File CVE-2024-5197.patch of Package libvpx.34569

commit 06af417e795e6a9b9309406ba399fb109def89e6
Author: Wan-Teh Chang <wtc@google.com>
Date:   Thu Apr 11 10:24:11 2024 -0700

    Avoid integer overflows in arithmetic operations
    
    A port of the libaom CL
    https://aomedia-review.googlesource.com/c/aom/+/188823.
    
    Impose maximum values on the input parameters so that we can perform
    arithmetic operations without worrying about overflows.
    
    Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
    first and last samples in the first row of the Y plane, so that the test
    will crash if there is unsigned integer overflow in the calculation of
    stride_in_bytes.
    
    Bug: chromium:332382766
    Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3

Index: libvpx-1.6.1/vpx/src/vpx_image.c
===================================================================
--- libvpx-1.6.1.orig/vpx/src/vpx_image.c
+++ libvpx-1.6.1/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -30,6 +31,14 @@ static vpx_image_t *img_alloc_helper(vpx
   /* Validate alignment (must be power of 2) */
   if (buf_align & (buf_align - 1)) goto fail;
 
+  /* Impose maximum values on input parameters so that this function can
+   * perform arithmetic operations without worrying about overflows.
+   */
+  if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
+      stride_align > 65536) {
+    goto fail;
+  }
+
   /* Treat align==0 like align==1 */
   if (!stride_align) stride_align = 1;
 
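Review bot: The new caps on d_w and d_h do not by themselves keep the later products in range: with d_w at 0x08000000, `bps * w / 8` further down in img_alloc_helper no longer fits in 32 bits once bps reaches 32, and the plane-size product of h and s is larger still. The declarations of s, bps and the allocation size are outside the visible hunks, so confirm they are 64-bit or that the computed stride is range-checked before it is used, for example `if (s > INT_MAX) goto fail;` after the stride calculation. The body of img_alloc_helper starts and ends outside this hunk.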
@@ -93,8 +102,8 @@ static vpx_image_t *img_alloc_helper(vpx
   w = d_w;
   h = d_h;
   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
-  s = (s + stride_align - 1) & ~(stride_align - 1);
   stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+  s = (s + stride_align - 1) & ~(stride_align - 1);
 
   /* Allocate the new image */
   if (!img) {
@@ -114,8 +123,10 @@ static vpx_image_t *img_alloc_helper(vpx
     /* Calculate storage sizes given the chroma subsampling */
     align = (1 << xcs) - 1;
     w = (d_w + align) & ~align;
+    assert(d_w <= w);
     align = (1 << ycs) - 1;
     h = (d_h + align) & ~align;
+    assert(d_h <= h);
 
     s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
     s = (s + stride_align - 1) & ~(stride_align - 1);
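Review bot: The two added `assert` calls disappear in builds that define NDEBUG, so the wrap-around they describe is prevented only by the d_w/d_h cap at the top of img_alloc_helper. A short comment would make that dependency explicit, e.g. `/* cannot wrap: d_w and d_h are capped at 0x08000000 on entry */` above `assert(d_w <= w);`. The shift amounts xcs and ycs are set outside this hunk, so the claim holds only as long as they stay small.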
Index: libvpx-1.6.1/vpx/vpx_image.h
===================================================================
--- libvpx-1.6.1.orig/vpx/vpx_image.h
+++ libvpx-1.6.1/vpx/vpx_image.h
@@ -148,10 +148,13 @@ typedef struct vpx_image_rect {
  *                         is NULL, the storage for the descriptor will be
  *                         allocated on the heap.
  * \param[in]    fmt       Format for the image
- * \param[in]    d_w       Width of the image
- * \param[in]    d_h       Height of the image
+ * \param[in]    d_w       Width of the image. Must not exceed 0x08000000
+ *                         (2^27).
+ * \param[in]    d_h       Height of the image. Must not exceed 0x08000000
+ *                         (2^27).
  * \param[in]    align     Alignment, in bytes, of the image buffer and
- *                         each row in the image(stride).
+ *                         each row in the image (stride). Must not exceed
+ *                         65536.
  *
  * \return Returns a pointer to the initialized image descriptor. If the img
  *         parameter is non-null, the value of the img parameter will be
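Review bot: The limits are documented on one function's parameters only, while the check in img_alloc_helper covers both buf_align and stride_align and presumably applies to every public entry point that calls the helper. If vpx_img_wrap or another wrapper declared in this header goes through it, its `d_w`, `d_h` and `stride_align` descriptions need the same sentences. The \return text would also benefit from stating the failure result, e.g. `Returns NULL if a parameter exceeds its documented maximum.`, assuming the fail label returns NULL (not visible here).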