1 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
new file mode 100644
index 0000000000..231894e882
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH 2/2] Fix invalid incremental decoding check.
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+BUG=oss-fuzz:62136
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+CVE: CVE-2023-4863
+Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 186b0b2..59a9e64 100644
+--- a/src/dec/vp8l_dec.c
+++ b/src/dec/vp8l_dec.c
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
+  // In incremental decoding:
+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+  // be reset until there is more data.
+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+  // fully read, either enough has been read to reach 'src_last'.
+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+  // The buffer might have been enough or there is some left. 'br->eos_' does
+  // not matter.
+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+--
+2.40.0

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch new file mode 100644 index 0000000000..231894e882 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch
@@ -0,0 +1,53 @@
	1	From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
	2	From: Vincent Rabaud <vrabaud@google.com>
	3	Date: Mon, 11 Sep 2023 16:06:08 +0200
	4	Subject: [PATCH 2/2] Fix invalid incremental decoding check.
	5
	6	The first condition is only necessary if we have not read enough
	7	(enough being defined by src_last, not src_end which is the end
	8	of the image).
	9	The second condition now fits the comment below: "if not
	10	incremental, and we are past the end of buffer".
	11
	12	BUG=oss-fuzz:62136
	13
	14	Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
	15
	16	CVE: CVE-2023-4863
	17
	18	Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520]
	19
	20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	21	---
	22	src/dec/vp8l_dec.c \| 15 +++++++++++++--
	23	1 file changed, 13 insertions(+), 2 deletions(-)
	24
	25	diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
	26	index 186b0b2..59a9e64 100644
	27	--- a/src/dec/vp8l_dec.c
	28	+++ b/src/dec/vp8l_dec.c
	29	@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
	30	}
	31
	32	br->eos_ = VP8LIsEndOfStream(br);
	33	- if (dec->incremental_ && br->eos_ && src < src_end) {
	34	+ // In incremental decoding:
	35	+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
	36	+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
	37	+ // be reset until there is more data.
	38	+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
	39	+ // fully read, either enough has been read to reach 'src_last'.
	40	+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
	41	+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
	42	+ // The buffer might have been enough or there is some left. 'br->eos_' does
	43	+ // not matter.
	44	+ assert(!dec->incremental_ \|\| (br->eos_ && src < src_last) \|\| src >= src_last);
	45	+ if (dec->incremental_ && br->eos_ && src < src_last) {
	46	RestoreState(dec);
	47	- } else if (!br->eos_) {
	48	+ } else if ((dec->incremental_ && src >= src_last) \|\| !br->eos_) {
	49	// Process the remaining rows corresponding to last row-block.
	50	if (process_func != NULL) {
	51	process_func(dec, row > last_row ? last_row : row);
	52	--
	53	2.40.0