File CVE-2023-5217.patch of Package libvpx.30875
commit 581731a95f74d83d4fe3cc466ce502ffb4326e8e
Author: Aℓex Converse <alexconv@twitch.tv>
Date: Fri Jan 16 16:02:05 2015 -0800
vp8enc: Prevent out of bounds memory access.
Prevent out of bounds access when attempting to increase frame size
Change-Id: I710c40c692802a72963c9680c2125da17f9060a9
Index: libvpx-1.3.0/vp8/encoder/onyx_if.c
===================================================================
--- libvpx-1.3.0.orig/vp8/encoder/onyx_if.c
+++ libvpx-1.3.0/vp8/encoder/onyx_if.c
@@ -1469,6 +1469,12 @@ void vp8_change_config(VP8_COMP *cpi, VP
 last_h = cpi->oxcf.Height;
 prev_number_of_layers = cpi->oxcf.number_of_layers;
+ if (cpi->initial_width) {
+ // TODO(https://crbug.com/1486441): Allow changing thread counts; the
+ // allocation is done once in vp8_create_compressor().
+ oxcf->multi_threaded = cpi->oxcf.multi_threaded;
+ }
+
 cpi->oxcf = *oxcf;
 switch (cpi->oxcf.Mode)
@@ -1671,8 +1677,16 @@ void vp8_change_config(VP8_COMP *cpi, VP
 reset_temporal_layer_change(cpi, oxcf, prev_number_of_layers);
 }
+ if (!cpi->initial_width)
+ {
+ cpi->initial_width = cpi->oxcf.Width;
+ cpi->initial_height = cpi->oxcf.Height;
+ }
+
 cm->Width = cpi->oxcf.Width;
 cm->Height = cpi->oxcf.Height;
+ assert(cm->Width <= cpi->initial_width);
+ assert(cm->Height <= cpi->initial_height);
 /* TODO(jkoleszar): if an internal spatial resampling is active,
 * and we downsize the input image, maybe we should clear the
Index: libvpx-1.3.0/vp8/encoder/onyx_int.h
===================================================================
--- libvpx-1.3.0.orig/vp8/encoder/onyx_int.h
+++ libvpx-1.3.0/vp8/encoder/onyx_int.h
@@ -654,6 +654,9 @@ typedef struct VP8_COMP
 int droppable;
+ int initial_width;
+ int initial_height;
+
 #if CONFIG_TEMPORAL_DENOISING
 VP8_DENOISER denoiser;
 #endif
Index: libvpx-1.3.0/vp8/vp8_cx_iface.c
===================================================================
--- libvpx-1.3.0.orig/vp8/vp8_cx_iface.c
+++ libvpx-1.3.0/vp8/vp8_cx_iface.c
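Review bot: The guard added in the first `vp8_change_config` hunk writes the pinned value back through the caller's pointer (`oxcf->multi_threaded = cpi->oxcf.multi_threaded;`), so a request to change the thread count after the first configure is dropped silently and the caller's struct is modified as a side effect. Nothing visible tells the API user that the setting was ignored, and the guard only takes effect because `cpi->initial_width` is still zero on the first call. I would record both facts at the guard, for example `/* Thread count is fixed after the first configure (allocation happens once in vp8_create_compressor()); a later change is ignored, not applied. */`. The function body starts and ends outside the hunk.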
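Review bot: The two `assert` lines in the second `vp8_change_config` hunk are the only bound on `cm->Width` and `cm->Height` inside the encoder, and they compile to nothing when the library is built with `NDEBUG`. In such a build the size limit depends entirely on the check added to `vp8e_set_config` in `vp8_cx_iface.c`; any other caller of `vp8_change_config` (none is visible here) would be unchecked. Because the function returns `void`, a comment stating the contract would help: `/* Callers must reject sizes above initial_width/initial_height; the asserts below are debug-only. */`. The hunk does not show whether `<assert.h>` is already included in onyx_if.c.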
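Review bot: `initial_width` and `initial_height` are added to `VP8_COMP` without a comment, although zero carries a special meaning: both `vp8_change_config` and `vp8e_set_config` treat 0 as "not configured yet" and skip the size limit in that state. That only holds if the struct is zero-filled when the compressor is created, which this patch does not show. A comment on the fields would record the dependency, for example `/* Frame size at first configure; 0 = not yet set. Upper bound for later size changes. */`.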
@@ -449,9 +449,14 @@ static vpx_codec_err_t vp8e_set_config(v
 {
 vpx_codec_err_t res;
- if (((cfg->g_w != ctx->cfg.g_w) || (cfg->g_h != ctx->cfg.g_h))
- && (cfg->g_lag_in_frames > 1 || cfg->g_pass != VPX_RC_ONE_PASS))
- ERROR("Cannot change width or height after initialization");
+ if (cfg->g_w != ctx->cfg.g_w || cfg->g_h != ctx->cfg.g_h)
+ {
+ if (cfg->g_lag_in_frames > 1 || cfg->g_pass != VPX_RC_ONE_PASS)
+ ERROR("Cannot change width or height after initialization");
+ if ((ctx->cpi->initial_width && (int)cfg->g_w > ctx->cpi->initial_width) ||
+ (ctx->cpi->initial_height && (int)cfg->g_h > ctx->cpi->initial_height))
+ ERROR("Cannot increast width or height larger than their initial values");
+ }
 /* Prevent increasing lag_in_frames. This check is stricter than it needs
 * to be -- the limit is not increasing past the first lag_in_frames
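Review bot: The new upper-bound test casts `cfg->g_w` and `cfg->g_h` to `int` before comparing; the cast suggests these fields are unsigned, in which case a value above `INT_MAX` typically becomes negative and compares as not larger than `initial_width`. Unless a range check elsewhere in `vp8e_set_config` (outside this hunk) caps the dimensions before they are used, the comparison is safer in the unsigned domain: `cfg->g_w > (unsigned int)ctx->cpi->initial_width`, and likewise for `g_h`. The error string also has a typo, "increast" for "increase".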