From c7c49446ebcc48c2b2136f4475ab66aecb63d18e Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 8 Jun 2016 09:53:56 -0400 Subject: [PATCH] gnu: libvpx: Add fix for CVE-2016-2818. * gnu/packages/patches/libvpx-CVE-2016-2818.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/video.scm (libvpx)[source]: Add patch. --- gnu/local.mk | 1 + .../patches/libvpx-CVE-2016-2818.patch | 36 +++++++++++++++++++ gnu/packages/video.scm | 3 +- 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libvpx-CVE-2016-2818.patch diff --git a/gnu/local.mk b/gnu/local.mk index ff476be448..cc236a7d16 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -606,6 +606,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ + %D%/packages/patches/libvpx-CVE-2016-2818.patch \ %D%/packages/patches/libwmf-CAN-2004-0941.patch \ %D%/packages/patches/libwmf-CVE-2006-3376.patch \ %D%/packages/patches/libwmf-CVE-2007-0455.patch \ diff --git a/gnu/packages/patches/libvpx-CVE-2016-2818.patch b/gnu/packages/patches/libvpx-CVE-2016-2818.patch new file mode 100644 index 0000000000..1fdf01cbca --- /dev/null +++ b/gnu/packages/patches/libvpx-CVE-2016-2818.patch @@ -0,0 +1,36 @@ +Patch contents copied from Mozilla esr45 changeset 312077:7ebfe49f001c + + changeset: 312077:7ebfe49f001c + user: Randell Jesup + Date: Fri Apr 15 23:11:01 2016 -0400 + summary: Bug 1263384: validate input frames against configured resolution in vp8 r=rillian, a=ritu,lizzard + + MozReview-Commit-ID: BxDCnJe0mzs + +--- libvpx-1.5.0/vp8/vp8_cx_iface.c.orig 2015-11-09 17:12:38.000000000 -0500 ++++ libvpx-1.5.0/vp8/vp8_cx_iface.c 2016-06-08 08:48:46.037213092 -0400 +@@ -925,11 +925,19 @@ + { + res = image2yuvconfig(img, &sd); + +- if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags, +- &sd, dst_time_stamp, dst_end_time_stamp)) +- { +- VP8_COMP *cpi = (VP8_COMP *)ctx->cpi; +- res = update_error_state(ctx, &cpi->common.error); ++ if (sd.y_width != ctx->cfg.g_w || sd.y_height != ctx->cfg.g_h) { ++ /* from vp8_encoder.h for g_w/g_h: ++ "Note that the frames passed as input to the encoder must have this resolution" ++ */ ++ ctx->base.err_detail = "Invalid input frame resolution"; ++ res = VPX_CODEC_INVALID_PARAM; ++ } else { ++ if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags, ++ &sd, dst_time_stamp, dst_end_time_stamp)) ++ { ++ VP8_COMP *cpi = (VP8_COMP *)ctx->cpi; ++ res = update_error_state(ctx, &cpi->common.error); ++ } + } + + /* reset for next frame */ diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index 692f3645e6..eee04faec0 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -839,7 +839,8 @@ (define-public libvpx name "-" version ".tar.bz2")) (sha256 (base32 - "15v7qw0ydyxn08ksb6lxn1l51pxgpwgshdwd3275yrr5hs86fv9h")))) + "15v7qw0ydyxn08ksb6lxn1l51pxgpwgshdwd3275yrr5hs86fv9h")) + (patches (search-patches "libvpx-CVE-2016-2818.patch")))) (build-system gnu-build-system) (arguments `(#:phases