Hi,
attached are debdiffs for CVE-2024-5197/libvpx if this should be a DSA.
Alternatively, I could also make pu requests instead.
cu
Adrian
diffstat for libvpx-1.12.0 libvpx-1.12.0
changelog | 7
patches/0001-Add-test-vpx_image_test.cc.patch | 81
+++++
patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch | 156
++++++++++
patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch | 148
+++++++++
patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch | 46 ++
patches/series | 4
6 files changed, 442 insertions(+)
diff -Nru libvpx-1.12.0/debian/changelog libvpx-1.12.0/debian/changelog
--- libvpx-1.12.0/debian/changelog 2023-10-01 18:26:47.000000000 +0300
+++ libvpx-1.12.0/debian/changelog 2024-06-20 13:01:27.000000000 +0300
@@ -1,3 +1,10 @@
+libvpx (1.12.0-1+deb12u3) bookworm-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-5197: Integer overflows
+
+ -- Adrian Bunk <b...@debian.org> Thu, 20 Jun 2024 13:01:27 +0300
+
libvpx (1.12.0-1+deb12u2) bookworm-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libvpx-1.12.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
libvpx-1.12.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
--- libvpx-1.12.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
1970-01-01 02:00:00.000000000 +0200
+++ libvpx-1.12.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
2024-06-20 13:01:27.000000000 +0300
@@ -0,0 +1,81 @@
+From 9a95107fa72b507469ddb2872725cbe978f9e0db Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Wed, 10 Apr 2024 17:55:01 -0700
+Subject: Add test/vpx_image_test.cc
+
+Ported from test/aom_image_test.cc in libaom commit 04d6253.
+
+Change-Id: I56478d0a5603cfb5b65e644add0918387ff69a00
+(cherry picked from commit 3dbab0e66479e1b5368d4b7a069051dba85843cf)
+---
+ test/test.mk | 1 +
+ test/vpx_image_test.cc | 45 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 test/vpx_image_test.cc
+
+diff --git a/test/test.mk b/test/test.mk
+index 6df457290..f2566dd73 100644
+--- a/test/test.mk
++++ b/test/test.mk
+@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h
+ ## Black box tests only use the public API.
+ ##
+ LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c
++LIBVPX_TEST_SRCS-yes += vpx_image_test.cc
+ LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h
+ LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c
+ LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+new file mode 100644
+index 000000000..c93843c1e
+--- /dev/null
++++ b/test/vpx_image_test.cc
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (c) 2024 The WebM project authors. All Rights Reserved.
++ *
++ * Use of this source code is governed by a BSD-style license
++ * that can be found in the LICENSE file in the root of the source
++ * tree. An additional intellectual property rights grant can be found
++ * in the file PATENTS. All contributing project authors may
++ * be found in the AUTHORS file in the root of the source tree.
++ */
++
++#include "vpx/vpx_image.h"
++#include "third_party/googletest/src/include/gtest/gtest.h"
++
++TEST(VpxImageTest, VpxImgWrapInvalidAlign) {
++ const int kWidth = 128;
++ const int kHeight = 128;
++ unsigned char buf[kWidth * kHeight * 3];
++
++ vpx_image_t img;
++ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should
++ // not read these values on failure.
++ unsigned char empty[] = "";
++ img.img_data = empty;
++ img.img_data_owner = 1;
++
++ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
++ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap()
++ // call to fail. The test verifies we do not read the junk values in 'img'.
++ unsigned int align = 31;
++ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr);
++}
++
++TEST(VpxImageTest, VpxImgAllocNv12) {
++ const int kWidth = 128;
++ const int kHeight = 128;
++
++ vpx_image_t img;
++ vpx_img_fmt_t format = VPX_IMG_FMT_NV12;
++ unsigned int align = 32;
++ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img);
++ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]);
++ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]);
++ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
++ vpx_img_free(&img);
++}
+--
+2.30.2
+
diff -Nru
libvpx-1.12.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
libvpx-1.12.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
---
libvpx-1.12.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.12.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
2024-06-20 13:01:27.000000000 +0300
@@ -0,0 +1,156 @@
+From 1a13e3bab13f8067fdd11d97caa9fa2360e31a1c Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Wed, 10 Apr 2024 17:01:10 -0700
+Subject: Fix integer overflows in calc of stride_in_bytes
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188761.
