Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozjs115 for openSUSE:Factory checked in at 2026-06-02 21:03:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozjs115 (Old) and /work/SRC/openSUSE:Factory/.mozjs115.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozjs115" Tue Jun 2 21:03:01 2026 rev:18 rq:1356765 version:115.15.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mozjs115/mozjs115.changes 2026-04-26 21:14:58.758406019 +0200 +++ /work/SRC/openSUSE:Factory/.mozjs115.new.1937/mozjs115.changes 2026-06-02 21:03:08.541636787 +0200 @@ -1,0 +2,7 @@ +Tue Jun 2 09:24:36 UTC 2026 - Michael Gorse <[email protected]> + +- Add mozjs115-CVE-2025-70103.patch: libjxl: take EC into account + when checking required PNM input length (bsc#1266463 + CVE-2025-70103). + +------------------------------------------------------------------- New: ---- mozjs115-CVE-2025-70103.patch ----------(New B)---------- New: - Add mozjs115-CVE-2025-70103.patch: libjxl: take EC into account when checking required PNM input length (bsc#1266463 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozjs115.spec ++++++ --- /var/tmp/diff_new_pack.iGZ6pN/_old 2026-06-02 21:03:11.533760653 +0200 +++ /var/tmp/diff_new_pack.iGZ6pN/_new 2026-06-02 21:03:11.537760818 +0200 @@ -98,6 +98,8 @@ Patch29: mozjs115-CVE-2026-32777.patch # PATCH-FIX-UPSTREAM mozjs115-CVE-2026-32778.patch bsc#1259731 [email protected] -- libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition Patch30: mozjs115-CVE-2026-32778.patch +# PATCH-FIX-UPSTREAM mozjs115-CVE-2025-70103.patch bsc#1266463 [email protected] -- libjxl: Take EC into account when checking required PNM input length. +Patch31: mozjs115-CVE-2025-70103.patch BuildRequires: autoconf213 BuildRequires: cargo BuildRequires: ccache @@ -192,6 +194,7 @@ %patch -P 28 -p1 %patch -P 29 -p1 %patch -P 30 -p1 +%patch -P 31 -p1 %if %{pkg_vcmp libicu-devel >= 76.1} sed -i 's/icu-i18n/icu-uc &/' js/moz.configure ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.iGZ6pN/_old 2026-06-02 21:03:11.629764627 +0200 +++ /var/tmp/diff_new_pack.iGZ6pN/_new 2026-06-02 21:03:11.633764793 +0200 @@ -1,6 +1,6 @@ -mtime: 1777127934 -commit: 03faefebd5df7ed8ef62e14e56a9f388646f3a2526d268e308b8d2be947f3cb9 +mtime: 1780392299 +commit: 9bab72e6b85ce284763c0a119d8ad97910bf59adb82500ac1661f7cb43062be2 url: https://src.opensuse.org/GNOME/mozjs115 -revision: 03faefebd5df7ed8ef62e14e56a9f388646f3a2526d268e308b8d2be947f3cb9 +revision: 9bab72e6b85ce284763c0a119d8ad97910bf59adb82500ac1661f7cb43062be2 projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-02 11:24:59.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ mozjs115-CVE-2025-70103.patch ++++++ >From 1f97c9a9c04440df2b26433a2f1d06bad9e84d36 Mon Sep 17 00:00:00 2001 From: Mike Gorse <[email protected]> Date: Mon, 1 Jun 2026 16:04:32 -0500 Subject: [PATCH] Take EC into account when checking required input length This is a backport of https://github.com/libjxl/libjxl/pull/4380 (originally authored by Eugene Kliuchnikov). --- diff -urp firefox-115.15.0.orig/third_party/jpeg-xl/lib/extras/dec/pnm.cc firefox-115.15.0/third_party/jpeg-xl/lib/extras/dec/pnm.cc --- firefox-115.15.0.orig/third_party/jpeg-xl/lib/extras/dec/pnm.cc 2024-08-26 09:25:41.000000000 -0500 +++ firefox-115.15.0/third_party/jpeg-xl/lib/extras/dec/pnm.cc 2026-06-01 18:04:06.745909401 -0500 @@ -386,48 +386,67 @@ Status DecodeImagePNM(const