Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package miniz for openSUSE:Factory checked 
in at 2026-07-01 17:14:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/miniz (Old)
 and      /work/SRC/openSUSE:Factory/.miniz.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "miniz"

Wed Jul  1 17:14:29 2026 rev:3 rq:1363010 version:3.1.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/miniz/miniz.changes      2026-03-11 
20:58:57.778936894 +0100
+++ /work/SRC/openSUSE:Factory/.miniz.new.11887/miniz.changes   2026-07-01 
17:14:36.463781727 +0200
@@ -1,0 +2,13 @@
+Wed Jul  1 14:07:45 UTC 2026 - Martin Hauke <[email protected]>
+
+- Updat eto version 3.1.2
+  * Fix central directory offset overflow when reading zip file
+    header.
+  * Add tdefl_write_image_to_png_file_in_memory_ex parameter
+    validation.
+  * Add fuzz targets for ZIP validation, writing, and compression
+    APIs.
+  * Support cmake4.
+  * Guard against code_len==0 infinite loop in tinfl_decompress.
+
+-------------------------------------------------------------------

Old:
----
  miniz-3.1.1.tar.gz

New:
----
  miniz-3.1.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ miniz.spec ++++++
--- /var/tmp/diff_new_pack.9nF15b/_old  2026-07-01 17:14:37.015800716 +0200
+++ /var/tmp/diff_new_pack.9nF15b/_new  2026-07-01 17:14:37.019800853 +0200
@@ -19,7 +19,7 @@
 %define sover 3
 %define libpackage lib%{name}%{sover}
 Name:           miniz
-Version:        3.1.1
+Version:        3.1.2
 Release:        0
 Summary:        Single C source file zlib-replacement library
 License:        MIT

++++++ miniz-3.1.1.tar.gz -> miniz-3.1.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/CMakeLists.txt 
new/miniz-3.1.2/CMakeLists.txt
--- old/miniz-3.1.1/CMakeLists.txt      2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/CMakeLists.txt      2026-07-01 15:43:44.000000000 +0200
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.5...3.12)
+cmake_minimum_required(VERSION 3.5)
 
 # determine whether this is a standalone project or included by other projects
 set (MINIZ_STANDALONE_PROJECT ON)
@@ -26,7 +26,7 @@
 
 set(MINIZ_API_VERSION 3)
 set(MINIZ_MINOR_VERSION 1)
-set(MINIZ_PATCH_VERSION 1)
+set(MINIZ_PATCH_VERSION 2)
 set(MINIZ_VERSION
     ${MINIZ_API_VERSION}.${MINIZ_MINOR_VERSION}.${MINIZ_PATCH_VERSION})
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/ChangeLog.md new/miniz-3.1.2/ChangeLog.md
--- old/miniz-3.1.1/ChangeLog.md        2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/ChangeLog.md        2026-07-01 15:43:44.000000000 +0200
@@ -1,5 +1,13 @@
 ## Changelog
 
+### 3.1.2
+
+ - Fix central directory offset overflow when reading zip file header
+ - Add tdefl_write_image_to_png_file_in_memory_ex parameter validation
+ - Add fuzz targets for ZIP validation, writing, and compression APIs
+ - Support cmake 4
+ - Guard against code_len==0 infinite loop in tinfl_decompress
+
 ### 3.1.1
 
  - Declare function wrappers as inline static to fix warnings
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/miniz.h new/miniz-3.1.2/miniz.h
--- old/miniz-3.1.1/miniz.h     2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/miniz.h     2026-07-01 15:43:44.000000000 +0200
@@ -1,4 +1,4 @@
-/* miniz.c 3.1.0 - public domain deflate/inflate, zlib-subset, ZIP 
reading/writing/appending, PNG writing
+/* miniz.c 3.1.2 - public domain deflate/inflate, zlib-subset, ZIP 
reading/writing/appending, PNG writing
    See "unlicense" statement at the end of this file.
    Rich Geldreich <[email protected]>, last updated Oct. 13, 2013
    Implements RFC 1950: http://www.ietf.org/rfc/rfc1950.txt and RFC 1951: 
http://www.ietf.org/rfc/rfc1951.txt
@@ -283,11 +283,11 @@
         MZ_DEFAULT_COMPRESSION = -1
     };
 
-#define MZ_VERSION "11.3.1"
-#define MZ_VERNUM 0xB301
+#define MZ_VERSION "11.3.2"
+#define MZ_VERNUM 0xB302
 #define MZ_VER_MAJOR 11
 #define MZ_VER_MINOR 3
-#define MZ_VER_REVISION 1
+#define MZ_VER_REVISION 2
 #define MZ_VER_SUBREVISION 0
 
 #ifndef MINIZ_NO_ZLIB_APIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/miniz_tdef.c new/miniz-3.1.2/miniz_tdef.c
--- old/miniz-3.1.1/miniz_tdef.c        2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/miniz_tdef.c        2026-07-01 15:43:44.000000000 +0200
@@ -1498,6 +1498,11 @@
         *pLen_out = 0;
         if (!pComp)
             return NULL;
+        if (w <= 0 || h <= 0 || w > 0xFFFF || h > 0xFFFF || num_chans < 1 || 
num_chans > 4)
+        {
+            MZ_FREE(pComp);
+            return NULL;
+        }
         MZ_CLEAR_OBJ(out_buf);
         out_buf.m_expandable = MZ_TRUE;
         out_buf.m_capacity = 57 + MZ_MAX(64, (1 + bpl) * h);
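Review bot: The new bounds on `w`, `h` and `num_chans` still admit values for which `(1 + bpl) * h` on the capacity line can exceed a 32-bit `int`. If `bpl` is `w * num_chans` held in an `int` (its declaration is outside the hunk, so this is inferred), then 0xFFFF * 4 * 0xFFFF is far above INT_MAX. Either widen the arithmetic, e.g. `(size_t)(1 + bpl) * (size_t)h` plus a check that the product fits on 32-bit targets, or tighten the accepted limits so the product stays below INT_MAX. The validation also runs after `pComp` has been allocated, and presumably after `bpl` was computed from the unvalidated inputs; moving it ahead of both avoids the allocate-then-free path. The function begins and ends outside the hunk.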
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/miniz_tinfl.c 
new/miniz-3.1.2/miniz_tinfl.c
--- old/miniz-3.1.1/miniz_tinfl.c       2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/miniz_tinfl.c       2026-07-01 15:43:44.000000000 +0200
@@ -467,6 +467,10 @@
                             counter = sym2;
                             bit_buf >>= code_len;
                             num_bits -= code_len;
+                            if (code_len == 0)
+                            {
+                                TINFL_CR_RETURN_FOREVER(40, 
TINFL_STATUS_FAILED);
+                            }
                             if (counter & 256)
                                 break;
 
@@ -490,6 +494,10 @@
                             }
                             bit_buf >>= code_len;
                             num_bits -= code_len;
+                            if (code_len == 0)
+                            {
+                                TINFL_CR_RETURN_FOREVER(54, 
TINFL_STATUS_FAILED);
+                            }
 
                             pOut_buf_cur[0] = (mz_uint8)counter;
                             if (sym2 & 256)
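Review bot: Both added `code_len == 0` guards (coroutine states 40 and 54; the first is in the preceding hunk) come without a comment saying how a zero code length can arise and why it must abort decoding. A line such as `/* a zero-length code consumes no input bits; without this check corrupt Huffman data would loop forever */` above each guard would record the intent the changelog states. The state numbers passed to `TINFL_CR_RETURN_FOREVER` must not collide with any other state in the function, which cannot be confirmed from these hunks because the function extends well beyond them. No test in the visible part of this diff feeds the decoder an input that reaches either guard, so a small regression case would be worth adding.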
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/miniz_zip.c new/miniz-3.1.2/miniz_zip.c
--- old/miniz-3.1.1/miniz_zip.c 2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/miniz_zip.c 2026-07-01 15:43:44.000000000 +0200
@@ -787,7 +787,7 @@
         if (cdir_size < (mz_uint64)pZip->m_total_files * 
MZ_ZIP_CENTRAL_DIR_HEADER_SIZE)
             return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED);
 
-        if ((cdir_ofs + (mz_uint64)cdir_size) > pZip->m_archive_size)
+        if (cdir_size> pZip->m_archive_size || cdir_ofs > pZip->m_archive_size 
- cdir_size)
             return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED);
 
         if (eocd_ofs < cdir_ofs + cdir_size)
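Review bot: The overflow-safe comparison is written without a comment, while the next visible check `if (eocd_ofs < cdir_ofs + cdir_size)` still uses the additive form, so it is not obvious why one needed rewriting and the other did not. The sum on that later line is only safe because the rewritten check has already bounded `cdir_ofs + cdir_size` by `m_archive_size`. A comment such as `/* subtract instead of add: cdir_ofs is read from the archive and cdir_ofs + cdir_size can wrap */` would stop a later cleanup from reverting the form or reordering the two checks. `cdir_size> pZip->m_archive_size` is also missing a space before `>`. The enclosing function starts and ends outside the hunk.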
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/tests/main.cpp 
new/miniz-3.1.2/tests/main.cpp
--- old/miniz-3.1.1/tests/main.cpp      2026-02-03 12:42:03.000000000 +0100
+++ new/miniz-3.1.2/tests/main.cpp      2026-07-01 15:43:44.000000000 +0200
@@ -1,5 +1,6 @@
 #include "catch_amalgamated.hpp"
 #include "../miniz.h"
+#include "miniz_zip.h"
 #include <assert.h>
 #include <string>
 
@@ -10,11 +11,11 @@
 #endif
 
 #ifndef MINIZ_NO_STDIO
-bool create_test_zip()
+bool create_test_zip(const bool zip64)
 {
     unlink("test.zip");
     mz_zip_archive zip_archive = {};
-    auto b = mz_zip_writer_init_file(&zip_archive, "test.zip", 0);
+    auto b = mz_zip_writer_init_file_v2(&zip_archive, "test.zip", 0, zip64 ? 
MZ_ZIP_FLAG_WRITE_ZIP64 : 0);
     if (!b)
         return false;
 
@@ -35,7 +36,7 @@
 
 TEST_CASE("Zip writer tests")
 {
-    auto b = create_test_zip();
+    auto b = create_test_zip(false);
     REQUIRE(b);
 
     SECTION("Test test.txt content correct")
@@ -82,6 +83,59 @@
         }
     }
 }
+
+TEST_CASE("Zip reader tests")
+{
+    const auto b = create_test_zip(true);
+    REQUIRE(b);
+
+    SECTION("Test zip file reading")
+    {
+        mz_zip_archive zip_archive = {};
+
+        auto b = mz_zip_reader_init_file(&zip_archive, "test.zip", 0);
+        REQUIRE(b);
+
+        size_t num_files = mz_zip_reader_get_num_files(&zip_archive);
+        REQUIRE(num_files == 1);
+
+        mz_zip_archive_file_stat file_stat;
+        b = mz_zip_reader_file_stat(&zip_archive, 0, &file_stat);
+        REQUIRE(b);
+
+        REQUIRE(file_stat.m_file_index == 0);
+        REQUIRE(file_stat.m_uncomp_size == 3);
+        REQUIRE(file_stat.m_comp_size == 3);
+        REQUIRE(std::string_view(file_stat.m_filename) == "test.txt");
+
+        mz_zip_reader_end(&zip_archive);
+    }
+
+    SECTION("Test central dir overflow")
+    {
+        auto f = fopen("test.zip", "rb");
+        REQUIRE(f);
+        char buf[1000];
+        const auto read = fread(buf, 1, 1000, f);
+        fclose(f);
+
+        unsigned long long cdir_ofs = -1;
+        memcpy(buf + 159, &cdir_ofs, sizeof(cdir_ofs));
+
+        unlink("test.zip");
+        f = fopen("test.zip", "wb");
+        REQUIRE(f);
+        fwrite(buf, 1, read, f);
+        fclose(f);
+
+        mz_zip_archive zip_archive = {};
+
+        auto b = mz_zip_reader_init_file(&zip_archive, "test.zip", 0);
+        REQUIRE(!b);
+        REQUIRE(zip_archive.m_last_error == 
MZ_ZIP_INVALID_HEADER_OR_CORRUPTED);
+    }
+}
+
 #endif
 
 TEST_CASE("Tinfl / tdefl tests")
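Review bot: In the "Test central dir overflow" section the patch offset `159` is a bare magic number and `read` is never checked before `memcpy(buf + 159, ...)`. A change in the layout or size of the generated archive would silently patch the wrong bytes, or bytes that are never written back, and the test could then pass or fail for unrelated reasons. Adding `REQUIRE(read >= 159 + sizeof(cdir_ofs));` after the `fread`, plus a comment naming the field at that offset (presumably the central-directory offset in the zip64 end-of-central-directory record, worth confirming), would make the test self-checking. The section also uses `memcpy` and `std::string_view`, while the standard includes visible at the top of the file are only `<assert.h>` and `<string>`; `<cstring>` and `<string_view>` should be included explicitly unless they appear outside the shown hunks.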
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/tests/miniz_tdefl_fuzzer.cc 
new/miniz-3.1.2/tests/miniz_tdefl_fuzzer.cc
--- old/miniz-3.1.1/tests/miniz_tdefl_fuzzer.cc 1970-01-01 01:00:00.000000000 
+0100
+++ new/miniz-3.1.2/tests/miniz_tdefl_fuzzer.cc 2026-07-01 15:43:44.000000000 
+0200
@@ -0,0 +1,115 @@
+// Copyright 2025 Google LLC
+// Fuzz target for miniz tdefl (tiny deflate) functions
+// Targets: tdefl_compress_mem_to_mem (0% coverage, complexity ~400)
+//          tdefl_compress_mem_to_heap (0% coverage)
+//          tdefl_write_image_to_png_file_in_memory (0% coverage, complexity 
503)
+
+#include "miniz.h"
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Fuzz target for tdefl compression functions
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 1) return 0;
+    
+    // Determine compression level from input
+    tdefl_compress_level compression_level = (tdefl_compress_level)(data[0] % 
TDEFL_MAX_LEVELS);
+    const uint8_t* content = data + 1;
+    size_t content_size = size - 1;
+    
+    // Test tdefl_compress_mem_to_mem - 0% coverage target
+    if (content_size > 0 && content_size <= 10 * 1024 * 1024) { // Max 10MB
+        size_t max_compressed_size = content_size + 1024;
+        void* compressed = malloc(max_compressed_size);
+        
+        if (compressed) {
+            size_t actual_compressed_size = tdefl_compress_mem_to_mem(
+                compressed,
+                max_compressed_size,
+                content,
+                content_size,
+                compression_level
+            );
+            
+            // If compression succeeded, try decompression
+            if (actual_compressed_size > 0 && actual_compressed_size <= 
max_compressed_size) {
+                size_t max_uncompressed = content_size * 2;
+                void* uncompressed = malloc(max_uncompressed);
+                
+                if (uncompressed) {
+                    tinfl_decompress_mem_to_mem(
+                        uncompressed,
+                        max_uncompressed,
+                        compressed,
+                        actual_compressed_size,
+                        TINFL_FLAG_PARSE_ZLIB_HEADER
+                    );
+                    free(uncompressed);
+                }
+            }
+            
+            free(compressed);
+        }
+    }
+    
+    // Test tdefl_compress_mem_to_heap - 0% coverage target
+    if (content_size > 0 && content_size <= 10 * 1024 * 1024) {
+        size_t compressed_size = 0;
+        void* heap_compressed = tdefl_compress_mem_to_heap(
+            content,
+            content_size,
+            &compressed_size,
+            compression_level
+        );
+        
+        if (heap_compressed) {
+            // Decompress to verify
+            if (compressed_size > 0) {
+                size_t uncomp_size = content_size * 2;
+                void* uncomp = malloc(uncomp_size);
+                if (uncomp) {
+                    tinfl_decompress_mem_to_mem(
+                        uncomp,
+                        uncomp_size,
+                        heap_compressed,
+                        compressed_size,
+                        TINFL_FLAG_PARSE_ZLIB_HEADER
+                    );
+                    free(uncomp);
+                }
+            }
+            free(heap_compressed);
+        }
+    }
+    
+    // Test tdefl_write_image_to_png_file_in_memory - 0% coverage target 
(complexity 503)
+    // This function compresses a grayscale or RGB/RGBA image to PNG format
+    if (content_size >= 4) {
+        // Try to interpret input as a small image
+        // Extract dimensions from first bytes
+        int w = (data[0] % 64) + 1;  // 1-64 width
+        int h = (data[1] % 64) + 1;  // 1-64 height
+        int num_chans = (data[2] % 4) + 1;  // 1-4 channels (grayscale, RGB, 
RGBA)
+        
+        size_t expected_size = w * h * num_chans;
+        if (content_size - 3 >= expected_size && expected_size > 0) {
+            const void* image_data = data + 3;
+            
+            size_t png_size = 0;
+            void* png_data = tdefl_write_image_to_png_file_in_memory(
+                image_data,
+                w,
+                h,
+                num_chans,
+                &png_size
+            );
+            
+            if (png_data && png_size > 0) {
+                free(png_data);
+            }
+        }
+    }
+    
+    return 0;
+}
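Review bot: Both round-trip blocks discard the return value of `tinfl_decompress_mem_to_mem`, so the harness detects only crashes and would not notice compressed output that fails to decode back to `content`. Capturing the result and comparing, e.g. `size_t n = tinfl_decompress_mem_to_mem(...);` followed by `if (n != content_size || memcmp(uncompressed, content, content_size) != 0) abort();`, turns it into a real round-trip check. That requires both sides to agree on framing: the decode side passes `TINFL_FLAG_PARSE_ZLIB_HEADER`, while the only flags value given to the compressor is `data[0] % TDEFL_MAX_LEVELS`, and miniz writes a zlib header only when `TDEFL_WRITE_ZLIB_HEADER` is set in that argument. If it never is, every decode is rejected at the header and the inflate path gets no coverage from this target. In the PNG block, `if (png_data && png_size > 0)` leaks a non-null buffer whose reported size is zero; calling `free(png_data)` unconditionally is safe.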
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/tests/miniz_zip_validate_fuzzer.cc 
new/miniz-3.1.2/tests/miniz_zip_validate_fuzzer.cc
--- old/miniz-3.1.1/tests/miniz_zip_validate_fuzzer.cc  1970-01-01 
01:00:00.000000000 +0100
+++ new/miniz-3.1.2/tests/miniz_zip_validate_fuzzer.cc  2026-07-01 
15:43:44.000000000 +0200
@@ -0,0 +1,71 @@
+// Copyright 2025 Google LLC
+// Fuzz target for miniz ZIP validation functions
+// Targets: mz_zip_validate_mem_archive (0% coverage, complexity 642)
+//          mz_zip_validate_file_archive (0% coverage, complexity 651)
+
+#include "miniz.h"
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Fuzz target for ZIP archive validation
+// Tests both memory-based and file-based validation functions
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 4) return 0; // Need at least a minimal ZIP header
+    
+    // Test mz_zip_validate_mem_archive - 0% coverage target
+    // This validates a ZIP archive in memory
+    mz_zip_error zip_error = MZ_ZIP_NO_ERROR;
+    mz_bool result = mz_zip_validate_mem_archive(
+        data, 
+        size, 
+        MZ_ZIP_FLAG_DO_NOT_SORT_CENTRAL_DIRECTORY, 
+        &zip_error
+    );
+    
+    // Try with different flags
+    zip_error = MZ_ZIP_NO_ERROR;
+    mz_zip_validate_mem_archive(data, size, 0, &zip_error);
+    
+    // Test with various buffer sizes to hit edge cases
+    if (size > 1024) {
+        zip_error = MZ_ZIP_NO_ERROR;
+        mz_zip_validate_mem_archive(data, 1024, 0, &zip_error);
+    }
+    
+    // Test mz_compress and mz_uncompress - 0% coverage targets
+    // These are the simple zlib-compatible API functions
+    if (size > 0 && size <= 1024 * 1024) { // Reasonable size limit
+        // Compress
+        mz_ulong compressed_size = compressBound(size);
+        unsigned char* compressed = (unsigned char*)malloc(compressed_size);
+        
+        if (compressed) {
+            int compress_result = mz_compress(
+                compressed, 
+                &compressed_size, 
+                data, 
+                size
+            );
+            
+            // If compression succeeded, try decompression
+            if (compress_result == MZ_OK && compressed_size > 0) {
+                mz_ulong uncompressed_size = size * 2; // Give some headroom
+                unsigned char* uncompressed = (unsigned 
char*)malloc(uncompressed_size);
+                
+                if (uncompressed) {
+                    mz_uncompress(uncompressed, &uncompressed_size, 
compressed, compressed_size);
+                    free(uncompressed);
+                }
+            }
+            
+            free(compressed);
+        }
+    }
+    
+    // Test mz_adler32 and mz_crc32 - checksum functions
+    mz_adler32(MZ_ADLER32_INIT, data, size);
+    mz_crc32(MZ_CRC32_INIT, data, size);
+    
+    return 0;
+}
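Review bot: The header comment and the comment above `LLVMFuzzerTestOneInput` claim coverage of `mz_zip_validate_file_archive` and "both memory-based and file-based validation", but the body only ever calls `mz_zip_validate_mem_archive`. Either drop those claims or add the file-based call, otherwise coverage reports will be read against a target that does not do what it says. `compressBound(size)` is the only call using the zlib-compatible alias, which is unavailable when miniz is built without the zlib-compatible names; `mz_compressBound(size)` matches the other `mz_` calls. The `result` variable is assigned and never read, and the `mz_uncompress` return value and output are not compared with `data`, so the compress/uncompress block checks for crashes only.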
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/miniz-3.1.1/tests/miniz_zip_writer_fuzzer.cc 
new/miniz-3.1.2/tests/miniz_zip_writer_fuzzer.cc
--- old/miniz-3.1.1/tests/miniz_zip_writer_fuzzer.cc    1970-01-01 
01:00:00.000000000 +0100
+++ new/miniz-3.1.2/tests/miniz_zip_writer_fuzzer.cc    2026-07-01 
15:43:44.000000000 +0200
@@ -0,0 +1,96 @@
+// Copyright 2025 Google LLC
+// Fuzz target for miniz ZIP writer functions
+// Targets: mz_zip_writer_add_mem (0% coverage, complexity 627)
+//          mz_zip_writer_add_mem_ex (0% coverage)
+//          mz_zip_writer_add_mem_ex_v2 (0% coverage)
+//          mz_zip_writer_finalize_archive (0% coverage)
+
+#include "miniz.h"
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+// Fuzz target for ZIP archive creation and writing
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 16) return 0; // Need enough data for meaningful test
+    
+    // Create a memory-backed ZIP archive
+    mz_zip_archive zip_archive;
+    memset(&zip_archive, 0, sizeof(zip_archive));
+    
+    // Initialize the archive with a growable memory buffer
+    size_t initial_capacity = size * 2;
+    if (!mz_zip_writer_init_heap(&zip_archive, initial_capacity, 0)) {
+        return 0;
+    }
+    
+    // Extract parameters from fuzz input
+    // First byte determines compression level
+    int compression_level = data[0] % 11; // 0-10 (10 = best compression)
+    
+    // Second byte determines flags
+    mz_uint flags = data[1];
+    
+    // Rest of data is content to add to ZIP
+    const char* filename = "fuzz_test.txt";
+    const uint8_t* content = data + 2;
+    size_t content_size = size - 2;
+    
+    // Test mz_zip_writer_add_mem - 0% coverage target
+    mz_bool add_result = mz_zip_writer_add_mem(
+        &zip_archive,
+        filename,
+        content,
+        content_size,
+        flags | (compression_level << MZ_ZIP_LDH_BIT_OFFS_SHL)
+    );
+    
+    // Add multiple entries with different strategies
+    if (content_size > 4) {
+        // Add raw (uncompressed) entry
+        mz_zip_writer_add_mem(&zip_archive, "raw.bin", content, content_size / 
2, 0);
+        
+        // Add compressed entry with store-only flag
+        mz_zip_writer_add_mem(
+            &zip_archive, 
+            "stored.bin", 
+            content + content_size / 2, 
+            content_size / 2, 
+            MZ_ZIP_FLAG_STORE
+        );
+        
+        // Add with AES encryption flag (may fail without proper setup, but 
good for fuzzing)
+        if (content_size > 8) {
+            mz_zip_writer_add_mem(
+                &zip_archive,
+                "encrypted.bin",
+                content + 4,
+                content_size - 4,
+                MZ_ZIP_FLAG_ENCRYPTED
+            );
+        }
+    }
+    
+    // Test mz_zip_writer_finalize_archive - 0% coverage target
+    mz_zip_writer_finalize_archive(&zip_archive);
+    
+    // Get the final archive data
+    void* archive_data = NULL;
+    size_t archive_size = 0;
+    mz_zip_writer_finalize_heap_archive(&zip_archive, &archive_data, 
&archive_size);
+    
+    // If we successfully created an archive, try to validate it
+    if (archive_data && archive_size > 0) {
+        mz_zip_error zip_error = MZ_ZIP_NO_ERROR;
+        mz_zip_validate_mem_archive(archive_data, archive_size, 0, &zip_error);
+        
+        // Cleanup
+        free(archive_data);
+    }
+    
+    // Cleanup the writer
+    mz_zip_writer_end(&zip_archive);
+    
+    return 0;
+}
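Review bot: `mz_zip_writer_finalize_archive` and then `mz_zip_writer_finalize_heap_archive` are called on the same archive, with both return values ignored. In miniz the heap variant finalizes the archive itself, so after the explicit first call it is expected to fail and leave `archive_data` NULL, which would make the `mz_zip_validate_mem_archive` block unreachable. Dropping the standalone call and guarding the rest with `if (mz_zip_writer_finalize_heap_archive(&zip_archive, &archive_data, &archive_size)) { ... }` keeps the validate step live. The level handling also looks off: `flags = data[1]` already fills the low byte of the `level_and_flags` argument, where miniz expects the compression level, so the shifted `compression_level` may not select the level at all; this is worth confirming against the `mz_zip_writer_add_mem` documentation. `add_result` is unused.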
