Bug 1226021

Summary: VUL-0: CVE-2024-5171: chromium,libaom,libvpx: heap buffer overflow in img_alloc_helper() caused by integer overflow
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Robert Frohl <rfrohl>
Component: Security
Assignee: Andreas Stieger <Andreas.Stieger>
Status: NEW
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: adrian.schroeter, coldpool, daniel, rfrohl, security-team, smash_bz
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/408840/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1226020
Bug Blocks:

Description Robert Frohl 2024-06-06 06:18:11 UTC
+++ This bug was initially created as a clone of Bug #1226020 +++

Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:
  *  Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  *  Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  *  Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5171
https://www.cve.org/CVERecord?id=CVE-2024-5171
https://issues.chromium.org/issues/332382766
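As an added illustration (constructed for this entry, not libaom's img_alloc_helper() and not code from the report), the unchecked 32-bit size computation that silently wraps is shown beside a version that refuses any intermediate overflow. The parameter names d_w, d_h, align and border follow the CVE text; the single-plane 8-bit layout and the GCC/Clang __builtin_*_overflow helpers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern behind this bug class: the arithmetic wraps modulo 2^32,
 * so a huge image can yield a tiny allocation that is later written past its
 * end. (Constructed model, not libaom's code.) */
uint32_t naive_image_size(uint32_t d_w, uint32_t d_h, uint32_t align,
                          uint32_t border) {
    uint32_t w = d_w + 2u * border;
    uint32_t stride = (w + align - 1u) & ~(align - 1u); /* round up */
    uint32_t h = d_h + 2u * border;
    return stride * h; /* may wrap to a small value */
}

/* Hardened version: every step is overflow-checked in size_t and the caller
 * gets false instead of a wrapped size. align must be a power of two.
 * Uses GCC/Clang __builtin_*_overflow (assumed available). */
bool checked_image_size(uint32_t d_w, uint32_t d_h, uint32_t align,
                        uint32_t border, size_t *size) {
    size_t pad, w, h, stride, total;
    if (align == 0u || (align & (align - 1u)) != 0u) return false;
    if (__builtin_mul_overflow((size_t)border, (size_t)2, &pad)) return false;
    if (__builtin_add_overflow((size_t)d_w, pad, &w)) return false;
    if (__builtin_add_overflow(w, (size_t)align - 1, &stride)) return false;
    stride &= ~((size_t)align - 1); /* round width up to the alignment */
    if (__builtin_add_overflow((size_t)d_h, pad, &h)) return false;
    if (__builtin_mul_overflow(stride, h, &total)) return false;
    *size = total;
    return true;
}

int main(void) {
    size_t sz = 0;
    /* 65536 x 65536: 2^32 bytes, which the 32-bit version wraps to 0 */
    printf("naive:   %u\n", naive_image_size(0x10000u, 0x10000u, 16u, 0u));
    if (checked_image_size(0x10000u, 0x10000u, 16u, 0u, &sz))
        printf("checked: %zu\n", sz);
    else
        printf("checked: rejected (overflow)\n");
    return 0;
}
```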
Comment 1 Robert Frohl 2024-06-06 07:10:45 UTC
Probably not relevant at the moment, as it is dev channel only. Probably will be released at one point though.

Leaving the bug open for now
Comment 2 Andreas Stieger 2024-06-06 07:23:38 UTC
- libaom: CVE-2024-5171 bug 1226020
- libvpx: CVE-2024-5197 bug 1225879