Bugzilla – Bug 1218429
VUL-0: CVE-2023-6879: libaom: heap-buffer-overflow on frame size change
Last modified: 2024-07-11 13:09:42 UTC
Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc(). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6879 https://aomedia.googlesource.com/aom/+/refs/tags/v3.7.1 https://bugs.chromium.org/p/aomedia/issues/detail?id=3491 Patch: https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c%5E%21
ALP submission: https://build.suse.de/request/show/316799
Created attachment 871719 [details] AddressSanitizer testcase frame resize I have tried with the AddressSanitizer library loaded but the results are the same of yours for the old test case, I run it also for the other and in some case the stack calls seems different. $ cmake path/to/aom -DSANITIZE=address $ make
I had not chance to get to it so far. I have coldpool duty next week, perhaps I will discover something.
3.7.0 reproduces the segfault 3.7.1 fixes the segfault completely (even that one mentioned in comment 4) Backport of these following two commits to 3.2.0 does not suffice https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c%5E! https://aomedia.googlesource.com/aom/+/fcfdc09d81b122cd5e70f66dc55833065127bf47%5E! for me.
> Backport of these following two commits to 3.2.0 does not suffice [..] > for me. I. e. it crashes with different backtrace (comment 4 and comment 5).
Created attachment 872106 [details] unsuccessful patch
Created attachment 872107 [details] patch which adds the testcase (might be also wrong)
SUSE-SU-2024:0517-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1218429 CVE References: CVE-2023-6879 Sources used: SUSE Linux Enterprise Real Time 15 SP4 (src): libaom-3.2.0-150400.3.3.1 openSUSE Leap 15.4 (src): libaom-3.2.0-150400.3.3.1 openSUSE Leap 15.5 (src): libaom-3.2.0-150400.3.3.1 Basesystem Module 15-SP5 (src): libaom-3.2.0-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Petr Gajdos from comment #11) > 3.7.0 reproduces the segfault > 3.7.1 fixes the segfault completely (even that one mentioned in comment 4) > > Backport of these following two commits to 3.2.0 does not suffice > > https://aomedia.googlesource.com/aom/+/ > 7ae7bef246e85c8f349513d668b4571c79a43c5c%5E! > https://aomedia.googlesource.com/aom/+/ > fcfdc09d81b122cd5e70f66dc55833065127bf47%5E! > > for me. Trying to backport theses commits related to the changes: https://aomedia.googlesource.com/aom/+/dc2c3eb26556636dbdae1fef9dbe624276544124 https://aomedia.googlesource.com/aom/+/f4db04befe03ca3ead84ef30a82a56437bd91a90 Doesn't fix the sigsegv either