libavif: diff for NMU version 1.2.1-1.1
Control: tags 1105883 + patch
Control: tags 1105883 + pending
Control: tags 1105885 + patch
Control: tags 1105885 + pending
Dear maintainer,
I've prepared an NMU for libavif (versioned as 1.2.1-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.
Regards,
Salvatore
diffstat for libavif-1.2.1 libavif-1.2.1
changelog | 12 ++
patches/Add-integer-overflow-check-to-makeRoom.patch | 33 ++++++++
patches/Add-integer-overflow-checks-to-makeRoom.patch | 29 +++++++
patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch | 41 ++++++++++
patches/Fix-format-errors.patch | 29 +++++++
patches/series | 4
6 files changed, 148 insertions(+)
diff -Nru libavif-1.2.1/debian/changelog libavif-1.2.1/debian/changelog
--- libavif-1.2.1/debian/changelog 2025-03-20 19:03:55.000000000 +0100
+++ libavif-1.2.1/debian/changelog 2025-05-17 16:03:36.000000000 +0200
@@ -1,3 +1,15 @@
+libavif (1.2.1-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add integer overflow checks to makeRoom (CVE-2025-48174) (Closes:
+ #1105885)
+ * Add integer overflow check to makeRoom (CVE-2025-48174) (Closes: #1105885)
+ * Fix format errors (CVE-2025-48174) (Closes: #1105885)
+ * Declare *RowBytes as size_t in avifImageRGBToYUV() (CVE-2025-48175)
+ (Closes: #1105883)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sat, 17 May 2025 16:03:36 +0200
+
libavif (1.2.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-integer-overflow-check-to-makeRoom.patch 2025-05-17 15:44:27.000000000 +0200
@@ -0,0 +1,33 @@
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Mon, 21 Apr 2025 10:45:59 +0800
+Subject: Add integer overflow check to makeRoom.
+Origin: https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index 41252f89d9b2..da1f019c5a4f 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -334,10 +334,10 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+- size_t neededSize = stream->offset + size;
+- if (neededSize < stream->offset) {
+- return AVIF_RESULT_INVALID_ARGUMENT;
++ if (size > SIZE_MAX - stream->offset) {
++ return AVIF_RESULT_OUT_OF_MEMORY;
+ }
++ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+ newSize += AVIF_STREAM_BUFFER_INCREMENT;
+--
+2.49.0
+
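Review bot: The growth loop left as context at the end of this hunk, `while (newSize < neededSize) { newSize += AVIF_STREAM_BUFFER_INCREMENT;`, is still unchecked. The new guard proves only that `stream->offset + size` fits in size_t, not that rounding up in 1 MiB steps does. If neededSize lies within one increment of SIZE_MAX, newSize wraps and can never reach neededSize, so the loop would spin instead of returning an error, unless the part of the loop outside the hunk guards against this. It matters mostly where size_t is 32 bits. Adding `if (newSize > SIZE_MAX - AVIF_STREAM_BUFFER_INCREMENT) return AVIF_RESULT_OUT_OF_MEMORY;` before the addition would close it. The same loop appears as context in Add-integer-overflow-checks-to-makeRoom.patch, and the rest of makeRoom's body is outside the hunk.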
diff -Nru libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-integer-overflow-checks-to-makeRoom.patch 2025-05-17 15:43:12.000000000 +0200
@@ -0,0 +1,29 @@
+From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
+Date: Fri, 18 Apr 2025 17:31:53 +0800
+Subject: Add integer overflow checks to makeRoom.
+Origin: https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/stream.c b/src/stream.c
+index 770c8ba04280..41252f89d9b2 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -335,6 +335,9 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+ size_t neededSize = stream->offset + size;
++ if (neededSize < stream->offset) {
++ return AVIF_RESULT_INVALID_ARGUMENT;
++ }
+ size_t newSize = stream->raw->size;
+ while (newSize < neededSize) {
+ newSize += AVIF_STREAM_BUFFER_INCREMENT;
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
--- libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-17 16:03:05.000000000 +0200
@@ -0,0 +1,41 @@
+From: Wan-Teh Chang <wtc@google.com>
+Date: Fri, 18 Apr 2025 15:29:20 -0700
+Subject: Declare *RowBytes as size_t in avifImageRGBToYUV()
+Origin: https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105883
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
+
+Declare rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes as size_t in
+avifImageRGBToYUV(). This causes multiplications with these variables to
+be performed in size_t (which may be 64 bits) instead of uint32_t. For
+very large image width and height, these multiplications may overflow
+uint32_t.
+
+Acknowledgements: DanisJiang
+https://github.com/AOMediaCodec/libavif/security/advisories/GHSA-762c-2538-h844
+---
+ src/reformat.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/reformat.c
++++ b/src/reformat.c
+@@ -259,14 +259,14 @@ avifResult avifImageRGBToYUV(avifImage *
+ const uint32_t offsetBytesG = state.rgb.offsetBytesG;
+ const uint32_t offsetBytesB = state.rgb.offsetBytesB;
+ const uint32_t offsetBytesA = state.rgb.offsetBytesA;
+- const uint32_t rgbRowBytes = rgb->rowBytes;
++ const size_t rgbRowBytes = rgb->rowBytes;
+ const float rgbMaxChannelF = state.rgb.maxChannelF;
+ uint8_t * yPlane = image->yuvPlanes[AVIF_CHAN_Y];
+ uint8_t * uPlane = image->yuvPlanes[AVIF_CHAN_U];
+ uint8_t * vPlane = image->yuvPlanes[AVIF_CHAN_V];
+- const uint32_t yRowBytes = image->yuvRowBytes[AVIF_CHAN_Y];
+- const uint32_t uRowBytes = image->yuvRowBytes[AVIF_CHAN_U];
+- const uint32_t vRowBytes = image->yuvRowBytes[AVIF_CHAN_V];
++ const size_t yRowBytes = image->yuvRowBytes[AVIF_CHAN_Y];
++ const size_t uRowBytes = image->yuvRowBytes[AVIF_CHAN_U];
++ const size_t vRowBytes = image->yuvRowBytes[AVIF_CHAN_V];
+ for (uint32_t outerJ = 0; outerJ < image->height; outerJ += 2) {
+ for (uint32_t outerI = 0; outerI < image->width; outerI += 2) {
+ int blockW = 2, blockH = 2;
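Review bot: Widening rgbRowBytes, yRowBytes, uRowBytes and vRowBytes to size_t removes the wrap only where size_t is wider than uint32_t. The patch description says as much ("may be 64 bits"), so on a target with a 32-bit size_t the products are still computed in 32 bits. The multiplications are outside this hunk, so this is inferred from the description rather than seen. A bound checked before the loops would make the fix independent of word size, for example rejecting the image when `yRowBytes != 0 && image->height > SIZE_MAX / yRowBytes`, and likewise for the other planes and the RGB rows. A comment such as `/* size_t: row offsets are row * rowBytes and must not wrap */` next to the declarations would record why the type matters.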
diff -Nru libavif-1.2.1/debian/patches/Fix-format-errors.patch libavif-1.2.1/debian/patches/Fix-format-errors.patch
--- libavif-1.2.1/debian/patches/Fix-format-errors.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Fix-format-errors.patch 2025-05-17 15:45:41.000000000 +0200
@@ -0,0 +1,29 @@
+From: "Danis Jiang (Yuhao Jiang)"
+ <43723722+DanisJiang@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 10:39:19 +0800
+Subject: Fix format errors
+Origin: https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
+Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug-Debian: https://bugs.debian.org/1105885
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
+
+---
+ src/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index da1f019c5a4f..a2ae4f620a56 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -335,7 +335,7 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+ if (size > SIZE_MAX - stream->offset) {
+- return AVIF_RESULT_OUT_OF_MEMORY;
++ return AVIF_RESULT_OUT_OF_MEMORY;
+ }
+ size_t neededSize = stream->offset + size;
+ size_t newSize = stream->raw->size;
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/series libavif-1.2.1/debian/patches/series
--- libavif-1.2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/series 2025-05-17 16:02:38.000000000 +0200
@@ -0,0 +1,4 @@
+Add-integer-overflow-checks-to-makeRoom.patch
+Add-integer-overflow-check-to-makeRoom.patch
+Fix-format-errors.patch
+Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch