libwebp: Fix CVE-2023-4863

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863. CVE: CVE-2023-4863 References: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 https://security-tracker.debian.org/tracker/CVE-2023-4863 https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12 (From OE-Core rev: e2bd9494b59b486000320c6814371f37828d4c2d) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2023-11-03 08:54:54 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-11-11 08:23:01 -1000
commit: a09c4a48332ee1686f3c12a5373e16976ba4916b (patch)
tree: cdcecdda5cf5a0495a771f640447b771ee7cdecf /meta/recipes-multimedia
parent: c97d2f0f0961a7d524beb7716d24aa249980e604 (diff)
download: poky-a09c4a48332ee1686f3c12a5373e16976ba4916b.tar.gz
3 files changed, 66 insertions, 10 deletions
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
index b246ed42f9..e623569352 100644
--- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
-From 6c928321f47ba69022cd4d814433f365dea63478 Mon Sep 17 00:00:00 2001
+From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
 From: Vincent Rabaud <vrabaud@google.com>
 Date: Thu, 7 Sep 2023 21:16:03 +0200
-Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.
+Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
 First, BuildHuffmanTable is called to check if the data is valid.
 If it is and the table is not big enough, more memory is allocated.
@@ -12,9 +12,11 @@ codes) streams are still decodable.
 Bug: chromium:1479274
 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
-CVE: CVE-2023-5129
+CVE: CVE-2023-4863
 Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
-Signed-off-by: Colin McAllister <colinmca242@gmail.com>
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
 ---
 src/dec/vp8l_dec.c        | 46 ++++++++++---------
 src/dec/vp8li_dec.h       |  2 +-
@@ -23,7 +25,7 @@ Signed-off-by: Colin McAllister <colinmca242@gmail.com>
 4 files changed, 129 insertions(+), 43 deletions(-)
 diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index c0ea0181..7995313f 100644
+index 1348055..186b0b2 100644
 --- a/src/dec/vp8l_dec.c
 +++ b/src/dec/vp8l_dec.c
 @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -171,7 +173,7 @@ index c0ea0181..7995313f 100644
   assert(dec->hdr_.num_htree_groups_ > 0);
 
 diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
-index 72b2e861..32540a4b 100644
+index 72b2e86..32540a4 100644
 --- a/src/dec/vp8li_dec.h
 +++ b/src/dec/vp8li_dec.h
 @@ -51,7 +51,7 @@ typedef struct {
@@ -184,7 +186,7 @@ index 72b2e861..32540a4b 100644
 
 typedef struct VP8LDecoder VP8LDecoder;
 diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
-index 90c2fbf7..cf73abd4 100644
+index 0cba0fb..9efd628 100644
 --- a/src/utils/huffman_utils.c
 +++ b/src/utils/huffman_utils.c
 @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -315,7 +317,7 @@ index 90c2fbf7..cf73abd4 100644
 +  }
 +}
 diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
-index 13b7ad1a..98415c53 100644
+index 13b7ad1..98415c5 100644
 --- a/src/utils/huffman_utils.h
 +++ b/src/utils/huffman_utils.h
 @@ -43,6 +43,29 @@ typedef struct {
@@ -360,5 +362,5 @@ index 13b7ad1a..98415c53 100644
 
 #ifdef __cplusplus
 -- 
-2.34.1
+2.40.0
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 0000000000..231894e882
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+BUG=oss-fuzz:62136
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+CVE: CVE-2023-4863
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
+  // In incremental decoding:
+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+  // be reset until there is more data.
+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+  // fully read, either enough has been read to reach 'src_last'.
+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+  // The buffer might have been enough or there is some left. 'br->eos_' does
+  // not matter.
+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0
diff --git a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb
index 4d2b655644..c4e3cceb6f 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb
@@ -14,7 +14,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
                    file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
 SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
-    file://CVE-2023-5129.patch \
+    file://CVE-2023-4863-0001.patch \
+    file://CVE-2023-4863-0002.patch \
    "
 SRC_URI[sha256sum] = "b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66"
author	Soumya Sambu <soumya.sambu@windriver.com>	2023-11-03 08:54:54 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-11-11 08:23:01 -1000
commit	a09c4a48332ee1686f3c12a5373e16976ba4916b (patch)
tree	cdcecdda5cf5a0495a771f640447b771ee7cdecf /meta/recipes-multimedia
parent	c97d2f0f0961a7d524beb7716d24aa249980e604 (diff)
download	poky-a09c4a48332ee1686f3c12a5373e16976ba4916b.tar.gz

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch index b246ed42f9..e623569352 100644 --- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@
1	From 6c928321f47ba69022cd4d814433f365dea63478 Mon Sep 17 00:00:00 2001	1	From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001
2	From: Vincent Rabaud <vrabaud@google.com>	2	From: Vincent Rabaud <vrabaud@google.com>
3	Date: Thu, 7 Sep 2023 21:16:03 +0200	3	Date: Thu, 7 Sep 2023 21:16:03 +0200
4	Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable.	4	Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable.
5		5
6	First, BuildHuffmanTable is called to check if the data is valid.	6	First, BuildHuffmanTable is called to check if the data is valid.
7	If it is and the table is not big enough, more memory is allocated.	7	If it is and the table is not big enough, more memory is allocated.
@@ -12,9 +12,11 @@ codes) streams are still decodable.
12	Bug: chromium:1479274	12	Bug: chromium:1479274
13	Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741	13	Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
14		14
15	CVE: CVE-2023-5129	15	CVE: CVE-2023-4863
		16
16	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]	17	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a]
17	Signed-off-by: Colin McAllister <colinmca242@gmail.com>	18
		19	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
18	---	20	---
19	src/dec/vp8l_dec.c \| 46 ++++++++++---------	21	src/dec/vp8l_dec.c \| 46 ++++++++++---------
20	src/dec/vp8li_dec.h \| 2 +-	22	src/dec/vp8li_dec.h \| 2 +-
@@ -23,7 +25,7 @@ Signed-off-by: Colin McAllister <colinmca242@gmail.com>
23	4 files changed, 129 insertions(+), 43 deletions(-)	25	4 files changed, 129 insertions(+), 43 deletions(-)
24		26
25	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c	27	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
26	index c0ea0181..7995313f 100644	28	index 1348055..186b0b2 100644
27	--- a/src/dec/vp8l_dec.c	29	--- a/src/dec/vp8l_dec.c
28	+++ b/src/dec/vp8l_dec.c	30	+++ b/src/dec/vp8l_dec.c
29	@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(	31	@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
@@ -171,7 +173,7 @@ index c0ea0181..7995313f 100644
171	assert(dec->hdr_.num_htree_groups_ > 0);	173	assert(dec->hdr_.num_htree_groups_ > 0);
172		174
173	diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h	175	diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
174	index 72b2e861..32540a4b 100644	176	index 72b2e86..32540a4 100644
175	--- a/src/dec/vp8li_dec.h	177	--- a/src/dec/vp8li_dec.h
176	+++ b/src/dec/vp8li_dec.h	178	+++ b/src/dec/vp8li_dec.h
177	@@ -51,7 +51,7 @@ typedef struct {	179	@@ -51,7 +51,7 @@ typedef struct {
@@ -184,7 +186,7 @@ index 72b2e861..32540a4b 100644
184		186
185	typedef struct VP8LDecoder VP8LDecoder;	187	typedef struct VP8LDecoder VP8LDecoder;
186	diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c	188	diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
187	index 90c2fbf7..cf73abd4 100644	189	index 0cba0fb..9efd628 100644
188	--- a/src/utils/huffman_utils.c	190	--- a/src/utils/huffman_utils.c
189	+++ b/src/utils/huffman_utils.c	191	+++ b/src/utils/huffman_utils.c
190	@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,	192	@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
@@ -315,7 +317,7 @@ index 90c2fbf7..cf73abd4 100644
315	+ }	317	+ }
316	+}	318	+}
317	diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h	319	diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
318	index 13b7ad1a..98415c53 100644	320	index 13b7ad1..98415c5 100644
319	--- a/src/utils/huffman_utils.h	321	--- a/src/utils/huffman_utils.h
320	+++ b/src/utils/huffman_utils.h	322	+++ b/src/utils/huffman_utils.h
321	@@ -43,6 +43,29 @@ typedef struct {	323	@@ -43,6 +43,29 @@ typedef struct {
@@ -360,5 +362,5 @@ index 13b7ad1a..98415c53 100644
360		362
361	#ifdef __cplusplus	363	#ifdef __cplusplus
362	--	364	--
363	2.34.1	365	2.40.0
364		366


diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch new file mode 100644 index 0000000000..231894e882 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
		1	From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
		2	From: Vincent Rabaud <vrabaud@google.com>
		3	Date: Mon, 11 Sep 2023 16:06:08 +0200
		4	Subject: [PATCH 2/2] Fix invalid incremental decoding check.
		5
		6	The first condition is only necessary if we have not read enough
		7	(enough being defined by src_last, not src_end which is the end
		8	of the image).
		9	The second condition now fits the comment below: "if not
		10	incremental, and we are past the end of buffer".
		11
		12	BUG=oss-fuzz:62136
		13
		14	Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
		15
		16	CVE: CVE-2023-4863
		17
		18	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
		19
		20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		21	---
		22	src/dec/vp8l_dec.c \| 15 +++++++++++++--
		23	1 file changed, 13 insertions(+), 2 deletions(-)
		24
		25	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
		26	index 186b0b2..59a9e64 100644
		27	--- a/src/dec/vp8l_dec.c
		28	+++ b/src/dec/vp8l_dec.c
		29	@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
		30	}
		31
		32	br->eos_ = VP8LIsEndOfStream(br);
		33	- if (dec->incremental_ && br->eos_ && src < src_end) {
		34	+ // In incremental decoding:
		35	+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
		36	+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
		37	+ // be reset until there is more data.
		38	+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
		39	+ // fully read, either enough has been read to reach 'src_last'.
		40	+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
		41	+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
		42	+ // The buffer might have been enough or there is some left. 'br->eos_' does
		43	+ // not matter.
		44	+ assert(!dec->incremental_ \|\| (br->eos_ && src < src_last) \|\| src >= src_last);
		45	+ if (dec->incremental_ && br->eos_ && src < src_last) {
		46	RestoreState(dec);
		47	- } else if (!br->eos_) {
		48	+ } else if ((dec->incremental_ && src >= src_last) \|\| !br->eos_) {
		49	// Process the remaining rows corresponding to last row-block.
		50	if (process_func != NULL) {
		51	process_func(dec, row > last_row ? last_row : row);
		52	--
		53	2.40.0


diff --git a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb index 4d2b655644..c4e3cceb6f 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb
@@ -14,7 +14,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
14	file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"	14	file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
15		15
16	SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \	16	SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
17	file://CVE-2023-5129.patch \	17	file://CVE-2023-4863-0001.patch \
		18	file://CVE-2023-4863-0002.patch \
18	"	19	"
19	SRC_URI[sha256sum] = "b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66"	20	SRC_URI[sha256sum] = "b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66"
20		21