libwebp: Fix CVE-2023-4863

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863. CVE: CVE-2023-4863 References: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 https://security-tracker.debian.org/tracker/CVE-2023-4863 https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 (From OE-Core rev: b69bef1169cb33c153384be81845eaf903dc1570) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2023-11-03 08:55:47 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-11-17 06:00:32 -1000
commit: a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1 (patch)
tree: 70c7223e00e1ca237fc07dab8e2538c2ab9c0bc7
parent: be04eefcaf2e28270fecc370d382c7fb82ec9372 (diff)
download: poky-a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1.tar.gz
3 files changed, 66 insertions, 17 deletions
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
index ffff068c56..419b12f7d9 100644
--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud <vrabaud@google.com>
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,16 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
-Notice that it references different CVE id:
+CVE: CVE-2023-4863
-https://nvd.nist.gov/vuln/detail/CVE-2023-5129
-which was marked as a rejected duplicate of:
-https://nvd.nist.gov/vuln/detail/CVE-2023-4863
-but it's the same issue. Hence update CVE ID CVE-2023-4863
-CVE: CVE-2023-5129 CVE-2023-4863
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
-Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]
-Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
-Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
 ---
 src/dec/vp8l_dec.c        | 46 ++++++++++---------
 src/dec/vp8li_dec.h       |  2 +-
@@ -30,7 +25,7 @@ Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
 4 files changed, 129 insertions(+), 43 deletions(-)
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 93615d4e..0d38314d 100644
+index 93615d4..0d38314 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -178,7 +173,7 @@ index 93615d4e..0d38314d 100644
   assert(dec->hdr_.num_htree_groups_ > 0);
 
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -191,7 +186,7 @@ index 72b2e861..32540a4b 100644
 
 typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 0cba0fbb..9efd6283 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -322,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
 +  }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -367,5 +362,5 @@ index 13b7ad1a..98415c53 100644
 
 #ifdef __cplusplus
 -- 
-2.34.1
+2.40.0
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 0000000000..c1eedb6100
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+BUG=oss-fuzz:62136
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+CVE: CVE-2023-4863
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 0d38314..684a5b6 100644
+--- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c
+@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
+  // In incremental decoding:
+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+  // be reset until there is more data.
+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+  // fully read, either enough has been read to reach 'src_last'.
+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+  // The buffer might have been enough or there is some left. 'br->eos_' does
+  // not matter.
+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
index 27c5d92c92..88c36cb76c 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
 SRC_URI += " \
    file://CVE-2023-1999.patch \
-    file://CVE-2023-5129.patch \
+    file://CVE-2023-4863-0001.patch \
+    file://CVE-2023-4863-0002.patch \
 "
 EXTRA_OECONF = " \
author	Soumya Sambu <soumya.sambu@windriver.com>	2023-11-03 08:55:47 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-11-17 06:00:32 -1000
commit	a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1 (patch)
tree	70c7223e00e1ca237fc07dab8e2538c2ab9c0bc7
parent	be04eefcaf2e28270fecc370d382c7fb82ec9372 (diff)
download	poky-a405e12bebcb5ddea7ac0e2d088ea3f083d9eee1.tar.gz

