
libwebp: Fix CVE-2023-4863

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.

Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

(From OE-Core rev: b69bef1169cb33c153384be81845eaf903dc1570)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Soumya Sambu
2023-11-03 08:55:47 +00:00
committed by Steve Sakoman
parent be04eefcaf
commit a405e12beb
3 changed files with 66 additions and 17 deletions
@@ -1,7 +1,7 @@
From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001 From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
From: Vincent Rabaud <vrabaud@google.com> From: Vincent Rabaud <vrabaud@google.com>
Date: Thu, 7 Sep 2023 21:16:03 +0200 Date: Thu, 7 Sep 2023 21:16:03 +0200
Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable. Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
First, BuildHuffmanTable is called to check if the data is valid. First, BuildHuffmanTable is called to check if the data is valid.
If it is and the table is not big enough, more memory is allocated. If it is and the table is not big enough, more memory is allocated.
@@ -12,16 +12,11 @@ codes) streams are still decodable.
Bug: chromium:1479274 Bug: chromium:1479274
Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
Notice that it references different CVE id: CVE: CVE-2023-4863
https://nvd.nist.gov/vuln/detail/CVE-2023-5129
which was marked as a rejected duplicate of:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
but it's the same issue. Hence update CVE ID CVE-2023-4863
CVE: CVE-2023-5129 CVE-2023-4863 Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]
Signed-off-by: Colin McAllister <colinmca242@gmail.com> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
--- ---
src/dec/vp8l_dec.c | 46 ++++++++++--------- src/dec/vp8l_dec.c | 46 ++++++++++---------
src/dec/vp8li_dec.h | 2 +- src/dec/vp8li_dec.h | 2 +-
@@ -30,7 +25,7 @@ Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
4 files changed, 129 insertions(+), 43 deletions(-) 4 files changed, 129 insertions(+), 43 deletions(-)
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
index 93615d4e..0d38314d 100644 index 93615d4..0d38314 100644
--- a/src/dec/vp8l_dec.c --- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c +++ b/src/dec/vp8l_dec.c
@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths( @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -178,7 +173,7 @@ index 93615d4e..0d38314d 100644
assert(dec->hdr_.num_htree_groups_ > 0); assert(dec->hdr_.num_htree_groups_ > 0);
diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
index 72b2e861..32540a4b 100644 index 72b2e86..32540a4 100644
--- a/src/dec/vp8li_dec.h --- a/src/dec/vp8li_dec.h
+++ b/src/dec/vp8li_dec.h +++ b/src/dec/vp8li_dec.h
@@ -51,7 +51,7 @@ typedef struct { @@ -51,7 +51,7 @@ typedef struct {
@@ -191,7 +186,7 @@ index 72b2e861..32540a4b 100644
typedef struct VP8LDecoder VP8LDecoder; typedef struct VP8LDecoder VP8LDecoder;
diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
index 0cba0fbb..9efd6283 100644 index 0cba0fb..9efd628 100644
--- a/src/utils/huffman_utils.c --- a/src/utils/huffman_utils.c
+++ b/src/utils/huffman_utils.c +++ b/src/utils/huffman_utils.c
@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -322,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
+ } + }
+} +}
diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
index 13b7ad1a..98415c53 100644 index 13b7ad1..98415c5 100644
--- a/src/utils/huffman_utils.h --- a/src/utils/huffman_utils.h
+++ b/src/utils/huffman_utils.h +++ b/src/utils/huffman_utils.h
@@ -43,6 +43,29 @@ typedef struct { @@ -43,6 +43,29 @@ typedef struct {
@@ -367,5 +362,5 @@ index 13b7ad1a..98415c53 100644
#ifdef __cplusplus #ifdef __cplusplus
-- --
2.34.1 2.40.0
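Review bot: The paragraph on the old side explaining that CVE-2023-5129 was rejected by NVD as a duplicate of CVE-2023-4863 was dropped from the patch header, so the renamed patch file on its own no longer records why it previously carried the 5129 id; keeping a single line such as `Note: CVE-2023-5129 was rejected as a duplicate of CVE-2023-4863; this patch was renamed accordingly.` would preserve that rationale where cve-check tooling and later backporters read it. The new header's `From 902bc919…` and `Upstream-Status: Backport [...902bc919...]` lines now agree, which removes the earlier mismatch between `From 12b11893…` and the 2af26267… URL; the code hunks visible here (vp8l_dec.c, vp8li_dec.h, huffman_utils.c/.h) show only their `@@` headers and appear unchanged apart from the shortened `index` hashes.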
@@ -0,0 +1,53 @@
From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud <vrabaud@google.com>
Date: Mon, 11 Sep 2023 16:06:08 +0200
Subject: [PATCH 2/2] Fix invalid incremental decoding check.
The first condition is only necessary if we have not read enough
(enough being defined by src_last, not src_end which is the end
of the image).
The second condition now fits the comment below: "if not
incremental, and we are past the end of buffer".
BUG=oss-fuzz:62136
Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
CVE: CVE-2023-4863
Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
src/dec/vp8l_dec.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
index 0d38314..684a5b6 100644
--- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c
@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
}
br->eos_ = VP8LIsEndOfStream(br);
- if (dec->incremental_ && br->eos_ && src < src_end) {
+ // In incremental decoding:
+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+ // be reset until there is more data.
+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+ // fully read, either enough has been read to reach 'src_last'.
+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+ // The buffer might have been enough or there is some left. 'br->eos_' does
+ // not matter.
+ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+ if (dec->incremental_ && br->eos_ && src < src_last) {
RestoreState(dec);
- } else if (!br->eos_) {
+ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
// Process the remaining rows corresponding to last row-block.
if (process_func != NULL) {
process_func(dec, row > last_row ? last_row : row);
--
2.40.0
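Review bot: The `assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);` added above the `if` is compiled out under NDEBUG, so in release builds the only enforced change is the widened `else if ((dec->incremental_ && src >= src_last) || !br->eos_)`; the comment block should say so, e.g. `// The assert only documents the invariant; release builds rely on the two conditions below.` The patch's `index 0d38314..684a5b6` line pins it to the vp8l_dec.c produced by CVE-2023-4863-0001.patch (whose post-image is `0d38314` in the first patch), so it can only apply after that one; stating `Applies on top of CVE-2023-4863-0001.patch.` in the header would make the SRC_URI ordering requirement explicit. DecodeImageData begins before the hunk and the non-incremental "past the end of buffer" handling mentioned in the description lies after it, so `src_last` and `src_end` are presumably declared outside this view and should be confirmed present in the recipe's libwebp version.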
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
SRC_URI += " \ SRC_URI += " \
file://CVE-2023-1999.patch \ file://CVE-2023-1999.patch \
file://CVE-2023-5129.patch \ file://CVE-2023-4863-0001.patch \
file://CVE-2023-4863-0002.patch \
" "
EXTRA_OECONF = " \ EXTRA_OECONF = " \