+
+Fix unsigned integer overflows in the calculation of stride_in_bytes in
+img_alloc_helper() when d_w is huge.
+
+Change the type of stride_in_bytes from unsigned int to int because it
+will be assigned to img->stride[VPX_PLANE_Y], which is of the int type.
+
+Test:
+. ../libvpx/tools/set_analyzer_env.sh integer
+../libvpx/configure --enable-debug --disable-optimizations
+make -j
+./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth
+
+Bug: chromium:332382766
+Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82
+(cherry picked from commit 2e32276277c0b1739707c5e861c96cf78794f1a0)
+---
+ test/vpx_image_test.cc | 36 ++++++++++++++++++++++++++++++++++++
+ vpx/src/vpx_image.c | 31 +++++++++++++++++++------------
+ 2 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+index c93843c1e..74515df70 100644
+--- a/test/vpx_image_test.cc
++++ b/test/vpx_image_test.cc
+@@ -43,3 +43,39 @@ TEST(VpxImageTest, VpxImgAllocNv12) {
+ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
+ vpx_img_free(&img);
+ }
++
++TEST(VpxImageTest, VpxImgAllocHugeWidth) {
++ // The stride (0x80000000 * 2) would overflow unsigned int.
++ vpx_image_t *image =
++ vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 0x80000000, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
++ // The stride (0x80000000) would overflow int.
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_NV12, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_YV12, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++}
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index f9f0dd602..ab3c2b231 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -21,8 +21,9 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ unsigned int buf_align,
+ unsigned int stride_align,
+ unsigned char *img_data) {
+- unsigned int h, w, s, xcs, ycs, bps;
+- unsigned int stride_in_bytes;
++ unsigned int h, w, xcs, ycs, bps;
++ uint64_t s;
++ int stride_in_bytes;
+ unsigned int align;
+
+ if (img != NULL) memset(img, 0, sizeof(vpx_image_t));
+@@ -80,9 +81,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ * and height shouldn't be adjusted. */
+ w = d_w;
+ h = d_h;
+- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+- s = (s + stride_align - 1) & ~(stride_align - 1);
+- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ if (s > INT_MAX) goto fail;
++ stride_in_bytes = (int)s;
+
+ /* Allocate the new image */
+ if (!img) {
+@@ -103,9 +106,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ align = (1 << ycs) - 1;
+ h = (d_h + align) & ~align;
+
+- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+- s = (s + stride_align - 1) & ~(stride_align - 1);
+- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ if (s > INT_MAX) goto fail;
++ stride_in_bytes = (int)s;
+ alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
+ : (uint64_t)h * s;
+
+@@ -170,12 +175,12 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
+ img->planes[VPX_PLANE_ALPHA] =
+ data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA];
+- data += img->h * img->stride[VPX_PLANE_ALPHA];
++ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA];
+ }
+
+ img->planes[VPX_PLANE_Y] =
+ data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y];
+- data += img->h * img->stride[VPX_PLANE_Y];
++ data += (size_t)img->h * img->stride[VPX_PLANE_Y];
+
+ if (img->fmt == VPX_IMG_FMT_NV12) {
+ img->planes[VPX_PLANE_U] =
+@@ -186,7 +191,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ img->planes[VPX_PLANE_U] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
++ data +=
++ (size_t)(img->h >> img->y_chroma_shift) *
img->stride[VPX_PLANE_U];
+ img->planes[VPX_PLANE_V] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+@@ -194,7 +200,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ img->planes[VPX_PLANE_V] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
++ data +=
++ (size_t)(img->h >> img->y_chroma_shift) *
img->stride[VPX_PLANE_V];
+ img->planes[VPX_PLANE_U] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+--
+2.30.2
+
diff -Nru
libvpx-1.12.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
libvpx-1.12.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
---
libvpx-1.12.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.12.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
2024-06-20 13:01:27.000000000 +0300
@@ -0,0 +1,148 @@
+From d3dc7c3cc8c85f65a4ee5620d104880d6b8754bf Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Thu, 11 Apr 2024 10:24:11 -0700
+Subject: Avoid integer overflows in arithmetic operations
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188823.
