commit ff3c6f9387b0ad4c76ae743f8754f0f8be542788 Author: Dominik Mierzejewski <dominik(a)greysector.net&gt; Date: Sat Dec 16 09:44:06 2023 +0100 Update to 1.17.5 (rhbz#2244583) - Backport fixes for: CVE-2023-49460 (rhbz#2253575, rhbz#2253576) CVE-2023-49462 (rhbz#2253567, rhbz#2253568) CVE-2023-49463 (rhbz#2253565, rhbz#2253566) CVE-2023-49464 (rhbz#2253562, rhbz#2253563) - Enable HEVC decoding via libavcodec 26ec3953d46bb5756b97955661565bcbc6647abf.patch | 25 +++ 56ef61d8daa55b56d782e5d8ab6f0ed31b98b494.patch | 24 +++ 730a9d80bea3434f75c79e721878cc67f3889969.patch | 208 +++++++++++++++++++++++++ fd5b02aca3e29088bf0a1fc400bd661be4a6ed76.patch | 28 ++++ libheif-freeworld.spec | 26 +++- sources | 2 +- 6 files changed, 309 insertions(+), 4 deletions(-) --- diff --git a/26ec3953d46bb5756b97955661565bcbc6647abf.patch b/26ec3953d46bb5756b97955661565bcbc6647abf.patch new file mode 100644 index 0000000..4d2ba07 --- /dev/null +++ b/26ec3953d46bb5756b97955661565bcbc6647abf.patch @@ -0,0 +1,25 @@ +From 26ec3953d46bb5756b97955661565bcbc6647abf Mon Sep 17 00:00:00 2001 +From: Dirk Farin <dirk.farin(a)gmail.com&gt; +Date: Thu, 14 Dec 2023 13:38:11 +0100 +Subject: [PATCH] fix #1042 (EXIF offset larger than data) + +--- + examples/encoder_jpeg.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/examples/encoder_jpeg.cc b/examples/encoder_jpeg.cc +index bbf24396ba..84f1d7ec9b 100644 +--- a/examples/encoder_jpeg.cc ++++ b/examples/encoder_jpeg.cc +@@ -178,6 +178,11 @@ bool JpegEncoder::Encode(const struct heif_image_handle* handle, + uint32_t skip = (exifdata[0]<<24) | (exifdata[1]<<16) | (exifdata[2]<<8) | exifdata[3]; + skip += 4; + ++ if (skip > exifsize) { ++ fprintf(stderr, "Invalid EXIF data (offset too large)\n"); ++ return false; ++ } ++ + uint8_t* ptr = exifdata + skip; + size_t size = exifsize - skip; + diff --git a/56ef61d8daa55b56d782e5d8ab6f0ed31b98b494.patch b/56ef61d8daa55b56d782e5d8ab6f0ed31b98b494.patch new file mode 100644 index 0000000..966b215 --- /dev/null +++ b/56ef61d8daa55b56d782e5d8ab6f0ed31b98b494.patch @@ -0,0 +1,24 @@ +From 2bf226a300951e6897ee7267d0dd379ba5ad7287 Mon Sep 17 00:00:00 2001 +From: Brad Hards <bradh(a)frogmouth.net&gt; +Date: Thu, 30 Nov 2023 19:55:18 +1100 +Subject: [PATCH] uncompressed: protect against broken uncC box component + references + +--- + libheif/uncompressed_image.cc | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libheif/uncompressed_image.cc b/libheif/uncompressed_image.cc +index 5218165b23..c91e5dba4f 100644 +--- a/libheif/uncompressed_image.cc ++++ b/libheif/uncompressed_image.cc +@@ -534,6 +534,9 @@ int UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(cons + int alternate_channel_bits = 0; + for (Box_uncC::Component component : uncC_box->get_components()) { + uint16_t component_index = component.component_index; ++ if (component_index >= cmpd_box->get_components().size()) { ++ return -1; ++ } + auto component_type = cmpd_box->get_components()[component_index].component_type; + switch (component_type) { + case component_type_monochrome: diff --git a/730a9d80bea3434f75c79e721878cc67f3889969.patch b/730a9d80bea3434f75c79e721878cc67f3889969.patch new file mode 100644 index 0000000..c1464c4 --- /dev/null +++ b/730a9d80bea3434f75c79e721878cc67f3889969.patch @@ -0,0 +1,208 @@ +From 730a9d80bea3434f75c79e721878cc67f3889969 Mon Sep 17 00:00:00 2001 +From: Dirk Farin <dirk.farin(a)gmail.com&gt; +Date: Thu, 14 Dec 2023 16:09:05 +0100 +Subject: [PATCH] fix integer overflows when reading EXIF tags (fixes #1043) + (CVE-2023-49462) + +--- + examples/encoder_jpeg.cc | 2 +- + libheif/exif.cc | 78 +++++++++++++++++++++------------------- + libheif/exif.h | 4 +-- + 3 files changed, 44 insertions(+), 40 deletions(-) + +diff --git a/examples/encoder_jpeg.cc b/examples/encoder_jpeg.cc +index 84f1d7ec9b..41a0eefad6 100644 +--- a/examples/encoder_jpeg.cc ++++ b/examples/encoder_jpeg.cc +@@ -187,7 +187,7 @@ bool JpegEncoder::Encode(const struct heif_image_handle* handle, + size_t size = exifsize - skip; + + // libheif by default normalizes the image orientation, so that we have to set the EXIF Orientation to "Horizontal (normal)" +- modify_exif_orientation_tag_if_it_exists(ptr, (int)size, 1); ++ modify_exif_orientation_tag_if_it_exists(ptr, size, 1); + + // We have to limit the size for the memcpy, otherwise GCC warns that we exceed the maximum size. + if (size>0x1000000) { +diff --git a/libheif/exif.cc b/libheif/exif.cc +index ded0a2d29a..82c3cd1328 100644 +--- a/libheif/exif.cc ++++ b/libheif/exif.cc +@@ -25,12 +25,12 @@ + #define DEFAULT_EXIF_ORIENTATION 1 + #define EXIF_TAG_ORIENTATION 0x112 + ++// Note: As far as I can see, it is not defined in the EXIF standard whether the offsets and counts of the IFD is signed or unsigned. ++// We assume that these are all unsigned. + +-static int32_t read32(const uint8_t* data, int size, int pos, bool littleEndian) ++static uint32_t read32(const uint8_t* data, uint32_t size, uint32_t pos, bool littleEndian) + { +- if (pos + 4 > size) { +- return -1; +- } ++ assert(pos <= size - 4); + + const uint8_t* p = data + pos; + +@@ -43,28 +43,24 @@ static int32_t read32(const uint8_t* data, int size, int pos, bool littleEndian) + } + + +-static int32_t read16(const uint8_t* data, int size, int pos, bool littleEndian) ++static uint16_t read16(const uint8_t* data, uint32_t size, uint32_t pos, bool littleEndian) + { +- if (pos + 2 > size) { +- return -1; +- } ++ assert(pos <= size - 2); + + const uint8_t* p = data + pos; + + if (littleEndian) { +- return (p[1] << 8) | p[0]; ++ return static_cast<uint16_t>((p[1] << 8) | p[0]); + } + else { +- return (p[0] << 8) | p[1]; ++ return static_cast<uint16_t>((p[0] << 8) | p[1]); + } + } + + +-static void write16(uint8_t* data, int size, int pos, uint16_t value, bool littleEndian) ++static void write16(uint8_t* data, uint32_t size, uint32_t pos, uint16_t value, bool littleEndian) + { +- if (pos + 2 > size) { +- return; +- } ++ assert(pos <= size - 2); + + uint8_t* p = data + pos; + +@@ -78,16 +74,16 @@ static void write16(uint8_t* data, int size, int pos, uint16_t value, bool littl + } + } + +- +-static int find_exif_tag(const uint8_t* exif, int size, uint16_t query_tag, bool* out_littleEndian) ++// Returns 0 if the query_tag was not found. ++static uint32_t find_exif_tag(const uint8_t* exif, uint32_t size, uint16_t query_tag, bool* out_littleEndian) + { + if (size < 4) { +- return -1; ++ return 0; + } + + if ((exif[0] != 'I' && exif[0] != 'M') || + (exif[1] != 'I' && exif[1] != 'M')) { +- return -1; ++ return 0; + } + + bool littleEndian = (exif[0] == 'I'); +@@ -95,14 +91,22 @@ static int find_exif_tag(const uint8_t* exif, int size, uint16_t query_tag, boo + assert(out_littleEndian); + *out_littleEndian = littleEndian; + +- int offset = read32(exif, size, 4, littleEndian); +- if (offset < 0) { +- return -1; ++ uint32_t offset = read32(exif, size, 4, littleEndian); ++ ++ if (size - 2 < offset) { ++ return 0; + } + +- int cnt = read16(exif, size, offset, littleEndian); +- if (cnt < 1) { +- return -1; ++ uint16_t cnt = read16(exif, size, offset, littleEndian); ++ ++ // Does the IFD table fit into our memory range? We need this to prevent an underflow in the following statement. ++ if (2U + cnt * 12U > size) { ++ return 0; ++ } ++ ++ // end of IFD table would exceed the end of the EXIF data ++ if (size - 2U - cnt * 12U > offset) { ++ return 0; + } + + for (int i = 0; i < cnt; i++) { +@@ -114,20 +118,20 @@ static int find_exif_tag(const uint8_t* exif, int size, uint16_t query_tag, boo + + // TODO: do we have to also scan the next IFD table ? + +- return -1; ++ return 0; + } + + +-void modify_exif_tag_if_it_exists(uint8_t* exif, int size, uint16_t modify_tag, uint16_t modify_value) ++void modify_exif_tag_if_it_exists(uint8_t* exif, uint32_t size, uint16_t modify_tag, uint16_t modify_value) + { + bool little_endian; +- int pos = find_exif_tag(exif, size, modify_tag, &little_endian); +- if (pos < 0) { ++ uint32_t pos = find_exif_tag(exif, size, modify_tag, &little_endian); ++ if (pos == 0) { + return; + } + +- int type = read16(exif, size, pos + 2, little_endian); +- int count = read32(exif, size, pos + 4, little_endian); ++ uint16_t type = read16(exif, size, pos + 2, little_endian); ++ uint32_t count = read32(exif, size, pos + 4, little_endian); + + if (type == EXIF_TYPE_SHORT && count == 1) { + write16(exif, size, pos + 8, modify_value, little_endian); +@@ -135,26 +139,26 @@ void modify_exif_tag_if_it_exists(uint8_t* exif, int size, uint16_t modify_tag, + } + + +-void modify_exif_orientation_tag_if_it_exists(uint8_t* exifData, int size, uint16_t orientation) ++void modify_exif_orientation_tag_if_it_exists(uint8_t* exifData, uint32_t size, uint16_t orientation) + { + modify_exif_tag_if_it_exists(exifData, size, EXIF_TAG_ORIENTATION, orientation); + } + + +-int read_exif_orientation_tag(const uint8_t* exif, int size) ++int read_exif_orientation_tag(const uint8_t* exif, uint32_t size) + { + bool little_endian; +- int pos = find_exif_tag(exif, size, EXIF_TAG_ORIENTATION, &little_endian); +- if (pos < 0) { ++ uint32_t pos = find_exif_tag(exif, size, EXIF_TAG_ORIENTATION, &little_endian); ++ if (pos == 0) { + return DEFAULT_EXIF_ORIENTATION; + } + +- int type = read16(exif, size, pos + 2, little_endian); +- int count = read32(exif, size, pos + 4, little_endian); ++ uint16_t type = read16(exif, size, pos + 2, little_endian); ++ uint32_t count = read32(exif, size, pos + 4, little_endian); + + if (type == EXIF_TYPE_SHORT && count == 1) { + return read16(exif, size, pos + 8, little_endian); + } + + return DEFAULT_EXIF_ORIENTATION; +-} +\ No newline at end of file ++} +diff --git a/libheif/exif.h b/libheif/exif.h +index e877eaf5b1..7598c65534 100644 +--- a/libheif/exif.h ++++ b/libheif/exif.h +@@ -24,8 +24,8 @@ + #include <vector> + #include <cinttypes> + +-int read_exif_orientation_tag(const uint8_t* exif, int size); ++int read_exif_orientation_tag(const uint8_t* exif, uint32_t size); + +-void modify_exif_orientation_tag_if_it_exists(uint8_t* exifData, int size, uint16_t orientation); ++void modify_exif_orientation_tag_if_it_exists(uint8_t* exifData, uint32_t size, uint16_t orientation); + + #endif //LIBHEIF_EXIF_H diff --git a/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76.patch b/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76.patch new file mode 100644 index 0000000..dc12b43 --- /dev/null +++ b/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76.patch @@ -0,0 +1,28 @@ +From fd5b02aca3e29088bf0a1fc400bd661be4a6ed76 Mon Sep 17 00:00:00 2001 +From: zhailiangliang <zhailiangliang(a)loongson.cn&gt; +Date: Thu, 14 Dec 2023 16:42:14 +0800 +Subject: [PATCH] fix null pointer dereference in + libheif/uncompressed_image.cc:758 + +--- + libheif/uncompressed_image.