File CVE-2023-6349.patch of Package libvpx.34567

commit df9fd9d5b7325060b2b921558a1eb20ca7880937
Author: Jerome Jiang <jianj@google.com>
Date:   Thu Jun 30 13:48:56 2022 -0400

    Fix bug with smaller width bigger size
    
    Fixed previous patch that clusterfuzz failed on.
    
    Local fuzzing passing overnight.
    
    Bug: webm:1642
    Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
    (cherry picked from commit 263682c9a29395055f3b3afe2d97be1828a6223f)

Index: libvpx-1.11.0/test/resize_test.cc
===================================================================
--- libvpx-1.11.0.orig/test/resize_test.cc
+++ libvpx-1.11.0/test/resize_test.cc
@@ -101,11 +101,8 @@ void ScaleForFrameNumber(unsigned int fr
       *h = initial_h;
       return;
     }
-    if (frame < 100) {
-      *w = initial_w * 7 / 10;
-      *h = initial_h * 16 / 10;
-      return;
-    }
+    *w = initial_w * 7 / 10;
+    *h = initial_h * 16 / 10;
     return;
   }
   if (frame < 10) {
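Review bot: The scale factors on the added lines `*w = initial_w * 7 / 10;` and `*h = initial_h * 16 / 10;` are unexplained, yet they are the whole point of this case: the width shrinks while the frame area grows (0.7 × 1.6 = 1.12×), which is the resize pattern the re-enabled test exercises. A one-line comment above them, such as `// Narrower but taller: width drops to 70% while the area grows to 112%.`, would keep a later edit from turning this into a plain downscale and silently losing the coverage. ScaleForFrameNumber begins before this hunk, so the enclosing condition is not visible here.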
@@ -578,7 +575,7 @@ TEST_P(ResizeRealtimeTest, TestExternalR
   }
 }
 
-TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
+TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
   ResizingVideoSource video;
   video.flag_codec_ = true;
   video.smaller_width_larger_size_ = true;
commit a53700e4a3820ad929e2b8c79d10e46abef62575
Author: James Zern <jzern@google.com>
Date:   Mon Jun 26 19:06:51 2023 -0700

    vp9_alloccommon: clear allocation sizes on free
    
    This fixes reallocations (and avoids potential crashes) if any
    allocation fails and the application continues to call
    vpx_codec_decode().
    
    Found with vpx_dec_fuzzer_vp9 & Nallocfuzz
    (https://github.com/catenacyber/nallocfuzz).
    
    Bug: webm:1807
    Change-Id: If5dc96b73c02efc94ec84c25eb50d10ad6b645a6
    (cherry picked from commit 02ab555e992c191e5c509ed87b3cc48ed915b447)

diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
index faad657a0..e53883f62 100644
--- a/vp9/common/vp9_alloccommon.c
+++ b/vp9/common/vp9_alloccommon.c
@@ -65,6 +65,7 @@ static void free_seg_map(VP9_COMMON *cm) {
     vpx_free(cm->seg_map_array[i]);
     cm->seg_map_array[i] = NULL;
   }
+  cm->seg_map_alloc_size = 0;
 
   cm->current_frame_seg_map = NULL;
   cm->last_frame_seg_map = NULL;
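Review bot: The added `cm->seg_map_alloc_size = 0;` encodes an invariant that is stated nowhere in the code: the cached size must never describe buffers that have already been freed. Judging from the commit message, the allocation path uses this size to decide whether to reallocate, so a stale value after a failed allocation would leave NULL pointers in use on the next vpx_codec_decode() call; that caller is outside the hunk, so this is inferred. A comment on the new line, for example `/* Keep the cached size in step with the freed buffers so the next alloc does not skip reallocation. */`, would document it, and the same applies to `cm->above_context_alloc_cols = 0;` in the vp9_free_context_buffers hunk. In that hunk `cm->lf.lfm` is freed and nulled as well; if a size or stride is cached for it elsewhere, it is worth confirming that it cannot go stale in the same way.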
@@ -108,6 +109,7 @@ void vp9_free_context_buffers(VP9_COMMON *cm) {
   cm->above_context = NULL;
   vpx_free(cm->above_seg_context);
   cm->above_seg_context = NULL;
+  cm->above_context_alloc_cols = 0;
   vpx_free(cm->lf.lfm);
   cm->lf.lfm = NULL;
 }