+
+Impose maximum values on the input parameters so that we can perform
+arithmetic operations without worrying about overflows.
+
+Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
+first and last samples in the first row of the Y plane, so that the test
+will crash if there is unsigned integer overflow in the calculation of
+stride_in_bytes.
+
+Bug: chromium:332382766
+Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3
+(cherry picked from commit 06af417e795e6a9b9309406ba399fb109def89e6)
+---
+ test/vpx_image_test.cc | 19 +++++++++++++++++++
+ vpx/src/vpx_image.c | 11 +++++++++++
+ vpx/vpx_image.h | 16 +++++++++++-----
+ 3 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+index 74515df70..eb6e35474 100644
+--- a/test/vpx_image_test.cc
++++ b/test/vpx_image_test.cc
+@@ -8,6 +8,8 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include <climits>
++
+ #include "vpx/vpx_image.h"
+ #include "third_party/googletest/src/include/gtest/gtest.h"
+
+@@ -54,6 +56,10 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
++ // The aligned width (UINT_MAX + 1) would overflow unsigned int.
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, UINT_MAX, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
+ if (image) {
+ vpx_img_free(image);
+@@ -74,8 +80,21 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ vpx_img_free(image);
+ }
+
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 65536, 2, 1);
++ if (image) {
++ uint16_t *y_plane =
++ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
++ y_plane[0] = 0;
++ y_plane[image->d_w - 1] = 0;
++ vpx_img_free(image);
++ }
++
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
+ if (image) {
++ uint16_t *y_plane =
++ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
++ y_plane[0] = 0;
++ y_plane[image->d_w - 1] = 0;
+ vpx_img_free(image);
+ }
+ }
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index ab3c2b231..373b80b60 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -8,6 +8,7 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include <assert.h>
+ #include <limits.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -28,6 +29,14 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+
+ if (img != NULL) memset(img, 0, sizeof(vpx_image_t));
+
++ /* Impose maximum values on input parameters so that this function can
++ * perform arithmetic operations without worrying about overflows.
++ */
++ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
++ stride_align > 65536) {
++ goto fail;
++ }
++
+ /* Treat align==0 like align==1 */
+ if (!buf_align) buf_align = 1;
+
+@@ -103,8 +112,10 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ /* Calculate storage sizes given the chroma subsampling */
+ align = (1 << xcs) - 1;
+ w = (d_w + align) & ~align;
++ assert(d_w <= w);
+ align = (1 << ycs) - 1;
+ h = (d_h + align) & ~align;
++ assert(d_h <= h);
+
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+diff --git a/vpx/vpx_image.h b/vpx/vpx_image.h
+index 1adc9b9d9..2c30a8993 100644
+--- a/vpx/vpx_image.h
++++ b/vpx/vpx_image.h
+@@ -132,10 +132,13 @@ typedef struct vpx_image_rect {
+ * is NULL, the storage for the descriptor will be
+ * allocated on the heap.
+ * \param[in] fmt Format for the image
+- * \param[in] d_w Width of the image
+- * \param[in] d_h Height of the image
++ * \param[in] d_w Width of the image. Must not exceed 0x08000000
++ * (2^27).
++ * \param[in] d_h Height of the image. Must not exceed 0x08000000
++ * (2^27).
+ * \param[in] align Alignment, in bytes, of the image buffer and
+- * each row in the image(stride).
++ * each row in the image (stride). Must not exceed
++ * 65536.
+ *
+ * \return Returns a pointer to the initialized image descriptor. If the img
+ * parameter is non-null, the value of the img parameter will be
+@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ * parameter is NULL, the storage for the
descriptor
+ * will be allocated on the heap.
