Bug#1106500: libavif: diff for NMU version 1.2.1-1.2
Package: libavif
Version: 1.2.1-1.1
X-Debbugs-CC: Boyuan Yang <byang@debian.org>, team@security.debian.org
Severity: normal
Tags: patch pending
Dear maintainer,
I've prepared an NMU for libavif (versioned as 1.2.1-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.
Should/can it go to unstable as well? Uploading to delayed to give a
bit of time to actually ACK/NACK it.
There is no bug report associated with it, but it adds another integer
overflow check (already in v1.3.0) to makeRoom.
Regards,
Salvatore
diffstat for libavif-1.2.1 libavif-1.2.1
changelog | 8 +
patches/Add-another-integer-overflow-check-to-makeRoom.patch | 71 ++++++++++
patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch | 2
patches/series | 1
4 files changed, 81 insertions(+), 1 deletion(-)
diff -Nru libavif-1.2.1/debian/changelog libavif-1.2.1/debian/changelog
--- libavif-1.2.1/debian/changelog 2025-05-17 16:03:36.000000000 +0200
+++ libavif-1.2.1/debian/changelog 2025-05-25 07:27:30.000000000 +0200
@@ -1,3 +1,11 @@
+libavif (1.2.1-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix upstream bug reference for patch for CVE-2025-48175
+ * Add another integer overflow check to makeRoom
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 25 May 2025 07:27:30 +0200
+
libavif (1.2.1-1.1) unstable; urgency=medium
* Non-maintainer upload.
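Review bot: the second entry, "Add another integer overflow check to makeRoom", carries no reference, and with no Debian bug to close, a reader of the changelog cannot tell where the change comes from. Consider naming the upstream pull request (https://github.com/AOMediaCodec/libavif/pull/2778) in the entry, or noting that the check is already in v1.3.0, as the cover mail does.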
diff -Nru libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch
--- libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch 1970-01-01 01:00:00.000000000 +0100
+++ libavif-1.2.1/debian/patches/Add-another-integer-overflow-check-to-makeRoom.patch 2025-05-25 07:26:42.000000000 +0200
@@ -0,0 +1,71 @@
+From: Wan-Teh Chang <wtc@google.com>
+Date: Sun, 27 Apr 2025 14:34:35 -0700
+Subject: Add another integer overflow check to makeRoom
+Origin: https://github.com/AOMediaCodec/libavif/commit/32eae7c5c1e72d9999cb31d02e333b6a76029bad
+Bug: https://github.com/AOMediaCodec/libavif/pull/2778
+
+Replace the while loop with a formula in makeRoom.
+
+Test the integer overflow checks in makeRoom.
+
+See https://github.com/AOMediaCodec/libavif/pull/2768.
+---
+ src/stream.c | 16 +++++++++-------
+ tests/gtest/avifstreamtest.cc | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/src/stream.c b/src/stream.c
+index a2ae4f620a56..60e6aa384cbf 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -334,14 +334,16 @@ avifBool avifROStreamReadAndEnforceVersion(avifROStream * stream, uint8_t enforc
+ #define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
+ static avifResult makeRoom(avifRWStream * stream, size_t size)
+ {
+- if (size > SIZE_MAX - stream->offset) {
+- return AVIF_RESULT_OUT_OF_MEMORY;
+- }
+- size_t neededSize = stream->offset + size;
+- size_t newSize = stream->raw->size;
+- while (newSize < neededSize) {
+- newSize += AVIF_STREAM_BUFFER_INCREMENT;
++ AVIF_CHECKERR(size <= SIZE_MAX - stream->offset, AVIF_RESULT_OUT_OF_MEMORY);
++ size_t newSize = stream->offset + size;
++ if (newSize <= stream->raw->size) {
++ return AVIF_RESULT_OK;
+ }
++ // Make newSize a multiple of AVIF_STREAM_BUFFER_INCREMENT.
++ size_t rem = newSize % AVIF_STREAM_BUFFER_INCREMENT;
++ size_t padding = (rem == 0) ? 0 : AVIF_STREAM_BUFFER_INCREMENT - rem;
++ AVIF_CHECKERR(newSize <= SIZE_MAX - padding, AVIF_RESULT_OUT_OF_MEMORY);
++ newSize += padding;
+ return avifRWDataRealloc(stream->raw, newSize);
+ }
+
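Review bot: the patch description never says which addition could overflow, so the new `rem`/`padding` code reads as a plain refactor. From the removed lines it is `newSize += AVIF_STREAM_BUFFER_INCREMENT` inside the `while (newSize < neededSize)` loop, which had no guard and can wrap when `stream->offset + size` lies within one increment of SIZE_MAX; a sentence to that effect in the patch header would help anyone backporting this. Two behaviour changes are also worth recording there: the new size is now rounded up from `stream->offset + size` instead of stepped up from `stream->raw->size`, and the already-large-enough case returns AVIF_RESULT_OK without calling avifRWDataRealloc.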
+diff --git a/tests/gtest/avifstreamtest.cc b/tests/gtest/avifstreamtest.cc
+index 1ba4e9f25e59..199b8bef12c5 100644
+--- a/tests/gtest/avifstreamtest.cc
++++ b/tests/gtest/avifstreamtest.cc
+@@ -202,6 +202,19 @@ TEST(StreamTest, WriteBitsLimit) {
+ AVIF_RESULT_INVALID_ARGUMENT);
+ }
+
++// Test the overflow checks in the makeRoom() function in src/stream.c.
++TEST(StreamTest, OverflowChecksInMakeRoom) {
++ testutil::AvifRwData rw_data;
++ avifRWStream rw_stream;
++ avifRWStreamStart(&rw_stream, &rw_data);
++ const char ten_bytes[10] = {0};
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, 10), AVIF_RESULT_OK);
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 9),
++ AVIF_RESULT_OUT_OF_MEMORY);
++ EXPECT_EQ(avifRWStreamWrite(&rw_stream, ten_bytes, SIZE_MAX - 10),
++ AVIF_RESULT_OUT_OF_MEMORY);
++}
++
+ //------------------------------------------------------------------------------
+
+ } // namespace
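Review bot: in OverflowChecksInMakeRoom both large writes expect the same AVIF_RESULT_OUT_OF_MEMORY, so nothing in the test records which check each one exercises. With the offset at 10 after the first write, `SIZE_MAX - 9` fails `size <= SIZE_MAX - stream->offset`, while `SIZE_MAX - 10` passes it (the sum is exactly SIZE_MAX) and is stopped only by the new `newSize <= SIZE_MAX - padding` check; a one-line comment above each EXPECT_EQ would make that explicit. Both calls also pass the 10-byte `ten_bytes` buffer with a far larger length, so the test is only safe as long as makeRoom rejects the size before the data is read, which deserves a comment too.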
+--
+2.49.0
+
diff -Nru libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
--- libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-17 16:03:05.000000000 +0200
+++ libavif-1.2.1/debian/patches/Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch 2025-05-25 06:42:02.000000000 +0200
@@ -2,7 +2,7 @@
Date: Fri, 18 Apr 2025 15:29:20 -0700
Subject: Declare *RowBytes as size_t in avifImageRGBToYUV()
Origin: https://github.com/AOMediaCodec/libavif/commit/64d956ed5a602f78cebf29da023280944ee92efd
-Bug: https://github.com/AOMediaCodec/libavif/pull/2768
+Bug: https://github.com/AOMediaCodec/libavif/pull/2769
Bug-Debian: https://bugs.debian.org/1105883
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
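Review bot: pull/2768 is dropped here as the Bug reference of the RowBytes patch, yet the new makeRoom patch still says "See https://github.com/AOMediaCodec/libavif/pull/2768" in its description, so 2768 looks like the earlier makeRoom change. Add-integer-overflow-check-to-makeRoom.patch is not touched by this debdiff; it is worth checking that its Bug field points at 2768 so that the three patch headers stay consistent.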
diff -Nru libavif-1.2.1/debian/patches/series libavif-1.2.1/debian/patches/series
--- libavif-1.2.1/debian/patches/series 2025-05-17 16:02:38.000000000 +0200
+++ libavif-1.2.1/debian/patches/series 2025-05-25 07:27:04.000000000 +0200
@@ -2,3 +2,4 @@
Add-integer-overflow-check-to-makeRoom.patch
Fix-format-errors.patch
Declare-RowBytes-as-size_t-in-avifImageRGBToYUV.patch
+Add-another-integer-overflow-check-to-makeRoom.patch