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch index ffff068c56..419b12f7d9 100644 --- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
1	From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001	1	From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
2	From: Vincent Rabaud <vrabaud@google.com>	2	From: Vincent Rabaud <vrabaud@google.com>
3	Date: Thu, 7 Sep 2023 21:16:03 +0200	3	Date: Thu, 7 Sep 2023 21:16:03 +0200
4	Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.	4	Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
5		5
6	First, BuildHuffmanTable is called to check if the data is valid.	6	First, BuildHuffmanTable is called to check if the data is valid.
7	If it is and the table is not big enough, more memory is allocated.	7	If it is and the table is not big enough, more memory is allocated.
@@ -12,16 +12,11 @@ codes) streams are still decodable.
12	Bug: chromium:1479274	12	Bug: chromium:1479274
13	Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741	13	Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
14		14
15	Notice that it references different CVE id:	15	CVE: CVE-2023-4863
16	https://nvd.nist.gov/vuln/detail/CVE-2023-5129
17	which was marked as a rejected duplicate of:
18	https://nvd.nist.gov/vuln/detail/CVE-2023-4863
19	but it's the same issue. Hence update CVE ID CVE-2023-4863
20		16
21	CVE: CVE-2023-5129 CVE-2023-4863	17	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
22	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76]	18
23	Signed-off-by: Colin McAllister <colinmca242@gmail.com>	19	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
24	Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
25	---	20	---
26	src/dec/vp8l_dec.c \| 46 ++++++++++---------	21	src/dec/vp8l_dec.c \| 46 ++++++++++---------
27	src/dec/vp8li_dec.h \| 2 +-	22	src/dec/vp8li_dec.h \| 2 +-
@@ -30,7 +25,7 @@ Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
30	4 files changed, 129 insertions(+), 43 deletions(-)	25	4 files changed, 129 insertions(+), 43 deletions(-)
31		26
32	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c	27	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
33	index 93615d4e..0d38314d 100644	28	index 93615d4..0d38314 100644
34	--- a/src/dec/vp8l_dec.c	29	--- a/src/dec/vp8l_dec.c
35	+++ b/src/dec/vp8l_dec.c	30	+++ b/src/dec/vp8l_dec.c
36	@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(	31	@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -178,7 +173,7 @@ index 93615d4e..0d38314d 100644
178	assert(dec->hdr_.num_htree_groups_ > 0);	173	assert(dec->hdr_.num_htree_groups_ > 0);
179		174
180	diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h	175	diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
181	index 72b2e861..32540a4b 100644	176	index 72b2e86..32540a4 100644
182	--- a/src/dec/vp8li_dec.h	177	--- a/src/dec/vp8li_dec.h
183	+++ b/src/dec/vp8li_dec.h	178	+++ b/src/dec/vp8li_dec.h
184	@@ -51,7 +51,7 @@ typedef struct {	179	@@ -51,7 +51,7 @@ typedef struct {
@@ -191,7 +186,7 @@ index 72b2e861..32540a4b 100644
191		186
192	typedef struct VP8LDecoder VP8LDecoder;	187	typedef struct VP8LDecoder VP8LDecoder;
193	diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c	188	diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
194	index 0cba0fbb..9efd6283 100644	189	index 0cba0fb..9efd628 100644
195	--- a/src/utils/huffman_utils.c	190	--- a/src/utils/huffman_utils.c
196	+++ b/src/utils/huffman_utils.c	191	+++ b/src/utils/huffman_utils.c
197	@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,	192	@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -322,7 +317,7 @@ index 0cba0fbb..9efd6283 100644
322	+ }	317	+ }
323	+}	318	+}
324	diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h	319	diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
325	index 13b7ad1a..98415c53 100644	320	index 13b7ad1..98415c5 100644
326	--- a/src/utils/huffman_utils.h	321	--- a/src/utils/huffman_utils.h
327	+++ b/src/utils/huffman_utils.h	322	+++ b/src/utils/huffman_utils.h
328	@@ -43,6 +43,29 @@ typedef struct {	323	@@ -43,6 +43,29 @@ typedef struct {
@@ -367,5 +362,5 @@ index 13b7ad1a..98415c53 100644
367		362
368	#ifdef __cplusplus	363	#ifdef __cplusplus
369	--	364	--
370	2.34.1	365	2.40.0
371		366


diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch new file mode 100644 index 0000000000..c1eedb6100 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
		1	From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
		2	From: Vincent Rabaud <vrabaud@google.com>
		3	Date: Mon, 11 Sep 2023 16:06:08 +0200
		4	Subject: [PATCH 2/2] Fix invalid incremental decoding check.
		5
		6	The first condition is only necessary if we have not read enough
		7	(enough being defined by src_last, not src_end which is the end
		8	of the image).
		9	The second condition now fits the comment below: "if not
		10	incremental, and we are past the end of buffer".
		11
		12	BUG=oss-fuzz:62136
		13
		14	Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
		15
		16	CVE: CVE-2023-4863
		17
		18	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
		19
		20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		21	---
		22	src/dec/vp8l_dec.c \| 15 +++++++++++++--
		23	1 file changed, 13 insertions(+), 2 deletions(-)
		24
		25	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
		26	index 0d38314..684a5b6 100644
		27	--- a/src/dec/vp8l_dec.c
		28	+++ b/src/dec/vp8l_dec.c
		29	@@ -1237,9 +1237,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
		30	}
		31
		32	br->eos_ = VP8LIsEndOfStream(br);
		33	- if (dec->incremental_ && br->eos_ && src < src_end) {
		34	+ // In incremental decoding:
		35	+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
		36	+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
		37	+ // be reset until there is more data.
		38	+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
		39	+ // fully read, either enough has been read to reach 'src_last'.
		40	+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
		41	+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
		42	+ // The buffer might have been enough or there is some left. 'br->eos_' does
		43	+ // not matter.
		44	+ assert(!dec->incremental_ \|\| (br->eos_ && src < src_last) \|\| src >= src_last);
		45	+ if (dec->incremental_ && br->eos_ && src < src_last) {
		46	RestoreState(dec);
		47	- } else if (!br->eos_) {
		48	+ } else if ((dec->incremental_ && src >= src_last) \|\| !br->eos_) {
		49	// Process the remaining rows corresponding to last row-block.
		50	if (process_func != NULL) {
		51	process_func(dec, row > last_row ? last_row : row);
		52	--
		53	2.40.0


diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb index 27c5d92c92..88c36cb76c 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html"
21		21
22	SRC_URI += " \	22	SRC_URI += " \
23	file://CVE-2023-1999.patch \	23	file://CVE-2023-1999.patch \
24	file://CVE-2023-5129.patch \	24	file://CVE-2023-4863-0001.patch \
		25	file://CVE-2023-4863-0002.patch \
25	"	26	"
26		27
27	EXTRA_OECONF = " \	28	EXTRA_OECONF = " \