+ * \param[in] fmt Format for the image
+- * \param[in] d_w Width of the image
+- * \param[in] d_h Height of the image
++ * \param[in] d_w Width of the image. Must not exceed 0x08000000
++ * (2^27).
++ * \param[in] d_h Height of the image. Must not exceed 0x08000000
++ * (2^27).
+ * \param[in] stride_align Alignment, in bytes, of each row in the image.
++ * Must not exceed 65536.
+ * \param[in] img_data Storage to use for the image
+ *
+ * \return Returns a pointer to the initialized image descriptor. If the img
+--
+2.30.2
+
diff -Nru
libvpx-1.12.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
libvpx-1.12.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
---
libvpx-1.12.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.12.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
2024-06-20 13:01:27.000000000 +0300
@@ -0,0 +1,46 @@
+From 28769a88ab54be873842feb799e20ec3e097aa4f Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Fri, 12 Apr 2024 15:48:04 -0700
+Subject: Fix a bug in alloc_size for high bit depths
+
+I introduced this bug in commit 2e32276:
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
+
+I changed the line
+
+ stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+
+to three lines:
+
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
+
+But I didn't realize that `s` is used later in the calculation of
+alloc_size.
+
+As a quick fix, undo the effect of s * 2 for high bit depths after `s`
+has been assigned to stride_in_bytes.
+
+Bug: chromium:332382766
+Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c
+(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3)
+---
+ vpx/src/vpx_image.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index 373b80b60..fc6ff722b 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -95,6 +95,7 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;
+
+ /* Allocate the new image */
+ if (!img) {
+--
+2.30.2
+
diff -Nru libvpx-1.12.0/debian/patches/series
libvpx-1.12.0/debian/patches/series
--- libvpx-1.12.0/debian/patches/series 2023-10-01 18:26:47.000000000 +0300
+++ libvpx-1.12.0/debian/patches/series 2024-06-20 13:01:27.000000000 +0300
@@ -2,3 +2,7 @@
0002-encode_api_test-add-ConfigResizeChangeThreadCount.patch
0003-VP8-disallow-thread-count-changes.patch
0004-Fix-bug-with-smaller-width-bigger-size.patch
+0001-Add-test-vpx_image_test.cc.patch
+0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
+0003-Avoid-integer-overflows-in-arithmetic-operations.patch
+0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
diffstat for libvpx-1.9.0 libvpx-1.9.0
changelog | 7
patches/0001-Add-test-vpx_image_test.cc.patch | 81
+++++
patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch | 156
++++++++++
patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch | 149
+++++++++
patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch | 46 ++
patches/series | 4
6 files changed, 443 insertions(+)
diff -Nru libvpx-1.9.0/debian/changelog libvpx-1.9.0/debian/changelog
--- libvpx-1.9.0/debian/changelog 2023-10-01 18:25:58.000000000 +0300
+++ libvpx-1.9.0/debian/changelog 2024-06-20 13:27:49.000000000 +0300
@@ -1,3 +1,10 @@
+libvpx (1.9.0-1+deb11u3) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-5197: Integer overflows
+
+ -- Adrian Bunk <b...@debian.org> Thu, 20 Jun 2024 13:27:49 +0300
+
libvpx (1.9.0-1+deb11u2) bullseye-security; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru libvpx-1.9.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
libvpx-1.9.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
--- libvpx-1.9.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
1970-01-01 02:00:00.000000000 +0200
+++ libvpx-1.9.0/debian/patches/0001-Add-test-vpx_image_test.cc.patch
2024-06-20 13:27:49.000000000 +0300
@@ -0,0 +1,81 @@
+From 0f48f11cb4da75484550e740f6729fc01b554c90 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Wed, 10 Apr 2024 17:55:01 -0700
+Subject: Add test/vpx_image_test.cc
+
+Ported from test/aom_image_test.cc in libaom commit 04d6253.
