Package: libavif Version: 1.2.1-1.1 X-Debbugs-CC: Boyuan Yang <by...@debian.org>, t...@security.debian.org Severity: normal Tags: patch pending
Dear maintainer, I've prepared an NMU for libavif (versioned as 1.2.1-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. Should/can it go to unstable as well? Uploading to delayed to give a bit of time to actually ACK/NACK it. There is no bug report associated with it, but it adds another integer overflow check (already in v1.3.0) to makeRoom. Regards, Salvatore
diffstat for libavif-1.2.1 libavif-1.2.1 changelog | 8 + patches/Add-another-integer-overflow-check-to-makeRoom.patch | 71 ++++++++++ patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch | 2 patches/series | 1 4 files changed, 81 insertions(+), 1 deletion(-)
diff -Nru libavif-1.2.1/debian/changelog libavif-1.2.1/debian/changelog
--- libavif-1.2.1/debian/changelog 2025-05-17 16:03:36.000000000 +0200
+++ libavif-1.2.1/debian/changelog 2025-05-25 07:27:30.000000000 +0200
@@ -1,3 +1,11 @@
+libavif (1.2.1-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix upstream bug reference for patch for CVE-2025-48175
+ * Add another integer overflow check to makeRoom
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 25 May 2025 07:27:30 +0200
+
 libavif (1.2.1-1.1) unstable; urgency=medium

 * Non-maintainer upload.
diff -Nru libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch 2025-05-25 07:26:42.000000000 +0200
@@ -0,0 +1,71 @@
+From: Wan-Teh Chang <w...@google.com>
+Date: Sun, 27 Apr 2025 14:34:35 -0700
+Subject: Add another integer overflow check to makeRoom
+Origin: https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad
+Bug: https://github.com/AOMediaCodec/libavif/pull/2778
+
+Replace the while loop with a formula in makeRoom.
+
+Test the integer overflow checks in makeRoom.
+
+See https://github.com/AOMediaCodec/libavif/pull/2768.
+---
+ src/stream.c | 16 +++++++++-------
+ tests/gtest/avifstreamtest.cc | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index a2ae4f620a56..60e6aa384cbf 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -334,14 +334,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+- if (size > SIZE_MAX - stream->offset) {
+- return AVIF_RESULT_OUT_OF_MEMORY;
+- }
+- size_t neededSize = stream->offset + size;
+- size_t newSize = stream->raw->size;
+- while (newSize < neededSize) {
+- newSize += AVIF_STREAM_BUFFER_INCREMENT;
++ AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY);
++ size_t newSize = stream->offset + size;
++ if (newSize <= stream->raw->size) {
++ return AVIF_RESULT_OK;
+ }
++ // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT.
++ size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT;
++ size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem;
++ AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY);
++ newSize += padding;
+ return avifRWDataRealloc(stream->raw, newSize);
+ }
+
+diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc
+index 1ba4e9f25e59..199b8bef12c5 100644
+--- a/tests/gtest/avifstreamtest.cc
++++ b/tests/gtest/avifstreamtest.cc
+@@ -202,6 +202,19 @@ TEST(StreamTest, WriteBitsLimit) {
+ AVIF_RESULT_INVALID_ARGUMENT);
+ }
+
++// Test the overflow checks in the makeRoom() function in src/stream.c.
++TEST(StreamTest, OverflowChecksInMakeRoom) {
++ testutil::AvifRwData rw_data;
++ avifRWStream rw_stream;
++ avifRWStreamStart(&rw_stream, &rw_data);
++ const char ten_bytes[10] = {0};
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK);
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9),
++ AVIF_RESULT_OUT_OF_MEMORY);
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10),
++ AVIF_RESULT_OUT_OF_MEMORY);
++}
++
+ //------------------------------------------------------------------------------
+
+ } // namespace
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
--- libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-17 16:03:05.000000000 +0200
+++ libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-25 06:42:02.000000000 +0200
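Review bot: The second `AVIF_CHECKERR` in `makeRoom()` (src/stream.c, directly above `newSize += padding;`) has no comment saying what it guards; the only comment in the new block describes the rounding itself. Rounding `newSize` up to a multiple of `AVIF_STREAM_BUFFER_INCREMENT` can wrap past `SIZE_MAX`, and a wrapped value would reach `avifRWDataRealloc()` as a size smaller than `stream->offset + size`, so I would add `// Rounding up must not wrap, or the buffer would end up smaller than offset + size.` above that check. In `OverflowChecksInMakeRoom` the two failing writes pass the 10-byte `ten_bytes` array with lengths near `SIZE_MAX`, so the test presumably depends on the request being rejected before anything is copied (`avifRWStreamWrite` is not shown here). A comment such as `// Both oversized writes must fail in makeRoom() before ten_bytes is read.` would record that. Assuming the offset is 10 after the first write, it could also say that `SIZE_MAX - 9` trips the first check and `SIZE_MAX - 10` the second.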
@@ -2,7 +2,7 @@
 Date: Fri, 18 Apr 2025 15:29:20 -0700
 Subject: Declare *RowBytes as size_t in avifImageRGBToYUV()
 Origin: https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
-Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug: https://github.com/AOMediaCodec/libavif/pull/2769
 Bug-Debian: https://bugs.debian.org/1105883
 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175

diff -Nru libavif-1.2.1/debian/patches/series libavif-1.2.1/debian/patches/series
--- libavif-1.2.1/debian/patches/series 2025-05-17 16:02:38.000000000 +0200
+++ libavif-1.2.1/debian/patches/series 2025-05-25 07:27:04.000000000 +0200
@@ -2,3 +2,4 @@
 Add-integer-overflow-check-to-makeRoom.patch
 Fix-format-errors.patch
 Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
+Add-another-integer-overflow-check-to-makeRoom.patch