[libvpx/f13/master] apply upstream change to resolve CVE-2010-4203

Tom Callaway spot at fedoraproject.org
Wed Nov 17 20:23:36 UTC 2010


commit 4d29629d19f1acae04825ade54669d97fd1bc88a
Author: Tom "spot" Callaway <tcallawa at redhat.com>
Date:   Wed Nov 17 15:23:41 2010 -0500

    apply upstream change to resolve CVE-2010-4203

 libvpx-0.9.5-I6266aba7.patch |   73 ++++++++++++++++++++++++++++++++++++++++++
 libvpx.spec                  |    9 ++++-
 2 files changed, 81 insertions(+), 1 deletions(-)
---
diff --git a/libvpx-0.9.5-I6266aba7.patch b/libvpx-0.9.5-I6266aba7.patch
new file mode 100644
index 0000000..299a1e9
--- /dev/null
+++ b/libvpx-0.9.5-I6266aba7.patch
@@ -0,0 +1,73 @@
+From 9fb80f7170ec48e23c3c7b477149eeb37081c699 Mon Sep 17 00:00:00 2001
+From: John Koleszar <jkoleszar at google.com>
+Date: Thu, 4 Nov 2010 16:59:26 -0400
+Subject: [PATCH] fix integer promotion bug in partition size check
+
+The check '(user_data_end - partition < partition_size)' must be
+evaluated as a signed comparison, but because partition_size was
+unsigned, the LHS was promoted to unsigned, causing an incorrect
+result on 32-bit. Instead, check the upper and lower bounds of
+the segment separately.
+
+Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
+---
+ vp8/decoder/decodframe.c |    6 ++++--
+ vp8/vp8_dx_iface.c       |   10 ++++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 2d81d61..f5e49a1 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+             partition_size = user_data_end - partition;
+         }
+ 
+-        if (user_data_end - partition < partition_size)
++        if (partition + partition_size > user_data_end
++            || partition + partition_size < partition)
+             vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                                "Truncated packet or corrupt partition "
+                                "%d length", i + 1);
+@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+         (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+     data += 3;
+ 
+-    if (data_end - data < first_partition_length_in_bytes)
++    if (data + first_partition_length_in_bytes > data_end
++        || data + first_partition_length_in_bytes < data)
+         vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                            "Truncated packet or corrupt partition 0 length");
+     vp8_setup_version(pc);
+diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
+index e7e5356..f0adf5b 100644
+--- a/vp8/vp8_dx_iface.c
++++ b/vp8/vp8_dx_iface.c
+@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t         *data,
+                                    unsigned int           data_sz,
+                                    vpx_codec_stream_info_t *si)
+ {
+-
+     vpx_codec_err_t res = VPX_CODEC_OK;
++
++    if(data + data_sz <= data)
++        res = VPX_CODEC_INVALID_PARAM;
++    else
+     {
+         /* Parse uncompresssed part of key frame header.
+          * 3 bytes:- including version, frame type and an offset
+@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t  *ctx,
+ 
+     ctx->img_avail = 0;
+ 
+-    /* Determine the stream parameters */
++    /* Determine the stream parameters. Note that we rely on peek_si to
++     * validate that we have a buffer that does not wrap around the top
++     * of the heap.
++     */
+     if (!ctx->si.h)
+         res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
+ 
+-- 
+1.7.3.1
+
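Review bot: The wrap-around guards added in decodframe.c, `partition + partition_size < partition` and `data + first_partition_length_in_bytes < data` (and `data + data_sz <= data` in vp8_peek_si), form a pointer beyond the end of the buffer and then compare it, which is undefined behaviour in C, so an optimizer is free to fold `p + n < p` to false for unsigned `n` and silently remove the check. Comparing lengths keeps the arithmetic defined: `if (partition > user_data_end || partition_size > (size_t)(user_data_end - partition))`, and likewise `if (data > data_end || first_partition_length_in_bytes > (size_t)(data_end - data))`. The new comment in vp8_decode says it relies on peek_si for this validation, but the call sits under `if (!ctx->si.h)`, so as far as the hunk shows it runs only until the stream info is populated; whether later frames get an equivalent size check elsewhere in vp8_decode is worth confirming. The enclosing functions setup_token_decoder, vp8_decode_frame, vp8_peek_si and vp8_decode all start and end outside the hunk.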
diff --git a/libvpx.spec b/libvpx.spec
index 30073db..139eb98 100644
--- a/libvpx.spec
+++ b/libvpx.spec
@@ -1,7 +1,7 @@
 Name:			libvpx
 Summary:		VP8 Video Codec SDK
 Version:		0.9.5
-Release:		1%{?dist}
+Release:		2%{?dist}
 License:		BSD
 Group:			System Environment/Libraries
 Source0:		http://webm.googlecode.com/files/%{name}-v%{version}.tar.bz2
@@ -9,6 +9,9 @@ Source1:		libvpx.pc
 # Thanks to debian.
 Source2:		libvpx.ver
 Patch0:			libvpx-0.9.0-no-explicit-dep-on-static-lib.patch
+# From http://review.webmproject.org/#change,1098
+# Should resolve CVE-2010-4203
+Patch1:			libvpx-0.9.5-I6266aba7.patch
 URL:			http://www.webmproject.org/tools/vp8-sdk/
 %ifarch %{ix86} x86_64
 BuildRequires:		yasm
@@ -41,6 +44,7 @@ and decoder.
 %prep
 %setup -q -n %{name}-v%{version}
 %patch0 -p1 -b .no-static-lib
+%patch1 -p1 -b .I6266aba7
 
 %build
 %ifarch %{ix86}
@@ -157,6 +161,9 @@ rm -rf %{buildroot}
 %{_bindir}/*
 
 %changelog
+* Wed Nov 17 2010 Tom "spot" Callaway <tcallawa at redhat.com> 0.9.5-2
+- apply patch from upstream git (Change I6266aba7), should resolve CVE-2010-4203
+
 * Mon Nov  1 2010 Tom "spot" Callaway <tcallawa at redhat.com> 0.9.5-1
 - update to 0.9.5
 

