Overview

File libavif-CVE-2023-6704.patch of Package libavif

From 7845153645cfe245de5add94fb07c227c2d16402 Mon Sep 17 00:00:00 2001
From: Vignesh Venkatasubramanian <vigneshv@google.com>
Date: Mon, 27 Nov 2023 11:31:38 -0800
Subject: [PATCH] Do not store colorproperties until alpha item is found

colorProperties could be pointing to a dangling pointer if
findAlphaItem() resizes the meta.items array.
---

diff --git a/src/read.c b/src/read.c
index 68784fe..d9e4c25 100644
--- a/src/read.c
+++ b/src/read.c
@@ -3332,7 +3332,6 @@ avifResult avifDecoderReset(avifDecoder * decoder)
             avifDiagnosticsPrintf(&decoder->diag, "Primary item not found");
             return AVIF_RESULT_NO_AV1_ITEMS_FOUND;
         }
-        colorProperties = &colorItem->properties;
 
         // Find the alphaOBU item, if any
         for (uint32_t itemIndex = 0; itemIndex < data->meta->items.count; ++itemIndex) {
@@ -3369,6 +3368,8 @@ avifResult avifDecoderReset(avifDecoder * decoder)
             }
         }
 
+        colorProperties = &colorItem->properties;
+
         // Find Exif and/or XMP metadata, if any
         avifResult findResult = avifDecoderFindMetadata(decoder, data->meta, decoder->image, colorItem->id);
         if (findResult != AVIF_RESULT_OK) {
openSUSE Build Service is sponsored by
Places