Control: tags 1105883 + patch Control: tags 1105883 + pending Control: tags 1105885 + patch Control: tags 1105885 + pending
Dear maintainer, I've prepared an NMU for libavif (versioned as 1.2.1-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. Regards, Salvatore
diffstat for libavif-1.2.1 libavif-1.2.1
 changelog | 12 ++
 patches/Add-integer-overflow-check-to-makeRoom.patch | 33 ++++++++
 patches/Add-integer-overflow-checks-to-makeRoom.patch | 29 +++++++
 patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch | 41 ++++++++++
 patches/Fix-format-errors.patch | 29 +++++++
 patches/series | 4
 6 files changed, 148 insertions(+)
diff -Nru libavif-1.2.1/debian/changelog libavif-1.2.1/debian/changelog
--- libavif-1.2.1/debian/changelog 2025-03-20 19:03:55.000000000 +0100
+++ libavif-1.2.1/debian/changelog 2025-05-17 16:03:36.000000000 +0200
@@ -1,3 +1,15 @@
+libavif (1.2.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add integer overflow checks to makeRoom (CVE-2025-48174) (Closes:
+ #1105885)
+ * Add integer overflow check to makeRoom (CVE-2025-48174) (Closes: #1105885)
+ * Fix format errors (CVE-2025-48174) (Closes: #1105885)
+ * Declare *RowBytes as size_t in avifImageRGBToYUV() (CVE-2025-48175)
+ (Closes: #1105883)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 17 May 2025 16:03:36 +0200
+
 libavif (1.2.1-1) unstable; urgency=medium
 * New upstream release.
diff -Nru libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch 2025-05-17 15:44:27.000000000 +0200
@@ -0,0 +1,33 @@
+From: DanisJiang <43723722+danisji...@users.noreply.github.com>
+Date: Mon, 21 Apr 2025 10:45:59 +0800
+Subject: Add integer overflow check to makeRoom.
+Origin: https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 41252f89d9b2..da1f019c5a4f 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -334,10 +334,10 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+- size_t neededSize = stream->offset + size;
+- if (neededSize < stream->offset) {
+- return AVIF_RESULT_INVALID_ARGUMENT;
++ if (size > SIZE_MAX - stream->offset) {
++ return AVIF_RESULT_OUT_OF_MEMORY;
+ }
++ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+ newSize += AVIF_STREAM_BUFFER_INCREMENT;
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 2025-05-17 15:43:12.000000000 +0200
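Review bot: The growth loop that follows the new guard in makeRoom(), `while (newSize < neededSize) { newSize += AVIF_STREAM_BUFFER_INCREMENT;`, is still unchecked in debian/patches/Add-integer-overflow-check-to-makeRoom.patch: the guard proves only that `stream->offset + size` fits in size_t, not that rounding up in AVIF_STREAM_BUFFER_INCREMENT steps does. When neededSize lies within one increment of SIZE_MAX the addition can wrap, so newSize becomes small again and the loop condition no longer bounds the allocation size it is meant to compute. A check inside the loop before the addition would close this, for example `if (newSize > SIZE_MAX - AVIF_STREAM_BUFFER_INCREMENT) { return AVIF_RESULT_OUT_OF_MEMORY; }`. The same loop is carried as unchanged context in Add-integer-overflow-checks-to-makeRoom.patch and Fix-format-errors.patch, and the rest of makeRoom(), including the reallocation, lies outside the hunk, so whether a later limit already covers this cannot be confirmed from here.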
@@ -0,0 +1,29 @@
+From: DanisJiang <43723722+danisji...@users.noreply.github.com>
+Date: Fri, 18 Apr 2025 17:31:53 +0800
+Subject: Add integer overflow checks to makeRoom.
+Origin: https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/stream.c b/src/stream.c
+index 770c8ba04280..41252f89d9b2 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -335,6 +335,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+ size_t neededSize = stream->offset + size;
++ if (neededSize < stream->offset) {
++ return AVIF_RESULT_INVALID_ARGUMENT;
++ }
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+ newSize += AVIF_STREAM_BUFFER_INCREMENT;
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
--- libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-17 16:03:05.000000000 +0200
@@ -0,0 +1,41 @@
+From: Wan-Teh Chang <w...@google.com>
+Date: Fri, 18 Apr 2025 15:29:20 -0700
+Subject: Declare *RowBytes as size_t in avifImageRGBToYUV()
+Origin: https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105883
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
+
+Declare rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes as size_t in
+avifImageRGBToYUV(). This causes multiplications with these variables to
+be performed in size_t (which may be 64 bits) instead of uint32_t. For
+very large image width and height, these multiplications may overflow
+uint32_t.
+
+Acknowledgements: DanisJiang
+https://github.com/AOMediaCodec/libavif/security/advisories/GHSA-762c-2538-h844
+---
+ src/reformat.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/reformat.c
++++ b/src/reformat.c
+@@ -259,14 +259,14 @@ avifResult avifImageRGBToYUV(avifImage *
+ const uint32_t offsetBytesG = state.rgb.offsetBytesG;
+ const uint32_t offsetBytesB = state.rgb.offsetBytesB;
+ const uint32_t offsetBytesA = state.rgb.offsetBytesA;
+- const uint32_t rgbRowBytes = rgb->rowBytes;
++ const size_t rgbRowBytes = rgb->rowBytes;
+ const float rgbMaxChannelF = state.rgb.maxChannelF;
+ uint8_t * yPlane = image->yuvPlanes[AVIF_CHAN_Y];
+ uint8_t * uPlane = image->yuvPlanes[AVIF_CHAN_U];
+ uint8_t * vPlane = image->yuvPlanes[AVIF_CHAN_V];
+- const uint32_t yRowBytes = image->yuvRowBytes[AVIF_CHAN_Y];
+- const uint32_t uRowBytes = image->yuvRowBytes[AVIF_CHAN_U];
+- const uint32_t vRowBytes = image->yuvRowBytes[AVIF_CHAN_V];
++ const size_t yRowBytes = image->yuvRowBytes[AVIF_CHAN_Y];
++ const size_t uRowBytes = image->yuvRowBytes[AVIF_CHAN_U];
++ const size_t vRowBytes = image->yuvRowBytes[AVIF_CHAN_V];
+ for (uint32_t outerJ = 0; outerJ < image->height; outerJ += 2) {
+ for (uint32_t outerI = 0; outerI < 
image->width; outerI += 2) {
+ int blockW = 2, blockH = 2;
diff -Nru libavif-1.2.1/debian/patches/Fix-format-errors.patch libavif-1.2.1/debian/patches/Fix-format-errors.patch
--- libavif-1.2.1/debian/patches/Fix-format-errors.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Fix-format-errors.patch 2025-05-17 15:45:41.000000000 +0200
@@ -0,0 +1,29 @@
+From: "Danis Jiang (Yuhao Jiang)"
+ <43723722+danisji...@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 10:39:19 +0800
+Subject: Fix format errors
+Origin: https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index da1f019c5a4f..a2ae4f620a56 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -335,7 +335,7 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+ if (size > SIZE_MAX - stream->offset) {
+- return AVIF_RESULT_OUT_OF_MEMORY;
++ return AVIF_RESULT_OUT_OF_MEMORY;
+ }
+ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/series libavif-1.2.1/debian/patches/series
--- libavif-1.2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/series 2025-05-17 16:02:38.000000000 +0200
@@ -0,0 +1,4 @@
+Add-integer-overflow-checks-to-makeRoom.patch
+Add-integer-overflow-check-to-makeRoom.patch
+Fix-format-errors.patch
+Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
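Review bot: In debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch the four `const size_t ...RowBytes` declarations widen the arithmetic only where size_t is 64 bits, as the patch description itself concedes ("which may be 64 bits"); where size_t is 32 bits the multiplications stay 32-bit and the change has no effect. The multiplications themselves are outside the hunk, so whether 32-bit builds remain exposed cannot be judged from here, but the patch header should say so explicitly, for instance by adding `On architectures with a 32-bit size_t this change does not widen the multiplications.` to the description. Separately, the `Bug:` header repeats the pull-request URL used by the three src/stream.c patches although this change touches src/reformat.c and closes a different Debian bug; it is worth confirming that it is the right upstream reference before upload.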