Span<const u } } + // No align - pixels are tightly packed. + constexpr size_t kAlign = 0; + size_t twidth = PackedImage::BitsPerChannel(data_type) / 8; const JxlPixelFormat format{ /*num_channels=*/num_interleaved_channels, /*data_type=*/data_type, /*endianness=*/header.big_endian ? JXL_BIG_ENDIAN : JXL_LITTLE_ENDIAN, - /*align=*/0, + kAlign, }; - const JxlPixelFormat ec_format{1, format.data_type, format.endianness, 0}; + // EC format is same as color, but 1-channel. + JxlPixelFormat ec_format = format; + ec_format.num_channels = 1; + size_t required_pnm_size = + header.ysize * header.xsize * + (num_interleaved_channels + header.ec_types.size()) * twidth; + size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; + if (pnm_remaining_size < required_pnm_size) { + return JXL_FAILURE("PNM file too small"); + } + ppf->frames.clear(); ppf->frames.emplace_back(header.xsize, header.ysize, format); auto* frame = &ppf->frames.back(); + uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); + std::vector<uint8_t*> ec_out; for (size_t i = 0; i < header.ec_types.size(); ++i) { frame->extra_channels.emplace_back(header.xsize, header.ysize, ec_format); - } - size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; - if (pnm_remaining_size < frame->color.pixels_size) { - return JXL_FAILURE("PNM file too small"); + ec_out.emplace_back( + reinterpret_cast<uint8_t*>(frame->extra_channels.back().pixels())); + JXL_DASSERT(frame->extra_channels.back().stride == header.xsize * twidth); } - uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); - std::vector<uint8_t*> ec_out(header.ec_types.size()); - for (size_t i = 0; i < ec_out.size(); ++i) { - ec_out[i] = reinterpret_cast<uint8_t*>(frame->extra_channels[i].pixels()); - } + JXL_DASSERT(frame->color.stride == + header.xsize * num_interleaved_channels * twidth); if (ec_out.empty()) { - const bool flipped_y = header.bits_per_sample == 32; // PFMs are flipped - for (size_t y = 0; y < header.ysize; ++y) { - size_t y_in = flipped_y ? header.ysize - 1 - y : y; - const uint8_t* row_in = &pos[y_in * frame->color.stride]; - uint8_t* row_out = &out[y * frame->color.stride]; - memcpy(row_out, row_in, frame->color.stride); + const bool flipped_y = (header.bits_per_sample == 32); // PFMs are flipped + if (!flipped_y) { + // When there are no EC and input is not flipped we can copy the whole + // image at once. + memcpy(out, pos, header.ysize * frame->color.stride); + } else { + // Otherwise copy row-by-row. + for (size_t y = 0; y < header.ysize; ++y) { + size_t y_out = header.ysize - 1 - y; + const uint8_t* row_in = pos + y * frame->color.stride; + uint8_t* row_out = out + y_out * frame->color.stride; + memcpy(row_out, row_in, frame->color.stride); + } } } else { - size_t pwidth = PackedImage::BitsPerChannel(data_type) / 8; + // In case there are EC, we have to deinterleave data pixel-wise. + size_t color_stride = twidth * num_interleaved_channels; for (size_t y = 0; y < header.ysize; ++y) { for (size_t x = 0; x < header.xsize; ++x) { memcpy(out, pos, frame->color.pixel_stride()); - out += frame->color.pixel_stride(); - pos += frame->color.pixel_stride(); + out += color_stride; + pos += color_stride; for (auto& p : ec_out) { - memcpy(p, pos, pwidth); - pos += pwidth; - p += pwidth; + memcpy(p, pos, twidth); + pos += twidth; + p += twidth; } } } Only in firefox-115.15.0/third_party/jpeg-xl/lib/extras/dec: pnm.cc.orig