+
+Change-Id: I56478d0a5603cfb5b65e644add0918387ff69a00
+(cherry picked from commit 3dbab0e66479e1b5368d4b7a069051dba85843cf)
+---
+ test/test.mk | 1 +
+ test/vpx_image_test.cc | 45 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 test/vpx_image_test.cc
+
+diff --git a/test/test.mk b/test/test.mk
+index 5aecb013f..04a31e7a1 100644
+--- a/test/test.mk
++++ b/test/test.mk
+@@ -19,6 +19,7 @@ LIBVPX_TEST_SRCS-yes += video_source.h
+ ## Black box tests only use the public API.
+ ##
+ LIBVPX_TEST_SRCS-yes += ../md5_utils.h ../md5_utils.c
++LIBVPX_TEST_SRCS-yes += vpx_image_test.cc
+ LIBVPX_TEST_SRCS-$(CONFIG_DECODERS) += ivf_video_source.h
+ LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += ../y4minput.h ../y4minput.c
+ LIBVPX_TEST_SRCS-$(CONFIG_ENCODERS) += altref_test.cc
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+new file mode 100644
+index 000000000..c93843c1e
+--- /dev/null
++++ b/test/vpx_image_test.cc
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (c) 2024 The WebM project authors. All Rights Reserved.
++ *
++ * Use of this source code is governed by a BSD-style license
++ * that can be found in the LICENSE file in the root of the source
++ * tree. An additional intellectual property rights grant can be found
++ * in the file PATENTS. All contributing project authors may
++ * be found in the AUTHORS file in the root of the source tree.
++ */
++
++#include "vpx/vpx_image.h"
++#include "third_party/googletest/src/include/gtest/gtest.h"
++
++TEST(VpxImageTest, VpxImgWrapInvalidAlign) {
++ const int kWidth = 128;
++ const int kHeight = 128;
++ unsigned char buf[kWidth * kHeight * 3];
++
++ vpx_image_t img;
++ // Set img_data and img_data_owner to junk values. vpx_img_wrap() should
++ // not read these values on failure.
++ unsigned char empty[] = "";
++ img.img_data = empty;
++ img.img_data_owner = 1;
++
++ vpx_img_fmt_t format = VPX_IMG_FMT_I444;
++ // 'align' must be a power of 2 but is not. This causes the vpx_img_wrap()
++ // call to fail. The test verifies we do not read the junk values in 'img'.
++ unsigned int align = 31;
++ EXPECT_EQ(vpx_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr);
++}
++
++TEST(VpxImageTest, VpxImgAllocNv12) {
++ const int kWidth = 128;
++ const int kHeight = 128;
++
++ vpx_image_t img;
++ vpx_img_fmt_t format = VPX_IMG_FMT_NV12;
++ unsigned int align = 32;
++ EXPECT_EQ(vpx_img_alloc(&img, format, kWidth, kHeight, align), &img);
++ EXPECT_EQ(img.stride[VPX_PLANE_U], img.stride[VPX_PLANE_Y]);
++ EXPECT_EQ(img.stride[VPX_PLANE_V], img.stride[VPX_PLANE_U]);
++ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
++ vpx_img_free(&img);
++}
+--
+2.30.2
+
diff -Nru
libvpx-1.9.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
libvpx-1.9.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
---
libvpx-1.9.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.9.0/debian/patches/0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
2024-06-20 13:27:49.000000000 +0300
@@ -0,0 +1,156 @@
+From 7ed3c5428b701e74b1be844e38bed1654f334957 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Wed, 10 Apr 2024 17:01:10 -0700
+Subject: Fix integer overflows in calc of stride_in_bytes
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188761.
+
+Fix unsigned integer overflows in the calculation of stride_in_bytes in
+img_alloc_helper() when d_w is huge.
+
+Change the type of stride_in_bytes from unsigned int to int because it
+will be assigned to img->stride[VPX_PLANE_Y], which is of the int type.
