Submitted By:            Zeckma <zeckma_DOT_tech_AT_gmail_DOT_com>
Date:                    2026-02-20
Initial Package Version: 2.53.23
Upstream Status:         Not applied, pulls from upstream
Origin:                  Upstream from libvpx, modified for Seamonkey
Description:             Fixes CVE-2026-2447 in libvpx, bundled with Seamonkey.

diff '--color=auto' -Naur seamonkey-2.53.23.orig/media/libvpx/libvpx/vp9/vp9_cx_iface.c seamonkey-2.53.23/media/libvpx/libvpx/vp9/vp9_cx_iface.c
--- seamonkey-2.53.23.orig/media/libvpx/libvpx/vp9/vp9_cx_iface.c	2025-11-15 13:08:16.000000000 -0700
+++ seamonkey-2.53.23/media/libvpx/libvpx/vp9/vp9_cx_iface.c	2026-02-20 22:33:22.346869866 -0700
@@ -8,7 +8,9 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <assert.h>
 #include <stdlib.h>
+#include <stddef.h>
 #include <string.h>
 
 #include "./vpx_config.h"
@@ -96,6 +98,7 @@ struct vpx_codec_alg_priv {
   VP9_COMP *cpi;
   unsigned char *cx_data;
   size_t cx_data_sz;
+  // pending_cx_data either is a null pointer or points into the cx_data buffer.
   unsigned char *pending_cx_data;
   size_t pending_cx_data_sz;
   int pending_frame_count;
@@ -1015,8 +1018,12 @@ static int write_superframe_index(vpx_co
 
   // Write the index
   index_sz = 2 + (mag + 1) * ctx->pending_frame_count;
-  if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) {
-    uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz;
+  unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz;
+  unsigned char *pending_cx_data_end =
+      ctx->pending_cx_data + ctx->pending_cx_data_sz;
+  ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end;
+  if (index_sz <= space_remaining) {
+    uint8_t *x = pending_cx_data_end;
     int i, j;
 #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
     uint8_t marker_test = 0xc0;
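Review bot: The new bound subtracts `pending_cx_data_end` from `cx_data_end` before anything in this hunk confirms that `ctx->pending_cx_data` is non-null and points into `cx_data`. The struct comment added earlier in this patch states that invariant but does not enforce it, and pointer arithmetic on a null pointer or across two objects is undefined. I would put `assert(ctx->pending_cx_data != NULL);` ahead of the `pending_cx_data_end` computation to record the precondition. The declaration of `index_sz` is outside the hunk; if it is `size_t`, a negative `space_remaining` would convert to a huge unsigned value and the test would pass, so `if (space_remaining >= 0 && index_sz <= space_remaining) {` is the safer spelling. The body of `write_superframe_index` starts before this hunk and continues past it.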
@@ -1047,6 +1054,8 @@ static int write_superframe_index(vpx_co
 #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
     index_sz += index_sz_test;
 #endif
+  } else {
+    index_sz = 0; 
   }
   return index_sz;
 }
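Review bot: The added `else` branch makes `write_superframe_index` return 0 when the index does not fit, so the caller cannot tell "no room" apart from a normal result and, as far as this hunk shows, carries on as if the index had been handled. That keeps the write in bounds, but the consequence for the emitted packet should be stated at the branch, for example `// Not enough room in cx_data for the index: write nothing and report 0 bytes.` Whether the caller should instead turn this case into an encoder error cannot be judged from the lines visible here. The added line `index_sz = 0; ` also carries a trailing space.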
@@ -1274,9 +1283,12 @@ static vpx_codec_err_t encoder_encode(vp
           ctx->pending_frame_sizes[ctx->pending_frame_count++] = size;
           ctx->pending_frame_magnitude |= size;
           ctx->pending_cx_data_sz += size;
-          // write the superframe only for the case when
-          if (!ctx->output_cx_pkt_cb.output_cx_pkt)
+            // write the superframe only for the case when the callback function
+            // for getting per-layer packets is not registered.
+            if (!ctx->output_cx_pkt_cb.output_cx_pkt) {
             size += write_superframe_index(ctx);
+              assert(size <= cx_data_sz);
+            }
           pkt.data.frame.buf = ctx->pending_cx_data;
           pkt.data.frame.sz = ctx->pending_cx_data_sz;
           ctx->pending_cx_data = NULL;
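Review bot: `assert(size <= cx_data_sz);` is compiled out when the file is built with `NDEBUG`, so in a release build it bounds nothing. The only runtime protection is then the `space_remaining` test inside `write_superframe_index`. If the line is meant as a guard rather than as documentation, it should be an ordinary `if` that takes `encoder_encode`'s error path; the declaration of `cx_data_sz` and that error path are outside this hunk, so this is hedged. Separately, the added comment, `if` and closing brace are indented 12 columns while the unchanged `size += write_superframe_index(ctx);` is also at 12, so the body sits level with its own `if`. I would re-indent the `if` block to 10 columns and its body and the `assert` to 12, matching the surrounding context.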
