Bug#1106689: libvpx: diff for NMU version 1.15.0-2.1

To: 1106689@bugs.debian.org
Subject: Bug#1106689: libvpx: diff for NMU version 1.15.0-2.1
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 27 May 2025 23:27:47 +0200
Message-id: <[🔎] aDYuU9A3BHSxK1zr@lorien.valinor.li>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1106689@bugs.debian.org
References: <[🔎] 174837916018.2946179.8529869495277177517.reportbug@eldamar.lan>

X-Debbugs-Cc: Sebastian Dröge <slomo@debian.org>, Sebastian Ramacher <sramacher@debian.org>
Control: tags 1106689 + patch
Control: tags 1106689 + pending


Dear maintainer, hi Sebastian and Sebastian

I've prepared an NMU for libvpx (versioned as 1.15.0-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should cancel it.

https://salsa.debian.org/multimedia-team/libvpx/-/merge_requests/5
is the corresponding MR on salsa.

Regards,
Salvatore

diffstat for libvpx-1.15.0 libvpx-1.15.0

 changelog                                                          |    8 +
 patches/series                                                     |    1 
 patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch |   62 ++++++++++
 3 files changed, 71 insertions(+)

diff -Nru libvpx-1.15.0/debian/changelog libvpx-1.15.0/debian/changelog
--- libvpx-1.15.0/debian/changelog	2025-02-20 04:37:58.000000000 +0100
+++ libvpx-1.15.0/debian/changelog	2025-05-27 23:00:58.000000000 +0200
@@ -1,3 +1,11 @@
+libvpx (1.15.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * vpx_codec_enc_init_multi: fix double free on init failure
+    (Closes: #1106689)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 27 May 2025 23:00:58 +0200
+
 libvpx (1.15.0-2) unstable; urgency=medium
 
   * Team upload
diff -Nru libvpx-1.15.0/debian/patches/series libvpx-1.15.0/debian/patches/series
--- libvpx-1.15.0/debian/patches/series	2025-02-20 04:37:58.000000000 +0100
+++ libvpx-1.15.0/debian/patches/series	2025-05-27 23:00:58.000000000 +0200
@@ -1,2 +1,3 @@
 0001-Relax-ABI-check.patch
 0002-Do-not-undefine-_FORTIFY_SOURCE.patch
+vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch
diff -Nru libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch
--- libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvpx-1.15.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch	2025-05-27 23:00:58.000000000 +0200
@@ -0,0 +1,62 @@
+From 1c758781c428c0e895645b95b8ff1512b6bdcecb Mon Sep 17 00:00:00 2001
+From: James Zern <jzern@google.com>
+Date: Wed, 30 Apr 2025 19:28:48 -0700
+Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure
+
+In `vp8e_init()`, the encoder would take ownership of
+`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed.
+This caused confusion at the call site as other failures in
+`vp8e_init()` did not result in ownership transfer and the caller would
+free the memory. In the case of `vp8_create_compressor()` failure both
+the caller and `vpx_codec_destroy()` would free the memory, causing a
+crash. `mr_*` related variables are now cleared on failure to prevent
+this situation.
+
+Bug: webm:413411335
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421
+Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc
+---
+ vp8/vp8_cx_iface.c    | 12 +++++++++++-
+ vpx/src/vpx_encoder.c |  3 +++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c
+index 38456d2b90c7..35c94fb04343 100644
+--- a/vp8/vp8_cx_iface.c
++++ b/vp8/vp8_cx_iface.c
+@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx,
+ 
+       set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg);
+       priv->cpi = vp8_create_compressor(&priv->oxcf);
+-      if (!priv->cpi) res = VPX_CODEC_MEM_ERROR;
++      if (!priv->cpi) {
++#if CONFIG_MULTI_RES_ENCODING
++        // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This
++        // prevents ownership confusion with the caller and avoids a double
++        // free when vpx_codec_destroy() is called on this instance.
++        priv->oxcf.mr_total_resolutions = 0;
++        priv->oxcf.mr_encoder_id = 0;
++        priv->oxcf.mr_low_res_mode_info = NULL;
++#endif
++        res = VPX_CODEC_MEM_ERROR;
++      }
+     }
+   }
+ 
+diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c
+index 001d854abe9c..3af4cea3a70f 100644
+--- a/vpx/src/vpx_encoder.c
++++ b/vpx/src/vpx_encoder.c
+@@ -114,6 +114,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver(
+           ctx->priv = NULL;
+           ctx->init_flags = flags;
+           ctx->config.enc = cfg;
++          // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if
++          // this call succeeds. The first ctx entry in the array is
++          // responsible for freeing the memory.
+           res = ctx->iface->init(ctx, &mr_cfg);
+         }
+ 
+-- 
+2.49.0
+

Reply to:

Follow-Ups:
- Bug#1106689: libvpx: diff for NMU version 1.15.0-2.1
  - From: Sebastian Ramacher <sramacher@debian.org>

References:
- Bug#1106689: libvpx: double-free in vpx_codec_enc_init_multi
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#1106689: libvpx: double-free in vpx_codec_enc_init_multi
Next by Date: Processed: libvpx: diff for NMU version 1.15.0-2.1
Previous by thread: Bug#1106689: libvpx: double-free in vpx_codec_enc_init_multi
Next by thread: Bug#1106689: libvpx: diff for NMU version 1.15.0-2.1
Index(es):
- Date
- Thread