diff -up libvpx-v1.3.0/build/make/configure.sh.CVE-2015-1258 libvpx-v1.3.0/build/make/configure.sh
--- libvpx-v1.3.0/build/make/configure.sh.CVE-2015-1258 2015-09-15 11:53:10.541095521 -0400
+++ libvpx-v1.3.0/build/make/configure.sh 2015-09-15 11:54:55.218408321 -0400
@@ -471,6 +471,7 @@ EOF
print_config_h ARCH "${TMP_H}" ${ARCH_LIST}
print_config_h HAVE "${TMP_H}" ${HAVE_LIST}
print_config_h CONFIG "${TMP_H}" ${CONFIG_LIST}
+ print_config_vars_h "${TMP_H}" ${VAR_LIST}
echo "#endif /* VPX_CONFIG_H */" >> ${TMP_H}
mkdir -p `dirname "$1"`
cmp "$1" ${TMP_H} >/dev/null 2>&1 || mv ${TMP_H} "$1"
@@ -536,6 +537,15 @@ process_common_cmdline() {
|| die "Must be yasm, nasm or auto: ${optval}"
alt_as="${optval}"
;;
+ --size-limit=*)
+ w="${optval%%x*}"
+ h="${optval##*x}"
+ VAR_LIST="DECODE_WIDTH_LIMIT ${w} DECODE_HEIGHT_LIMIT ${h}"
+ [ ${w} -gt 0 -a ${h} -gt 0 ] || die "Invalid size-limit: too small."
+ [ ${w} -lt 65536 -a ${h} -lt 65536 ] \
+ || die "Invalid size-limit: too big."
+ enable_feature size_limit
+ ;;
--prefix=*)
prefix="${optval}"
;;
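Review bot: The `--size-limit=*` arm never checks that the value has the form WxH before using it. With no `x`, both `${w}` and `${h}` become the whole value, and non-numeric text is rejected only because `[` itself errors, which then reports the misleading "too small". A leading zero such as `010x20` passes the decimal `-gt`/`-lt` tests, but print_config_vars_h writes it verbatim into the generated header, where C reads `010` as octal 8. Validating the shape first and quoting the expansions in the tests, as sketched below, closes these gaps. process_common_cmdline starts and ends outside this hunk.

```shell
      --size-limit=*)
        # Accept only decimal WxH with no leading zeros; the values are copied
        # verbatim into the generated config header as C integer constants.
        case "${optval}" in
          *[!0-9x]*|*x*x*|x*|*x|0*|*x0*)
            die "Invalid size-limit: expected WxH." ;;
          *x*) ;;
          *) die "Invalid size-limit: expected WxH." ;;
        esac
        # … unchanged: w/h split, VAR_LIST assignment …
        [ "${w}" -gt 0 ] && [ "${h}" -gt 0 ] || die "Invalid size-limit: too small."
        [ "${w}" -lt 65536 ] && [ "${h}" -lt 65536 ] \
          || die "Invalid size-limit: too big."
        # … unchanged: enable_feature size_limit …
```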
@@ -1294,6 +1304,16 @@ print_config_h() {
done
}
+print_config_vars_h() {
+ local header=$1
+ shift
+ while [ $# -gt 0 ]; do
+ upname="`toupper $1`"
+ echo "#define ${upname} $2" >> $header
+ shift 2
+ done
+}
+
print_webm_license() {
local destination=$1
local prefix="$2"
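Review bot: print_config_vars_h assigns `upname` without declaring it local and leaves `$header` unquoted in the redirection, although the call site passes `"${TMP_H}"` quoted; I would write `local header="$1" upname` and `echo "#define ${upname} $2" >> "$header"`. The loop also assumes name/value pairs: with an odd number of arguments the last name is emitted with an empty value and `shift 2` is asked to shift more than remains, so `while [ $# -ge 2 ]` is the safer condition. A one-line header comment such as `# print_config_vars_h HEADER NAME VALUE...: append "#define NAME VALUE" for each pair` would document the calling convention. The trailing context lines belong to print_webm_license, which continues outside the hunk.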
diff -up libvpx-v1.3.0/configure.CVE-2015-1258 libvpx-v1.3.0/configure
--- libvpx-v1.3.0/configure.CVE-2015-1258 2015-09-15 11:55:10.097310642 -0400
+++ libvpx-v1.3.0/configure 2015-09-15 11:56:18.313862804 -0400
@@ -25,6 +25,7 @@ Advanced options:
${toggle_docs} documentation
${toggle_unit_tests} unit tests
--libc=PATH path to alternate libc
+ --size-limit=WxH max size to allow in the decoder
--as={yasm|nasm|auto} use specified assembler [auto, yasm preferred]
--sdk-path=PATH path to root of sdk (android builds only)
${toggle_fast_unaligned} don't use unaligned accesses, even when
@@ -306,6 +307,7 @@ CONFIG_LIST="
temporal_denoising
experimental
decrypt
+ size_limit
${EXPERIMENT_LIST}
"
CMDLINE_SELECT="
@@ -331,6 +333,7 @@ CMDLINE_SELECT="
docs
libc
as
+ size_limit
fast_unaligned
codec_srcs
debug_libs
diff -up libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c.CVE-2015-1258 libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c
--- libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c.CVE-2015-1258 2015-09-15 11:57:47.569276850 -0400
+++ libvpx-v1.3.0/vp9/decoder/vp9_decodframe.c 2015-09-15 11:58:14.873097600 -0400
@@ -703,6 +703,12 @@ static void setup_display_size(VP9_COMMO
static void apply_frame_size(VP9D_COMP *pbi, int width, int height) {
VP9_COMMON *cm = &pbi->common;
+#if CONFIG_SIZE_LIMIT
+ if (width > DECODE_WIDTH_LIMIT || height > DECODE_HEIGHT_LIMIT)
+ vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
+ "Width and height beyond allowed size.");
+#endif
+
if (cm->width != width || cm->height != height) {
// Change in frame size.
if (cm->width == 0 || cm->height == 0) {
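Review bot: The new size check in apply_frame_size relies on vpx_internal_error() not returning, because nothing after the call stops the function from continuing into the resize path with the oversized width and height. Its definition is not part of this patch; if it can return when no error handler is armed, brace the branch and add `return;` after the call so the limit still holds. The guard also tests only `CONFIG_SIZE_LIMIT`, while `DECODE_WIDTH_LIMIT` and `DECODE_HEIGHT_LIMIT` are emitted only when `--size-limit=WxH` is given. If the feature can be enabled without a value, a `#error` for the missing macros would give a clearer failure than an undeclared identifier here. The function body continues outside the hunk.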
diff -up libvpx-v1.3.0/vpx/src/vpx_image.c.CVE-2015-1258 libvpx-v1.3.0/vpx/src/vpx_image.c
--- libvpx-v1.3.0/vpx/src/vpx_image.c.CVE-2015-1258 2015-09-15 11:58:36.912952912 -0400
+++ libvpx-v1.3.0/vpx/src/vpx_image.c 2015-09-15 12:00:05.111373894 -0400
@@ -12,6 +12,7 @@
#include <stdlib.h>
#include <string.h>
#include "vpx/vpx_image.h"
+#include "vpx/vpx_integer.h"
#define ADDRESS_STORAGE_SIZE sizeof(size_t)
/*returns an addr aligned to the byte boundary specified by align*/
@@ -147,8 +148,13 @@ static vpx_image_t *img_alloc_helper(vpx
img->img_data = img_data;
if (!img_data) {
- img->img_data = img_buf_memalign(buf_align, ((fmt & VPX_IMG_FMT_PLANAR) ?
- h * s * bps / 8 : h * s));
+ const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ?
+ (uint64_t)h * s * bps / 8 : (uint64_t)h * s;
+
+ if (alloc_size != (size_t)alloc_size)
+ goto fail;
+
+ img->img_data = img_buf_memalign(buf_align, (size_t)alloc_size);
img->img_data_owner = 1;
}
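Review bot: The `alloc_size != (size_t)alloc_size` test in img_alloc_helper only proves that the byte count fits in a `size_t`; it leaves no headroom for anything img_buf_memalign adds on top. That function's body is not shown, but the `ADDRESS_STORAGE_SIZE` define and its "aligned to the byte boundary" comment suggest it pads the request, so a value just below `SIZE_MAX` could still wrap inside it. A bound such as `if (alloc_size > SIZE_MAX - buf_align - ADDRESS_STORAGE_SIZE) goto fail;` would cover that, assuming this is how the padding is computed. The stride `s` is computed before this hunk and, if that happens in 32-bit arithmetic, may already have wrapped before it is widened here, so it is worth checking too. img_alloc_helper starts and ends outside the hunk, and the `fail` label is not visible.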