Re: [OE-core] [kirkstone][PATCH v3] libwebp: Fix CVE-2023-5129
On Tue, Sep 26, 2023 at 2:25 PM Colin McAllister wrote: > > Add patch from libwebp 1.2.4 to fix CVE-2023-5129 > > Signed-off-by: Colin McAllister > --- > .../webp/files/CVE-2023-5129.patch| 364 ++ > meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + > 2 files changed, 365 insertions(+) > create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch > > diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch > b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch > new file mode 100644 > index 00..401fa370d4 > --- /dev/null > +++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch > @@ -0,0 +1,364 @@ > +From 383b8b4eb6780d855e8a8177fbce96ab39dba6a5 Mon Sep 17 00:00:00 2001 > +From: Vincent Rabaud > +Date: Thu, 7 Sep 2023 21:16:03 +0200 > +Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable. > + > +First, BuildHuffmanTable is called to check if the data is valid. > +If it is and the table is not big enough, more memory is allocated. > + > +This will make sure that valid (but unoptimized because of unbalanced > +codes) streams are still decodable. > + > +Bug: chromium:1479274 > +Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 > + > +CVE: CVE-2023-5129 > + > +Upstream-Status: Backport > [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a] Missing your 
Signed-off-by: here in the patch file. Please send a V4, sorry! Steve > +--- > + src/dec/vp8l_dec.c| 46 ++- > + src/dec/vp8li_dec.h | 2 +- > + src/utils/huffman_utils.c | 97 +++ > + src/utils/huffman_utils.h | 27 +-- > + 4 files changed, 129 insertions(+), 43 deletions(-) > + > +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c > +index 13480551..186b0b2f 100644 > +--- a/src/dec/vp8l_dec.c > b/src/dec/vp8l_dec.c > +@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths( > + int symbol; > + int max_symbol; > + int prev_code_len = DEFAULT_CODE_LENGTH; > +- HuffmanCode table[1 << LENGTHS_TABLE_BITS]; > ++ HuffmanTables tables; > + > +- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS, > +- code_length_code_lengths, > +- NUM_CODE_LENGTH_CODES)) { > ++ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, ) || > ++ !VP8LBuildHuffmanTable(, LENGTHS_TABLE_BITS, > ++ code_length_code_lengths, > NUM_CODE_LENGTH_CODES)) { > + goto End; > + } > + > +@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths( > + int code_len; > + if (max_symbol-- == 0) break; > + VP8LFillBitWindow(br); > +-p = [VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK]; > ++p = _segment->start[VP8LPrefetchBits(br) & > LENGTHS_TABLE_MASK]; > + VP8LSetBitPos(br, br->bit_pos_ + p->bits); > + code_len = p->value; > + if (code_len < kCodeLengthLiterals) { > +@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths( > + ok = 1; > + > + End: > ++ VP8LHuffmanTablesDeallocate(); > + if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR; > + return ok; > + } > +@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths( > + // 'code_lengths' is pre-allocated temporary buffer, used for creating > Huffman > + // tree. 
> + static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec, > +- int* const code_lengths, HuffmanCode* const > table) { > ++ int* const code_lengths, > ++ HuffmanTables* const table) { > + int ok = 0; > + int size = 0; > + VP8LBitReader* const br = >br_; > +@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int > xsize, int ysize, > + VP8LMetadata* const hdr = >hdr_; > + uint32_t* huffman_image = NULL; > + HTreeGroup* htree_groups = NULL; > +- HuffmanCode* huffman_tables = NULL; > +- HuffmanCode* huffman_table = NULL; > ++ HuffmanTables* huffman_tables = >huffman_tables_; > + int num_htree_groups = 1; > + int num_htree_groups_max = 1; > + int max_alphabet_size = 0; > +@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int > xsize, int ysize, > + int* mapping = NULL; > + int ok = 0; > + > ++ // Check the table has been 0 initialized (through InitMetadata). > ++ assert(huffman_tables->root.start == NULL); > ++ assert(huffman_tables->curr_segment == NULL); > ++ > + if (allow_recursion && VP8LReadBits(br, 1)) { > + // use meta Huffman codes. > + const int huffman_precision = VP8LReadBits(br, 3) + 2; > +@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, > int xsize, int ysize, > + > + code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size, > + sizeof(*code_lengths)); > +- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * > table_size, > +-
[OE-core] [kirkstone][PATCH v3] libwebp: Fix CVE-2023-5129
Add patch from libwebp 1.2.4 to fix CVE-2023-5129 Signed-off-by: Colin McAllister --- .../webp/files/CVE-2023-5129.patch| 364 ++ meta/recipes-multimedia/webp/libwebp_1.2.4.bb | 1 + 2 files changed, 365 insertions(+) create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
new file mode 100644
index 00..401fa370d4
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
@@ -0,0 +1,364 @@
+From 383b8b4eb6780d855e8a8177fbce96ab39dba6a5 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud
+Date: Thu, 7 Sep 2023 21:16:03 +0200
+Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+
+First, BuildHuffmanTable is called to check if the data is valid.
+If it is and the table is not big enough, more memory is allocated.
+
+This will make sure that valid (but unoptimized because of unbalanced
+codes) streams are still decodable.
+
+Bug: chromium:1479274
+Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
+
+CVE: CVE-2023-5129
+
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
+---
+ src/dec/vp8l_dec.c| 46 ++-
+ src/dec/vp8li_dec.h | 2 +-
+ src/utils/huffman_utils.c | 97 +++
+ src/utils/huffman_utils.h | 27 +--
+ 4 files changed, 129 insertions(+), 43 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 13480551..186b0b2f 100644
+--- a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
+ int symbol;
+ int max_symbol;
+ int prev_code_len = DEFAULT_CODE_LENGTH;
+- HuffmanCode table[1 << LENGTHS_TABLE_BITS];
++ HuffmanTables tables;
+
+- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
+- code_length_code_lengths,
+- NUM_CODE_LENGTH_CODES)) {
++ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, ) ||
++ !VP8LBuildHuffmanTable(, LENGTHS_TABLE_BITS,
++ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
+ goto End;
+ }
+
+@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
+ int code_len;
+ if (max_symbol-- == 0) break;
+ VP8LFillBitWindow(br);
+-p = [VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
++p = _segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
+ VP8LSetBitPos(br, br->bit_pos_ + p->bits);
+ code_len = p->value;
+ if (code_len < kCodeLengthLiterals) {
+@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
+ ok = 1;
+
+ End:
++ VP8LHuffmanTablesDeallocate();
+ if (!ok) dec->status_ =
VP8_STATUS_BITSTREAM_ERROR;
+ return ok;
+ }
+@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
+ // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
+ // tree.
+ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
+- int* const code_lengths, HuffmanCode* const table) {
++ int* const code_lengths,
++ HuffmanTables* const table) {
+ int ok = 0;
+ int size = 0;
+ VP8LBitReader* const br = >br_;
+@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ VP8LMetadata* const hdr = >hdr_;
+ uint32_t* huffman_image = NULL;
+ HTreeGroup* htree_groups = NULL;
+- HuffmanCode* huffman_tables = NULL;
+- HuffmanCode* huffman_table = NULL;
++ HuffmanTables* huffman_tables = >huffman_tables_;
+ int num_htree_groups = 1;
+ int num_htree_groups_max = 1;
+ int max_alphabet_size = 0;
+@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+ int* mapping = NULL;
+ int ok = 0;
+
++ // Check the table has been 0 initialized (through InitMetadata).
++ assert(huffman_tables->root.start == NULL);
++ assert(huffman_tables->curr_segment == NULL);
++
+ if (allow_recursion && VP8LReadBits(br, 1)) {
+ // use meta Huffman codes.
+ const int huffman_precision = VP8LReadBits(br, 3) + 2;
+@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
+
+ code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
+ sizeof(*code_lengths));
+- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
+-sizeof(*huffman_tables));
+ htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+
+- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
++ if (htree_groups == NULL || code_lengths == NULL ||
++ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
++ huffman_tables)) {
+ dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
+ goto
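Review bot: The `VP8LHuffmanTablesDeallocate()` call added under `End:` in ReadHuffmanCodeLengths (hunk `@@ -300,6 +300,7 @@`) also runs when the `VP8LHuffmanTablesAllocate()` call added in hunk `@@ -253,11 +253,11 @@` fails, and `HuffmanTables tables;` is an uninitialized stack object at that point. Whether the cleanup then reads indeterminate pointers depends on Allocate setting every field that Deallocate later frees or walks before its failure return; that code is in src/utils/huffman_utils.c, which is not visible in this part of the patch, so it is worth confirming. If it does not, clear the struct before the first `goto End`, e.g. `memset(&tables, 0, sizeof(tables));` ahead of the allocate call. The call arguments in these hunks were lost in the page rendering (presumably `&tables`), and the function body starts and ends outside both hunks.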
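Review bot: The two `assert()` lines added at the top of ReadHuffmanCodes (hunk `@@ -372,6 +373,10 @@`) check the "table is empty on entry" precondition only in debug builds; with NDEBUG defined they compile away. If this function were ever reached with a populated `huffman_tables_`, the `VP8LHuffmanTablesAllocate()` call in the following hunk would presumably overwrite the root pointer instead of releasing it, though the allocator is not shown here. Either extend the comment to name who keeps the invariant, e.g. `// Must be empty on entry: zeroed by InitMetadata and released before any reuse.`, or turn the check into a decode failure so release builds enforce it too. The function body continues outside this hunk.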