freeswitch-stable: fix CVE in libvpx

[feed/telephony.git] / net / freeswitch-stable / patches / 340-libvpx-CVE-2017-13194.patch

Subject: Fix OOB caused by odd frame width, CVE-2017-13194
Origin: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d

diff --git a/libs/libvpx/libvpx/vpx/src/vpx_image.c b/libs/libvpx/libvpx/vpx/src/vpx_image.c
index dba439c..af7c529 100644
--- a/libs/libvpx/vpx/src/vpx_image.c
+++ b/libs/libvpx/vpx/src/vpx_image.c
@@ -88,11 +88,10 @@
     default: ycs = 0; break;
   }
 
-  /* Calculate storage sizes given the chroma subsampling */
-  align = (1 << xcs) - 1;
-  w = (d_w + align) & ~align;
-  align = (1 << ycs) - 1;
-  h = (d_h + align) & ~align;
+  /* Calculate storage sizes. If the buffer was allocated externally, the width
+   * and height shouldn't be adjusted. */
+  w = d_w;
+  h = d_h;
   s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
   s = (s + stride_align - 1) & ~(stride_align - 1);
   stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
@@ -111,9 +110,18 @@
   img->img_data = img_data;
 
   if (!img_data) {
-    const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR)
-                                    ? (uint64_t)h * s * bps / 8
-                                    : (uint64_t)h * s;
+    uint64_t alloc_size;
+    /* Calculate storage sizes given the chroma subsampling */
+    align = (1 << xcs) - 1;
+    w = (d_w + align) & ~align;
+    align = (1 << ycs) - 1;
+    h = (d_h + align) & ~align;
+
+    s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+    s = (s + stride_align - 1) & ~(stride_align - 1);
+    stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+    alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
+                                            : (uint64_t)h * s;
 
     if (alloc_size != (size_t)alloc_size) goto fail;