+
+Test:
+. ../libvpx/tools/set_analyzer_env.sh integer
+../libvpx/configure --enable-debug --disable-optimizations
+make -j
+./test_libvpx --gtest_filter=VpxImageTest.VpxImgAllocHugeWidth
+
+Bug: chromium:332382766
+Change-Id: I3b39d78f61c7255e10cbf72ba2f4975425a05a82
+(cherry picked from commit 2e32276277c0b1739707c5e861c96cf78794f1a0)
+---
+ test/vpx_image_test.cc | 36 ++++++++++++++++++++++++++++++++++++
+ vpx/src/vpx_image.c | 31 +++++++++++++++++++------------
+ 2 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+index c93843c1e..74515df70 100644
+--- a/test/vpx_image_test.cc
++++ b/test/vpx_image_test.cc
+@@ -43,3 +43,39 @@ TEST(VpxImageTest, VpxImgAllocNv12) {
+ EXPECT_EQ(img.planes[VPX_PLANE_V], img.planes[VPX_PLANE_U] + 1);
+ vpx_img_free(&img);
+ }
++
++TEST(VpxImageTest, VpxImgAllocHugeWidth) {
++ // The stride (0x80000000 * 2) would overflow unsigned int.
++ vpx_image_t *image =
++ vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 0x80000000, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
++ // The stride (0x80000000) would overflow int.
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_NV12, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_YV12, 285245883, 64, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
++ if (image) {
++ vpx_img_free(image);
++ }
++}
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index ff496b5d3..a30c7cad0 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -20,8 +20,9 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ unsigned int buf_align,
+ unsigned int stride_align,
+ unsigned char *img_data) {
+- unsigned int h, w, s, xcs, ycs, bps;
+- unsigned int stride_in_bytes;
++ unsigned int h, w, xcs, ycs, bps;
++ uint64_t s;
++ int stride_in_bytes;
+ int align;
+
+ /* Treat align==0 like align==1 */
+@@ -77,9 +78,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ * and height shouldn't be adjusted. */
+ w = d_w;
+ h = d_h;
+- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+- s = (s + stride_align - 1) & ~(stride_align - 1);
+- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ if (s > INT_MAX) goto fail;
++ stride_in_bytes = (int)s;
+
+ /* Allocate the new image */
+ if (!img) {
+@@ -102,9 +105,11 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ align = (1 << ycs) - 1;
+ h = (d_h + align) & ~align;
+
+- s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+- s = (s + stride_align - 1) & ~(stride_align - 1);
+- stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
++ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
++ if (s > INT_MAX) goto fail;
++ stride_in_bytes = (int)s;
+ alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
+ : (uint64_t)h * s;
+
+@@ -170,12 +175,12 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
+ img->planes[VPX_PLANE_ALPHA] =
+ data + x * bytes_per_sample + y * img->stride[VPX_PLANE_ALPHA];
+- data += img->h * img->stride[VPX_PLANE_ALPHA];
++ data += (size_t)img->h * img->stride[VPX_PLANE_ALPHA];
+ }
+
+ img->planes[VPX_PLANE_Y] =
+ data + x * bytes_per_sample + y * img->stride[VPX_PLANE_Y];
+- data += img->h * img->stride[VPX_PLANE_Y];
++ data += (size_t)img->h * img->stride[VPX_PLANE_Y];
+
+ if (img->fmt == VPX_IMG_FMT_NV12) {
+ img->planes[VPX_PLANE_U] =
+@@ -186,7 +191,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ img->planes[VPX_PLANE_U] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
++ data +=
++ (size_t)(img->h >> img->y_chroma_shift) *
img->stride[VPX_PLANE_U];
+ img->planes[VPX_PLANE_V] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+@@ -194,7 +200,8 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x,
unsigned int y,
+ img->planes[VPX_PLANE_V] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
+- data += (img->h >> img->y_chroma_shift) * img->stride[VPX_PLANE_V];
++ data +=
++ (size_t)(img->h >> img->y_chroma_shift) *
img->stride[VPX_PLANE_V];
+ img->planes[VPX_PLANE_U] =
+ data + (x >> img->x_chroma_shift) * bytes_per_sample +
+ (y >> img->y_chroma_shift) * img->stride[VPX_PLANE_U];
+--
+2.30.2
+
diff -Nru
libvpx-1.9.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
libvpx-1.9.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
---
libvpx-1.9.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.9.0/debian/patches/0003-Avoid-integer-overflows-in-arithmetic-operations.patch
2024-06-20 13:27:49.000000000 +0300
@@ -0,0 +1,149 @@
+From 99d546e66d91ffaa186b8e932a234a78691c1a19 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Thu, 11 Apr 2024 10:24:11 -0700
+Subject: Avoid integer overflows in arithmetic operations
+
+A port of the libaom CL
+https://aomedia-review.googlesource.com/c/aom/+/188823.