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libheif/uncompressed_image.cc b/libheif/uncompressed_image.cc +index c91e5dba4f..487d4cedbe 100644 +--- a/libheif/uncompressed_image.cc ++++ b/libheif/uncompressed_image.cc +@@ -616,6 +616,13 @@ Error UncompressedImageCodec::decode_uncompressed_image(const std::shared_ptr<co + if (error) { + return error; + } ++ ++ if (!(uncompressed_data.data())) { ++ return Error(heif_error_Invalid_input, ++ heif_suberror_Unspecified, ++ "Invalid data: uncompressed_data.data() is null for uncompressed codec"); ++ } ++ + uint32_t width = 0; + uint32_t height = 0; + bool found_ispe = false; diff --git a/libheif-freeworld.spec b/libheif-freeworld.spec index b43fb4c..d912405 100644 --- a/libheif-freeworld.spec +++ b/libheif-freeworld.spec @@ -1,17 +1,26 @@ %bcond_with check Name: libheif-freeworld -Version: 1.16.2 -Release: 2%{?dist} +Version: 1.17.5 +Release: 1%{?dist} Summary: HEVC support for HEIF and AVIF file format decoder and encoder License: LGPL-3.0-or-later and MIT URL: https://github.com/strukturag/libheif Source0: %{url}/archive/v%{version}/libheif-%{version}.tar.gz +# fix for CVE-2023-49460 (https://github.com/strukturag/libheif/issues/1046) +Patch10: https://github.com/strukturag/libheif/commit/fd5b02aca3e29088bf0a1fc400bd... +# fix for CVE-2023-49462 (https://github.com/strukturag/libheif/issues/1043) +Patch11: https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878... +# fix for CVE-2023-49463 (https://github.com/strukturag/libheif/issues/1042) +Patch12: https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b9795566156... +# fix for CVE-2023-49464 (https://github.com/strukturag/libheif/issues/1044) +Patch13: https://github.com/strukturag/libheif/commit/56ef61d8daa55b56d782e5d8ab6f... BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: ninja-build +BuildRequires: pkgconfig(libavcodec) BuildRequires: pkgconfig(libde265) BuildRequires: pkgconfig(x265) %if %{with check} @@ -41,8 +50,11 @@ rm -rf third-party/ %if %{with check} -DBUILD_TESTING=ON \ -DWITH_REDUCED_VISIBILITY=OFF \ + -DWITH_FFMPEG_DECODER=ON \ -DWITH_LIBDE265=ON -DWITH_X265=ON \ %else + -DWITH_FFMPEG_DECODER=ON \ + -DWITH_FFMPEG_DECODER_PLUGIN=ON \ -DWITH_LIBDE265_PLUGIN:BOOL=ON -DWITH_X265_PLUGIN:BOOL=ON \ %endif -DWITH_EXAMPLES:BOOL=OFF \ @@ -57,7 +69,6 @@ rm -rv .%{_includedir}/libheif rm -rv .%{_libdir}/cmake/libheif rm -rv .%{_libdir}/libheif.so* rm -v .%{_libdir}/pkgconfig/libheif.pc -rm -rv .%{_datadir}/thumbnailers popd %if %{with check} @@ -68,10 +79,19 @@ popd %files %license COPYING %doc README.md +%{_libdir}/libheif/libheif-ffmpegdec.so %{_libdir}/libheif/libheif-libde265.so %{_libdir}/libheif/libheif-x265.so %changelog +* Fri Dec 15 2023 Dominik Mierzejewski <dominik(a)greysector.net&gt; - 1.17.5-2 +- Update to 1.17.5 (rhbz#2244583) +- Backport fixes for: CVE-2023-49460 (rhbz#2253575, rhbz#2253576) + CVE-2023-49462 (rhbz#2253567, rhbz#2253568) + CVE-2023-49463 (rhbz#2253565, rhbz#2253566) + CVE-2023-49464 (rhbz#2253562, rhbz#2253563) +- Enable HEVC decoding via libavcodec + * Fri Sep 08 2023 Dominik Mierzejewski <dominik(a)greysector.net&gt; - 1.16.2-2 - Enable uncompressed codec (rhbz#2237849) - Run tests conditionally (requires making all symbols visible) diff --git a/sources b/sources index e321e03..7a5642d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libheif-1.16.2.tar.gz) = ef32fced3a66d888caf2202b55bc4c81094045abfd2806216bbf0c359a30663c500ed5e33a9cef316bcfd933498e87753e9af6b3c179e84c370efd62900493c0 +SHA512 (libheif-1.17.5.tar.gz) = e17f990fcb4b3ebfec19cbf304ae8f9b00a3d33aaf46802eff8b3c21c614ccd02cb0a92960324b4c579e579021615c88d16efe6df84a171ddbc05313d2c73931