diff -Nru libvpx-1.5.0/debian/changelog libvpx-1.5.0/debian/changelog
--- libvpx-1.5.0/debian/changelog 2016-04-05 22:32:45.000000000 +0000
+++ libvpx-1.5.0/debian/changelog 2019-11-19 16:28:28.000000000 +0000
@@ -1,3 +1,30 @@
+libvpx (1.5.0-2ubuntu1.1) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: image width alignment issue
+ - debian/patches/CVE-2017-13194-1.patch: fix image width alignment in
+ vpx/src/vpx_image.c.
+ - debian/patches/CVE-2017-13194-2.patch: fix alignment without external
+ allocation in vpx/src/vpx_image.c.
+ - CVE-2017-13194
+ * SECURITY UPDATE: double free in ParseContentEncodingEntry
+ - debian/patches/CVE-2019-2126.patch: set compression_entries_ to NULL
+ in third_party/libwebm/mkvparser/mkvparser.cc.
+ - CVE-2019-2126
+ * SECURITY UPDATE: out of bounds read
+ - debian/patches/CVE-2019-9232.patch: use unsigned char in
+ vp8/decoder/dboolhuff.h, vpx_dsp/bitreader.h.
+ - CVE-2019-9232
+ * SECURITY UPDATE: out of bounds read
+ - debian/patches/CVE-2019-9325.patch: fix size in vp9/vp9_dx_iface.c,
+ vpx_dsp/bitreader_buffer.c, test/decode_api_test.cc.
+ - CVE-2019-9325
+ * SECURITY UPDATE: memory disclosure issue
+ - debian/patches/CVE-2019-9433.patch: fix use-after-free in
+ vp8/common/postproc.c.
+ - CVE-2019-9433
+
+ -- Marc Deslauriers Tue, 19 Nov 2019 11:26:37 -0500
+
 libvpx (1.5.0-2ubuntu1) xenial; urgency=medium
 
 * Update to PHP7.0 build-dependencies (LP: #1566423).
diff -Nru libvpx-1.5.0/debian/patches/CVE-2017-13194-1.patch libvpx-1.5.0/debian/patches/CVE-2017-13194-1.patch
--- libvpx-1.5.0/debian/patches/CVE-2017-13194-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvpx-1.5.0/debian/patches/CVE-2017-13194-1.patch 2019-11-19 16:10:43.000000000 +0000
@@ -0,0 +1,54 @@ +Backport of: + +From 5a40c8fde11bf82cccb5bd2f57c46ab5e6262cbf Mon Sep 17 00:00:00 2001 +From: Jerome Jiang +Date: Wed, 27 Sep 2017 11:08:37 -0700 +Subject: [PATCH] Fix image width alignment. Enable ImageSizeSetting test. + +BUG=b/64710201 + +Change-Id: I5465f6c6481d3c9a5e00fcab024cf4ae562b6b01 +--- + test/encode_api_test.cc | 2 +- + vpx/src/vpx_image.c | 24 ++++++++++++++++-------- + 2 files changed, 17 insertions(+), 9 deletions(-) + +--- a/vpx/src/vpx_image.c ++++ b/vpx/src/vpx_image.c +@@ -122,11 +122,10 @@ static vpx_image_t *img_alloc_helper(vpx + break; + } + +- /* Calculate storage sizes given the chroma subsampling */ +- align = (1 << xcs) - 1; +- w = (d_w + align) & ~align; +- align = (1 << ycs) - 1; +- h = (d_h + align) & ~align; ++ /* Calculate storage sizes. If the buffer was allocated externally, the width ++ * and height shouldn't be adjusted. */ ++ w = d_w; ++ h = d_h; + s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; + s = (s + stride_align - 1) & ~(stride_align - 1); + stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; +@@ -146,8 +145,18 @@ static vpx_image_t *img_alloc_helper(vpx + img->img_data = img_data; + + if (!img_data) { +- const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? +- (uint64_t)h * s * bps / 8 : (uint64_t)h * s; ++ uint64_t alloc_size; ++ /* Calculate storage sizes given the chroma subsampling */ ++ align = xcs ? (1 << xcs) - 1 : 1; ++ w = (d_w + align - 1) & ~(align - 1); ++ align = ycs ? (1 << ycs) - 1 : 1; ++ h = (d_h + align - 1) & ~(align - 1); ++ ++ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; ++ s = (s + stride_align - 1) & ~(stride_align - 1); ++ stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; ++ alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? 
(uint64_t)h * s * bps / 8 ++ : (uint64_t)h * s; + + if (alloc_size != (size_t)alloc_size) + goto fail; diff -Nru libvpx-1.5.0/debian/patches/CVE-2017-13194-2.patch libvpx-1.5.0/debian/patches/CVE-2017-13194-2.patch --- libvpx-1.5.0/debian/patches/CVE-2017-13194-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvpx-1.5.0/debian/patches/CVE-2017-13194-2.patch 2019-11-19 16:11:16.000000000 +0000 @@ -0,0 +1,32 @@ +From 33c598990bc771d7367fe6282bd445e92cd856a6 Mon Sep 17 00:00:00 2001 +From: Jerome Jiang +Date: Mon, 9 Oct 2017 19:33:03 -0700 +Subject: [PATCH] Fix alignment in vpx_image without external allocation. + +This restores behaviors prior to +<40c8fde Fix image width alignment. Enable ImageSizeSetting test.>. + +BUG=b/64710201 + +Change-Id: I559557afe80d5ff5ea6ac24021561715068e7786 +--- + vpx/src/vpx_image.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/vpx/src/vpx_image.c ++++ b/vpx/src/vpx_image.c +@@ -147,10 +147,10 @@ static vpx_image_t *img_alloc_helper(vpx + if (!img_data) { + uint64_t alloc_size; + /* Calculate storage sizes given the chroma subsampling */ +- align = xcs ? (1 << xcs) - 1 : 1; +- w = (d_w + align - 1) & ~(align - 1); +- align = ycs ? (1 << ycs) - 1 : 1; +- h = (d_h + align - 1) & ~(align - 1); ++ align = (1 << xcs) - 1; ++ w = (d_w + align) & ~align; ++ align = (1 << ycs) - 1; ++ h = (d_h + align) & ~align; + + s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8; + s = (s + stride_align - 1) & ~(stride_align - 1); diff -Nru libvpx-1.5.0/debian/patches/CVE-2019-2126.patch libvpx-1.5.0/debian/patches/CVE-2019-2126.patch --- libvpx-1.5.0/debian/patches/CVE-2019-2126.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvpx-1.5.0/debian/patches/CVE-2019-2126.patch 2019-11-19 16:12:52.000000000 +0000 
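Review bot: The alignment block this backport introduces inside `if (!img_data)`, `align = xcs ? (1 << xcs) - 1 : 1; w = (d_w + align - 1) & ~(align - 1);`, gives `align - 1 == 0` for xcs == 1 and therefore leaves w (and likewise h) unaligned; it is only corrected by CVE-2017-13194-2.patch, which follows it in series. Because both patches are always applied together, folding the corrected lines into this patch, or adding a line to its header saying that -2 supersedes the alignment block, would spare a reader of this patch alone a misleading intermediate state. The upstream diffstat kept in the header lists test/encode_api_test.cc, which the backport does not carry; the CVE-2019-2126 and CVE-2019-9325 backports keep stale upstream diffstats in the same way. img_alloc_helper's body continues outside the hunk.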
@@ -0,0 +1,56 @@
+Backport of:
+
+From 6a7c84a2449dcc70de2525df209afea908622399 Mon Sep 17 00:00:00 2001
+From: James Zern
+Date: Fri, 7 Jun 2019 15:06:29 -0700
+Subject: [PATCH] update libwebm to libwebm-1.0.0.27-361-g81de00c
+
+81de00c Check there is only one settings per ContentCompression
+5623013 Fixes a double free in ContentEncoding
+93b2ba0 mkvparser: quiet static analysis warnings
+
+Change-Id: Ieaa562ef2f10075381bd856388e6b29f97ca2746
+---
+ third_party/libwebm/README.libvpx | 2 +-
+ third_party/libwebm/mkvparser/mkvparser.cc | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/third_party/libwebm/mkvparser.cpp
++++ b/third_party/libwebm/mkvparser.cpp
+@@ -4234,6 +4234,7 @@ long ContentEncoding::ParseContentEncodi
+ new (std::nothrow) ContentEncryption*[encryption_count];
+ if (!encryption_entries_) {
+ delete[] compression_entries_;
++ compression_entries_ = NULL;
+ return -1;
+ }
+ encryption_entries_end_ = encryption_entries_;
+@@ -4265,6 +4266,7 @@ long ContentEncoding::ParseContentEncodi
+ delete compression;
+ return status;
+ }
++ assert(compression_count > 0);
+ *compression_entries_end_++ = compression;
+ } else if (id == mkvmuxer::kMkvContentEncryption) {
+ ContentEncryption* const encryption =
+@@ -4277,6 +4279,7 @@ long ContentEncoding::ParseContentEncodi
+ delete encryption;
+ return status;
+ }
++ assert(encryption_count > 0);
+ *encryption_entries_end_++ = encryption;
+ }
+
+@@ -4329,6 +4332,12 @@ long ContentEncoding::ParseCompressionEn
+ return status;
+ }
+
++ // There should be only one settings element per content compression.
++ if (compression->settings != NULL) {
++ delete[] buf;
++ return E_FILE_FORMAT_INVALID;
++ }
++
+ compression->settings = buf;
+ compression->settings_len = buflen;
+ }
diff -Nru libvpx-1.5.0/debian/patches/CVE-2019-9232.patch libvpx-1.5.0/debian/patches/CVE-2019-9232.patch
--- libvpx-1.5.0/debian/patches/CVE-2019-9232.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvpx-1.5.0/debian/patches/CVE-2019-9232.patch 2019-11-19 16:14:40.000000000 +0000
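Review bot: The added `assert(compression_count > 0);` and `assert(encryption_count > 0);` before `*compression_entries_end_++ = compression;` and `*encryption_entries_end_++ = encryption;` compile out under NDEBUG, so in a release build they document the invariant rather than enforce it; if the counting pass that sizes these arrays (outside the hunk) cannot guarantee it, returning `E_FILE_FORMAT_INVALID` on the mismatch would keep the write in bounds. The `compression_entries_ = NULL;` after `delete[]` is the actual double-free fix and is sufficient on its own for that path. The patch header targets `third_party/libwebm/mkvparser.cpp` while the retained upstream diffstat and the changelog name `mkvparser/mkvparser.cc`; the diffstat should describe the hunks actually applied to the 1.5.0 tree. Both ParseContentEncodingEntry and ParseCompressionEntry continue outside the hunk.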
@@ -0,0 +1,42 @@
+Backport of:
+
+From 46e17f0cb4a80b36755c84b8bf15731d3386c08f Mon Sep 17 00:00:00 2001
+From: kyslov
+Date: Fri, 4 Jan 2019 17:04:09 -0800
+Subject: [PATCH] Fix OOB memory access on fuzzed data
+
+vp8_norm table has 256 elements while index to it can be higher on
+fuzzed data. Typecasting it to unsigned char will ensure valid range and
+will trigger proper error later. Also declaring "shift" as unsigned char to
+avoid UB sanitizer warning
+
+BUG=b/122373286,b/122373822,b/122371119
+
+Change-Id: I3cef1d07f107f061b1504976a405fa0865afe9f5
+---
+ vp8/decoder/dboolhuff.h | 2 +-
+ vpx_dsp/bitreader.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/vp8/decoder/dboolhuff.h
++++ b/vp8/decoder/dboolhuff.h
+@@ -83,7 +83,7 @@ static int vp8dx_decode_bool(BOOL_DECODE
+ }
+
+ {
+- register unsigned int shift = vp8_norm[range];
++ const unsigned char shift = vp8_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
+--- a/vpx_dsp/bitreader.h
++++ b/vpx_dsp/bitreader.h
+@@ -98,7 +98,7 @@ static INLINE int vpx_read(vpx_reader *r
+ }
+
+ {
+- register unsigned int shift = vpx_norm[range];
++ const unsigned char shift = vpx_norm[(unsigned char)range];
+ range <<= shift;
+ value <<= shift;
+ count -= shift;
diff -Nru libvpx-1.5.0/debian/patches/CVE-2019-9325.patch libvpx-1.5.0/debian/patches/CVE-2019-9325.patch
--- libvpx-1.5.0/debian/patches/CVE-2019-9325.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvpx-1.5.0/debian/patches/CVE-2019-9325.patch 2019-11-19 16:21:36.000000000 +0000
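Review bot: The cast in `const unsigned char shift = vp8_norm[(unsigned char)range];` keeps the table index inside the 256-entry vp8_norm but does not repair a `range` that has already left its valid interval; that intent lives only in the commit message, so a comment at the use site would help the next reader, e.g. `/* corrupt input can push range past 255; mask the index so the lookup stays in bounds (the corruption is reported later, per upstream) */`. The same comment applies to the `vpx_norm[(unsigned char)range]` line in vpx_dsp/bitreader.h. vp8dx_decode_bool and vpx_read both continue outside the hunk.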
@@ -0,0 +1,128 @@ +Backport of: + +From 0681cff1ad36b3ef8ec242f59b5a6c4234ccfb88 Mon Sep 17 00:00:00 2001 +From: James Zern +Date: Tue, 24 Jul 2018 21:36:50 -0700 +Subject: [PATCH] vp9: fix OOB read in decoder_peek_si_internal + +Profile 1 or 3 bitstreams may require 11 bytes for the header in the +intra-only case. + +Additionally add a check on the bit reader's error handler callback to +ensure it's non-NULL before calling to avoid future regressions. + +This has existed since at least (pre-1.4.0): +09bf1d61c Changes hdr for profiles > 1 for intraonly frames + +BUG=webm:1543 + +Change-Id: I23901e6e3a219170e8ea9efecc42af0be2e5c378 +--- + test/decode_api_test.cc | 52 +++++++++++++++++++++++++------------- + vp9/vp9_dx_iface.c | 5 +++- + vpx_dsp/bitreader_buffer.c | 2 +- + 3 files changed, 39 insertions(+), 20 deletions(-) + +--- a/test/decode_api_test.cc ++++ b/test/decode_api_test.cc +@@ -147,8 +147,30 @@ TEST(DecodeAPI, Vp9InvalidDecode) { + EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec)); + } + +-TEST(DecodeAPI, Vp9PeekSI) { ++void TestPeekInfo(const uint8_t *const data, uint32_t data_sz, ++ uint32_t peek_size) { + const vpx_codec_iface_t *const codec = &vpx_codec_vp9_dx_algo; ++ // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get ++ // to decoder_peek_si_internal on frames of size < 8. ++ if (data_sz >= 8) { ++ vpx_codec_ctx_t dec; ++ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0)); ++ EXPECT_EQ((data_sz < peek_size) ? VPX_CODEC_UNSUP_BITSTREAM ++ : VPX_CODEC_CORRUPT_FRAME, ++ vpx_codec_decode(&dec, data, data_sz, NULL, 0)); ++ vpx_codec_iter_t iter = NULL; ++ EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter)); ++ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec)); ++ } ++ ++ // Verify behavior of vpx_codec_peek_stream_info. ++ vpx_codec_stream_info_t si; ++ si.sz = sizeof(si); ++ EXPECT_EQ((data_sz < peek_size) ? 
VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK, ++ vpx_codec_peek_stream_info(codec, data, data_sz, &si)); ++} ++ ++TEST(DecodeAPI, Vp9PeekStreamInfo) { + // The first 9 bytes are valid and the rest of the bytes are made up. Until + // size 10, this should return VPX_CODEC_UNSUP_BITSTREAM and after that it + // should return VPX_CODEC_CORRUPT_FRAME. +@@ -160,24 +182,18 @@ TEST(DecodeAPI, Vp9PeekSI) { + }; + + for (uint32_t data_sz = 1; data_sz <= 32; ++data_sz) { +- // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get +- // to decoder_peek_si_internal on frames of size < 8. +- if (data_sz >= 8) { +- vpx_codec_ctx_t dec; +- EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0)); +- EXPECT_EQ((data_sz < 10) ? +- VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_CORRUPT_FRAME, +- vpx_codec_decode(&dec, data, data_sz, NULL, 0)); +- vpx_codec_iter_t iter = NULL; +- EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter)); +- EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec)); +- } +- +- // Verify behavior of vpx_codec_peek_stream_info. +- vpx_codec_stream_info_t si; +- si.sz = sizeof(si); +- EXPECT_EQ((data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK, +- vpx_codec_peek_stream_info(codec, data, data_sz, &si)); ++ TestPeekInfo(data, data_sz, 10); ++ } ++} ++ ++TEST(DecodeAPI, Vp9PeekStreamInfoTruncated) { ++ // This profile 1 header requires 10.25 bytes, ensure ++ // vpx_codec_peek_stream_info doesn't over read. 
++ const uint8_t profile1_data[10] = { 0xa4, 0xe9, 0x30, 0x68, 0x53, ++ 0xe9, 0x30, 0x68, 0x53, 0x04 }; ++ ++ for (uint32_t data_sz = 1; data_sz <= 10; ++data_sz) { ++ TestPeekInfo(profile1_data, data_sz, 11); + } + } + #endif // CONFIG_VP9_DECODER +--- a/vp9/vp9_dx_iface.c ++++ b/vp9/vp9_dx_iface.c +@@ -127,7 +127,7 @@ static vpx_codec_err_t decoder_peek_si_i + vpx_decrypt_cb decrypt_cb, + void *decrypt_state) { + int intra_only_flag = 0; +- uint8_t clear_buffer[10]; ++ uint8_t clear_buffer[11]; + + if (data + data_sz <= data) + return VPX_CODEC_INVALID_PARAM; +@@ -196,6 +196,9 @@ static vpx_codec_err_t decoder_peek_si_i + if (profile > PROFILE_0) { + if (!parse_bitdepth_colorspace_sampling(profile, &rb)) + return VPX_CODEC_UNSUP_BITSTREAM; ++ // The colorspace info may cause vp9_read_frame_size() to need 11 ++ // bytes. ++ if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM; + } + rb.bit_offset += REF_FRAMES; // refresh_frame_flags + vp9_read_frame_size(&rb, (int *)&si->w, (int *)&si->h); +--- a/vpx_dsp/bitreader_buffer.c ++++ b/vpx_dsp/bitreader_buffer.c +@@ -23,7 +23,7 @@ int vpx_rb_read_bit(struct vpx_read_bit_ + rb->bit_offset = off + 1; + return bit; + } else { +- rb->error_handler(rb->error_handler_data); ++ if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data); + return 0; + } + } diff -Nru libvpx-1.5.0/debian/patches/CVE-2019-9325-pre1.patch libvpx-1.5.0/debian/patches/CVE-2019-9325-pre1.patch --- libvpx-1.5.0/debian/patches/CVE-2019-9325-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvpx-1.5.0/debian/patches/CVE-2019-9325-pre1.patch 2019-11-19 16:19:19.000000000 +0000 
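Review bot: With `if (rb->error_handler != NULL) rb->error_handler(rb->error_handler_data);` in vpx_rb_read_bit, a read past the buffer by a reader that has no handler now silently yields 0 for the bit, so callers such as decoder_peek_si_internal still depend on their own explicit length checks (the added `if (data_sz < 11) return VPX_CODEC_UNSUP_BITSTREAM;`) rather than on the reader to signal truncation; a one-line comment on the `return 0;` stating that contract would make it explicit. Whether `uint8_t clear_buffer[11];` is safe in the decrypt path depends on the copy length being clamped to sizeof(clear_buffer), which is outside this hunk and should be confirmed against the 1.5.0 source. The changelog entry names this patch but not the prerequisite CVE-2019-9325-pre1.patch that series also adds. Both vpx_rb_read_bit and decoder_peek_si_internal continue outside the hunk.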
@@ -0,0 +1,115 @@ +From aa1c813c43c6b2e43036d5573f361924195d65b7 Mon Sep 17 00:00:00 2001 +From: Vignesh Venkatasubramanian +Date: Wed, 22 Jun 2016 10:24:27 -0700 +Subject: [PATCH] vp9: Fix potential SEGV in decoder_peek_si_internal + +decoder_peek_si_internal could potentially read more bytes than +what actually exists in the input buffer. We check for the buffer +size to be at least 8, but we try to read up to 10 bytes in the +worst case. A well crafted file could thus cause a segfault. +Likely change that introduced this bug was: +https://chromium-review.googlesource.com/#/c/70439 (git hash: +7c43fb6) + +BUG=chromium:621095 + +Change-Id: Id74880cfdded44caaa45bbdbaac859c09d3db752 +--- + test/decode_api_test.cc | 34 ++++++++++++++++++++++++++++++++++ + vp9/vp9_dx_iface.c | 19 ++++++++++++++----- + 2 files changed, 48 insertions(+), 5 deletions(-) + +diff --git a/test/decode_api_test.cc b/test/decode_api_test.cc +index 318351b73d..e5fa2cdc42 100644 +--- a/test/decode_api_test.cc ++++ b/test/decode_api_test.cc +@@ -146,6 +146,40 @@ TEST(DecodeAPI, Vp9InvalidDecode) { + TestVp9Controls(&dec); + EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec)); + } ++ ++TEST(DecodeAPI, Vp9PeekSI) { ++ const vpx_codec_iface_t *const codec = &vpx_codec_vp9_dx_algo; ++ // The first 9 bytes are valid and the rest of the bytes are made up. Until ++ // size 10, this should return VPX_CODEC_UNSUP_BITSTREAM and after that it ++ // should return VPX_CODEC_CORRUPT_FRAME. ++ const uint8_t data[32] = { ++ 0x85, 0xa4, 0xc1, 0xa1, 0x38, 0x81, 0xa3, 0x49, ++ 0x83, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ }; ++ ++ for (uint32_t data_sz = 1; data_sz <= 32; ++data_sz) { ++ // Verify behavior of vpx_codec_decode. vpx_codec_decode doesn't even get ++ // to decoder_peek_si_internal on frames of size < 8. 
++ if (data_sz >= 8) { ++ vpx_codec_ctx_t dec; ++ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_dec_init(&dec, codec, NULL, 0)); ++ EXPECT_EQ((data_sz < 10) ? ++ VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_CORRUPT_FRAME, ++ vpx_codec_decode(&dec, data, data_sz, NULL, 0)); ++ vpx_codec_iter_t iter = NULL; ++ EXPECT_EQ(NULL, vpx_codec_get_frame(&dec, &iter)); ++ EXPECT_EQ(VPX_CODEC_OK, vpx_codec_destroy(&dec)); ++ } ++ ++ // Verify behavior of vpx_codec_peek_stream_info. ++ vpx_codec_stream_info_t si; ++ si.sz = sizeof(si); ++ EXPECT_EQ((data_sz < 10) ? VPX_CODEC_UNSUP_BITSTREAM : VPX_CODEC_OK, ++ vpx_codec_peek_stream_info(codec, data, data_sz, &si)); ++ } ++} + #endif // CONFIG_VP9_DECODER + + } // namespace +diff --git a/vp9/vp9_dx_iface.c b/vp9/vp9_dx_iface.c +index be5d1600a5..6531e2c618 100644 +--- a/vp9/vp9_dx_iface.c ++++ b/vp9/vp9_dx_iface.c +@@ -127,7 +127,7 @@ static vpx_codec_err_t decoder_peek_si_internal(const uint8_t *data, + vpx_decrypt_cb decrypt_cb, + void *decrypt_state) { + int intra_only_flag = 0; +- uint8_t clear_buffer[9]; ++ uint8_t clear_buffer[10]; + + if (data + data_sz <= data) + return VPX_CODEC_INVALID_PARAM; +@@ -141,6 +141,11 @@ static vpx_codec_err_t decoder_peek_si_internal(const uint8_t *data, + data = clear_buffer; + } + ++ // A maximum of 6 bits are needed to read the frame marker, profile and ++ // show_existing_frame. ++ if (data_sz < 1) ++ return VPX_CODEC_UNSUP_BITSTREAM; ++ + { + int show_frame; + int error_resilient; +@@ -154,15 +159,19 @@ static vpx_codec_err_t decoder_peek_si_internal(const uint8_t *data, + if (profile >= MAX_PROFILES) + return VPX_CODEC_UNSUP_BITSTREAM; + +- if ((profile >= 2 && data_sz <= 1) || data_sz < 1) +- return VPX_CODEC_UNSUP_BITSTREAM; +- + if (vpx_rb_read_bit(&rb)) { // show an existing frame ++ // If profile is > 2 and show_existing_frame is true, then at least 1 more ++ // byte (6+3=9 bits) is needed. 
++ if (profile > 2 && data_sz < 2) ++ return VPX_CODEC_UNSUP_BITSTREAM; + vpx_rb_read_literal(&rb, 3); // Frame buffer to show. + return VPX_CODEC_OK; + } + +- if (data_sz <= 8) ++ // For the rest of the function, a maximum of 9 more bytes are needed ++ // (computed by taking the maximum possible bits needed in each case). Note ++ // that this has to be updated if we read any more bits in this function. ++ if (data_sz < 10) + return VPX_CODEC_UNSUP_BITSTREAM; + + si->is_kf = !vpx_rb_read_bit(&rb); diff -Nru libvpx-1.5.0/debian/patches/CVE-2019-9433.patch libvpx-1.5.0/debian/patches/CVE-2019-9433.patch --- libvpx-1.5.0/debian/patches/CVE-2019-9433.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvpx-1.5.0/debian/patches/CVE-2019-9433.patch 2019-11-19 16:25:28.000000000 +0000 
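Review bot: The comment `// For the rest of the function, a maximum of 9 more bytes are needed` and the check `if (data_sz < 10)` encode a byte budget that CVE-2019-9325.patch, applied right after this one, raises to 11 for profiles above 0 with its own separate comment, so the patched file ends up stating two different maxima for the same header; since both patches land together, the older comment should be amended (or the two backports squashed) so the budget is documented in one place. The bounds themselves are tied to the bit reads that follow outside the hunk, as the comment itself notes. decoder_peek_si_internal continues outside the hunk.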
@@ -0,0 +1,31 @@
+Backport of:
+
+From 52add5896661d186dec284ed646a4b33b607d2c7 Mon Sep 17 00:00:00 2001
+From: Jerome Jiang
+Date: Wed, 23 May 2018 15:43:00 -0700
+Subject: [PATCH] VP8: Fix use-after-free in postproc.
+
+The pointer in vp8 postproc refers to show_frame_mi which is only
+updated on show frame. However, when there is a no-show frame which also
+changes the size (thus new frame buffers allocated), show_frame_mi is
+not updated with new frame buffer memory.
+
+Change the pointer in postproc to mi which is always updated.
+
+Bug: 842265
+Change-Id: I33874f2112b39f74562cba528432b5f239e6a7bd
+---
+ vp8/common/postproc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/vp8/common/postproc.c
++++ b/vp8/common/postproc.c
+@@ -330,7 +330,7 @@ void vp8_deblock(VP8_COMMON
+ double level = 6.0e-05 * q * q * q - .0067 * q * q + .306 * q + .0065;
+ int ppl = (int)(level + .5);
+
+- const MODE_INFO *mode_info_context = cm->show_frame_mi;
++ const MODE_INFO *mode_info_context = cm->mi;
+ int mbr, mbc;
+
+ /* The pixel thresholds are adjusted according to if or not the macroblock
diff -Nru libvpx-1.5.0/debian/patches/series libvpx-1.5.0/debian/patches/series
--- libvpx-1.5.0/debian/patches/series 2015-12-28 08:21:04.000000000 +0000
+++ libvpx-1.5.0/debian/patches/series 2019-11-19 16:24:28.000000000 +0000
@@ -1,2 +1,9 @@
 fix-armhf-link.patch
 fix-build.patch
+CVE-2017-13194-1.patch
+CVE-2017-13194-2.patch
+CVE-2019-2126.patch
+CVE-2019-9232.patch
+CVE-2019-9325-pre1.patch
+CVE-2019-9325.patch
+CVE-2019-9433.patch