CVS commit: [pkgsrc-2025Q4] pkgsrc/multimedia/libvpx

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: [pkgsrc-2025Q4] pkgsrc/multimedia/libvpx
From: "Maya Rashish" <maya%netbsd.org@localhost>
Date: Wed, 18 Feb 2026 15:57:51 +0000

Module Name:    pkgsrc
Committed By:   maya
Date:           Wed Feb 18 15:57:51 UTC 2026

Modified Files:
        pkgsrc/multimedia/libvpx [pkgsrc-2025Q4]: Makefile distinfo
        pkgsrc/multimedia/libvpx/patches [pkgsrc-2025Q4]: patch-libs.mk
Added Files:
        pkgsrc/multimedia/libvpx/patches [pkgsrc-2025Q4]:
            patch-vp9_vp9__cx__iface.c

Log Message:
Pullup ticket #7051 - requested by gutteridge
multimedia/libvpx: Security fix

Revisions pulled up:
- multimedia/libvpx/Makefile                                    1.109-1.110
- multimedia/libvpx/distinfo                                    1.55-1.56
- multimedia/libvpx/patches/patch-libs.mk                       1.8
- multimedia/libvpx/patches/patch-vp9_vp9__cx__iface.c          1.1

---
   Module Name:    pkgsrc
   Committed By:   adam
   Date:           Mon Feb 16 11:30:11 UTC 2026

   Modified Files:
           pkgsrc/multimedia/libvpx: Makefile distinfo
           pkgsrc/multimedia/libvpx/patches: patch-libs.mk

   Log Message:
   libvpx: updated to 1.16.0

   v1.16.0 "Xenonetta Duck"

   This release includes Arm SVE2 and Neon optimizations for 12-tap filters,
   AVX512 implementations for SAD, support for per-frame and per-spatial-layer
   PSNR calculation, and numerous bug fixes.

   - Upgrading:
     This release is ABI incompatible with the previous release.

     Unit tests require C++17 to build.

     Support for 32-bit iOS targets (armv7, armv7s, and i386) has been removed.

   - Enhancement:
     Optimized Arm SVE2 and Neon implementations for 12-tap convolution filters.
     Optimized Neon High Bitdepth (HBD) SAD and sad_avg functions.
     Added Arm Neon DotProd and I8MM implementations for vpx_convolve12.
     Added AVX512 implementations for SAD64 and sad_skip functions.
     Added SSSE3 and AVX2 implementations for 12-tap temporal filter prediction.
     Added support for per-frame and per-spatial-layer PSNR calculation.

     Adjusted temporal filter strength to improve visual quality and reduce block
     artifacts.

     Added support for darwin24 (macOS 15) and darwin25 (macOS 26).
     libwebm is upgraded to commit b4f01ea.

   - Bug fixes:
     Fix to heap buffer overflow in vp9_deblock, vp9_post_proc_frame, and
     vp9_pack_bitstream.

     Fix to integer overflow in vp9_highbd_post_proc, vp9_rc_regulate_q,
     tiny_ssim, and vp9_calc_pframe_target_size_one_pass_cbr.

     Fix to use-of-uninitialized-value in vp9_highbd_post_proc, mfqe, and
     vp8_datarate_test.

     Fix to out-of-bounds in log_tile_cols_from_picsize_level.
     Fix to double free on initialization failure in vpx_codec_enc_init_multi.
     Fix to division-by-zero crash in vpxenc with 0 FPS numerator input.

     Fix to various build failures for Arm/SVE2, macOS cross-compilation, and
     Xcode 16.

---
   Module Name:    pkgsrc
   Committed By:   gutteridge
   Date:           Tue Feb 17 01:53:46 UTC 2026

   Modified Files:
           pkgsrc/multimedia/libvpx: Makefile distinfo
   Added Files:
           pkgsrc/multimedia/libvpx/patches: patch-vp9_vp9__cx__iface.c

