Package: release.debian.org
Affects: libtheora0
X-Debbugs-CC: Debian Multimedia Maintainers <debian-multime...@lists.debian.org>
While investigating CVE-2024-56431 reported in <URL: https://bugs.debian.org/1091633 >, using the code to reproduce the crash reported in CVE-2024-56431, I found that the exact crash reported in CVE-2024-56431 did not exist in Debian Bookworm, but similar issues caused by other bugs in the code did. I propose to fix these issues in stable. All of these issues are already fixed upstream, some in version 1.2.0alpha1 and others in 1.2.0beta1. Is it OK to update libtheora in bookworm with the following patch, also present in the salsa git repository branch debian/bookworm? Note, I did not create BTS reports for the issues found, they are already fixed upstream and there seem to be no advantage to coordinate anything regarding these fixes in a BTS report. I would be happy to create such report anyway if you believe it is needed.
diff --git a/debian/changelog b/debian/changelog
index 80489cf..8b9fba2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libtheora (1.1.1+dfsg.1-16.1+deb12u1) UNRELEASED; urgency=medium
+
+ * Team upload.
+
+ * Added patches fixing issues found using GCC sanitize.
+ * Acknowledge NMU 1.1.1+dfsg.1-16.1.
+
+ -- Petter Reinholdtsen <p...@debian.org> Sun, 16 Mar 2025 05:45:39 +0100
+
 libtheora (1.1.1+dfsg.1-16.1) unstable; urgency=medium
 * Non-maintainer upload by the Reproducible Builds team.
diff --git a/debian/patches/0007-pp_sharp_mod-segfault.patch b/debian/patches/0007-pp_sharp_mod-segfault.patch
new file mode 100644
index 0000000..0a09f52
--- /dev/null
+++ b/debian/patches/0007-pp_sharp_mod-segfault.patch
@@ -0,0 +1,33 @@
+commit 0ae66d565e6bead8604d312bc1a4e9dccf245c88
+Author: Tim Terriberry <tterr...@xiph.org>
+Date: Tue May 8 02:51:57 2012 +0000
+
+ Fix pp_sharp_mod calculation.
+
+ This was broken when the dequant_tables indexing changed in commit
+ r16102, but it only affected post-processing quality, so we never
+ noticed.
+ With gcc 4.8.0, this can now trigger a segfault during decoder
+ initialization.
+
+ svn path=/trunk/theora/; revision=18268
+
+Index: libtheora-salsa/lib/decode.c
+===================================================================
+--- libtheora-salsa.orig/lib/decode.c 2025-03-16 05:39:47.754277765 +0100
++++ libtheora-salsa/lib/decode.c 2025-03-16 05:39:51.000000000 +0100
+@@ -397,10 +397,10 @@
+ int qsum;
+ qsum=0;
+ for(qti=0;qti<2;qti++)for(pli=0;pli<3;pli++){
+- qsum+=_dec->state.dequant_tables[qti][pli][qi][12]+
+- _dec->state.dequant_tables[qti][pli][qi][17]+
+- _dec->state.dequant_tables[qti][pli][qi][18]+
+- _dec->state.dequant_tables[qti][pli][qi][24]<<(pli==0);
++ qsum+=_dec->state.dequant_tables[qi][pli][qti][12]+
++ _dec->state.dequant_tables[qi][pli][qti][17]+
++ _dec->state.dequant_tables[qi][pli][qti][18]+
++ _dec->state.dequant_tables[qi][pli][qti][24]<<(pli==0);
+ }
+ _dec->pp_sharp_mod[qi]=-(qsum>>11);
+ }
diff --git a/debian/patches/0008-shift-negative-stride.patch b/debian/patches/0008-shift-negative-stride.patch
new file mode 100644
index 0000000..8bdae8f
--- /dev/null
+++ b/debian/patches/0008-shift-negative-stride.patch
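Review bot: The 0007 patch file carries only the raw upstream svn header (`commit …`, `Index:`, timestamped `---`/`+++` lines) and none of the DEP-3 fields that 0008 has, so a reader of debian/patches cannot tell that it is an unmodified upstream backport or which upstream release carries it; a header of the form `Origin: upstream, 0ae66d565e6bead8604d312bc1a4e9dccf245c88`, `Applied-Upstream: <upstream-release, placeholder>` and `Bug-Debian: https://bugs.debian.org/1091633` would make the series self-describing for the stable-update reviewer. The description should also say why the subscript reorder from `[qti][pli][qi]` to `[qi][pli][qti]` fixes a crash rather than only post-processing quality: presumably the table is declared with `qi` outermost, so the old order used `qi` (which runs far beyond 2) to index the dimension sized for `qti` and read outside the table during decoder initialisation; that is the point a reviewer of a stable update wants confirmed. Separately, `…[24]<<(pli==0)` shifts the whole four-term sum, not only the last term, because `+` binds tighter than `<<`; this is unchanged from upstream and likely intended (double weight for the luma plane), but parenthesising the sum would document that and silence -Wparentheses. The enclosing function starts and ends outside the nested hunk, and its `@@ -397,10 +397,10 @@` header carries no function context.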
@@ -0,0 +1,123 @@
+Description: Replaced possible bit shifting into signed bit of stride values.
+ Use multiplication instead, allowing the compiler to optimize to
+ bitshifts if it believe it to be safe.
+
+ Based on upstream commits a6766c94721bc55e8e56fb0d941ecfe2d27c3d17
+ and ec642ecf6d94f11d5eb05ab1fb7a9728c9a89cae, adjusted for 1.1.1.
+Author: Petter Reinholdtsen <p...@debian.org>
+Forwarded: not-needed
+Last-Update: 2025-06-03
+---
+diff --git a/lib/decode.c b/lib/decode.c
+index 7be6646..ad56716 100644
+--- a/lib/decode.c
++++ b/lib/decode.c
+@@ -1747,13 +1747,13 @@ static void oc_dec_deblock_frag_rows(oc_dec_ctx *_dec,
+ flimit=(qstep*3)>>2;
+ oc_filter_hedge(dst+x,dst_ystride,src+x-src_ystride,src_ystride,
+ qstep,flimit,variance,variance+nhfrags);
+- oc_filter_vedge(dst+x-(dst_ystride<<2)-4,dst_ystride,
++ oc_filter_vedge(dst+x-(dst_ystride*4)-4,dst_ystride,
+ qstep,flimit,variance-1);
+ variance++;
+ dc_qi++;
+ }
+- dst+=dst_ystride<<3;
+- src+=src_ystride<<3;
++ dst+=dst_ystride*8;
++ src+=src_ystride*8;
+ }
+ /*And finally, handle the last row in the frame, if it's in the range.*/
+ if(!notdone){
+@@ -1769,7 +1769,7 @@ static void oc_dec_deblock_frag_rows(oc_dec_ctx *_dec,
+ for(x=8;x<width;x+=8){
+ qstep=_dec->pp_dc_scale[*dc_qi++];
+ flimit=(qstep*3)>>2;
+- oc_filter_vedge(dst+x-(dst_ystride<<3)-4,dst_ystride,
++ oc_filter_vedge(dst+x-(dst_ystride*8)-4,dst_ystride,
+ qstep,flimit,variance++);
+ }
+ }
+@@ -1944,7 +1944,7 @@ static void oc_dec_dering_frag_rows(oc_dec_ctx *_dec,th_img_plane *_img,
+ frag++;
+ variance++;
+ }
+- idata+=ystride<<3;
++ idata+=ystride*8;
+ }
+ }
+ 
+@@ -2877,10 +2877,10 @@ int th_decode_ycbcr_out(th_dec_ctx *_dec,th_ycbcr_buffer _ycbcr){
+ u_row[x>>1]=OC_CLAMP255(u);
+ v_row[x>>1]=OC_CLAMP255(v);
+ }
+- y_row+=_ycbcr[0].stride<<1;
++ y_row+=_ycbcr[0].stride*2;
+ u_row+=_ycbcr[1].stride;
+ v_row+=_ycbcr[2].stride;
+- rgb_row+=cstride<<1;
++ rgb_row+=cstride*2;
+ }
+ }break;
+ case TH_PF_422:{
+diff --git a/lib/state.c b/lib/state.c
+index 42ed33a..fe803d6 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -573,7 +573,7 @@ static int oc_state_ref_bufs_init(oc_theora_state *_state,int _nrefs){
+ frag_buf_offs[fragi]=hpix-ref_frame_data;
+ hpix+=8;
+ }
+- vpix+=stride<<3;
++ vpix+=stride*8;
+ }
+ }
+ /*Initialize the reference frame indices.*/
+@@ -1055,7 +1055,7 @@ void oc_state_loop_filter_frag_rows_c(const oc_theora_state *_state,int *_bv,
+ loop_filter_h(ref+8,ystride,_bv);
+ }
+ if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
+- loop_filter_v(ref+(ystride<<3),ystride,_bv);
++ loop_filter_v(ref+(ystride*8),ystride,_bv);
+ }
+ }
+ fragi++;
+diff --git a/lib/x86/mmxfrag.c b/lib/x86/mmxfrag.c
+index 2c73293..6930aaf 100644
+--- a/lib/x86/mmxfrag.c
++++ b/lib/x86/mmxfrag.c
+@@ -141,7 +141,7 @@ void oc_frag_recon_intra_mmx(unsigned char *_dst,int _ystride,
+ :
+ :[residue]"r"(_residue),
+ [dst]"r"(_dst),
+- [dst4]"r"(_dst+(_ystride<<2)),
++ [dst4]"r"(_dst+(_ystride*4)),
+ [ystride]"r"((ptrdiff_t)_ystride),
+ [ystride3]"r"((ptrdiff_t)_ystride*3)
+ :"memory"
+diff --git a/lib/x86/mmxstate.c b/lib/x86/mmxstate.c
+index 808b0a7..dd428d6 100644
+--- a/lib/x86/mmxstate.c
++++ b/lib/x86/mmxstate.c
+@@ -176,7 +176,7 @@ void oc_state_loop_filter_frag_rows_mmx(const oc_theora_state *_state,
+ OC_LOOP_FILTER_H_MMX(ref+8,ystride,ll);
+ }
+ if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
+- OC_LOOP_FILTER_V_MMX(ref+(ystride<<3),ystride,ll);
++ OC_LOOP_FILTER_V_MMX(ref+(ystride*8),ystride,ll);
+ }
+ }
+ fragi++;
+diff --git a/lib/x86_vc/mmxstate.c b/lib/x86_vc/mmxstate.c
+index 73bd198..8a00909 100644
+--- a/lib/x86_vc/mmxstate.c
++++ b/lib/x86_vc/mmxstate.c
+@@ -193,7 +193,7 @@ void oc_state_loop_filter_frag_rows_mmx(const oc_theora_state *_state,
+ OC_LOOP_FILTER_H_MMX(ref+8,ystride,ll);
+ }
+ if(fragi+nhfrags<fragi_bot&&!frags[fragi+nhfrags].coded){
+- OC_LOOP_FILTER_V_MMX(ref+(ystride<<3),ystride,ll);
++ OC_LOOP_FILTER_V_MMX(ref+(ystride*8),ystride,ll);
+ }
+ #undef PIX
+ #undef YSTRIDE3
diff --git a/debian/patches/series b/debian/patches/series
index 70cae7d..d702217 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,5 @@
 0004-player-example-needs-lm-for-rint.patch
 0005-latex.patch
 0006-libpng16.patch
+0007-pp_sharp_mod-segfault.patch
+0008-shift-negative-stride.patch
-- Happy hacking Petter Reinholdtsen
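Review bot: The 0008 patch rewrites the twelve `<<1`/`<<2`/`<<3` stride expressions it touches as multiplications, which is the correct cure for the undefined left shift of a negative stride (the flipped-frame case), but neither the patch nor its description says how those sites were chosen, so a reviewer cannot tell whether other shifts of `stride`/`ystride` in lib/ were audited or simply never executed by the reproducer; a description sentence such as `Sites are those reported by -fsanitize=undefined on the #1091633 reproducer; the remaining stride shifts in lib/ were reviewed by grep and found to be <placeholder: count/none>` would close that gap. The description's wording "bit shifting into signed bit" understates the rule the sanitizer enforces — in C11 any left shift of a negative value is undefined, not only one that reaches the sign bit — and stating it that way explains why every site was changed rather than only the large-shift ones. In mmxfrag.c the new `[dst4]"r"(_dst+(_ystride*4))` sits next to `[ystride3]"r"((ptrdiff_t)_ystride*3)`, which already widens through `ptrdiff_t`; `_dst+(ptrdiff_t)_ystride*4` would keep the two operands in the same style. On the DEP-3 side the `Based on upstream commits …` text belongs in `Origin: backport, <upstream-url, placeholder>` with an `Applied-Upstream:` naming the release, and the bookworm changelog entry for this update would be easier to track if it referenced #1091633 and CVE-2024-56431 rather than only "issues found using GCC sanitize". Each of the enclosing functions starts and ends outside its nested hunk.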