File libavif-CVE-2023-6704.patch of Package libavif
From 7845153645cfe245de5add94fb07c227c2d16402 Mon Sep 17 00:00:00 2001
From: Vignesh Venkatasubramanian <vigneshv@google.com>
Date: Mon, 27 Nov 2023 11:31:38 -0800
Subject: [PATCH] Do not store colorproperties until alpha item is found
colorProperties could become a dangling pointer if
findAlphaItem() resizes the meta.items array.
---
diff --git a/src/read.c b/src/read.c
index 68784fe..d9e4c25 100644
--- a/src/read.c
+++ b/src/read.c
@@ -3332,7 +3332,6 @@ avifResult avifDecoderReset(avifDecoder * decoder)
avifDiagnosticsPrintf(&decoder->diag, "Primary item not found");
return AVIF_RESULT_NO_AV1_ITEMS_FOUND;
}
- colorProperties = &colorItem->properties;
// Find the alphaOBU item, if any
for (uint32_t itemIndex = 0; itemIndex < data->meta->items.count; ++itemIndex) {
@@ -3369,6 +3368,8 @@ avifResult avifDecoderReset(avifDecoder * decoder)
}
}
+ colorProperties = &colorItem->properties;
+
// Find Exif and/or XMP metadata, if any
avifResult findResult = avifDecoderFindMetadata(decoder, data->meta, decoder->image, colorItem->id);
if (findResult != AVIF_RESULT_OK) {
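Review bot: The moved assignment `colorProperties = &colorItem->properties;` only closes the dangling-pointer window if `colorItem` itself survives the resize that the commit message attributes to findAlphaItem(); if meta->items stores items by value rather than by pointer, `colorItem` (also dereferenced for `colorItem->id` two lines below) is invalidated by the same realloc and would need to be looked up again after the alpha-item search — worth confirming against the avifDecoderItemArray declaration, which is outside this hunk. The ordering constraint is also undocumented, so a later cleanup could move the assignment back above the loop; a comment such as `// Take this address only after the alpha-item search: it may grow meta->items and relocate the properties.` on the added line would pin it. The body of avifDecoderReset continues outside the hunk.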