File CVE-2024-5197.patch of Package libvpx.34567
commit 06af417e795e6a9b9309406ba399fb109def89e6 Author: Wan-Teh Chang <wtc@google.com> Date: Thu Apr 11 10:24:11 2024 -0700 Avoid integer overflows in arithmetic operations A port of the libaom CL https://aomedia-review.googlesource.com/c/aom/+/188823. Impose maximum values on the input parameters so that we can perform arithmetic operations without worrying about overflows. Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the first and last samples in the first row of the Y plane, so that the test will crash if there is unsigned integer overflow in the calculation of stride_in_bytes. Bug: chromium:332382766 Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3 Index: libvpx-1.11.0/vpx/src/vpx_image.c =================================================================== --- libvpx-1.11.0.orig/vpx/src/vpx_image.c +++ libvpx-1.11.0/vpx/src/vpx_image.c @@ -8,6 +8,7 @@ * be found in the AUTHORS file in the root of the source tree. */ +#include <assert.h> #include <limits.h> #include <stdlib.h> #include <string.h> @@ -33,6 +34,14 @@ static vpx_image_t *img_alloc_helper(vpx /* Validate alignment (must be power of 2) */ if (buf_align & (buf_align - 1)) goto fail; + /* Impose maximum values on input parameters so that this function can + * perform arithmetic operations without worrying about overflows. + */ + if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 || + stride_align > 65536) { + goto fail; + } + /* Treat align==0 like align==1 */ if (!stride_align) stride_align = 1; @@ -81,8 +90,8 @@ static vpx_image_t *img_alloc_helper(vpx w = d_w; h = d_h; s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; - s = (s + stride_align - 1) & ~(stride_align - 1); stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; + s = (s + stride_align - 1) & ~(stride_align - 1); /* Allocate the new image */ if (!img) { 
@@ -100,8 +109,10 @@ static vpx_image_t *img_alloc_helper(vpx /* Calculate storage sizes given the chroma subsampling */ align = (1 << xcs) - 1; w = (d_w + align) & ~align; + assert(d_w <= w); align = (1 << ycs) - 1; h = (d_h + align) & ~align; + assert(d_h <= h); s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; s = (s + stride_align - 1) & ~(stride_align - 1); Index: libvpx-1.11.0/vpx/vpx_image.h =================================================================== --- libvpx-1.11.0.orig/vpx/vpx_image.h +++ libvpx-1.11.0/vpx/vpx_image.h @@ -132,10 +132,13 @@ typedef struct vpx_image_rect { * is NULL, the storage for the descriptor will be * allocated on the heap. * \param[in] fmt Format for the image - * \param[in] d_w Width of the image - * \param[in] d_h Height of the image + * \param[in] d_w Width of the image. Must not exceed 0x08000000 + * (2^27). + * \param[in] d_h Height of the image. Must not exceed 0x08000000 + * (2^27). * \param[in] align Alignment, in bytes, of the image buffer and - * each row in the image(stride). + * each row in the image (stride). Must not exceed + * 65536. * * \return Returns a pointer to the initialized image descriptor. If the img * parameter is non-null, the value of the img parameter will be @@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t * * parameter is NULL, the storage for the descriptor * will be allocated on the heap. * \param[in] fmt Format for the image - * \param[in] d_w Width of the image - * \param[in] d_h Height of the image - * \param[in] stride_align Alignment, in bytes, of each row in the image. + * \param[in] d_w Width of the image. Must not exceed 0x08000000 + * (2^27). + * \param[in] d_h Height of the image. Must not exceed 0x08000000 + * (2^27). + * \param[in] stride_align Alignment, in bytes, of each row in the image + * (stride). Must not exceed 65536. * \param[in] img_data Storage to use for the image * * \return Returns a pointer to the initialized image descriptor. If the img
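Review bot: In the vpx_image.c hunk at `@@ -33,6 +34,14 @@`, the new range check uses bare literals (`0x08000000`, `65536`) that are repeated by hand in the vpx_image.h comments, and the added comment does not say why these particular values are sufficient. Suggest named constants shared by the check and the documentation, plus a sentence tying the limits to the largest expression they are meant to protect. The unchanged context line `s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;` is still evaluated in the operands' own types, which the visible lines do not show, so it is worth confirming that a width of 2^27 keeps `bps * w` in range for the largest `bps`.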
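Review bot: In the vpx_image.c hunk at `@@ -81,8 +90,8 @@`, `stride_in_bytes` is now assigned before `s = (s + stride_align - 1) & ~(stride_align - 1);`, so it is derived from the unaligned `s` and may no longer be a multiple of `stride_align`. The context of the next hunk still computes `s` and then rounds it, so the two places now differ in order. If the reordering is intentional, a comment should explain why the stride set here does not need the rounding; otherwise keep the original order and reject an out-of-range `s` with `goto fail` before the assignment.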
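Review bot: The checks added in the vpx_image.c hunk at `@@ -100,8 +109,10 @@`, `assert(d_w <= w);` and `assert(d_h <= h);`, are compiled out when the library is built with NDEBUG, so they document the invariant but do not enforce it in release builds. The only runtime protection against wraparound in `(d_w + align) & ~align` is therefore the `d_w`/`d_h` limit added earlier in the patch. Suggest a short comment next to the asserts saying they rely on that limit, or a `goto fail` instead if the check is meant to hold independently of it.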
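Review bot: In both vpx_image.h hunks, the updated `\param` text states the new limits ("Must not exceed 0x08000000 (2^27)", "Must not exceed 65536") but not what the caller gets back when a limit is exceeded, and the visible `\return` text only describes the success case. Suggest adding the failure result to the `\return` paragraph of each function so callers know to check for it. The alignment description could also mention the power-of-2 requirement that the vpx_image.c context enforces for `buf_align` ("Validate alignment (must be power of 2)"), since the visible parameter text does not.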