   Log Message:
   libvpx: apply upstream commit related to CVE-2026-2447


To generate a diff of this commit:
cvs rdiff -u -r1.108 -r1.108.4.1 pkgsrc/multimedia/libvpx/Makefile
cvs rdiff -u -r1.54 -r1.54.4.1 pkgsrc/multimedia/libvpx/distinfo
cvs rdiff -u -r1.7 -r1.7.28.1 pkgsrc/multimedia/libvpx/patches/patch-libs.mk
cvs rdiff -u -r0 -r1.1.2.2 \
    pkgsrc/multimedia/libvpx/patches/patch-vp9_vp9__cx__iface.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/multimedia/libvpx/Makefile
diff -u pkgsrc/multimedia/libvpx/Makefile:1.108 pkgsrc/multimedia/libvpx/Makefile:1.108.4.1
--- pkgsrc/multimedia/libvpx/Makefile:1.108     Mon Jul 14 10:44:45 2025
+++ pkgsrc/multimedia/libvpx/Makefile   Wed Feb 18 15:57:51 2026
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.108 2025/07/14 10:44:45 adam Exp $
+# $NetBSD: Makefile,v 1.108.4.1 2026/02/18 15:57:51 maya Exp $
 
-DISTNAME=      libvpx-1.15.2
+DISTNAME=      libvpx-1.16.0
+PKGREVISION=   1
 CATEGORIES=    multimedia
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=webmproject/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
@@ -10,8 +11,8 @@ HOMEPAGE=     https://chromium.googlesource.
 COMMENT=       On2 VP8/VP9 video codec library from Google
 LICENSE=       modified-bsd
 
+USE_CXX_FEATURES=      c++11
 USE_LANGUAGES=         c c++
-USE_CXX_FEATURES+=     c++11
 USE_LIBTOOL=           yes
 USE_TOOLS+=            gmake bash:build perl:build
 HAS_CONFIGURE=         yes

Index: pkgsrc/multimedia/libvpx/distinfo
diff -u pkgsrc/multimedia/libvpx/distinfo:1.54 pkgsrc/multimedia/libvpx/distinfo:1.54.4.1
--- pkgsrc/multimedia/libvpx/distinfo:1.54      Mon Jul 14 10:44:45 2025
+++ pkgsrc/multimedia/libvpx/distinfo   Wed Feb 18 15:57:51 2026
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.54 2025/07/14 10:44:45 adam Exp $
+$NetBSD: distinfo,v 1.54.4.1 2026/02/18 15:57:51 maya Exp $
 
-BLAKE2s (libvpx-1.15.2.tar.gz) = c471130dbcc2c50f95e09038df77cf5db0ef21443915cc85443a353848ee31a1
-SHA512 (libvpx-1.15.2.tar.gz) = 824fe8719e4115ec359ae0642f5e1cea051d458f09eb8c24d60858cf082f66e411215e23228173ab154044bafbdfbb2d93b589bb726f55b233939b91f928aae0
-Size (libvpx-1.15.2.tar.gz) = 5630368 bytes
+BLAKE2s (libvpx-1.16.0.tar.gz) = 17341f5c9ce829528b4df6b3287470492041fbea5de712c19459102dfe35cb41
+SHA512 (libvpx-1.16.0.tar.gz) = 07f5e352411d6c0be331706d1835ac89bafbeddcbbac5542b473323766e9e974f4f68b33590f2aa50a7d8d69468a642b508cbb0a7c49a82c9933b07820f9c9d9
+Size (libvpx-1.16.0.tar.gz) = 5635379 bytes
 SHA1 (patch-build_make_Makefile) = f36e7addd3e26536e80f806e1bf759a9a72b4ce8
 SHA1 (patch-build_make_configure.sh) = ef4247ed3712ed81654f465f813160685dc09e8b
 SHA1 (patch-configure) = aeb5bfd9d58b06b4f2fdbdb8c73b03339de313e7
 SHA1 (patch-examples.mk) = 17410f43ff9952d616be3211ca697f37c107610a
-SHA1 (patch-libs.mk) = 9ddc9cb6c09c9eefce59072c2a657bc5b7e1d295
+SHA1 (patch-libs.mk) = 4fe233a421ee6f998b2cd0328b66b1d759706a5f
+SHA1 (patch-vp9_vp9__cx__iface.c) = 9a3e4e2c68f2a6aede22c502b07450a7f5d43e48

