Hi

On 2025-05-27 23:27:47 +0200, Salvatore Bonaccorso wrote:
> X-Debbugs-Cc: Sebastian Dröge <sl...@debian.org>, Sebastian Ramacher
> <sramac...@debian.org>
> Control: tags 1106689 + patch
> Control: tags 1106689 + pending
>
>
> Dear maintainer, hi Sebastian and Sebastian
>
> I've prepared an NMU for libvpx (versioned as 1.15.0-2.1) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should cancel it.
Thanks! Please feel free to reschedule to DELAYED/0. Cheers > > https://salsa.debian.org/multimedia-team/libvpx/-/merge_requests/5 > is the corresponding MR on salsa. > > Regards, > Salvatore > diffstat for libvpx-1.15.0 libvpx-1.15.0 > > changelog | 8 + > patches/series | 1 > patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch | 62 > ++++++++++ > 3 files changed, 71 insertions(+) > > diff -Nru libvpx-1.15.0/debian/changelog libvpx-1.15.0/debian/changelog > --- libvpx-1.15.0/debian/changelog 2025-02-20 04:37:58.000000000 +0100 > +++ libvpx-1.15.0/debian/changelog 2025-05-27 23:00:58.000000000 +0200 > @@ -1,3 +1,11 @@ > +libvpx (1.15.0-2.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * vpx_codec_enc_init_multi: fix double free on init failure > + (Closes: #1106689) > + > + -- Salvatore Bonaccorso <car...@debian.org> Tue, 27 May 2025 23:00:58 +0200 > + > libvpx (1.15.0-2) unstable; urgency=medium > > * Team upload > diff -Nru libvpx-1.15.0/debian/patches/series > libvpx-1.15.0/debian/patches/series > --- libvpx-1.15.0/debian/patches/series 2025-02-20 04:37:58.000000000 > +0100 > +++ libvpx-1.15.0/debian/patches/series 2025-05-27 23:00:58.000000000 > +0200 > @@ -1,2 +1,3 @@ > 0001-Relax-ABI-check.patch > 0002-Do-not-undefine-_FORTIFY_SOURCE.patch > +vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch > diff -Nru > libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch > > libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch > --- > libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch > 2025-05-27 23:00:58.000000000 +0200 
> @@ -0,0 +1,62 @@ > +From 1c758781c428c0e895645b95b8ff1512b6bdcecb Mon Sep 17 00:00:00 2001 > +From: James Zern <jz...@google.com> > +Date: Wed, 30 Apr 2025 19:28:48 -0700 > +Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure > + > +In `vp8e_init()`, the encoder would take ownership of > +`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed. > +This caused confusion at the call site as other failures in > +`vp8e_init()` did not result in ownership transfer and the caller would > +free the memory. In the case of `vp8_create_compressor()` failure both > +the caller and `vpx_codec_destroy()` would free the memory, causing a > +crash. `mr_*` related variables are now cleared on failure to prevent > +this situation. > + > +Bug: webm:413411335 > +Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 > +Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc > +--- > + vp8/vp8_cx_iface.c | 12 +++++++++++- > + vpx/src/vpx_encoder.c | 3 +++ > + 2 files changed, 14 insertions(+), 1 deletion(-) > + > +diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c > +index 38456d2b90c7..35c94fb04343 100644 > +--- a/vp8/vp8_cx_iface.c > ++++ b/vp8/vp8_cx_iface.c > +@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx, > + > + set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg); > + priv->cpi = vp8_create_compressor(&priv->oxcf); > +- if (!priv->cpi) res = VPX_CODEC_MEM_ERROR; > ++ if (!priv->cpi) { > ++#if CONFIG_MULTI_RES_ENCODING > ++ // Release ownership of mr_cfg->mr_low_res_mode_info on failure. > This > ++ // prevents ownership confusion with the caller and avoids a double > ++ // free when vpx_codec_destroy() is called on this instance. 
> ++ priv->oxcf.mr_total_resolutions = 0; > ++ priv->oxcf.mr_encoder_id = 0; > ++ priv->oxcf.mr_low_res_mode_info = NULL; > ++#endif > ++ res = VPX_CODEC_MEM_ERROR; > ++ } > + } > + } > + > +diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c > +index 001d854abe9c..3af4cea3a70f 100644 > +--- a/vpx/src/vpx_encoder.c > ++++ b/vpx/src/vpx_encoder.c > +@@ -114,6 +114,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver( > + ctx->priv = NULL; > + ctx->init_flags = flags; > + ctx->config.enc = cfg; > ++ // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only > if > ++ // this call succeeds. The first ctx entry in the array is > ++ // responsible for freeing the memory. > + res = ctx->iface->init(ctx, &mr_cfg); > + } > + > +-- > +2.49.0 > + -- Sebastian Ramacher
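Review bot: the vp8e_init() hunk fixes the ownership hand-back but leaves the teardown side implicit: setting priv->oxcf.mr_low_res_mode_info to NULL only avoids the double free if the destroy path (not visible in this hunk) treats a NULL pointer as nothing to free, so a regression test that drives vpx_codec_enc_init_multi() through a failing vp8_create_compressor() and then calls vpx_codec_destroy() on the ctx would pin the behaviour the commit message describes. The reset itself is placed correctly: it sits in the one failure branch that runs after set_vp8e_config() has copied mr_cfg into priv->oxcf, and it is rightly guarded by CONFIG_MULTI_RES_ENCODING since the mr_* fields only exist in that build, with `res = VPX_CODEC_MEM_ERROR;` preserved inside the new block.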
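Review bot: the vpx_encoder.c hunk only adds a comment, and the contract it states ("ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if this call succeeds") is enforced entirely by the vp8e_init() change; the caller's own error path after `res = ctx->iface->init(ctx, &mr_cfg);`, where the commit message says the caller frees the memory on failure, is outside the hunk's context. Worth confirming in review that that path frees mr_low_res_mode_info exactly once for the whole array (matching the comment's "first ctx entry in the array is responsible"), and worth extending the comment by one line to say that init() clears its copy on failure, so a future reader of this file does not have to open vp8_cx_iface.c to see why the invariant holds.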