[arch-commits] Commit in libvpx/trunk (CVE-2010-4203.patch PKGBUILD)
Ionut Biru
ibiru at archlinux.org
Sat Nov 27 10:13:03 UTC 2010
Date: Saturday, November 27, 2010 @ 05:13:02
Author: ibiru
Revision: 100998
upgpkg: libvpx 0.9.5-2
apply upstream changes for CVE-2010-4203
Added:
libvpx/trunk/CVE-2010-4203.patch
Modified:
libvpx/trunk/PKGBUILD
---------------------+
CVE-2010-4203.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 9 ++++--
2 files changed, 75 insertions(+), 3 deletions(-)
Added: CVE-2010-4203.patch
===================================================================
--- CVE-2010-4203.patch (rev 0)
+++ CVE-2010-4203.patch 2010-11-27 10:13:02 UTC (rev 100998)
@@ -0,0 +1,69 @@
+From: John Koleszar <jkoleszar at google.com>
+Date: Thu, 4 Nov 2010 20:59:26 +0000 (-0400)
+Subject: fix integer promotion bug in partition size check
+X-Git-Url: https://review.webmproject.org/gitweb?p=libvpx.git;a=commitdiff_plain;h=9fb80f7170ec48e23c3c7b477149eeb37081c699;hp=09bcc1f710ea65dc158639479288fb1908ff0c53
+
+fix integer promotion bug in partition size check
+
+The check '(user_data_end - partition < partition_size)' must be
+evaluated as a signed comparison, but because partition_size was
+unsigned, the LHS was promoted to unsigned, causing an incorrect
+result on 32-bit. Instead, check the upper and lower bounds of
+the segment separately.
+
+Change-Id: I6266aba7fd7de084268712a3d2a81424ead7aa06
+---
+
+diff --git a/vp8/decoder/decodframe.c b/vp8/decoder/decodframe.c
+index 2d81d61..f5e49a1 100644
+--- a/vp8/decoder/decodframe.c
++++ b/vp8/decoder/decodframe.c
+@@ -462,7 +462,8 @@ static void setup_token_decoder(VP8D_COMP *pbi,
+ partition_size = user_data_end - partition;
+ }
+
+- if (user_data_end - partition < partition_size)
++ if (partition + partition_size > user_data_end
++ || partition + partition_size < partition)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition "
+ "%d length", i + 1);
+@@ -580,7 +581,8 @@ int vp8_decode_frame(VP8D_COMP *pbi)
+ (data[0] | (data[1] << 8) | (data[2] << 16)) >> 5;
+ data += 3;
+
+- if (data_end - data < first_partition_length_in_bytes)
++ if (data + first_partition_length_in_bytes > data_end
++ || data + first_partition_length_in_bytes < data)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Truncated packet or corrupt partition 0 length");
+ vp8_setup_version(pc);
+diff --git a/vp8/vp8_dx_iface.c b/vp8/vp8_dx_iface.c
+index e7e5356..f0adf5b 100644
+--- a/vp8/vp8_dx_iface.c
++++ b/vp8/vp8_dx_iface.c
+@@ -253,8 +253,11 @@ static vpx_codec_err_t vp8_peek_si(const uint8_t *data,
+ unsigned int data_sz,
+ vpx_codec_stream_info_t *si)
+ {
+-
+ vpx_codec_err_t res = VPX_CODEC_OK;
++
++ if(data + data_sz <= data)
++ res = VPX_CODEC_INVALID_PARAM;
++ else
+ {
+ /* Parse uncompresssed part of key frame header.
+ * 3 bytes:- including version, frame type and an offset
+@@ -331,7 +334,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx,
+
+ ctx->img_avail = 0;
+
+- /* Determine the stream parameters */
++ /* Determine the stream parameters. Note that we rely on peek_si to
++ * validate that we have a buffer that does not wrap around the top
++ * of the heap.
++ */
+ if (!ctx->si.h)
+ res = ctx->base.iface->dec.peek_si(data, data_sz, &ctx->si);
+
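Review bot: The new bounds checks in setup_token_decoder and vp8_decode_frame (`partition + partition_size < partition`, `data + first_partition_length_in_bytes < data`) and the guard added to vp8_peek_si (`data + data_sz <= data`) detect wraparound by overflowing a pointer, which is undefined behaviour in C, so an optimising compiler is allowed to assume it never happens and drop the test. Comparing the length with the remaining byte count avoids forming an out-of-range pointer, e.g. `if (partition > user_data_end || partition_size > (size_t)(user_data_end - partition))` and `if (data > data_end || first_partition_length_in_bytes > (size_t)(data_end - data))`. The peek_si guard can only rule out address wraparound, not a data_sz larger than the caller's real buffer, and the comment added in vp8_decode would be clearer if it said so. All three functions start and end outside their hunks, so the operand types are inferred from the commit message rather than seen.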
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2010-11-27 10:06:47 UTC (rev 100997)
+++ PKGBUILD 2010-11-27 10:13:02 UTC (rev 100998)
@@ -2,18 +2,21 @@
# Maintainer: Ionut Biru <ibiru at archlinux.org>
pkgname=libvpx
pkgver=0.9.5
-pkgrel=1
+pkgrel=2
pkgdesc="The VP8 Codec SDK"
arch=('i686' 'x86_64')
url="http://www.webmproject.org/"
license=('BSD')
depends=('glibc')
makedepends=('yasm')
-source=(http://webm.googlecode.com/files/${pkgname}-v${pkgver}.tar.bz2)
-sha1sums=('223965ff16737251afb3377c0800d1f8b5f84379')
+source=(http://webm.googlecode.com/files/${pkgname}-v${pkgver}.tar.bz2
+ CVE-2010-4203.patch)
+sha1sums=('223965ff16737251afb3377c0800d1f8b5f84379'
+ '4a6399bbf604ab397f53ad42c087fda588eb4ddf')
build() {
cd "${srcdir}/${pkgname}-v${pkgver}"
+ patch -Np1 -i "${srcdir}/CVE-2010-4203.patch"
./configure --enable-vp8 \
--enable-runtime-cpu-detect \
--enable-shared \
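Review bot: The `source=(http://webm.googlecode.com/files/...` entry still fetches the tarball over plain http, and both sources are pinned only by `sha1sums`, so the integrity of this security rebuild rests on SHA-1 alone. Adding a second array such as `sha256sums=('<sha256 of the tarball>' '<sha256 of CVE-2010-4203.patch>')` would give a stronger pin; the two values are placeholders to be computed from files verified out of band. build() continues past the end of the hunk.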