Index: pkgsrc/multimedia/libvpx/patches/patch-libs.mk
diff -u pkgsrc/multimedia/libvpx/patches/patch-libs.mk:1.7 pkgsrc/multimedia/libvpx/patches/patch-libs.mk:1.7.28.1
--- pkgsrc/multimedia/libvpx/patches/patch-libs.mk:1.7  Fri Jul 15 11:04:33 2022
+++ pkgsrc/multimedia/libvpx/patches/patch-libs.mk      Wed Feb 18 15:57:51 2026
@@ -1,18 +1,20 @@
-$NetBSD: patch-libs.mk,v 1.7 2022/07/15 11:04:33 adam Exp $
+$NetBSD: patch-libs.mk,v 1.7.28.1 2026/02/18 15:57:51 maya Exp $
 
 Do not install debug library.
 
---- libs.mk.orig       2022-06-28 19:00:48.000000000 +0000
+--- libs.mk.orig       2026-01-08 16:01:40.000000000 +0000
 +++ libs.mk
-@@ -187,7 +187,6 @@ INSTALL-LIBS-$(CONFIG_SHARED) += $(forea
+@@ -190,9 +190,6 @@ INSTALL-LIBS-$(CONFIG_SHARED) += $(forea
  endif
  else
  INSTALL-LIBS-$(CONFIG_STATIC) += $(LIBSUBDIR)/libvpx.a
+-ifeq ($(CONFIG_STATIC),yes)
 -INSTALL-LIBS-$(CONFIG_DEBUG_LIBS) += $(LIBSUBDIR)/libvpx_g.a
+-endif
  endif
  
- ifeq ($(CONFIG_VP9_ENCODER)$(CONFIG_RATE_CTRL),yesyes)
-@@ -297,8 +296,8 @@ endif # ifeq ($(CONFIG_MSVS),yes)
+ CODEC_SRCS=$(call enabled,CODEC_SRCS)
+@@ -297,8 +294,8 @@ endif # ifeq ($(CONFIG_MSVS),yes)
  else # ifeq ($(CONFIG_EXTERNAL_BUILD),yes)
  LIBVPX_OBJS=$(call objs, $(filter-out $(ASM_INCLUDES), $(CODEC_SRCS)))
  OBJS-yes += $(LIBVPX_OBJS)
@@ -23,7 +25,7 @@ Do not install debug library.
  
  # Updating version info.
  # https://www.gnu.org/software/libtool/manual/libtool.html#Updating-version-info
-@@ -414,15 +413,15 @@ CLEAN-OBJS += vpx.pc
+@@ -414,8 +411,8 @@ CLEAN-OBJS += vpx.pc
  ifeq ($(CONFIG_ENCODERS),yes)
    RC_RTC_OBJS=$(call objs,$(RC_RTC_SRCS))
    OBJS-yes += $(RC_RTC_OBJS)
@@ -33,13 +35,15 @@ Do not install debug library.
 +  $(BUILD_PFX)libvpxrc.a: $(RC_RTC_OBJS)
  endif
  
- ifeq ($(CONFIG_VP9_ENCODER)$(CONFIG_RATE_CTRL),yesyes)
-   SIMPLE_ENCODE_OBJS=$(call objs,$(SIMPLE_ENCODE_SRCS))
-   OBJS-yes += $(SIMPLE_ENCODE_OBJS)
--  LIBS-yes += $(BUILD_PFX)libsimple_encode.a $(BUILD_PFX)libsimple_encode_g.a
--  $(BUILD_PFX)libsimple_encode_g.a: $(SIMPLE_ENCODE_OBJS)
-+  LIBS-yes += $(BUILD_PFX)libsimple_encode.a
-+  $(BUILD_PFX)libsimple_encode.a: $(SIMPLE_ENCODE_OBJS)
- endif
- 
  endif # ifeq ($(CONFIG_EXTERNAL_BUILD),yes)
+@@ -634,8 +631,8 @@ GTEST_INCLUDES := -I$(SRC_PATH_BARE)/thi
+ GTEST_INCLUDES += -I$(SRC_PATH_BARE)/third_party/googletest/src/include
+ $(GTEST_OBJS) $(GTEST_OBJS:.o=.d): CXXFLAGS += $(GTEST_INCLUDES)
+ OBJS-yes += $(GTEST_OBJS)
+-LIBS-yes += $(BUILD_PFX)libgtest.a $(BUILD_PFX)libgtest_g.a
+-$(BUILD_PFX)libgtest_g.a: $(GTEST_OBJS)
++LIBS-yes += $(BUILD_PFX)libgtest.a
++$(BUILD_PFX)libgtest.a: $(GTEST_OBJS)
+ 
+ LIBVPX_TEST_OBJS=$(sort $(call objs,$(LIBVPX_TEST_SRCS)))
+ $(LIBVPX_TEST_OBJS) $(LIBVPX_TEST_OBJS:.o=.d): CXXFLAGS += $(GTEST_INCLUDES)

