Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libheif for openSUSE:Factory checked in at 2026-03-29 20:00:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libheif (Old)
 and      /work/SRC/openSUSE:Factory/.libheif.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libheif" Sun Mar 29 20:00:19 2026 rev:51 rq:1343292 version:1.21.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libheif/libheif.changes 2026-01-17 21:41:47.995586866 +0100 +++ /work/SRC/openSUSE:Factory/.libheif.new.8177/libheif.changes 2026-03-29 20:00:21.956625320 +0200 @@ -1,0 +2,7 @@ +Mon Mar 16 09:03:49 UTC 2026 - Petr Gajdos <[email protected]> + +- added patches + CVE-2026-3949: manipulation of the argument size of a malicious frame can lead to out-of-bounds read (bsc#1259541) + * libheif-CVE-2026-3949.patch + +------------------------------------------------------------------- @@ -36,0 +44 @@ +- fixes [bsc#1255735] New: ---- libheif-CVE-2026-3949.patch ----------(New B)---------- New: CVE-2026-3949: manipulation of the argument size of a malicious frame can lead to out-of-bounds read (bsc#1259541) * libheif-CVE-2026-3949.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libheif.spec ++++++ --- /var/tmp/diff_new_pack.kXUIrn/_old 2026-03-29 20:00:22.540649382 +0200 +++ /var/tmp/diff_new_pack.kXUIrn/_new 2026-03-29 20:00:22.544649546 +0200 @@ -1,6 +1,7 @@ # # spec file for package libheif # +# Copyright (c) 2026 SUSE LLC # Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -54,6 +55,8 @@ URL: https://github.com/strukturag/libheif Source0: %{url}/releases/download/v%{version}/libheif-%{version}.tar.gz Source99: baselibs.conf +# CVE-2026-3949: manipulation of the argument size of a malicious frame can lead to out-of-bounds read (bsc#1259541) +Patch0: libheif-CVE-2026-3949.patch BuildRequires: chrpath BuildRequires: cmake >= 3.25 BuildRequires: fdupes ++++++ libheif-CVE-2026-3949.patch ++++++ >From b97c8b5f198b27f375127cd597a35f2113544d03 Mon Sep 17 00:00:00 2001 
From: Dirk Farin <[email protected]> Date: Tue, 24 Feb 2026 00:32:48 +0100 Subject: [PATCH] vvdec: check that NAL size does not exceed data size (#1712) --- libheif/plugins/decoder_vvdec.cc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/libheif/plugins/decoder_vvdec.cc b/libheif/plugins/decoder_vvdec.cc index 095157209c..14b3e9fd2b 100644 --- a/libheif/plugins/decoder_vvdec.cc +++ b/libheif/plugins/decoder_vvdec.cc @@ -55,6 +55,7 @@ struct vvdec_decoder std::string error_message; }; +static const char kEmptyString[] = ""; static const char kSuccess[] = "Success"; static const int VVDEC_PLUGIN_PRIORITY = 100; @@ -179,9 +180,25 @@ heif_error vvdec_push_data2(void* decoder_raw, const void* frame_data, size_t fr const auto* data = (const uint8_t*) frame_data; + if (frame_size < 4) { + return { + heif_error_Decoder_plugin_error, + heif_suberror_End_of_data, + kEmptyString + }; + } + for (;;) { uint32_t size = four_bytes_to_uint32(data[0], data[1], data[2], data[3]); + if (frame_size < 4 + size) { + return { + heif_error_Decoder_plugin_error, + heif_suberror_End_of_data, + kEmptyString + }; + } + data += 4; std::vector<uint8_t> nalu;
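
Review bot: The first libheif.spec hunk (`@@ -1,6 +1,7 @@`) adds `# Copyright (c) 2026 SUSE LLC` directly above the existing `# Copyright (c) 2026 SUSE LLC and contributors`, so the header now carries two SUSE copyright lines for the same year. If the extra line comes from a spec-cleaner or template run rather than an intended change, drop one of the two so the security fix does not carry an unrelated header edit.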
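
Review bot: The second libheif.spec hunk declares `Patch0: libheif-CVE-2026-3949.patch`, but no `%prep` change appears in this diff, so whether the patch is actually applied depends on what the existing `%prep` section does. If it uses `%autosetup -p1`, nothing more is needed; if it uses plain `%setup`, a matching `%patch -P 0 -p1` line is required, otherwise the package builds without the bounds check while the changelog records the CVE as fixed.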
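
Review bot: `kEmptyString`, added next to `kSuccess` in the `@@ -55,6 +55,7 @@` hunk, is the message both new error returns pass, so a caller that hits the rejected-frame path gets `heif_suberror_End_of_data` with no text at all. A short static message in the style of `kSuccess`, stating that the NAL length exceeds the available frame data, would make these rejections diagnosable in application logs.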
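
Review bot: In the `vvdec_push_data2` hunk, the new check `if (frame_size < 4 + size)` adds the literal to a `uint32_t`, so the sum is computed in 32-bit unsigned arithmetic and wraps when `size` is within 4 of `UINT32_MAX`; the comparison then sees a small value and passes for a length far larger than the buffer. Because the guard above already establishes `frame_size >= 4` on the first pass, writing the test as `if (frame_size - 4 < size)`, or widening with `uint64_t{size} + 4`, avoids the wrap. Separately, the `frame_size < 4` test sits before `for (;;)` and so covers only the first length prefix; the remainder of the loop body is not visible in this hunk, so please confirm that a trailing remainder of 1 to 3 bytes cannot reach `four_bytes_to_uint32(data[0], data[1], data[2], data[3])` on a later iteration, or move the test inside the loop.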
