Version in base suite: 1.12.0-1+deb12u3 Base version: libvpx_1.12.0-1+deb12u3 Target version: libvpx_1.12.0-1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvpx/libvpx_1.12.0-1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvpx/libvpx_1.12.0-1+deb12u4.dsc changelog | 8 + patches/series | 1 patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch | 62 ++++++++++ 3 files changed, 71 insertions(+) diff -Nru libvpx-1.12.0/debian/changelog libvpx-1.12.0/debian/changelog --- libvpx-1.12.0/debian/changelog 2024-06-20 10:01:27.000000000 +0000 +++ libvpx-1.12.0/debian/changelog 2025-05-27 21:16:51.000000000 +0000 @@ -1,3 +1,11 @@ +libvpx (1.12.0-1+deb12u4) bookworm-security; urgency=high + + * Non-maintainer upload by the Security Team. + * vpx_codec_enc_init_multi: fix double free on init failure + (Closes: #1106689) + + -- Salvatore Bonaccorso Tue, 27 May 2025 23:16:51 +0200 + libvpx (1.12.0-1+deb12u3) bookworm-security; urgency=medium * Non-maintainer upload. diff -Nru libvpx-1.12.0/debian/patches/series libvpx-1.12.0/debian/patches/series --- libvpx-1.12.0/debian/patches/series 2024-06-20 10:01:27.000000000 +0000 +++ libvpx-1.12.0/debian/patches/series 2025-05-27 21:16:51.000000000 +0000 @@ -6,3 +6,4 @@ 0002-Fix-integer-overflows-in-calc-of-stride_in_bytes.patch 0003-Avoid-integer-overflows-in-arithmetic-operations.patch 0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch +vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch diff -Nru libvpx-1.12.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch libvpx-1.12.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch --- libvpx-1.12.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvpx-1.12.0/debian/patches/vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch 2025-05-27 21:16:51.000000000 +0000 @@ -0,0 +1,62 @@ +From 1c758781c428c0e895645b95b8ff1512b6bdcecb Mon Sep 17 00:00:00 2001 +From: James Zern +Date: Wed, 30 Apr 2025 19:28:48 -0700 +Subject: [PATCH] vpx_codec_enc_init_multi: fix double free on init failure + +In `vp8e_init()`, the encoder would take ownership of +`mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` failed. +This caused confusion at the call site as other failures in +`vp8e_init()` did not result in ownership transfer and the caller would +free the memory. In the case of `vp8_create_compressor()` failure both +the caller and `vpx_codec_destroy()` would free the memory, causing a +crash. `mr_*` related variables are now cleared on failure to prevent +this situation. + +Bug: webm:413411335 +Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 +Change-Id: Ie951d42b9029a586bf9059b650bd8863db9f9ffc +--- + vp8/vp8_cx_iface.c | 12 +++++++++++- + vpx/src/vpx_encoder.c | 3 +++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/vp8/vp8_cx_iface.c b/vp8/vp8_cx_iface.c +index 38456d2b90c7..35c94fb04343 100644 +--- a/vp8/vp8_cx_iface.c ++++ b/vp8/vp8_cx_iface.c +@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx, + + set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg); + priv->cpi = vp8_create_compressor(&priv->oxcf); +- if (!priv->cpi) res = VPX_CODEC_MEM_ERROR; ++ if (!priv->cpi) { ++#if CONFIG_MULTI_RES_ENCODING ++ // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This ++ // prevents ownership confusion with the caller and avoids a double ++ // free when vpx_codec_destroy() is called on this instance. ++ priv->oxcf.mr_total_resolutions = 0; ++ priv->oxcf.mr_encoder_id = 0; ++ priv->oxcf.mr_low_res_mode_info = NULL; ++#endif ++ res = VPX_CODEC_MEM_ERROR; ++ } + } + } + +diff --git a/vpx/src/vpx_encoder.c b/vpx/src/vpx_encoder.c +index 001d854abe9c..3af4cea3a70f 100644 +--- a/vpx/src/vpx_encoder.c ++++ b/vpx/src/vpx_encoder.c +@@ -114,6 +114,9 @@ vpx_codec_err_t vpx_codec_enc_init_multi_ver( + ctx->priv = NULL; + ctx->init_flags = flags; + ctx->config.enc = cfg; ++ // ctx takes ownership of mr_cfg.mr_low_res_mode_info if and only if ++ // this call succeeds. The first ctx entry in the array is ++ // responsible for freeing the memory. + res = ctx->iface->init(ctx, &mr_cfg); + } + +-- +2.49.0 +