Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libjxl for openSUSE:Factory checked in at 2026-05-30 22:54:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libjxl (Old) and /work/SRC/openSUSE:Factory/.libjxl.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libjxl" Sat May 30 22:54:32 2026 rev:26 rq:1355840 version:0.11.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libjxl/libjxl.changes 2026-02-27 17:03:50.781043286 +0100 +++ /work/SRC/openSUSE:Factory/.libjxl.new.1937/libjxl.changes 2026-05-30 22:54:48.660086286 +0200 @@ -1,0 +2,6 @@ +Thu May 28 16:41:28 UTC 2026 - Michael Gorse <[email protected]> + +- Add libjxl-CVE-2025-70103.patch: take EC into accound when + checking required PNM inmput length (bsc#1266460 CVE-2025-70103). + +------------------------------------------------------------------- @@ -4 +10 @@ -- Update to release 0.11.2 +- Update to release 0.11.2 (bsc#1258090 bsc#1258091 CVE-2025-12474) New: ---- libjxl-CVE-2025-70103.patch ----------(New B)---------- New: - Add libjxl-CVE-2025-70103.patch: take EC into accound when checking required PNM inmput length (bsc#1266460 CVE-2025-70103). ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libjxl.spec ++++++ --- /var/tmp/diff_new_pack.iV5RY1/_old 2026-05-30 22:54:49.540122440 +0200 +++ /var/tmp/diff_new_pack.iV5RY1/_new 2026-05-30 22:54:49.548122769 +0200 @@ -37,6 +37,7 @@ #changes-too-damn-often: https://skia.googlesource.com/skcms/+archive/%skcms_commit.tar.gz Source2: %skcms_commit.tar.gz Patch1: system-jpeg.diff +Patch2: libjxl-CVE-2025-70103.patch BuildRequires: asciidoc BuildRequires: c++_compiler BuildRequires: cmake ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.iV5RY1/_old 2026-05-30 22:54:49.608125234 +0200 +++ /var/tmp/diff_new_pack.iV5RY1/_new 2026-05-30 22:54:49.616125563 +0200 @@ -1,5 +1,5 @@ -mtime: 1771969172 -commit: 16ff0e2b2177f499379dd1ddd955e8901f4371812e5d754c14209466c7eb5a8f +mtime: 1780043375 +commit: 4c4324345f5a27dfd35aacf6f5f0f7f7d23b0b58929ec0109752e0280606d97d url: https://src.opensuse.org/jengelh/libjxl revision: master ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-29 10:29:35.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ libjxl-CVE-2025-70103.patch ++++++ >From 49fb89f23473e57fa1dac416adce7c7679e5d051 Mon Sep 17 00:00:00 2001 From: Eugene Kliuchnikov <[email protected]> Date: Fri, 8 Aug 2025 12:29:08 +0200 Subject: [PATCH] Take EC into accound when checking required PNM inmput length (#4380) Based on #4338 --- lib/extras/dec/pnm.cc | 66 +++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 24 deletions(-) diff --git a/lib/extras/dec/pnm.cc b/lib/extras/dec/pnm.cc index 6d857fbc..8b6dcd84 100644 --- a/lib/extras/dec/pnm.cc +++ b/lib/extras/dec/pnm.cc @@ -514,13 +514,26 @@ Status DecodeImagePNM(const Span<const uint8_t> bytes, } } + // No align - pixels are tightly packed. + constexpr size_t kAlign = 0; + size_t twidth = PackedImage::BitsPerChannel(data_type) / 8; const JxlPixelFormat format{ /*num_channels=*/num_interleaved_channels, /*data_type=*/data_type, /*endianness=*/header.big_endian ? JXL_BIG_ENDIAN : JXL_LITTLE_ENDIAN, - /*align=*/0, + kAlign, }; - const JxlPixelFormat ec_format{1, format.data_type, format.endianness, 0}; + // EC format is same as color, but 1-channel. + JxlPixelFormat ec_format = format; + ec_format.num_channels = 1; + size_t required_pnm_size = + header.ysize * header.xsize * + (num_interleaved_channels + header.ec_types.size()) * twidth; + size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; + if (pnm_remaining_size < required_pnm_size) { + return JXL_FAILURE("PNM file too small"); + } + ppf->frames.clear(); { JXL_ASSIGN_OR_RETURN( @@ -529,42 +542,47 @@ Status DecodeImagePNM(const Span<const uint8_t> bytes, ppf->frames.emplace_back(std::move(frame)); } auto* frame = &ppf->frames.back(); + uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); + std::vector<uint8_t*> ec_out; for (size_t i = 0; i < header.ec_types.size(); ++i) { JXL_ASSIGN_OR_RETURN( PackedImage ec, PackedImage::Create(header.xsize, header.ysize, ec_format)); frame->extra_channels.emplace_back(std::move(ec)); + ec_out.emplace_back( + reinterpret_cast<uint8_t*>(frame->extra_channels.back().pixels())); + JXL_DASSERT(frame->extra_channels.back().stride == header.xsize * twidth); } - size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; - if (pnm_remaining_size < frame->color.pixels_size) { - return JXL_FAILURE("PNM file too small"); - } - - uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); - std::vector<uint8_t*> ec_out(header.ec_types.size()); - for (size_t i = 0; i < ec_out.size(); ++i) { - ec_out[i] = reinterpret_cast<uint8_t*>(frame->extra_channels[i].pixels()); - } + JXL_DASSERT(frame->color.stride == + header.xsize * num_interleaved_channels * twidth); if (ec_out.empty()) { - const bool flipped_y = header.bits_per_sample == 32; // PFMs are flipped - for (size_t y = 0; y < header.ysize; ++y) { - size_t y_in = flipped_y ? header.ysize - 1 - y : y; - const uint8_t* row_in = &pos[y_in * frame->color.stride]; - uint8_t* row_out = &out[y * frame->color.stride]; - memcpy(row_out, row_in, frame->color.stride); + const bool flipped_y = (header.bits_per_sample == 32); // PFMs are flipped + if (!flipped_y) { + // When there are no EC and input is not flipped we can copy the whole + // image at once. + memcpy(out, pos, header.ysize * frame->color.stride); + } else { + // Otherwise copy row-by-row. + for (size_t y = 0; y < header.ysize; ++y) { + size_t y_out = header.ysize - 1 - y; + const uint8_t* row_in = pos + y * frame->color.stride; + uint8_t* row_out = out + y_out * frame->color.stride; + memcpy(row_out, row_in, frame->color.stride); + } } } else { + // In case there are EC, we have to deinterleave data pixel-wise. JXL_RETURN_IF_ERROR(PackedImage::ValidateDataType(data_type)); - size_t pwidth = PackedImage::BitsPerChannel(data_type) / 8; + size_t color_stride = twidth * num_interleaved_channels; for (size_t y = 0; y < header.ysize; ++y) { for (size_t x = 0; x < header.xsize; ++x) { memcpy(out, pos, frame->color.pixel_stride()); - out += frame->color.pixel_stride(); - pos += frame->color.pixel_stride(); + out += color_stride; + pos += color_stride; for (auto& p : ec_out) { - memcpy(p, pos, pwidth); - pos += pwidth; - p += pwidth; + memcpy(p, pos, twidth); + pos += twidth; + p += twidth; } } } -- 2.54.0
