diff options
| author | Andreas Enge <andreas@enge.fr> | 2025-08-21 01:13:50 +0200 |
|---|---|---|
| committer | Andreas Enge <andreas@enge.fr> | 2025-09-01 22:03:13 +0200 |
| commit | 7d89da8c89f89331df4f293af700e6bb843bf634 (patch) | |
| tree | 43a5fe5a173d7bf526cf98d47f918038ba0e0cf3 | |
| parent | 6ae6e8ae2a6e17eae06d03ba4f278c43159ddafa (diff) | |
gnu: libvpx: Update to 1.15.2.
* gnu/packages/patches/libvpx-CVE-2025-5262.patch: Remove file.
* gnu/local.mk (dist_patch_DATA): Unregister file.
* gnu/packages/video.scm (libvpx): Update to 1.15.2.
[source]: Remove patch.
Change-Id: If7f5d584204a5bab29156f53930e45f76a4a68e3
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/libvpx-CVE-2025-5262.patch | 75 | ||||
| -rw-r--r-- | gnu/packages/video.scm | 7 |
3 files changed, 3 insertions, 80 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 5083b2f4a6..9b1213489b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1793,7 +1793,6 @@ dist_patch_DATA = \ %D%/packages/patches/libutils-remove-damaging-includes.patch \ %D%/packages/patches/libvdpau-va-gl-unbundle.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ - %D%/packages/patches/libvpx-CVE-2025-5262.patch \ %D%/packages/patches/libxml2-xpath0-Add-option-xpath0.patch \ %D%/packages/patches/libwpd-gcc-compat.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ diff --git a/gnu/packages/patches/libvpx-CVE-2025-5262.patch b/gnu/packages/patches/libvpx-CVE-2025-5262.patch deleted file mode 100644 index 413487126b..0000000000 --- a/gnu/packages/patches/libvpx-CVE-2025-5262.patch +++ /dev/null @@ -1,75 +0,0 @@ -Copied from <https://chromium.googlesource.com/webm/libvpx/+/1c758781c428c0e895645b95b8ff1512b6bdcecb%5E%21/> -See also: <https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/#CVE-2025-5262> - and: <https://hg-edge.mozilla.org/releases/mozilla-esr128/rev/69f53ce5ef0bca2816a3b13cae570e835938c010> - -Author: James Zern <jzern@google.com> Thu May 01 02:28:48 2025 - -vpx_codec_enc_init_multi: fix double free on init failure - -In `vp8e_init()`, the encoder would take ownership of -`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed. -This caused confusion at the call site as other failures in -`vp8e_init()` did not result in ownership transfer and the caller would -free the memory. In the case of `vp8_create_compressor()` failure both -the caller and `vpx_codec_destroy()` would free the memory, causing a -crash. `mr_*` related variables are now cleared on failure to prevent -this situation. - -Bug: webm:413411335 -Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 -Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc - ---- a/vp8/vp8_cx_iface.c -+++ b/vp8/vp8_cx_iface.c -@@ -727,17 +727,27 @@ static vpx_codec_err_t vp8e_init(vpx_cod - priv->pts_offset_initialized = 0; - priv->timestamp_ratio.den = priv->cfg.g_timebase.den; - priv->timestamp_ratio.num = (int64_t)priv->cfg.g_timebase.num; - priv->timestamp_ratio.num *= TICKS_PER_SEC; - reduce_ratio(&priv->timestamp_ratio); - - set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg); - priv->cpi = vp8_create_compressor(&priv->oxcf); -- if (!priv->cpi) res = VPX_CODEC_MEM_ERROR; -+ if (!priv->cpi) { -+#if CONFIG_MULTI_RES_ENCODING -+ // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This -+ // prevents ownership confusion with the caller and avoids a double -+ // free when vpx_codec_destroy() is called on this instance. -+ priv->oxcf.mr_total_resolutions = 0; -+ priv->oxcf.mr_encoder_id = 0; -+ priv->oxcf.mr_low_res_mode_info = NULL; -+#endif -+ res = VPX_CODEC_MEM_ERROR; -+ } - } - } - - return res; - } - - static vpx_codec_err_t vp8e_destroy(vpx_codec_alg_priv_t *ctx) { - #if CONFIG_MULTI_RES_ENCODING ---- a/vpx/src/vpx_encoder.c -+++ b/vpx/src/vpx_encoder.c -@@ -109,16 +109,19 @@ vpx_codec_err_t vpx_codec_enc_init_multi - mr_cfg.mr_down_sampling_factor.num = dsf->num; - mr_cfg.mr_down_sampling_factor.den = dsf->den; - - ctx->iface = iface; - ctx->name = iface->name; - ctx->priv = NULL; - ctx->init_flags = flags; - ctx->config.enc = cfg; -+ // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if -+ // this call succeeds. The first ctx entry in the array is -+ // responsible for freeing the memory. - res = ctx->iface->init(ctx, &mr_cfg); - } - - if (res) { - const char *error_detail = ctx->priv ? ctx->priv->err_detail : NULL; - /* Destroy current ctx */ - ctx->err_detail = error_detail; - vpx_codec_destroy(ctx); - diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm index f5858121f5..8cfce5750d 100644 --- a/gnu/packages/video.scm +++ b/gnu/packages/video.scm @@ -3013,7 +3013,7 @@ wallpaper using mpv.") (define-public libvpx (package (name "libvpx") - (version "1.15.0") + (version "1.15.2") (source (origin (method git-fetch) (uri (git-reference @@ -3022,9 +3022,8 @@ wallpaper using mpv.") (file-name (git-file-name name version)) (sha256 (base32 - "1q2scpfiifhpilw6qqpqihk98plj57gwh0vyiqwsv991i7b322bv")) - (patches (search-patches "libvpx-CVE-2016-2818.patch" - "libvpx-CVE-2025-5262.patch")))) + "07c29a5q19613pldp8qm6harqwl7kvqhs7vw4mr8s3dnwyb5jpnl")) + (patches (search-patches "libvpx-CVE-2016-2818.patch")))) (build-system gnu-build-system) (arguments `(#:configure-flags (list "--enable-shared" |