
Commit 7f5aeec

colin-pmclopez
authored andcommitted
dav1d: Fix CVE-2024-1580
Adds patch for CVE-2024-1580 which affects dav1d 0.9.1. Signed-off-by: Colin McAllister <colinmca242@gmail.com>
1 parent 0e6b04b commit 7f5aeec

2 files changed

+71
-1
lines changed


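--- a/recipes-multimedia/dav1d/dav1d.inc
+++ b/recipes-multimedia/dav1d/dav1d.inc
@@ -4,7 +4,11 @@ BUGTRACKER = "https://code.videolan.org/videolan/dav1d/-/issues"
 
 DEPENDS = "nasm-native"
 
-SRC_URI = "https://code.videolan.org/videolan/${BPN}/-/archive/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = " \
+https://code.videolan.org/videolan/${BPN}/-/archive/${PV}/${BPN}-${PV}.tar.gz \
+file://CVE-2024-1580.patch \
+"
+
 SRC_URI[sha256sum] = "097db6f370b88bf09fec62919c0d3af64e07d58210c665ec461d63f4ec79f6a2"
 
 LICENSE = "BSD-2-Clause"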
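Review bot: Adding `file://CVE-2024-1580.patch \` to SRC_URI in dav1d.inc applies the backport to every recipe version that includes this .inc, while the commit message scopes the fix to dav1d 0.9.1; if a newer .bb also includes this file, the patch will either fail to apply or collide with the upstream fix already present there. Either move the `file://` line into the 0.9.1 .bb, or leave a comment beside it such as `# CVE-2024-1580 backport for 0.9.1; drop when upgrading past upstream commit 2b475307` so the next upgrade removes it deliberately. The second file section on this page has no path header, so it cannot be confirmed here that the .patch was placed in a directory BitBake searches for `file://` entries (e.g. a `dav1d/` or `files/` directory beside the .bb). The patch carries a `CVE:` tag and an `Upstream-Status: Backport` line, so cve-check should be able to pick the fix up without a separate ignore entry, presumably; worth verifying in the cve-check output.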
@@ -0,0 +1,66 @@
1+
From 8a9dbada543f4241da70c00c353d1aa0e133b6a2 Mon Sep 17 00:00:00 2001
2+
From: Henrik Gramner <gramner@twoorioles.com>
3+
Date: Tue, 21 Nov 2023 20:47:50 +0100
4+
Subject: [PATCH] Fix tile_start_off calculations for extremely large frame
5+
sizes
6+
7+
The tile start offset, in pixels, can exceed the range of a signed int.
8+
9+
CVE: CVE-2024-1580
10+
Upstream-Status: Backport [https://code.videolan.org/videolan/dav1d/-/commit/2b475307dc11be9a1c3cc4358102c76a7f386a51]
11+
---
12+
src/decode.c | 13 +++++++------
13+
src/internal.h | 2 +-
14+
2 files changed, 8 insertions(+), 7 deletions(-)
15+
16+
diff --git a/src/decode.c b/src/decode.c
17+
index d810ed2..f1aa6ce 100644
18+
--- a/src/decode.c
19+
+++ b/src/decode.c
20+
@@ -2359,7 +2359,7 @@ static void setup_tile(Dav1dTileState *const ts,
21+
const Dav1dFrameContext *const f,
22+
const uint8_t *const data, const size_t sz,
23+
const int tile_row, const int tile_col,
24+
- const int tile_start_off)
25+
+ const unsigned tile_start_off)
26+
{
27+
const int col_sb_start = f->frame_hdr->tiling.col_start_sb[tile_col];
28+
const int col_sb128_start = col_sb_start >> !f->seq_hdr->sb128;
29+
@@ -2758,15 +2758,16 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
30+
const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout];
31+
const int hbd = !!f->seq_hdr->hbd;
32+
if (c->n_fc > 1) {
33+
+ const unsigned sb_step4 = f->sb_step * 4;
34+
int tile_idx = 0;
35+
for (int tile_row = 0; tile_row < f->frame_hdr->tiling.rows; tile_row++) {
36+
- int row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
37+
- f->sb_step * 4 * f->sb128w * 128;
38+
- int b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
39+
- f->frame_hdr->tiling.row_start_sb[tile_row]) * f->sb_step * 4;
40+
+ const unsigned row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
41+
+ sb_step4 * f->sb128w * 128;
42+
+ const unsigned b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
43+
+ f->frame_hdr->tiling.row_start_sb[tile_row]) * sb_step4;
44+
for (int tile_col = 0; tile_col < f->frame_hdr->tiling.cols; tile_col++) {
45+
f->frame_thread.tile_start_off[tile_idx++] = row_off + b_diff *
46+
- f->frame_hdr->tiling.col_start_sb[tile_col] * f->sb_step * 4;
47+
+ f->frame_hdr->tiling.col_start_sb[tile_col] * sb_step4;
48+
}
49+
}
50+
51+
diff --git a/src/internal.h b/src/internal.h
52+
index fb84422..cdaaa47 100644
53+
--- a/src/internal.h
54+
+++ b/src/internal.h
55+
@@ -233,7 +233,7 @@ struct Dav1dFrameContext {
56+
coef *cf;
57+
int pal_sz, pal_idx_sz, cf_sz;
58+
// start offsets per tile
59+
- int *tile_start_off;
60+
+ unsigned *tile_start_off;
61+
} frame_thread;
62+
63+
// loopfilter
64+
--
65+
2.34.1
66+
