packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-44488

Browse Source
This commit is contained in:
lvfei 2024-04-22 16:30:34 +08:00
parent 5b7918d87a
commit 9b1e11b9a8
2 changed files with 131 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
CVE-2023-44488.patch Normal file
View File

@ -0,0 +1,125 @@
From dfff1be88eaa0e0756c74b702484465b48b66fca Mon Sep 17 00:00:00 2001
From: Jerome Jiang <jianj@google.com>
Date: Thu, 30 Jun 2022 13:48:56 -0400
Subject: [PATCH] CVE-2023-44488 Fix bug with smaller width bigger size
---
media/libvpx/libvpx/test/resize_test.cc | 9 +++----
.../libvpx/vp9/common/vp9_alloccommon.c | 14 +++++-----
media/libvpx/libvpx/vp9/encoder/vp9_encoder.c | 27 +++++++++++++++++--
3 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/media/libvpx/libvpx/test/resize_test.cc b/media/libvpx/libvpx/test/resize_test.cc
index 5f323db5ab..55a2fe58c6 100644
--- a/media/libvpx/libvpx/test/resize_test.cc
+++ b/media/libvpx/libvpx/test/resize_test.cc
@@ -101,11 +101,8 @@ void ScaleForFrameNumber(unsigned int frame, unsigned int initial_w,
*h = initial_h;
return;
}
- if (frame < 100) {
- *w = initial_w * 7 / 10;
- *h = initial_h * 16 / 10;
- return;
- }
+ *w = initial_w * 7 / 10;
+ *h = initial_h * 16 / 10;
return;
}
if (frame < 10) {
@@ -578,7 +575,7 @@ TEST_P(ResizeRealtimeTest, TestExternalResizeWorks) {
}
}
-TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
+TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
ResizingVideoSource video;
video.flag_codec_ = true;
video.smaller_width_larger_size_ = true;
diff --git a/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c b/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
index 5702dca718..7841c5e793 100644
--- a/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
+++ b/media/libvpx/libvpx/vp9/common/vp9_alloccommon.c
@@ -131,13 +131,7 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
cm->free_mi(cm);
if (cm->alloc_mi(cm, new_mi_size)) goto fail;
}
-
- if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
- // Create the segmentation map structure and set to 0.
- free_seg_map(cm);
- if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
- }
-
+
if (cm->above_context_alloc_cols < cm->mi_cols) {
vpx_free(cm->above_context);
cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
@@ -151,6 +145,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
if (!cm->above_seg_context) goto fail;
cm->above_context_alloc_cols = cm->mi_cols;
}
+
+ if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
+ // Create the segmentation map structure and set to 0.
+ free_seg_map(cm);
+ if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
+ }
if (vp9_alloc_loop_filter(cm)) goto fail;
diff --git a/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c b/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
index 4a37816e20..6efcf91066 100644
--- a/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
+++ b/media/libvpx/libvpx/vp9/encoder/vp9_encoder.c
@@ -1937,6 +1937,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
}
}
+static void free_copy_partition_data(VP9_COMP *cpi) {
+ vpx_free(cpi->prev_partition);
+ cpi->prev_partition = NULL;
+ vpx_free(cpi->prev_segment_id);
+ cpi->prev_segment_id = NULL;
+ vpx_free(cpi->prev_variance_low);
+ cpi->prev_variance_low = NULL;
+ vpx_free(cpi->copied_frame_cnt);
+ cpi->copied_frame_cnt = NULL;
+}
+
void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
VP9_COMMON *const cm = &cpi->common;
RATE_CONTROL *const rc = &cpi->rc;
@@ -2021,6 +2032,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
if (cm->mi_alloc_size < new_mi_size) {
vp9_free_context_buffers(cm);
+ vp9_free_pc_tree(&cpi->td);
+ vpx_free(cpi->mbmi_ext_base);
alloc_compressor_data(cpi);
realloc_segmentation_maps(cpi);
cpi->initial_width = cpi->initial_height = 0;
@@ -2036,8 +2049,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
update_frame_size(cpi);
if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
- memset(cpi->consec_zero_mv, 0,
- cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
+ vpx_free(cpi->consec_zero_mv);
+ CHECK_MEM_ERROR(
+ cm, cpi->consec_zero_mv,
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
+
+ vpx_free(cpi->skin_map);
+ CHECK_MEM_ERROR(
+ cm, cpi->skin_map,
+ vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
+
+ free_copy_partition_data(cpi);
+ alloc_copy_partition_data(cpi);
if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
vp9_cyclic_refresh_reset_resize(cpi);
rc->rc_1_frame = 0;
--
2.27.0

10
firefox.spec
View File

@ -88,7 +88,7 @@
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 79.0
Release: 17
Release: 18
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -196,8 +196,7 @@ Patch652: CVE-2023-5217.patch
Patch653: CVE-2023-7104.patch
Patch654: CVE-2022-22755.patch
Patch655: CVE-2022-1802.patch
Patch656: CVE-2023-44488.patch
%if %{?system_nss}
BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@ -388,7 +387,7 @@ tar -xf %{SOURCE3}
%patch653 -p1
%patch654 -p1
%patch655 -p1
%patch656 -p1
%{__rm} -f .mozconfig
%{__cp} %{SOURCE10} .mozconfig
@ -837,6 +836,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif
%changelog
* Fri Apr 19 2024 lvfei <lvfei@kylinos.cn> - 79.0-18
- Fix CVE-2023-44488
* Thu Mar 21 2024 lvfei <lvfei@kylinos.cn> - 79.0-17
- Fix CVE-2022-1802