Add patch from libwebp 1.2.4 to fix CVE-2023-5129
(From OE-Core rev: 544301c63801cf0c0cfcc0c8d71bdd8e2de82805)
Signed-off-by: Colin McAllister <colinmca242@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999
Upstream patch:
a486d800b6
(From OE-Core rev: a5d0f8734ca643c25f0952387b38edf8ffd70525)
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- 8/4/2022: version 1.2.4
This is a binary compatible release.
* restore CMake libwebpmux target name for compatibility with 1.2.2 (#575)
* fix lossless crunch mode encoding with WEBP_REDUCE_SIZE
(chromium: #1345547, #1345595, #1345772, #1345804)
(From OE-Core rev: f6c1c16b7e85b804d5ee22462dda9171431e1556)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit efabd3d0d72220f17249abc13d2ca758bdd0141a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
