gnu: libvpx: Fix CVE-2026-2447.

* gnu/packages/video.scm (libvpx) [replacement]: New field. (libvpx/fixed): New variable. * gnu/packages/patches/libvpx-CVE-2026-2447.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. Change-Id: I196d1b7ab045f9599985d2f97cdb85c2c0b87d68
2026-04-06 21:20:33 +02:00 · 2026-02-16 16:46:30 -05:00
parent 2b1b212d57
commit 1f65495545
3 changed files with 103 additions and 0 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1833,6 +1833,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/libutils-remove-damaging-includes.patch	\
  %D%/packages/patches/libvdpau-va-gl-unbundle.patch		\
  %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
+  %D%/packages/patches/libvpx-CVE-2026-2447.patch		\
  %D%/packages/patches/libxcb-path-max.patch			\
  %D%/packages/patches/libxml2-xpath0-Add-option-xpath0.patch	\
  %D%/packages/patches/libwpd-gcc-compat.patch			\
--- a/gnu/packages/patches/libvpx-CVE-2026-2447.patch
+++ b/gnu/packages/patches/libvpx-CVE-2026-2447.patch
@@ -0,0 +1,96 @@
+Copied from <https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1%5E!/>
+See also: <https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/#CVE-2026-2447>
+     and: <https://github.com/mozilla-firefox/firefox/commit/45e0cda30d01f798f17202aa4f9191bed164d40f>
+
+
+From d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang <wtc@google.com>
+Date: Wed, 21 Jan 2026 18:03:55 -0800
+Subject: [PATCH] write_superframe_index: return 0 if buffer is full
+
+write_superframe_index() should return the number of bytes written to
+ctx->pending_cx_data. If ctx->pending_cx_data is full,
+write_superframe_index() doesn't write the optional superframe index, so
+it should return 0 in this case. Add an assertion that would have
+detected this bug. Add and clarify comments for code related to this
+bug.
+
+Also fix the buffer full check. The check should not assume that
+ctx->pending_cx_data is equal to ctx->cx_data, and the check had an
+off-by-one error.
+
+The bug was introduced when write_superframe_index() was added in the
+following CLs:
+https://chromium-review.googlesource.com/c/webm/libvpx/+/44659
+https://chromium-review.googlesource.com/c/webm/libvpx/+/45268
+
+Bug: oss-fuzz:476466137
+Change-Id: Ie113568cf25acc73f8af640a3c51cfdb5b900613
+---
+ vp9/vp9_cx_iface.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/vp9/vp9_cx_iface.c b/vp9/vp9_cx_iface.c
+index 83f45b01b..ab9c582db 100644
+--- a/vp9/vp9_cx_iface.c
+++ b/vp9/vp9_cx_iface.c
+@@ -8,7 +8,9 @@
+  *  be found in the AUTHORS file in the root of the source tree.
+  */
+ 
+#include <assert.h>
+ #include <limits.h>
+#include <stddef.h>
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -122,6 +124,7 @@ struct vpx_codec_alg_priv {
+   VP9_COMP *cpi;
+   unsigned char *cx_data;
+   size_t cx_data_sz;
+  // pending_cx_data either is a null pointer or points into the cx_data buffer.
+   unsigned char *pending_cx_data;
+   size_t pending_cx_data_sz;
+   int pending_frame_count;
+@@ -1253,8 +1256,12 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+ 
+   // Write the index
+   index_sz = 2 + (mag + 1) * ctx->pending_frame_count;
+-  if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) {
+-    uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz;
+  unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz;
+  unsigned char *pending_cx_data_end =
+      ctx->pending_cx_data + ctx->pending_cx_data_sz;
+  ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end;
+  if (index_sz <= space_remaining) {
+    uint8_t *x = pending_cx_data_end;
+     int i, j;
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+     uint8_t marker_test = 0xc0;
+@@ -1285,6 +1292,8 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+     index_sz += index_sz_test;
+ #endif
+  } else {
+    index_sz = 0;
+   }
+   return index_sz;
+ }
+@@ -1613,9 +1622,12 @@ static vpx_codec_err_t encoder_encode(vpx_codec_alg_priv_t *ctx,
+               ctx->pending_frame_sizes[ctx->pending_frame_count++] = size;
+             ctx->pending_frame_magnitude |= size;
+             ctx->pending_cx_data_sz += size;
+-            // write the superframe only for the case when
+-            if (!ctx->output_cx_pkt_cb.output_cx_pkt)
+            // write the superframe only for the case when the callback function
+            // for getting per-layer packets is not registered.
+            if (!ctx->output_cx_pkt_cb.output_cx_pkt) {
+               size += write_superframe_index(ctx);
+              assert(size <= cx_data_sz);
+            }
+             pkt.data.frame.buf = ctx->pending_cx_data;
+             pkt.data.frame.sz = ctx->pending_cx_data_sz;
+             ctx->pending_cx_data = NULL;
+-- 
+2.52.0
+
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -3132,6 +3132,7 @@ wallpaper using mpv.")
  (package
    (name "libvpx")
    (version "1.15.2")
+    (replacement libvpx/fixed)
    (source (origin
              (method git-fetch)
              (uri (git-reference
@@ -3170,6 +3171,11 @@ wallpaper using mpv.")
    (license license:bsd-3)
    (home-page "https://www.webmproject.org/")))

+(define-public libvpx/fixed
+  (hidden-package
+   (package-with-extra-patches libvpx
+                               (search-patches "libvpx-CVE-2026-2447.patch"))))
+
 (define-public orfondl
  (package
    (name "orfondl")