Re: [OE-core] [kirkstone][PATCH v3] libwebp: Fix CVE-2023-5129

2023-09-27 Thread Steve Sakoman
On Tue, Sep 26, 2023 at 2:25 PM Colin McAllister  wrote:
>
> Add patch from libwebp 1.2.4 to fix CVE-2023-5129
>
> Signed-off-by: Colin McAllister 
> ---
>  .../webp/files/CVE-2023-5129.patch| 364 ++
>  meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   1 +
>  2 files changed, 365 insertions(+)
>  create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
>
> diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch 
> b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
> new file mode 100644
> index 00..401fa370d4
> --- /dev/null
> +++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
> @@ -0,0 +1,364 @@
> +From 383b8b4eb6780d855e8a8177fbce96ab39dba6a5 Mon Sep 17 00:00:00 2001
> +From: Vincent Rabaud 
> +Date: Thu, 7 Sep 2023 21:16:03 +0200
> +Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
> +
> +First, BuildHuffmanTable is called to check if the data is valid.
> +If it is and the table is not big enough, more memory is allocated.
> +
> +This will make sure that valid (but unoptimized because of unbalanced
> +codes) streams are still decodable.
> +
> +Bug: chromium:1479274
> +Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
> +
> +CVE: CVE-2023-5129
> +
> +Upstream-Status: Backport 
> [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]

Missing your Signed-off-by: here in the patch file.

Please send a V4, sorry!

Steve

> +---
> + src/dec/vp8l_dec.c| 46 ++-
> + src/dec/vp8li_dec.h   |  2 +-
> + src/utils/huffman_utils.c | 97 +++
> + src/utils/huffman_utils.h | 27 +--
> + 4 files changed, 129 insertions(+), 43 deletions(-)
> +
> +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
> +index 13480551..186b0b2f 100644
> +--- a/src/dec/vp8l_dec.c
>  b/src/dec/vp8l_dec.c
> +@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
> +   int symbol;
> +   int max_symbol;
> +   int prev_code_len = DEFAULT_CODE_LENGTH;
> +-  HuffmanCode table[1 << LENGTHS_TABLE_BITS];
> ++  HuffmanTables tables;
> +
> +-  if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
> +- code_length_code_lengths,
> +- NUM_CODE_LENGTH_CODES)) {
> ++  if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, ) ||
> ++  !VP8LBuildHuffmanTable(, LENGTHS_TABLE_BITS,
> ++ code_length_code_lengths, 
> NUM_CODE_LENGTH_CODES)) {
> + goto End;
> +   }
> +
> +@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
> + int code_len;
> + if (max_symbol-- == 0) break;
> + VP8LFillBitWindow(br);
> +-p = [VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
> ++p = _segment->start[VP8LPrefetchBits(br) & 
> LENGTHS_TABLE_MASK];
> + VP8LSetBitPos(br, br->bit_pos_ + p->bits);
> + code_len = p->value;
> + if (code_len < kCodeLengthLiterals) {
> +@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
> +   ok = 1;
> +
> +  End:
> ++  VP8LHuffmanTablesDeallocate();
> +   if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
> +   return ok;
> + }
> +@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
> + // 'code_lengths' is pre-allocated temporary buffer, used for creating 
> Huffman
> + // tree.
> + static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
> +-   int* const code_lengths, HuffmanCode* const 
> table) {
> ++   int* const code_lengths,
> ++   HuffmanTables* const table) {
> +   int ok = 0;
> +   int size = 0;
> +   VP8LBitReader* const br = >br_;
> +@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int 
> xsize, int ysize,
> +   VP8LMetadata* const hdr = >hdr_;
> +   uint32_t* huffman_image = NULL;
> +   HTreeGroup* htree_groups = NULL;
> +-  HuffmanCode* huffman_tables = NULL;
> +-  HuffmanCode* huffman_table = NULL;
> ++  HuffmanTables* huffman_tables = >huffman_tables_;
> +   int num_htree_groups = 1;
> +   int num_htree_groups_max = 1;
> +   int max_alphabet_size = 0;
> +@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int 
> xsize, int ysize,
> +   int* mapping = NULL;
> +   int ok = 0;
> +
> ++  // Check the table has been 0 initialized (through InitMetadata).
> ++  assert(huffman_tables->root.start == NULL);
> ++  assert(huffman_tables->curr_segment == NULL);
> ++
> +   if (allow_recursion && VP8LReadBits(br, 1)) {
> + // use meta Huffman codes.
> + const int huffman_precision = VP8LReadBits(br, 3) + 2;
> +@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, 
> int xsize, int ysize,
> +
> +   code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
> +   sizeof(*code_lengths));
> +-  huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * 
> table_size,
> +-

[OE-core] [kirkstone][PATCH v3] libwebp: Fix CVE-2023-5129

2023-09-26 Thread Colin McAllister
Add patch from libwebp 1.2.4 to fix CVE-2023-5129

Signed-off-by: Colin McAllister 
---
 .../webp/files/CVE-2023-5129.patch| 364 ++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   1 +
 2 files changed, 365 insertions(+)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
new file mode 100644
index 00..401fa370d4
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
@@ -0,0 +1,364 @@
+From 383b8b4eb6780d855e8a8177fbce96ab39dba6a5 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Thu, 7 Sep 2023 21:16:03 +0200
+Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+
+First, BuildHuffmanTable is called to check if the data is valid.
+If it is and the table is not big enough, more memory is allocated.
+
+This will make sure that valid (but unoptimized because of unbalanced
+codes) streams are still decodable.
+
+Bug: chromium:1479274
+Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
+
+CVE: CVE-2023-5129
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
+---
+ src/dec/vp8l_dec.c| 46 ++-
+ src/dec/vp8li_dec.h   |  2 +-
+ src/utils/huffman_utils.c | 97 +++
+ src/utils/huffman_utils.h | 27 +--
+ 4 files changed, 129 insertions(+), 43 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 13480551..186b0b2f 100644
+--- a/src/dec/vp8l_dec.c
 b/src/dec/vp8l_dec.c
+@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
+   int symbol;
+   int max_symbol;
+   int prev_code_len = DEFAULT_CODE_LENGTH;
+-  HuffmanCode table[1 << LENGTHS_TABLE_BITS];
++  HuffmanTables tables;
+ 
+-  if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
+- code_length_code_lengths,
+- NUM_CODE_LENGTH_CODES)) {
++  if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, ) ||
++  !VP8LBuildHuffmanTable(, LENGTHS_TABLE_BITS,
++ code_length_code_lengths, 
NUM_CODE_LENGTH_CODES)) {
+ goto End;
+   }
+ 
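Review bot: `HuffmanTables tables;` is declared without an initializer, and when `VP8LHuffmanTablesAllocate` returns 0 the `goto End` path still runs the `VP8LHuffmanTablesDeallocate` call added in the `End:` hunk (@@ -300,6 +300,7). That is only safe if the allocator sets every field the deallocator reads before it can fail; presumably these are `root.start` and `root.next`, but the `huffman_utils.c` part of the patch is not visible here, so this needs checking there. Zero-initializing at the declaration, `HuffmanTables tables = {0};`, would make the out-of-memory path independent of that ordering. ReadHuffmanCodeLengths starts before this hunk and continues after it.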
+@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
+ int code_len;
+ if (max_symbol-- == 0) break;
+ VP8LFillBitWindow(br);
+-p = [VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
++p = _segment->start[VP8LPrefetchBits(br) & 
LENGTHS_TABLE_MASK];
+ VP8LSetBitPos(br, br->bit_pos_ + p->bits);
+ code_len = p->value;
+ if (code_len < kCodeLengthLiterals) {
+@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
+   ok = 1;
+ 
+  End:
++  VP8LHuffmanTablesDeallocate();
+   if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
+   return ok;
+ }
+@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
+ // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
+ // tree.
+ static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
+-   int* const code_lengths, HuffmanCode* const table) 
{
++   int* const code_lengths,
++   HuffmanTables* const table) {
+   int ok = 0;
+   int size = 0;
+   VP8LBitReader* const br = >br_;
+@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int 
xsize, int ysize,
+   VP8LMetadata* const hdr = >hdr_;
+   uint32_t* huffman_image = NULL;
+   HTreeGroup* htree_groups = NULL;
+-  HuffmanCode* huffman_tables = NULL;
+-  HuffmanCode* huffman_table = NULL;
++  HuffmanTables* huffman_tables = >huffman_tables_;
+   int num_htree_groups = 1;
+   int num_htree_groups_max = 1;
+   int max_alphabet_size = 0;
+@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int 
xsize, int ysize,
+   int* mapping = NULL;
+   int ok = 0;
+ 
++  // Check the table has been 0 initialized (through InitMetadata).
++  assert(huffman_tables->root.start == NULL);
++  assert(huffman_tables->curr_segment == NULL);
++
+   if (allow_recursion && VP8LReadBits(br, 1)) {
+ // use meta Huffman codes.
+ const int huffman_precision = VP8LReadBits(br, 3) + 2;
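Review bot: The two added `assert` lines are the only check that `huffman_tables` is still empty on entry to ReadHuffmanCodes, and they compile away under NDEBUG. If the function were ever entered with a table already allocated, the later `VP8LHuffmanTablesAllocate(num_htree_groups * table_size, huffman_tables)` call (hunk @@ -434,16 +439,15) would presumably replace `root.start` and lose the earlier buffer. I would extend the comment to state the contract, for example `// Precondition (debug-only check): hdr_ was zeroed by InitMetadata and no table is allocated yet.` The function body continues outside this hunk.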
+@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int 
xsize, int ysize,
+ 
+   code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
+   sizeof(*code_lengths));
+-  huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
+-sizeof(*huffman_tables));
+   htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
+ 
+-  if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) 
{
++  if (htree_groups == NULL || code_lengths == NULL ||
++  !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
++ huffman_tables)) {
+ dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
+ goto