Version in base suite: 1.12.0-1+deb12u4 Base version: libvpx_1.12.0-1+deb12u4 Target version: libvpx_1.12.0-1+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libv/libvpx/libvpx_1.12.0-1+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libv/libvpx/libvpx_1.12.0-1+deb12u5.dsc changelog | 6 +++ patches/CVE-2026-2447.patch | 83 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 90 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpf1879_m7/libvpx_1.12.0-1+deb12u4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpf1879_m7/libvpx_1.12.0-1+deb12u5.dsc: no acceptable signature found
diff -Nru libvpx-1.12.0/debian/changelog libvpx-1.12.0/debian/changelog
--- libvpx-1.12.0/debian/changelog 2025-05-27 21:16:51.000000000 +0000
+++ libvpx-1.12.0/debian/changelog 2026-02-17 08:30:07.000000000 +0000
@@ -1,3 +1,9 @@
+libvpx (1.12.0-1+deb12u5) bookworm-security; urgency=medium
+
+ * CVE-2026-2447 (aka CVE-2026-1861)
+
+ -- Moritz Mühlenhoff Tue, 17 Feb 2026 09:30:07 +0100
+
 libvpx (1.12.0-1+deb12u4) bookworm-security; urgency=high
 
  * Non-maintainer upload by the Security Team.
diff -Nru libvpx-1.12.0/debian/patches/CVE-2026-2447.patch libvpx-1.12.0/debian/patches/CVE-2026-2447.patch
--- libvpx-1.12.0/debian/patches/CVE-2026-2447.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvpx-1.12.0/debian/patches/CVE-2026-2447.patch 2026-02-17 08:30:07.000000000 +0000
@@ -0,0 +1,83 @@ +commit d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1 +Author: Wan-Teh Chang +Date: Wed Jan 21 18:03:55 2026 -0800 + + write_superframe_index: return 0 if buffer is full + + write_superframe_index() should return the number of bytes written to + ctx->pending_cx_data. If ctx->pending_cx_data is full, + write_superframe_index() doesn't write the optional superframe index, so + it should return 0 in this case. Add an assertion that would have + detected this bug. Add and clarify comments for code related to this + bug. + + Also fix the buffer full check. The check should not assume that + ctx->pending_cx_data is equal to ctx->cx_data, and the check had an + off-by-one error. + + The bug was introduced when write_superframe_index() was added in the + following CLs: + https://chromium-review.googlesource.com/c/webm/libvpx/+/44659 + https://chromium-review.googlesource.com/c/webm/libvpx/+/45268 + + Bug: oss-fuzz:476466137 + Change-Id: Ie113568cf25acc73f8af640a3c51cfdb5b900613 + +--- libvpx-1.12.0.orig/vp9/vp9_cx_iface.c ++++ libvpx-1.12.0/vp9/vp9_cx_iface.c +@@ -8,6 +8,8 @@ + * be found in the AUTHORS file in the root of the source tree. + */ + ++#include ++#include + #include + #include + +@@ -114,6 +116,7 @@ struct vpx_codec_alg_priv { + VP9_COMP *cpi; + unsigned char *cx_data; + size_t cx_data_sz; ++ // pending_cx_data either is a null pointer or points into the cx_data buffer. 
+ unsigned char *pending_cx_data; + size_t pending_cx_data_sz; + int pending_frame_count; +@@ -1207,8 +1210,12 @@ static int write_superframe_index(vpx_co + + // Write the index + index_sz = 2 + (mag + 1) * ctx->pending_frame_count; +- if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) { +- uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz; ++ unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz; ++ unsigned char *pending_cx_data_end = ++ ctx->pending_cx_data + ctx->pending_cx_data_sz; ++ ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end; ++ if (index_sz <= space_remaining) { ++ uint8_t *x = pending_cx_data_end; + int i, j; + #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA + uint8_t marker_test = 0xc0; +@@ -1239,6 +1246,8 @@ static int write_superframe_index(vpx_co + #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA + index_sz += index_sz_test; + #endif ++ } else { ++ index_sz = 0; + } + return index_sz; + } +@@ -1502,9 +1511,12 @@ static vpx_codec_err_t encoder_encode(vp + ctx->pending_frame_sizes[ctx->pending_frame_count++] = size; + ctx->pending_frame_magnitude |= size; + ctx->pending_cx_data_sz += size; +- // write the superframe only for the case when +- if (!ctx->output_cx_pkt_cb.output_cx_pkt) ++ // write the superframe only for the case when the callback function ++ // for getting per-layer packets is not registered. ++ if (!ctx->output_cx_pkt_cb.output_cx_pkt) { + size += write_superframe_index(ctx); ++ assert(size <= cx_data_sz); ++ } + pkt.data.frame.buf = ctx->pending_cx_data; + pkt.data.frame.sz = ctx->pending_cx_data_sz; + ctx->pending_cx_data = NULL; diff -Nru libvpx-1.12.0/debian/patches/series libvpx-1.12.0/debian/patches/series --- libvpx-1.12.0/debian/patches/series 2025-05-27 21:16:51.000000000 +0000 +++ libvpx-1.12.0/debian/patches/series 2026-02-17 08:30:07.000000000 +0000 
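Review bot: The pointer subtraction `cx_data_end - pending_cx_data_end` in the write_superframe_index hunk is only well-defined while pending_cx_data points inside cx_data, which the new struct comment states but nothing in the patch checks; since the patch already introduces assert() in encoder_encode, a debug check placed before `space_remaining` is computed would catch a caller that breaks the invariant: `assert(ctx->pending_cx_data >= ctx->cx_data && pending_cx_data_end <= cx_data_end);`. Note that `assert(size <= cx_data_sz)` in encoder_encode is compiled out under NDEBUG, so in release builds the corrected `index_sz <= space_remaining` comparison is the only guard against writing the index past the buffer, and the same limitation applies to the assertion proposed here. When the index does not fit, the function now returns 0 and the frames are still emitted as `pkt.data.frame` without the (optional) superframe index and with no signal to the caller; a comment on the new `else` branch, `// Not enough room for the optional superframe index: emit the frames without it.`, would make that deliberate choice visible. Both write_superframe_index and encoder_encode start and end outside the hunk, and the header names after the two added `#include` lines are not shown on this page (presumably lost with the angle brackets), so which headers were added cannot be confirmed from here.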
@@ -7,3 +7,4 @@
 0003-Avoid-integer-overflows-in-arithmetic-operations.patch
 0004-Fix-a-bug-in-alloc_size-for-high-bit-depths.patch
 vpx_codec_enc_init_multi-fix-double-free-on-init-fai.patch
+CVE-2026-2447.patch