+
+Impose maximum values on the input parameters so that we can perform
+arithmetic operations without worrying about overflows.
+
+Also change the VpxImageTest.VpxImgAllocHugeWidth test to write to the
+first and last samples in the first row of the Y plane, so that the test
+will crash if there is unsigned integer overflow in the calculation of
+stride_in_bytes.
+
+Bug: chromium:332382766
+Change-Id: I54cec6c9e26377abaa8a991042ba277ff70afdf3
+(cherry picked from commit 06af417e795e6a9b9309406ba399fb109def89e6)
+---
+ test/vpx_image_test.cc | 19 +++++++++++++++++++
+ vpx/src/vpx_image.c | 12 ++++++++++++
+ vpx/vpx_image.h | 16 +++++++++++-----
+ 3 files changed, 42 insertions(+), 5 deletions(-)
+
+diff --git a/test/vpx_image_test.cc b/test/vpx_image_test.cc
+index 74515df70..eb6e35474 100644
+--- a/test/vpx_image_test.cc
++++ b/test/vpx_image_test.cc
+@@ -8,6 +8,8 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include <climits>
++
+ #include "vpx/vpx_image.h"
+ #include "third_party/googletest/src/include/gtest/gtest.h"
+
+@@ -54,6 +56,10 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x80000000, 1, 1);
+ ASSERT_EQ(image, nullptr);
+
++ // The aligned width (UINT_MAX + 1) would overflow unsigned int.
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, UINT_MAX, 1, 1);
++ ASSERT_EQ(image, nullptr);
++
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I420, 0x7ffffffe, 1, 1);
+ if (image) {
+ vpx_img_free(image);
+@@ -74,8 +80,21 @@ TEST(VpxImageTest, VpxImgAllocHugeWidth) {
+ vpx_img_free(image);
+ }
+
++ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 65536, 2, 1);
++ if (image) {
++ uint16_t *y_plane =
++ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
++ y_plane[0] = 0;
++ y_plane[image->d_w - 1] = 0;
++ vpx_img_free(image);
++ }
++
+ image = vpx_img_alloc(nullptr, VPX_IMG_FMT_I42016, 285245883, 2, 1);
+ if (image) {
++ uint16_t *y_plane =
++ reinterpret_cast<uint16_t *>(image->planes[VPX_PLANE_Y]);
++ y_plane[0] = 0;
++ y_plane[image->d_w - 1] = 0;
+ vpx_img_free(image);
+ }
+ }
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index a30c7cad0..63773dfb8 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -8,6 +8,8 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include <assert.h>
++#include <limits.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+@@ -25,6 +27,14 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ int stride_in_bytes;
+ int align;
+
++ /* Impose maximum values on input parameters so that this function can
++ * perform arithmetic operations without worrying about overflows.
