Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package htmldoc for openSUSE:Factory checked 
in at 2022-05-14 22:51:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/htmldoc (Old)
 and      /work/SRC/openSUSE:Factory/.htmldoc.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "htmldoc"

Sat May 14 22:51:51 2022 rev:31 rq:976398 version:1.9.15

Changes:
--------
--- /work/SRC/openSUSE:Factory/htmldoc/htmldoc.changes  2022-05-01 
18:53:52.399178812 +0200
+++ /work/SRC/openSUSE:Factory/.htmldoc.new.1538/htmldoc.changes        
2022-05-14 22:51:52.386969222 +0200
@@ -1,0 +2,8 @@
+Wed May 11 07:35:17 UTC 2022 - pgaj...@suse.com
+
+- security update
+- added patches
+  fix CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+  + htmldoc-CVE-2022-27114.patch
+
+-------------------------------------------------------------------

New:
----
  htmldoc-CVE-2022-27114.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ htmldoc.spec ++++++
--- /var/tmp/diff_new_pack.vcNzns/_old  2022-05-14 22:51:52.874969832 +0200
+++ /var/tmp/diff_new_pack.vcNzns/_new  2022-05-14 22:51:52.882969842 +0200
@@ -26,6 +26,8 @@
 Source:         
https://github.com/michaelrsweet/htmldoc/releases/download/v%{version}/htmldoc-%{version}-source.tar.gz
 # CVE-2022-28085 [bsc#1198933], Heap buffer overflow in function 
pdf_write_names in ps-pdf.cxx
 Patch0:         htmldoc-CVE-2022-28085.patch
+# CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+Patch1:         htmldoc-CVE-2022-27114.patch
 BuildRequires:  fltk-devel
 BuildRequires:  gcc-c++
 BuildRequires:  hicolor-icon-theme

++++++ htmldoc-CVE-2022-27114.patch ++++++
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 8aeccced..9b4d11de 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -26,6 +26,13 @@ extern "C" {         /* Workaround for JPEG header 
problems... */
 #endif // HAVE_LIBPNG
 
 
+/*
+ * Limits...
+ */
+
+#define IMAGE_MAX_DIM  37837           // Maximum dimension - sqrt(4GiB / 3)
+
+
 /*
  * GIF definitions...
  */
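Review bot: The `IMAGE_MAX_DIM` value of 37837 only keeps `width * height * 3` below 4 GiB, which is safe for unsigned 32-bit or wider arithmetic but not for `int`: at the limit the product is about 4.29e9, roughly twice `INT_MAX`. The loaders patched below store dimensions as `int` (`img->width = (int)...`), so if the pixel-buffer size is still computed in `int` before being cast, the overflow stays reachable; that allocation code is outside these hunks and needs confirming. Either widen the operands first, e.g. `(size_t)img->width * (size_t)img->height * (size_t)img->depth`, or tighten the limit to something like `#define IMAGE_MAX_DIM 23170 // sqrt(INT_MAX / 4)`. The same concern applies to the BMP, GIF, JPEG and PNG checks that use this constant, and since the identical four-term condition is repeated five times, a small `static` helper would keep them from drifting apart.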
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img,        /* I - Image to load 
into */
   colors_used      = (int)read_dword(fp);
   read_dword(fp);
 
-  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height 
> 8192 || info_size < 0)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || 
img->height > IMAGE_MAX_DIM || info_size < 0)
     return (-1);
 
   if (info_size > 40)
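Review bot: For BMP this check is loosened rather than tightened: the accepted dimension goes from 8192 to 37837, so the loader now admits images about 21 times larger in area than before the security fix. If anything later in image_load_bmp relied on the old ceiling (row buffers, colour-map indexing or `int` size arithmetic, all outside this hunk), that assumption no longer holds. Unless the wider range is actually needed, keep the stricter bound here, or add a comment such as `// BMP limit raised to IMAGE_MAX_DIM; size math below is done in size_t` once that has been verified.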
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img,      /* I - Image pointer */
   img->height = (buf[9] << 8) | buf[8];
   ncolors     = 2 << (buf[10] & 0x07);
 
-  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height 
> 32767)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || 
img->height > IMAGE_MAX_DIM)
     return (-1);
 
   // If we are writing an encrypted PDF file, bump the use count so we create
@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img,      /* I - Image pointer */
           img->height = (buf[7] << 8) | buf[6];
           img->depth  = gray ? 1 : 3;
 
-         if (img->width <= 0 || img->width > 32767 || img->height <= 0 || 
img->height > 32767)
+         if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 
|| img->height > IMAGE_MAX_DIM)
            return (-1);
 
           if (transparent >= 0)
@@ -1443,6 +1450,12 @@ JSAMPROW                 row;            /* Sample row 
pointer */
   img->height = (int)cinfo.output_height;
   img->depth  = (int)cinfo.output_components;
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || 
img->height > IMAGE_MAX_DIM)
+  {
+    jpeg_destroy_decompress(&cinfo);
+    return (-1);
+  }
+
   if (!load_data)
   {
     jpeg_destroy_decompress(&cinfo);
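Review bot: `img->depth` is taken from `cinfo.output_components` just above the new check but is not validated, while `IMAGE_MAX_DIM` was derived assuming 3 bytes per pixel. If the decoder can report four components (this depends on the colour-space setup earlier in the function, outside this hunk), width × height × depth can exceed the 4 GiB the limit was computed for. If only 1 and 3 are expected here, extend the condition with `|| img->depth < 1 || img->depth > 3`; otherwise bound the computed byte count rather than the dimensions alone. The PNG hunk raises the same question for its alpha branch, and in both functions the rejected width and height are left stored in `img` on the `-1` return, which is worth a comment if callers may inspect them.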
@@ -1598,6 +1611,12 @@ image_load_png(image_t *img,     /* I - Image pointer */
   img->width  = (int)png_get_image_width(pp, info);
   img->height = (int)png_get_image_height(pp, info);
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || 
img->height > IMAGE_MAX_DIM)
+  {
+    png_destroy_read_struct(&pp, &info, NULL);
+    return (-1);
+  }
+
   if (color_type & PNG_COLOR_MASK_ALPHA)
   {
     if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
