From c5327efb97208df569b4682ef5bfe4ac825d1c4f Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Fri, 21 Sep 2018 04:34:10 -0400
Subject: gnu: libvpx: Add upstream security fix.

* gnu/packages/patches/libvpx-use-after-free-in-postproc.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/video.scm (libvpx)[source]: Add patch.
---
 gnu/local.mk | 1 +
 .../libvpx-use-after-free-in-postproc.patch | 34 ++++++++++++++++++++++
 gnu/packages/video.scm | 3 +-
 3 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libvpx-use-after-free-in-postproc.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 4bca986619..9c69fd4f35 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -916,6 +916,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libutils-remove-damaging-includes.patch \
 %D%/packages/patches/libvdpau-va-gl-unbundle.patch \
 %D%/packages/patches/libvpx-CVE-2016-2818.patch \
+ %D%/packages/patches/libvpx-use-after-free-in-postproc.patch \
 %D%/packages/patches/libxslt-generated-ids.patch \
 %D%/packages/patches/libxt-guix-search-paths.patch \
 %D%/packages/patches/lierolibre-check-unaligned-access.patch \
diff --git a/gnu/packages/patches/libvpx-use-after-free-in-postproc.patch b/gnu/packages/patches/libvpx-use-after-free-in-postproc.patch
new file mode 100644
index 0000000000..04f2a953b7
--- /dev/null
+++ b/gnu/packages/patches/libvpx-use-after-free-in-postproc.patch
@@ -0,0 +1,34 @@
+From 52add5896661d186dec284ed646a4b33b607d2c7 Mon Sep 17 00:00:00 2001
+From: Jerome Jiang
+Date: Wed, 23 May 2018 15:43:00 -0700
+Subject: [PATCH] VP8: Fix use-after-free in postproc.
+
+The pointer in vp8 postproc refers to show_frame_mi which is only
+updated on show frame. However, when there is a no-show frame which also
+changes the size (thus new frame buffers allocated), show_frame_mi is
+not updated with new frame buffer memory.
+
+Change the pointer in postproc to mi which is always updated.
+
+Bug: 842265
+Change-Id: I33874f2112b39f74562cba528432b5f239e6a7bd
+---
+ vp8/common/postproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vp8/common/postproc.c b/vp8/common/postproc.c
+index d67ee8a57..8c292d616 100644
+--- a/vp8/common/postproc.c
++++ b/vp8/common/postproc.c
+@@ -65,7 +65,7 @@ void vp8_deblock(VP8_COMMON *cm, YV12_BUFFER_CONFIG *source,
+ double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+ int ppl = (int)(level + .5);
+
+- const MODE_INFO *mode_info_context = cm->show_frame_mi;
++ const MODE_INFO *mode_info_context = cm->mi;
+ int mbr, mbc;
+
+ /* The pixel thresholds are adjusted according to if or not the macroblock
+--
+2.19.0
+
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 4882f0476a..448773e0d9 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1242,7 +1242,8 @@ access to mpv's powerful playback capabilities.")
 (sha256
 (base32
 "0vvh89hvp8qg9an9vcmwb7d9k3nixhxaz6zi65qdjnd0i56kkcz6"))
- (patches (search-patches "libvpx-CVE-2016-2818.patch"))))
+ (patches (search-patches "libvpx-use-after-free-in-postproc.patch"
+ "libvpx-CVE-2016-2818.patch"))))
 (build-system gnu-build-system)
 (arguments
 `(#:configure-flags (list "--enable-shared"
--
cgit v1.2.3
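Review bot: The new patch file starts directly with the mail header and carries no provenance line, which Guix patch files conventionally use to say where a backported fix came from and why it is applied; a first line such as `Fix use-after-free in VP8 postproc (show_frame_mi left dangling after a size-changing no-show frame); copied from upstream libvpx commit 52add5896661d186dec284ed646a4b33b607d2c7, Bug: 842265.` would let a later maintainer verify the fix against a newer release or drop it once it is included. The embedded change replaces `cm->show_frame_mi` with `cm->mi` inside vp8_deblock, whose body starts and ends outside the embedded hunk, so whether any other postproc code path still reads show_frame_mi cannot be judged from this page. No CVE identifier appears anywhere on the page, so the "security fix" in the subject rests on the Chromium bug reference alone; naming that in the same header line would make future triage easier.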