author | Caolán McNamara <caolan.mcnamara@collabora.com> | 2023-09-14 08:23:53 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.com> | 2023-09-14 15:27:17 +0200 |
commit | 26dc2f15d04565016b8763544fedf21317c85625 (patch) | |
tree | 498c8b513bc604ea25bd9476db837db4f7f55ed4 | |
parent | 202f4119632cb845d0ba5e5fff23c1fd94c18bed (diff) |
tdf#157231 CVE-2023-4863 upgrade to libwebp-1.3.2.tar.gz
Change-Id: Ib60466a59069b59fa884654167f33ccc58e59330
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/156907
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
-rw-r--r-- | RepositoryExternal.mk | 1 | ||||
-rwxr-xr-x | bin/lo-all-static-libs | 1 | ||||
-rw-r--r-- | download.lst | 4 | ||||
-rw-r--r-- | external/libwebp/CVE-2023-1999.patch.1 | 52 | ||||
-rw-r--r-- | external/libwebp/Makefile.vc.patch | 33 | ||||
-rw-r--r-- | external/libwebp/UnpackedTarball_libwebp.mk | 1 |
6 files changed, 22 insertions, 70 deletions
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk
index a87973327ac3..f1461e30dc65 100644
--- a/RepositoryExternal.mk
+++ b/RepositoryExternal.mk
@@ -2823,6 +2823,7 @@ $(call gb_LinkTarget_add_libs,$(1),\
 else
 $(call gb_LinkTarget_add_libs,$(1),\
 -L$(call gb_UnpackedTarball_get_dir,libwebp)/src/.libs -lwebp \
+ -L$(call gb_UnpackedTarball_get_dir,libwebp)/sharpyuv/.libs -lsharpyuv \
 )
 endif
 $(call gb_LinkTarget_use_external_project,$(1),libwebp)
diff --git a/bin/lo-all-static-libs b/bin/lo-all-static-libs
index 839e21169e61..009ddce23730 100755
--- a/bin/lo-all-static-libs
+++ b/bin/lo-all-static-libs
@@ -126,6 +126,7 @@ echo $INSTDIR/$LIBO_LIB_FOLDER/lib*.a \
 $WORKDIR/UnpackedTarball/libvisio/src/lib/.libs/*.a \
 $WORKDIR/UnpackedTarball/libtiff/libtiff/.libs/*.a \
 $WORKDIR/UnpackedTarball/libwebp/src/.libs/*.a \
+ $WORKDIR/UnpackedTarball/libwebp/sharpyuv/.libs/*.a \
 $WORKDIR/UnpackedTarball/libwp?/src/lib/.libs/*.a \
 $WORKDIR/UnpackedTarball/raptor/src/.libs/*.a \
 $WORKDIR/UnpackedTarball/rasqal/src/.libs/*.a \
diff --git a/download.lst b/download.lst
index 411bc34d4f55..4e3aab3a045d 100644
--- a/download.lst
+++ b/download.lst
@@ -188,8 +188,8 @@ export LIBNUMBERTEXT_SHA256SUM := a285573864eaac8d36a0f66d946e9b1d3cf01c5d93d31f
 export LIBNUMBERTEXT_TARBALL := libnumbertext-1.0.10.tar.xz
 export LIBTOMMATH_SHA256SUM := 083daa92d8ee6f4af96a6143b12d7fc8fe1a547e14f862304f7281f8f7347483
 export LIBTOMMATH_TARBALL := ltm-1.0.zip
-export LIBWEBP_SHA256SUM := 808b98d2f5b84e9b27fdef6c5372dac769c3bda4502febbfa5031bd3c4d7d018
-export LIBWEBP_TARBALL := libwebp-1.2.1.tar.gz
+export LIBWEBP_SHA256SUM := 2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4
+export LIBWEBP_TARBALL := libwebp-1.3.2.tar.gz
 export XMLSEC_SHA256SUM := 52ced4943f35bd7d0818a38298c1528ca4ac8a54440fd71134a07d2d1370a262
 export XMLSEC_TARBALL := xmlsec1-1.2.34.tar.gz
 export LIBXML_SHA256SUM := 5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c
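Review bot: In RepositoryExternal.mk the new `-lsharpyuv` is added only to the `else` branch of the conditional; the branch before `else` starts outside the hunk, so whether it also links the sharpyuv library cannot be seen here. The refreshed Makefile.vc.patch in this commit now carries `LIBSHARPYUV_BASENAME`, which suggests the MSVC build produces a separate libsharpyuv too. If the other branch is the MSVC one, it may need the matching library, or the security upgrade would fail to link on that platform only. It would also help to put a comment above the `$(call gb_LinkTarget_add_libs` line, for example `# libwebp builds sharpyuv as a separate static lib; keep it after -lwebp`, since the order matters for static linking.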
diff --git a/external/libwebp/CVE-2023-1999.patch.1 b/external/libwebp/CVE-2023-1999.patch.1
deleted file mode 100644
index 65c2cf75fb79..000000000000
--- a/external/libwebp/CVE-2023-1999.patch.1
+++ /dev/null
@@ -1,52 +0,0 @@ -From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001 -From: James Zern <jzern@google.com> -Date: Wed, 22 Feb 2023 22:15:47 -0800 -Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error - -This avoids a double free should the function fail prior to -VP8BitWriterInit() and a previous trial result's buffer carried over. -Previously in ApplyFiltersAndEncode() trial.bw (with a previous -iteration's buffer) would be freed, followed by best.bw pointing to the -same buffer. - -Since: -187d379d add a fallback to ALPHA_NO_COMPRESSION - -In addition, check the return value of VP8BitWriterInit() in this -function. - -Bug: webp:603 -Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910 ---- - src/enc/alpha_enc.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c -index f7c02690e3..7d205586fe 100644 ---- a/src/enc/alpha_enc.c -+++ b/src/enc/alpha_enc.c -@@ -13,6 +13,7 @@ - - #include <assert.h> - #include <stdlib.h> -+#include <string.h> - - #include "src/enc/vp8i_enc.h" - #include "src/dsp/dsp.h" -@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, - } - } else { - VP8LBitWriterWipeOut(&tmp_bw); -+ memset(&result->bw, 0, sizeof(result->bw)); - return 0; - } - } -@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, - header = method | (filter << 2); - if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4; - -- VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size); -+ if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0; - ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN); - ok = ok && VP8BitWriterAppend(&result->bw, output, output_size); - diff --git a/external/libwebp/Makefile.vc.patch b/external/libwebp/Makefile.vc.patch index 653998319b82..41c899921a1c 100644 --- a/external/libwebp/Makefile.vc.patch 
+++ b/external/libwebp/Makefile.vc.patch @@ -1,7 +1,7 @@ --- Makefile.vc.sav 2021-07-30 00:55:37.000000000 +0200 +++ Makefile.vc 2022-01-25 17:35:30.206117700 +0100 -@@ -7,11 +7,11 @@ - LIBWEBPDEMUX_BASENAME = libwebpdemux +@@ -8,11 +8,11 @@ + LIBSHARPYUV_BASENAME = libsharpyuv !IFNDEF ARCH -!IF ! [ cl 2>&1 | find "x86" > NUL ] @@ -15,7 +15,7 @@ ARCH = ARM !ELSE !ERROR Unable to auto-detect toolchain architecture! \ -@@ -27,8 +27,8 @@ +@@ -28,8 +28,8 @@ ## Nothing more to do below this line! NOLOGO = /nologo @@ -25,7 +25,7 @@ +CCDEBUG = $(CC) $(NOLOGO) /Od /Zi /D_DEBUG /RTC1 CFLAGS = /I. /Isrc $(NOLOGO) /W3 /EHsc /c CFLAGS = $(CFLAGS) /DWIN32 /D_CRT_SECURE_NO_WARNINGS /DWIN32_LEAN_AND_MEAN - LDFLAGS = /LARGEADDRESSAWARE /MANIFEST /NXCOMPAT /DYNAMICBASE + LDFLAGS = /LARGEADDRESSAWARE /MANIFEST:EMBED /NXCOMPAT /DYNAMICBASE @@ -67,7 +67,7 @@ RTLIB = /MD RTLIBD = /MDd @@ -35,7 +35,7 @@ DIROBJ = $(DIRBASE)\obj DIRLIB = $(DIRBASE)\lib DIRINC = $(DIRBASE)\include -@@ -86,10 +86,10 @@ +@@ -87,10 +87,10 @@ # Target configuration !IF "$(CFG)" == "release-static" @@ -48,9 +48,9 @@ RTLIB = $(RTLIBD) STATICLIBBUILD = TRUE LIBWEBPDECODER_BASENAME = $(LIBWEBPDECODER_BASENAME)_debug -@@ -97,11 +97,11 @@ - LIBWEBPMUX_BASENAME = $(LIBWEBPMUX_BASENAME)_debug +@@ -99,11 +99,11 @@ LIBWEBPDEMUX_BASENAME = $(LIBWEBPDEMUX_BASENAME)_debug + LIBSHARPYUV_BASENAME = $(LIBSHARPYUV_BASENAME)_debug !ELSE IF "$(CFG)" == "release-dynamic" -CC = $(CCNODBG) +CC_ = $(CCNODBG) @@ -62,7 +62,7 @@ RC = $(RCDEBUG) RTLIB = $(RTLIBD) DLLBUILD = TRUE -@@ -112,7 +112,7 @@ +@@ -115,7 +115,7 @@ !ENDIF !IF "$(STATICLIBBUILD)" == "TRUE" 
@@ -71,25 +71,25 @@ CFGSET = TRUE LIBWEBPDECODER = $(DIRLIB)\$(LIBWEBPDECODER_BASENAME).lib LIBWEBP = $(DIRLIB)\$(LIBWEBP_BASENAME).lib -@@ -120,7 +120,7 @@ +@@ -123,7 +123,7 @@ LIBWEBPDEMUX = $(DIRLIB)\$(LIBWEBPDEMUX_BASENAME).lib + LIBSHARPYUV = $(DIRLIB)\$(LIBSHARPYUV_BASENAME).lib !ELSE IF "$(DLLBUILD)" == "TRUE" - DLLINC = webp_dll.h --CC = $(CC) /I$(DIROBJ) /FI$(DLLINC) $(RTLIB) /DWEBP_DLL -+CC_ = $(CC_) /I$(DIROBJ) /FI$(DLLINC) $(RTLIB) /DWEBP_DLL +-CC = $(CC) /I$(DIROBJ) $(RTLIB) /DWEBP_DLL ++CC_ = $(CC_) /I$(DIROBJ) $(RTLIB) /DWEBP_DLL LIBWEBPDECODER = $(DIRLIB)\$(LIBWEBPDECODER_BASENAME)_dll.lib LIBWEBP = $(DIRLIB)\$(LIBWEBP_BASENAME)_dll.lib LIBWEBPMUX = $(DIRLIB)\$(LIBWEBPMUX_BASENAME)_dll.lib -@@ -421,7 +421,7 @@ - $(DIROBJ)\$(DLLINC) +@@ -434,7 +434,7 @@ + !IF "$(DLLBUILD)" == "TRUE" {$(DIROBJ)}.c{$(DIROBJ)}.obj: - $(CC) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$@ $< + $(CC_) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$@ $< {src}.rc{$(DIROBJ)}.res: $(RC) /fo$@ $< -@@ -461,39 +461,39 @@ +@@ -467,41 +467,41 @@ # File-specific flag builds. Note batch rules take precedence over wildcards, # so for now name each file individually. $(DIROBJ)\examples\anim_diff.obj: examples\anim_diff.c @@ -122,6 +122,9 @@ {imageio}.c{$(DIROBJ)\imageio}.obj:: - $(CC) $(CFLAGS) /Fd$(DIROBJ)\imageio\ /Fo$(DIROBJ)\imageio\ $< + $(CC_) $(CFLAGS) /Fd$(DIROBJ)\imageio\ /Fo$(DIROBJ)\imageio\ $< + {sharpyuv}.c{$(DIROBJ)\sharpyuv}.obj:: +- $(CC) $(CFLAGS) /Fd$(DIROBJ)\sharpyuv\ /Fo$(DIROBJ)\sharpyuv\ $< ++ $(CC_) $(CFLAGS) /Fd$(DIROBJ)\sharpyuv\ /Fo$(DIROBJ)\sharpyuv\ $< {src\dec}.c{$(DIROBJ)\dec}.obj:: - $(CC) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$(DIROBJ)\dec\ $< + $(CC_) $(CFLAGS) /Fd$(LIBWEBP_PDBNAME) /Fo$(DIROBJ)\dec\ $< diff --git a/external/libwebp/UnpackedTarball_libwebp.mk b/external/libwebp/UnpackedTarball_libwebp.mk index 78761793174e..67f797157717 100644 --- a/external/libwebp/UnpackedTarball_libwebp.mk +++ b/external/libwebp/UnpackedTarball_libwebp.mk 
@@ -15,7 +15,6 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,libwebp,0)) $(eval $(call gb_UnpackedTarball_add_patches,libwebp,\ external/libwebp/Makefile.vc.patch \ - external/libwebp/CVE-2023-1999.patch.1 \ )) # vim: set noet sw=4 ts=4: |