Bug 2292396 (CVE-2024-5171)

Summary: CVE-2024-5171 libaom: Integer overflow in internal function img_alloc_helper
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: crizzo, erack, gotiwari, jhorak, mvyas, tpopela
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libaom 3.9.0
Doc Text:
An integer overflow flaw was found in the libaom internal img_alloc_helper function. This issue can lead to a heap buffer overflow.
Bug Depends On: 2292397, 2292398, 2292399, 2292400, 2292402, 2292403    
Bug Blocks: 2292404    

Description Pedro Sampaio 2024-06-14 13:21:16 UTC
Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:


  *  Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  *  Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.
  *  Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.

References:

https://issues.chromium.org/issues/332382766
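
The class of bug described above, as an added example that is not part of the original report and is not libaom code: a size calculation for a single 8-bit plane, first in unchecked 32-bit arithmetic and then with explicit overflow checks. The function names and the simplified one-plane layout are assumptions; only the parameter names d_w, d_h and align come from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not libaom code). One 8-bit plane only:
 * stride = d_w rounded up to a multiple of align, size = stride * d_h. */

/* Unchecked 32-bit arithmetic: both steps can wrap silently. */
uint32_t plane_size_unchecked(uint32_t d_w, uint32_t d_h, uint32_t align) {
    uint32_t stride = (d_w + align - 1) & ~(align - 1);
    return stride * d_h;
}

/* Checked version: returns 0 and writes *size on success, -1 if the
 * parameters are invalid or any intermediate value would not fit. */
int plane_size_checked(uint32_t d_w, uint32_t d_h, uint32_t align,
                       uint32_t *size) {
    /* align must be a non-zero power of two for the mask to be valid */
    if (align == 0 || (align & (align - 1)) != 0) return -1;
    /* d_w + align - 1 must not wrap */
    if (d_w > UINT32_MAX - (align - 1)) return -1;
    uint32_t stride = (d_w + align - 1) & ~(align - 1);
    /* stride * d_h must not wrap */
    if (d_h != 0 && stride > UINT32_MAX / d_h) return -1;
    *size = stride * d_h;
    return 0;
}

int main(void) {
    /* Constructed inputs: the true size is 0x100010000 bytes */
    uint32_t d_w = 0x10000, d_h = 0x10001, align = 16, size = 0;
    printf("unchecked: %u bytes\n",
           (unsigned)plane_size_unchecked(d_w, d_h, align));
    printf("checked:   %s\n",
           plane_size_checked(d_w, d_h, align, &size) == 0 ? "ok" : "rejected");
    return 0;
}
```

With the constructed inputs the unchecked result wraps to a value far smaller than the image actually needs, which is how an undersized allocation followed by full-size writes becomes a heap buffer overflow.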

Comment 1 Pedro Sampaio 2024-06-14 13:25:46 UTC
Created aom tracking bugs for this issue:

Affects: epel-all [bug 2292397]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2292398]
Affects: fedora-all [bug 2292399]

Comment 2 Pedro Sampaio 2024-06-14 13:27:11 UTC
Created aom tracking bugs for this issue:

Affects: epel-all [bug 2292400]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2292402]
Affects: fedora-all [bug 2292403]