++ */
++ if (d_w > 0x08000000 || d_h > 0x08000000 || buf_align > 65536 ||
++ stride_align > 65536) {
++ goto fail;
++ }
++
+ /* Treat align==0 like align==1 */
+ if (!buf_align) buf_align = 1;
+
+@@ -102,8 +112,10 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ /* Calculate storage sizes given the chroma subsampling */
+ align = (1 << xcs) - 1;
+ w = (d_w + align) & ~align;
++ assert(d_w <= w);
+ align = (1 << ycs) - 1;
+ h = (d_h + align) & ~align;
++ assert(d_h <= h);
+
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : (uint64_t)bps * w / 8;
+ s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1);
+diff --git a/vpx/vpx_image.h b/vpx/vpx_image.h
+index bc23be50c..1417580ef 100644
+--- a/vpx/vpx_image.h
++++ b/vpx/vpx_image.h
+@@ -132,10 +132,13 @@ typedef struct vpx_image_rect {
+ * is NULL, the storage for the descriptor will be
+ * allocated on the heap.
+ * \param[in] fmt Format for the image
+- * \param[in] d_w Width of the image
+- * \param[in] d_h Height of the image
++ * \param[in] d_w Width of the image. Must not exceed 0x08000000
++ * (2^27).
++ * \param[in] d_h Height of the image. Must not exceed 0x08000000
++ * (2^27).
+ * \param[in] align Alignment, in bytes, of the image buffer and
+- * each row in the image(stride).
++ * each row in the image (stride). Must not exceed
++ * 65536.
+ *
+ * \return Returns a pointer to the initialized image descriptor. If the img
+ * parameter is non-null, the value of the img parameter will be
+@@ -155,9 +158,12 @@ vpx_image_t *vpx_img_alloc(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ * parameter is NULL, the storage for the
descriptor
+ * will be allocated on the heap.
+ * \param[in] fmt Format for the image
+- * \param[in] d_w Width of the image
+- * \param[in] d_h Height of the image
++ * \param[in] d_w Width of the image. Must not exceed 0x08000000
++ * (2^27).
++ * \param[in] d_h Height of the image. Must not exceed 0x08000000
++ * (2^27).
+ * \param[in] stride_align Alignment, in bytes, of each row in the image.
++ * Must not exceed 65536.
+ * \param[in] img_data Storage to use for the image
+ *
+ * \return Returns a pointer to the initialized image descriptor. If the img
+--
+2.30.2
+
diff -Nru
libvpx-1.9.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
libvpx-1.9.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
---
libvpx-1.9.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
1970-01-01 02:00:00.000000000 +0200
+++
libvpx-1.9.0/debian/patches/0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
2024-06-20 13:27:49.000000000 +0300
@@ -0,0 +1,46 @@
+From fd0ebf6c4ea138ba83ffbbcf59ad47bbbcfb4285 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <w...@google.com>
+Date: Fri, 12 Apr 2024 15:48:04 -0700
+Subject: Fix a bug in alloc_size for high bit depths
+
+I introduced this bug in commit 2e32276:
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333
+
+I changed the line
+
+ stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+
+to three lines:
+
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
+
+But I didn't realize that `s` is used later in the calculation of
+alloc_size.
+
+As a quick fix, undo the effect of s * 2 for high bit depths after `s`
+has been assigned to stride_in_bytes.
+
+Bug: chromium:332382766
+Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c
+(cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3)
+---
+ vpx/src/vpx_image.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
+index 63773dfb8..a08495139 100644
+--- a/vpx/src/vpx_image.c
++++ b/vpx/src/vpx_image.c
+@@ -93,6 +93,7 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img,
vpx_img_fmt_t fmt,
+ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ if (s > INT_MAX) goto fail;
+ stride_in_bytes = (int)s;
++ s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;
+
+ /* Allocate the new image */
+ if (!img) {
+--
+2.30.2
+
diff -Nru libvpx-1.9.0/debian/patches/series libvpx-1.9.0/debian/patches/series
--- libvpx-1.9.0/debian/patches/series 2023-10-01 18:25:58.000000000 +0300
+++ libvpx-1.9.0/debian/patches/series 2024-06-20 13:27:10.000000000 +0300
@@ -1,2 +1,6 @@
0001-VP8-disallow-thread-count-changes.patch
0002-Fix-bug-with-smaller-width-bigger-size.patch
+0001-Add-test-vpx_image_test.cc.patch
+0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch
+0003-Avoid-integer-overflows-in-arithmetic-operations.patch
+0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
