Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libredwg for openSUSE:Factory checked in at 2022-08-20 20:28:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libredwg (Old) and /work/SRC/openSUSE:Factory/.libredwg.new.2083 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libredwg" Sat Aug 20 20:28:57 2022 rev:15 rq:998213 version:0.12.5 Changes: --------
--- /work/SRC/openSUSE:Factory/libredwg/libredwg.changes 2022-05-17 17:24:25.023170091 +0200
+++ /work/SRC/openSUSE:Factory/.libredwg.new.2083/libredwg.changes 2022-08-20 20:29:18.057458823 +0200
@@ -1,0 +2,7 @@
+Fri Aug 19 15:13:22 UTC 2022 - Jan Engelhardt <[email protected]>
+
+- Add 0001-bits-change-bit_copy_chain.patch,
+ 0001-fix-obj_flush_hdlstream-GH-497.patch
+ [CVE-2022-35164] [boo#1202553]
+
+-------------------------------------------------------------------
New: ---- 0001-bits-change-bit_copy_chain.patch 0001-fix-obj_flush_hdlstream-GH-497.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ libredwg.spec ++++++
--- /var/tmp/diff_new_pack.lfQyfq/_old 2022-08-20 20:29:18.597460320 +0200
+++ /var/tmp/diff_new_pack.lfQyfq/_new 2022-08-20 20:29:18.601460331 +0200
@@ -29,6 +29,8 @@
 Source2: https://ftp.gnu.org/pub/gnu/libredwg/%name-%version.tar.gz.sig
 Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%name.keyring
 Source4: %name-rpmlintrc
+Patch1: 0001-bits-change-bit_copy_chain.patch
+Patch2: 0001-fix-obj_flush_hdlstream-GH-497.patch
 BuildRequires: pkg-config

 %description
++++++ 0001-bits-change-bit_copy_chain.patch ++++++
>From bb97cadde05277f089b730a7aff4cffa4c9f8afa Mon Sep 17 00:00:00 2001
From: Reini Urban <[email protected]>
Date: Mon, 15 Aug 2022 10:23:08 +0200
Subject: [PATCH] bits: change bit_copy_chain copy only the rest of the 2nd dat, not the whole. and don't reset it to 0, keep its position.
---
 src/bits.c | 14 +++++++-------
 src/encode.c | 5 ++++-
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/bits.c b/src/bits.c
index a7a8ca98..4c9ca878 100644
--- a/src/bits.c
+++ b/src/bits.c
@@ -3353,25 +3353,25 @@ bool does_cross_unicode_datversion (Bit_Chain *restrict dat)
 return false;
 }

-/* Copy the whole content of tmp_data to dat, and reset tmp_dat.
+/* Copy the rest content of tmp_data to dat.
 WARN: This might change dat->chain */
 void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
 {
 unsigned long i;
- unsigned long dat_bits = bit_position (tmp_dat);
- unsigned long size = tmp_dat->byte;
+ unsigned long size = tmp_dat->size - tmp_dat->byte;
 while (dat->byte + size > dat->size)
 bit_chain_alloc (dat);
 // check if dat is byte aligned, tmp_dat always is. we can use memcpy then.
- if (!dat->bit)
+ if (!dat->bit && !tmp_dat->bit)
 {
 assert(!tmp_dat->bit);
- memcpy (&dat->chain[dat->byte], &tmp_dat->chain[0], size);
+ memcpy (&dat->chain[dat->byte], &tmp_dat->chain[tmp_dat->byte], size);
 dat->byte += size;
 }
 else
 {
- bit_set_position (tmp_dat, 0);
+ unsigned long dat_bits = bit_position (tmp_dat);
+ //bit_set_position (tmp_dat, 0);
 for (i = 0; i < size; i++)
 {
 bit_write_RC (dat, bit_read_RC (tmp_dat));
@@ -3380,6 +3380,6 @@ void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
 {
 bit_write_B (dat, bit_read_B (tmp_dat));
 }
+ bit_set_position (tmp_dat, dat_bits);
 }
- bit_set_position (tmp_dat, 0);
 }
diff --git a/src/encode.c b/src/encode.c
index d533e1fa..d4a63e16 100644
--- a/src/encode.c
+++ b/src/encode.c
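Review bot: In src/bits.c, `bit_copy_chain` now computes `size = tmp_dat->size - tmp_dat->byte` in unsigned arithmetic with no check that `tmp_dat->byte <= tmp_dat->size`, so a source chain positioned past its end wraps `size` to a huge value that then drives the `bit_chain_alloc` loop and the `memcpy`. A guard before the loop, such as `if (tmp_dat->byte > tmp_dat->size) return;` (ideally with an error log), would close that. In the unaligned branch the loop reads `size` whole bytes starting from a non-zero bit offset, so the last `bit_read_RC` appears to straddle the end of `tmp_dat->chain` unless that helper bounds-checks, which is not visible here. The context comment "tmp_dat always is" and the `assert(!tmp_dat->bit)` inside the new `!tmp_dat->bit` condition are now stale and redundant respectively. The lines of the function between this hunk and the `@@ -3380,6 +3380,6 @@` hunk are not shown.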
@@ -846,13 +846,16 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
 {
 unsigned long datpos = bit_position (dat);
 unsigned long hdlpos = bit_position (hdl_dat);
+ unsigned long hdlsize = (hdl_dat->size * 8) - hdlpos;
 unsigned long objpos = obj->address * 8;
 #if 0
 unsigned char* oldchain = dat->chain;
 #endif
- LOG_TRACE ("Flush handle stream of size %lu (@%lu.%u) to @%lu.%lu\n", hdlpos,
+ LOG_TRACE ("Flush handle stream of %lu bits (@%lu.%u) to @%lu.%lu\n", hdlsize,
 hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
 (datpos - objpos) % 8);
+ if (hdlpos > 10000U)
+ LOG_ERROR("Possible hdl_data overflow")
 // This might change dat->chain
 bit_copy_chain (dat, hdl_dat);
 }
-- 2.37.1
++++++ 0001-fix-obj_flush_hdlstream-GH-497.patch ++++++
>From 2f36577e6ef6a32c81be48a6faac303f76f6f943 Mon Sep 17 00:00:00 2001
From: Reini Urban <[email protected]>
Date: Mon, 15 Aug 2022 11:06:14 +0200
Subject: [PATCH] fix obj_flush_hdlstream GH #497 don't free non-temp hdl_dat chain, when it's the dat->chain really. (on old DWG's)
---
 src/encode.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/encode.c b/src/encode.c
index d4a63e16..1b82dd2a 100644
--- a/src/encode.c
+++ b/src/encode.c
@@ -823,9 +823,11 @@ const unsigned char unknown_section[53]
 bit_chain_init_dat (&dat2, 12, dat); \
 hdl_dat = &dat2; \
 ENCODE_COMMON_HANDLES \
+ bit_set_position (hdl_dat, 0); \
 obj_flush_hdlstream (obj, dat, hdl_dat); /* common */ \
 obj_flush_hdlstream (obj, dat, &dat1); /* special accumulated */ \
- bit_chain_free (&dat1); \
+ if (dat1.chain != dat->chain) \
+ bit_chain_free (&dat1); \
 bit_chain_free (&dat2); \
 *hdl_dat = *dat; \
 hdl_dat = dat; \
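Review bot: The new `if (hdlpos > 10000U)` check in `obj_flush_hdlstream` only logs and then falls through to `bit_copy_chain (dat, hdl_dat)`, so a handle stream it considers suspicious is still copied, and the constant 10000 is an undocumented magic number. If the intent is to stop an out-of-range position, compare against the chain itself and bail out, e.g. `if (hdlpos > hdl_dat->size * 8) { LOG_ERROR ("hdl_dat position beyond chain size"); return; }`, which also keeps the unsigned `hdlsize` subtraction from wrapping. The `LOG_ERROR(...)` line has no terminating semicolon and is the body of an unbraced `if`; should the macro ever expand to nothing, the next statement becomes the conditional body, so braces would be safer (the same pattern is kept with `LOG_WARN` in the later `@@ -855,7 +857,12 @@` hunk). The function signature begins above the hunk.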
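Review bot: The added `if (dat1.chain != dat->chain)` test runs after two `obj_flush_hdlstream` calls, and that function's own comment says the copy "might change dat->chain"; if `dat1.chain` aliased the old `dat->chain` and the first flush reallocated it, the pointers no longer compare equal and `bit_chain_free (&dat1)` would free a stale pointer. This is inferred, because the setup of `dat1` lies outside the hunk. Capturing the aliasing before the first flush, e.g. `int dat1_is_alias = (dat1.chain == dat->chain); \` and later `if (!dat1_is_alias) \`, would avoid depending on a pointer value that may have moved, provided the macro's expansion site allows a local. The added `bit_set_position (hdl_dat, 0)` also deserves a comment: with `bit_copy_chain` now copying from the current position up to `size`, it appears to make the flush copy all of `dat2`'s allocated size rather than only the bytes written, which should be confirmed as intended. The macro body begins and ends outside the hunk.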
@@ -855,7 +857,12 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
 hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
 (datpos - objpos) % 8);
 if (hdlpos > 10000U)
- LOG_ERROR("Possible hdl_data overflow")
+ LOG_WARN("Possible hdl_data overflow")
+ if (dat->chain == hdl_dat->chain)
+ {
+ LOG_WARN("Ignore identical hdl chains")
+ return;
+ }
 // This might change dat->chain
 bit_copy_chain (dat, hdl_dat);
 }
-- 2.37.1
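Review bot: The new guard `if (dat->chain == hdl_dat->chain)` returns without copying and gives the caller no signal, so on this path the handle stream is skipped with only a warning-level log, and because the function returns nothing a caller cannot tell this apart from a completed flush. The hunk does not say why skipping is correct; if the reason is the one in the commit message, a comment such as `/* hdl_dat shares dat's buffer (old DWGs): nothing to copy, and copying onto itself is unsafe */` above the test would record it. The check is also placed after the `LOG_TRACE` that announces the flush, so the trace output reports a flush that then does not happen; moving the guard to the top of the function would keep the log truthful. The function's opening lines are outside the hunk.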
