From: Brad Smith
Subject: Re: UPDATE: libvpx 1.15.2
To: Landry Breuil
Cc: ports@openbsd.org
Date: Wed, 9 Jul 2025 22:17:03 -0400

On Tue, Jul 08, 2025 at 08:56:40AM +0200, Landry Breuil wrote:
> On Mon, Jul 07, 2025 at 11:40:39PM -0400, Brad Smith wrote:
> > On 2025-07-05 7:19 a.m., Landry Breuil wrote:
> > > On Sat, Jul 05, 2025 at 04:00:47AM -0400, Brad Smith wrote:
> > > > Here is an update to libvpx 1.15.2.
> > > >
> > > > CVE-2025-5283
> > > >
> > > > Tested on aarch64.
> > > was it tested on BTI ? with what consumers ? i'll try to put it on the
> > > omnibook w/firefox.
> > >
> > > does the cve warrant a backport to 7.7 which has 1.15.0 ?
> > > and if so, why the major bump, removed syms ?
> >
> > I don't have such a system. But the only change between .0 and .2 is the
> > security fix. https://chromium.googlesource.com/webm/libvpx/+/865eaf63a727966d19185b79836480dfc844749b%5E%21/
> >
> >
> > It sounds like it probably should be.
> >
> > The bump comes because there is an internal version check and if you do not
> > bump the major it'll fail. You can't build with one version and run with
> > another even if the ABI has not changed. [libvpx-vp9 @ 0x16ca7e3400] Failed
> > to initialize encoder: ABI version mismatch
>
> so the backport of the update isn't possible if we can't do it without the
> bump.. have you tested what would happen if only the commit was
> backported ?

Here is a diff for stable.

Index: Makefile =================================================================== RCS file: /cvs/ports/multimedia/libvpx/Makefile,v retrieving revision 1.61 diff -u -p -u -p -r1.61 Makefile --- Makefile 24 Nov 2024 08:38:14 -0000 1.61 +++ Makefile 10 Jul 2025 01:55:12 -0000 
@@ -4,6 +4,7 @@ GH_ACCOUNT= webmproject GH_PROJECT= libvpx GH_TAGNAME= v1.15.0 EPOCH= 0 +REVISION= 0 CATEGORIES= multimedia SHARED_LIBS= vpx 18.0 Index: patches/patch-vp8_vp8_cx_iface_c =================================================================== RCS file: patches/patch-vp8_vp8_cx_iface_c diff -N patches/patch-vp8_vp8_cx_iface_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-vp8_vp8_cx_iface_c 10 Jul 2025 01:55:12 -0000 @@ -0,0 +1,25 @@ +vpx_codec_enc_init_multi: fix double free on init failure +865eaf63a727966d19185b79836480dfc844749b + +Index: vp8/vp8_cx_iface.c +--- vp8/vp8_cx_iface.c.orig ++++ vp8/vp8_cx_iface.c +@@ -732,7 +732,17 @@ static vpx_codec_err_t vp8e_init(vpx_codec_ctx_t *ctx, + + set_vp8e_config(&priv->oxcf, priv->cfg, priv->vp8_cfg, mr_cfg); + priv->cpi = vp8_create_compressor(&priv->oxcf); +- if (!priv->cpi) res = VPX_CODEC_MEM_ERROR; ++ if (!priv->cpi) { ++#if CONFIG_MULTI_RES_ENCODING ++ // Release ownership of mr_cfg->mr_low_res_mode_info on failure. This ++ // prevents ownership confusion with the caller and avoids a double ++ // free when vpx_codec_destroy() is called on this instance. ++ priv->oxcf.mr_total_resolutions = 0; ++ priv->oxcf.mr_encoder_id = 0; ++ priv->oxcf.mr_low_res_mode_info = NULL; ++#endif ++ res = VPX_CODEC_MEM_ERROR; ++ } + } + } +
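
Review bot: the Makefile hunk adds only REVISION= 0 and leaves GH_TAGNAME at v1.15.0 and SHARED_LIBS at vpx 18.0, so consumers built against the unpatched 1.15.0 package will load this one without a rebuild, yet the mail does not say which consumer it was run with. Given the "ABI version mismatch" failure reported earlier in the thread, please state which program built against the existing stable package was run against this build, and whether it still initializes the encoder.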
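
Review bot: the comment at the top of patches/patch-vp8_vp8_cx_iface_c gives the upstream subject and commit id 865eaf63a727966d19185b79836480dfc844749b but not CVE-2025-5283, which the thread names as the reason for the update; adding the CVE id to that comment would let anyone auditing the stable tree match the patch to the advisory. In the vp8e_init change itself, the three priv->oxcf resets sit inside #if CONFIG_MULTI_RES_ENCODING while res = VPX_CODEC_MEM_ERROR stays outside the #if, so the error is still returned in builds without multi-resolution encoding; that part looks correct as written.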