gnu: libvpx: Patch CVE-2023-44488.

* gnu/packages/video.scm (libvpx/fixed)[source]: Add patch.
* gnu/packages/patches/libvpx-CVE-2023-44488.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.

Change-Id: Iec6fbc048a0f75ed60752601034a9da8bf23b186

3 files changed, 110 insertions, 1 deletions

diff --git a/gnu/local.mk b/gnu/local.mk
index 282cf30f7f..3a0b822899 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1662,6 +1662,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libvdpau-va-gl-unbundle.patch		\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libvpx-CVE-2023-5217.patch		\
+  %D%/packages/patches/libvpx-CVE-2023-44488.patch		\
   %D%/packages/patches/libxml2-xpath0-Add-option-xpath0.patch	\
   %D%/packages/patches/libwpd-gcc-compat.patch			\
   %D%/packages/patches/libxslt-generated-ids.patch		\
diff --git a/gnu/packages/patches/libvpx-CVE-2023-44488.patch b/gnu/packages/patches/libvpx-CVE-2023-44488.patch
new file mode 100644
index 0000000000..4ebb034eb4
--- /dev/null
+++ b/gnu/packages/patches/libvpx-CVE-2023-44488.patch
@@ -0,0 +1,107 @@
+From the upstream repo, can be removed after 1.14.1
+https://github.com/webmproject/libvpx/commit/df9fd9d5b7325060b2b921558a1eb20ca7880937.patch
+https://www.openwall.com/lists/oss-security/2023/09/30/4
+
+The test change didn't apply so it was removed from the patch
+
+From df9fd9d5b7325060b2b921558a1eb20ca7880937 Mon Sep 17 00:00:00 2001
+From: Jerome Jiang <jianj@google.com>
+Date: Thu, 30 Jun 2022 13:48:56 -0400
+Subject: [PATCH] Fix bug with smaller width bigger size
+
+Fixed previous patch that clusterfuzz failed on.
+
+Local fuzzing passing overnight.
+
+Bug: webm:1642
+Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
+(cherry picked from commit 263682c9a29395055f3b3afe2d97be1828a6223f)
+---
+ test/resize_test.cc          | 11 +++--------
+ vp9/common/vp9_alloccommon.c | 13 ++++++-------
+ vp9/encoder/vp9_encoder.c    | 27 +++++++++++++++++++++++++--
+ 3 files changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
+index e53883f621d..9e73e40ea09 100644
+--- a/vp9/common/vp9_alloccommon.c
++++ b/vp9/common/vp9_alloccommon.c
+@@ -135,13 +135,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     cm->free_mi(cm);
+     if (cm->alloc_mi(cm, new_mi_size)) goto fail;
+   }
+-
+-  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
+-    // Create the segmentation map structure and set to 0.
+-    free_seg_map(cm);
+-    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
+-  }
+-
+   if (cm->above_context_alloc_cols < cm->mi_cols) {
+     vpx_free(cm->above_context);
+     cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
+@@ -156,6 +149,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     cm->above_context_alloc_cols = cm->mi_cols;
+   }
+ 
++  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
++    // Create the segmentation map structure and set to 0.
++    free_seg_map(cm);
++    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
++  }
++
+   if (vp9_alloc_loop_filter(cm)) goto fail;
+ 
+   return 0;
+diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
+index b66fdc0bca3..e3850775455 100644
+--- a/vp9/encoder/vp9_encoder.c
++++ b/vp9/encoder/vp9_encoder.c
+@@ -1973,6 +1973,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
+   }
+ }
+ 
++static void free_copy_partition_data(VP9_COMP *cpi) {
++  vpx_free(cpi->prev_partition);
++  cpi->prev_partition = NULL;
++  vpx_free(cpi->prev_segment_id);
++  cpi->prev_segment_id = NULL;
++  vpx_free(cpi->prev_variance_low);
++  cpi->prev_variance_low = NULL;
++  vpx_free(cpi->copied_frame_cnt);
++  cpi->copied_frame_cnt = NULL;
++}
++
+ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+   VP9_COMMON *const cm = &cpi->common;
+   RATE_CONTROL *const rc = &cpi->rc;
+@@ -2052,6 +2063,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
+     if (cm->mi_alloc_size < new_mi_size) {
+       vp9_free_context_buffers(cm);
++      vp9_free_pc_tree(&cpi->td);
++      vpx_free(cpi->mbmi_ext_base);
+       alloc_compressor_data(cpi);
+       realloc_segmentation_maps(cpi);
+       cpi->initial_width = cpi->initial_height = 0;
+@@ -2070,8 +2083,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     update_frame_size(cpi);
+ 
+   if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
+-    memset(cpi->consec_zero_mv, 0,
+-           cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
++    vpx_free(cpi->consec_zero_mv);
++    CHECK_MEM_ERROR(
++        cm, cpi->consec_zero_mv,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
++
++    vpx_free(cpi->skin_map);
++    CHECK_MEM_ERROR(
++        cm, cpi->skin_map,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
++
++    free_copy_partition_data(cpi);
++    alloc_copy_partition_data(cpi);
+     if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
+       vp9_cyclic_refresh_reset_resize(cpi);
+     rc->rc_1_frame = 0;
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 77cdfe9078..411ad4c2bf 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -2962,7 +2962,8 @@ To load this plugin, specify the following option when starting mpv:
      (origin
        (inherit (package-source libvpx))
        (patches (search-patches "libvpx-CVE-2016-2818.patch"
-                                "libvpx-CVE-2023-5217.patch"))))))
+                                "libvpx-CVE-2023-5217.patch"
+                                "libvpx-CVE-2023-44488.patch"))))))
 
 (define-public orfondl
   (package