From: DanisJiang <43723722+DanisJiang@users.noreply.github.com>
Subject: Add integer overflow checks to makeRoom (CVE-2025-48174)
Origin: backport, https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c053559902,
https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109,
https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
Bug: https://github.com/AOMediaCodec/libavif/pull/2768
Bug-Debian: https://bugs.debian.org/1105885
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48174
Instead of backporting requisites for the patches from
https://github.com/AOMediaCodec/libavif/pull/2768 make the overflow check and
abort() instead. Use abort() to be consistent with avifAlloc() in libavif
v0.11.1 (in src/mem.c):
    void * avifAlloc(size_t size)
    {
        void * out = malloc(size);
        if (out == NULL) {
            abort();
        }
        return out;
    }
Include <stdlib.h> for abort().
Thanks: Wan-Teh Chang <wtc@google.com>
---
src/stream.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/stream.c
+++ b/src/stream.c
@@ -6,6 +6,7 @@
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
+#include <stdlib.h>
#include <string.h>
// ---------------------------------------------------------------------------
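Review bot: the added `#include <stdlib.h>` makes this a four-line change, but the diffstat in the patch header still reads `3 +++` and `3 insertions(+)`. Regenerate the header so the stat matches the hunks; patch tools ignore it, but a reader comparing the stat against the diff will wonder whether a line was added or dropped after export.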
@@ -234,6 +235,9 @@ avifBool avifROStreamReadAndEnforceVersi
#define AVIF_STREAM_BUFFER_INCREMENT (1024 * 1024)
static void makeRoom(avifRWStream * stream, size_t size)
{
+ if (size > SIZE_MAX - stream->offset) {
+ abort();
+ }
size_t neededSize = stream->offset + size;
size_t newSize = stream->raw->size;
while (newSize < neededSize) {
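Review bot: the new guard at the top of makeRoom() covers only the `stream->offset + size` addition; the `while (newSize < neededSize)` loop that follows is not protected by it. The loop body is outside this hunk, but if it grows newSize in steps of AVIF_STREAM_BUFFER_INCREMENT, a neededSize within one increment of SIZE_MAX could still make newSize wrap before the loop condition becomes false. Please confirm the loop body, and if it grows that way add a matching check there, for example abort() when `newSize > SIZE_MAX - AVIF_STREAM_BUFFER_INCREMENT`. A short comment above the abort() pointing at the avifAlloc() precedent would also help, since terminating the process from library code is otherwise surprising to a reader of src/stream.c.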
--
2.49.0