diff --git a/libvpx-0.9.5-I6266aba7.patch b/libvpx-0.9.5-I6266aba7.patch new file mode 100644 index 0000000..299a1e9 --- /dev/null +++ b/libvpx-0.9.5-I6266aba7.patch @@ -0,0 +1,73 @@ +From 9fb80f7170ec48e23c3c7b477149eeb37081c699 Mon Sep 17 00:00:00 2001 +From: John Koleszar +Date: Thu, 4 Nov 2010 16:59:26 -0400 +Subject: [PATCH] fix integer promotion bug in partition size check + +The check '(user_data_end - partition < partition_size)' must be +evaluated as a signed comparison, but because partition_size was +unsigned, the LHS was promoted to unsigned, causing an incorrect +result on 32-bit. Instead, check the upper and lower bounds of +the segment separately. + +Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06 +--- + vp8/decoder/decodframe.c | 6 ++++-- + vp8/vp8_dx_iface.c | 10 ++++++++-- + 2 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c +index 2d81d61..f5e49a1 100644 +--- a/vp8/decoder/decodframe.c ++++ b/vp8/decoder/decodframe.c +@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi, + partition_size = user_data_end - partition; + } + +- if (user_data_end - partition < partition_size) ++ if (partition + partition_size > user_data_end ++ || partition + partition_size < partition) + vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME, + "Truncated packet or corrupt partition " + "%d length", i + 1); +@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi) + (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5; + data += 3; + +- if (data_end - data < first_partition_length_in_bytes) ++ if (data + first_partition_length_in_bytes > data_end ++ || data + first_partition_length_in_bytes < data) + vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME, + "Truncated packet or corrupt partition 0 length"); + vp8_setup_version(pc); +diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c +index e7e5356..f0adf5b 100644 +--- a/vp8/vp8_dx_iface.c ++++ b/vp8/vp8_dx_iface.c +@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data, + unsigned int data_sz, + vpx_codec_stream_info_t *si) + { +- + vpx_codec_err_t res = VPX_CODEC_OK; ++ ++ if(data + data_sz <= data) ++ res = VPX_CODEC_INVALID_PARAM; ++ else + { + /* Parse uncompresssed part of key frame header. + * 3 bytes:- including version, frame type and an offset +@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx, + + ctx->img_avail = 0; + +- /* Determine the stream parameters */ ++ /* Determine the stream parameters. Note that we rely on peek_si to ++ * validate that we have a buffer that does not wrap around the top ++ * of the heap. ++ */ + if (!ctx->si.h) + res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si); + +-- +1.7.3.1 + diff --git a/libvpx.spec b/libvpx.spec index 30073db..139eb98 100644 --- a/libvpx.spec +++ b/libvpx.spec @@ -1,7 +1,7 @@ Name: libvpx Summary: VP8 Video Codec SDK Version: 0.9.5 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Group: System Environment/Libraries Source0: http://webm.googlecode.com/files/%{name}-v%{version}.tar.bz2 @@ -9,6 +9,9 @@ Source1: libvpx.pc # Thanks to debian. Source2: libvpx.ver Patch0: libvpx-0.9.0-no-explicit-dep-on-static-lib.patch +# From http://review.webmproject.org/#change,1098 +# Should resolve CVE-2010-4203 +Patch1: libvpx-0.9.5-I6266aba7.patch URL: http://www.webmproject.org/tools/vp8-sdk/ %ifarch %{ix86} x86_64 BuildRequires: yasm @@ -41,6 +44,7 @@ and decoder. %prep %setup -q -n %{name}-v%{version} %patch0 -p1 -b .no-static-lib +%patch1 -p1 -b .I6266aba7 %build %ifarch %{ix86} @@ -157,6 +161,9 @@ rm -rf %{buildroot} %{_bindir}/* %changelog +* Wed Nov 17 2010 Tom "spot" Callaway 0.9.5-2 +- apply patch from upstream git (Change I6266aba7), should resolve CVE-2010-4203 + * Mon Nov 1 2010 Tom "spot" Callaway 0.9.5-1 - update to 0.9.5