Added files:

Index: pkgsrc/multimedia/libvpx/patches/patch-vp9_vp9__cx__iface.c
diff -u /dev/null pkgsrc/multimedia/libvpx/patches/patch-vp9_vp9__cx__iface.c:1.1.2.2
--- /dev/null   Wed Feb 18 15:57:51 2026
+++ pkgsrc/multimedia/libvpx/patches/patch-vp9_vp9__cx__iface.c Wed Feb 18 15:57:51 2026
@@ -0,0 +1,64 @@
+$NetBSD: patch-vp9_vp9__cx__iface.c,v 1.1.2.2 2026/02/18 15:57:51 maya Exp $
+
+Apply upstream commit related to CVE-2026-2447.
+https://github.com/webmproject/libvpx/commit/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
+
+--- vp9/vp9_cx_iface.c.orig    2026-01-08 16:01:40.000000000 +0000
++++ vp9/vp9_cx_iface.c
+@@ -8,7 +8,9 @@
+  *  be found in the AUTHORS file in the root of the source tree.
+  */
+ 
++#include <assert.h>
+ #include <limits.h>
++#include <stddef.h>
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -122,6 +124,7 @@ struct vpx_codec_alg_priv {
+   VP9_COMP *cpi;
+   unsigned char *cx_data;
+   size_t cx_data_sz;
++  // pending_cx_data either is a null pointer or points into the cx_data buffer.
+   unsigned char *pending_cx_data;
+   size_t pending_cx_data_sz;
+   int pending_frame_count;
+@@ -1252,8 +1255,12 @@ static int write_superframe_index(vpx_codec_alg_priv_t
+ 
+   // Write the index
+   index_sz = 2 + (mag + 1) * ctx->pending_frame_count;
+-  if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) {
+-    uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz;
++  unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz;
++  unsigned char *pending_cx_data_end =
++      ctx->pending_cx_data + ctx->pending_cx_data_sz;
++  ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end;
++  if (index_sz <= space_remaining) {
++    uint8_t *x = pending_cx_data_end;
+     int i, j;
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+     uint8_t marker_test = 0xc0;
+@@ -1284,6 +1291,8 @@ static int write_superframe_index(vpx_codec_alg_priv_t
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+     index_sz += index_sz_test;
+ #endif
++  } else {
++    index_sz = 0;
+   }
+   return index_sz;
+ }
+@@ -1612,9 +1621,12 @@ static vpx_codec_err_t encoder_encode(vpx_codec_alg_pr
+               ctx->pending_frame_sizes[ctx->pending_frame_count++] = size;
+             ctx->pending_frame_magnitude |= size;
+             ctx->pending_cx_data_sz += size;
+-            // write the superframe only for the case when
+-            if (!ctx->output_cx_pkt_cb.output_cx_pkt)
++            // write the superframe only for the case when the callback function
++            // for getting per-layer packets is not registered.
++            if (!ctx->output_cx_pkt_cb.output_cx_pkt) {
+               size += write_superframe_index(ctx);
++              assert(size <= cx_data_sz);
++            }
+             pkt.data.frame.buf = ctx->pending_cx_data;
+             pkt.data.frame.sz = ctx->pending_cx_data_sz;
+             ctx->pending_cx_data = NULL;

Prev by Date: CVS commit: pkgsrc/devel/py-buildbot
Previous by Thread: CVS commit: pkgsrc/devel/py-buildbot
Indexes:

Home | Main Index | Thread Index | Old Index