diff options
author | Soumya <soumya.sambu@windriver.com> | 2023-07-17 03:29:31 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-07-17 04:45:01 -1000 |
commit | a5d0f8734ca643c25f0952387b38edf8ffd70525 (patch) | |
tree | 6cd8805301ac77912038190fa8441adeb0a0acfe /meta/recipes-multimedia | |
parent | f19c20c429395c1b4c62a6e0388ef51b830871c5 (diff) | |
download | openembedded-core-contrib-a5d0f8734ca643c25f0952387b38edf8ffd70525.tar.gz |
libwebp: Fix CVE-2023-1999
There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999
Upstream patch:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-multimedia')
-rw-r--r-- | meta/recipes-multimedia/webp/files/CVE-2023-1999.patch | 60 | ||||
-rw-r--r-- | meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 4 |
2 files changed, 63 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch new file mode 100644 index 0000000000..895d01ea7d --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch @@ -0,0 +1,60 @@ +From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001 +From: James Zern <jzern@google.com> +Date: Wed, 22 Feb 2023 22:15:47 -0800 +Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error + +This avoids a double free should the function fail prior to +VP8BitWriterInit() and a previous trial result's buffer carried over. +Previously in ApplyFiltersAndEncode() trial.bw (with a previous +iteration's buffer) would be freed, followed by best.bw pointing to the +same buffer. + +Since: +187d379d add a fallback to ALPHA_NO_COMPRESSION + +In addition, check the return value of VP8BitWriterInit() in this +function. + +Bug: webp:603 +Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910 + +CVE: CVE-2023-1999 + +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + src/enc/alpha_enc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c +index f7c0269..7d20558 100644 +--- a/src/enc/alpha_enc.c ++++ b/src/enc/alpha_enc.c +@@ -13,6 +13,7 @@ + + #include <assert.h> + #include <stdlib.h> ++#include <string.h> + + #include "src/enc/vp8i_enc.h" + #include "src/dsp/dsp.h" +@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, + } + } else { + VP8LBitWriterWipeOut(&tmp_bw); ++ memset(&result->bw, 0, sizeof(result->bw)); + return 0; + } + } +@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, + header = method | (filter << 2); + if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4; + +- VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size); ++ if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0; + ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN); + ok = ok && VP8BitWriterAppend(&result->bw, output, output_size); + +-- +2.40.0 diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb index 263589846a..5d868b3b96 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb @@ -13,7 +13,9 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7" -SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz" +SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ + file://CVE-2023-1999.patch \ + " SRC_URI[sha256sum] = "7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df" UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" |