + }; + + template +@@ -527,6 +527,8 @@ class VideoTrack : public Track { + + Projection* GetProjection() const; + ++ const char* GetColourSpace() const { return m_colour_space; } ++ + private: + long long m_width; + long long m_height; +@@ -534,7 +536,7 @@ class VideoTrack : public Track { + long long m_display_height; + long long m_display_unit; + long long m_stereo_mode; +- ++ char* m_colour_space; + double m_rate; + + Colour* m_colour; +diff --git a/third_party/libwebm/mkvparser/mkvreader.cc b/third_party/libwebm/mkvparser/mkvreader.cc +index 23d68f508..9d19c1be5 100644 +--- a/third_party/libwebm/mkvparser/mkvreader.cc ++++ b/third_party/libwebm/mkvparser/mkvreader.cc +@@ -118,6 +118,8 @@ int MkvReader::Read(long long offset, long len, unsigned char* buffer) { 
+ + if (status) + return -1; // error ++#elif defined(_WIN32) ++ fseeko64(m_file, static_cast(offset), SEEK_SET); + #else + fseeko(m_file, static_cast(offset), SEEK_SET); + #endif +-- +2.25.1 + diff --git a/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch b/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch new file mode 100644 index 0000000..3e64446 --- /dev/null +++ b/SOURCES/0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch 
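Review bot: The new overflow guard in `Block::GetTime`, `if (tc != 0 && scale > LLONG_MAX / tc) return -1;`, rejects every negative `tc`, not only overflowing ones: for `tc < 0` the quotient `LLONG_MAX / tc` is at most 0 while `scale >= 1` is asserted just above it, so the condition is always true. The old code multiplied negative timecodes through, so this is a silent behaviour change for blocks whose relative timecode pulls them below the cluster timecode, and `Block::GetTimeCode` a few lines earlier can produce such values because a negative `m_timecode` passes its new `LLONG_MAX - tc0 < m_timecode` check unchanged. If negative absolute timecodes are meant to be invalid, say so in a comment and keep the early return; otherwise check both directions: `if (tc > 0 ? scale > LLONG_MAX / tc : tc < LLONG_MIN / scale) return -1;`. Whether callers already reject negative timecodes is not visible in this hunk, and both functions extend beyond it.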
@@ -0,0 +1,71 @@
+From d06fa15d1c113edea0d6760ea19af8e8d0af0d94 Mon Sep 17 00:00:00 2001
+From: James Zern
+Date: Fri, 7 Jun 2019 15:06:29 -0700
+Subject: [PATCH 4/4] CVE-2019-2126: update libwebm to
+ libwebm-1.0.0.27-361-g81de00c
+
+81de00c Check there is only one settings per ContentCompression
+5623013 Fixes a double free in ContentEncoding
+93b2ba0 mkvparser: quiet static analysis warnings
+
+Change-Id: Ieaa562ef2f10075381bd856388e6b29f97ca2746
+---
+ third_party/libwebm/README.libvpx | 2 +-
+ third_party/libwebm/mkvparser/mkvparser.cc | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/third_party/libwebm/README.libvpx b/third_party/libwebm/README.libvpx
+index 16f17513e..714f5d0eb 100644
+--- a/third_party/libwebm/README.libvpx
++++ b/third_party/libwebm/README.libvpx
+@@ -1,5 +1,5 @@
+ URL: https://chromium.googlesource.com/webm/libwebm
+-Version: dbf1d1089756e7cb5b1a04d6752310ef35912347
++Version: 81de00c43ea3c087b48a8c20337db7531b9f7612
+ License: BSD
+ License File: LICENSE.txt
+
+diff --git a/third_party/libwebm/mkvparser/mkvparser.cc b/third_party/libwebm/mkvparser/mkvparser.cc
+index dcb969dcf..ace65bd59 100644
+--- a/third_party/libwebm/mkvparser/mkvparser.cc
++++ b/third_party/libwebm/mkvparser/mkvparser.cc
+@@ -4230,6 +4230,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ new (std::nothrow) ContentEncryption*[encryption_count];
+ if (!encryption_entries_) {
+ delete[] compression_entries_;
++ compression_entries_ = NULL;
+ return -1;
+ }
+ encryption_entries_end_ = encryption_entries_;
+@@ -4261,6 +4262,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ delete compression;
+ return status;
+ }
++ assert(compression_count > 0);
+ *compression_entries_end_++ = compression;
+ } else if (id == libwebm::kMkvContentEncryption) {
+ ContentEncryption* const encryption =
+@@ -4273,6 +4275,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
+ delete encryption;
+ return status;
+ }
++ assert(encryption_count > 0);
+ *encryption_entries_end_++ = encryption;
+ }
+
+@@ -4325,6 +4328,12 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
+ return status;
+ }
+
++ // There should be only one settings element per content compression.
++ if (compression->settings != NULL) {
++ delete[] buf;
++ return E_FILE_FORMAT_INVALID;
++ }
++
+ compression->settings = buf;
+ compression->settings_len = buflen;
+ }
+--
+2.25.1
+
diff --git a/SPECS/libvpx.spec b/SPECS/libvpx.spec
index 77d7413..e667c44 100644
--- a/SPECS/libvpx.spec
+++ b/SPECS/libvpx.spec
@@ -6,7 +6,7 @@ Name: libvpx
 Summary: VP8/VP9 Video Codec SDK
 Version: 1.7.0
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: BSD
 Group: System Environment/Libraries
 #Source0: http://downloads.webmproject.org/releases/webm/%{name}-%{version}.tar.bz2
@@ -18,9 +18,13 @@ URL: http://www.webmproject.org/code/
 %ifarch %{ix86} x86_64
 BuildRequires: yasm
 %endif
-BuildRequires: doxygen, php-cli, perl(Getopt::Long)
+BuildRequires: doxygen, perl(Getopt::Long)
 # Do not disable FORTIFY_SOURCE=2
 Patch0: libvpx-1.7.0-leave-fortify-source-on.patch
+Patch1: 0001-CVE-2019-9232-Fix-OOB-memory-access-on-fuzzed-data.patch
+Patch2: 0002-CVE-2019-9433-VP8-Fix-use-after-free-in-postproc.patch
+Patch3: 0003-CVE-2019-9371-update-libwebm.patch
+Patch4: 0004-CVE-2019-2126-update-libwebm-to-libwebm-1.0.0.27-361.patch
 %description
 libvpx provides the VP8/VP9 SDK, which allows you to integrate your applications
@@ -48,6 +52,10 @@ and decoder.
 %prep
 %setup -q -n libvpx-%{version}
 %patch0 -p1 -b .leave-fs-on
+%patch1 -p1 -b .0001
+%patch2 -p1 -b .0002
+%patch3 -p1 -b .0003
+%patch4 -p1 -b .0004
 %build
 %ifarch %{ix86}
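Review bot: The two added `assert(compression_count > 0);` and `assert(encryption_count > 0);` lines in `ContentEncoding::ParseContentEncodingEntry` compile out under NDEBUG, so in a release build of a parser fed untrusted WebM they guard nothing before `*compression_entries_end_++ = compression;` and `*encryption_entries_end_++ = encryption;`. If the counting pass that sizes these arrays (outside the hunk) can ever disagree with the elements this loop meets, the store runs past the allocation; unless that pass is guaranteed to see exactly the same elements, make it a real check, e.g. `if (compression_count <= 0) { delete compression; return E_FILE_FORMAT_INVALID; }` and the matching form for `encryption`. The `compression_entries_ = NULL;` reset after `delete[]` and the duplicate-settings rejection in `ParseCompressionEntry` (which frees `buf` before returning) are the right shape. Both enclosing functions extend beyond the hunk.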
@@ -93,7 +101,7 @@ CROSS=armv7hl-redhat-linux-gnueabi- CHOST=armv7hl-redhat-linux-gnueabi-hardfloat
 --enable-pic --disable-install-srcs \
 --enable-vp9-decoder --enable-vp9-encoder \
 --enable-experimental --enable-spatial-svc \
---enable-vp9-highbitdepth \
+--enable-vp9-highbitdepth --enable-webm-io \
 %if ! %{generic_target}
 --enable-shared \
 %endif
@@ -237,6 +245,15 @@ rm -rf %{buildroot}%{_prefix}/src
 %{_bindir}/*

 %changelog
+* Wed Apr 1 2020 Wim Taymans - 1.7.0-8
+- Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454
+- Enable webm-io explicitly
+
+* Wed Mar 25 2020 Wim Taymans - 1.7.0-7
+- Fix for CVE-2019-9232, CVE-2019-9433, CVE-2019-9371, CVE-2019-2126
+- Resolves: rhbz#1796086, rhbz#1796100, rhbz#1796448, rhbz#1796454
+- Remove php-cli BR
+
 * Tue Oct 09 2018 Wim Taymans - 1.7.0-6
 - Set build flags in all cases
 - Resolves: #1630588
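Review bot: `--enable-webm-io` is added only to the configure invocation shown in this hunk (the one under the `CROSS=armv7hl-...` context), while `%build` opens with an `%ifarch %{ix86}` branch a few hunks earlier; if that branch or any other per-arch path runs its own configure call, it is outside the hunk and would need the same flag, otherwise the libwebm fixes carried by Patch3/Patch4 are only compiled into the tools on some architectures. The spec also gives no reason for the new flag, so a comment above the configure call would help the next packager: `# webm-io builds third_party/libwebm (Patch3/Patch4) into vpxenc/vpxdec`. Whether webm-io was already auto-detected before this change cannot be told from the spec alone; the configure call continues beyond the hunk.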