Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package htmldoc for openSUSE:Factory checked in at 2022-05-14 22:51:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/htmldoc (Old) and /work/SRC/openSUSE:Factory/.htmldoc.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "htmldoc" Sat May 14 22:51:51 2022 rev:31 rq:976398 version:1.9.15 Changes: --------
--- /work/SRC/openSUSE:Factory/htmldoc/htmldoc.changes 2022-05-01 18:53:52.399178812 +0200
+++ /work/SRC/openSUSE:Factory/.htmldoc.new.1538/htmldoc.changes 2022-05-14 22:51:52.386969222 +0200
@@ -1,0 +2,8 @@
+Wed May 11 07:35:17 UTC 2022 - pgaj...@suse.com
+
+- security update
+- added patches
+ fix CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+ + htmldoc-CVE-2022-27114.patch
+
+-------------------------------------------------------------------
New: ---- htmldoc-CVE-2022-27114.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ htmldoc.spec ++++++
--- /var/tmp/diff_new_pack.vcNzns/_old 2022-05-14 22:51:52.874969832 +0200
+++ /var/tmp/diff_new_pack.vcNzns/_new 2022-05-14 22:51:52.882969842 +0200
@@ -26,6 +26,8 @@
 Source: https://github.com/michaelrsweet/htmldoc/releases/download/v%{version}/htmldoc-%{version}-source.tar.gz
 # CVE-2022-28085 [bsc#1198933], Heap buffer overflow in function pdf_write_names in ps-pdf.cxx
 Patch0: htmldoc-CVE-2022-28085.patch
+# CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+Patch1: htmldoc-CVE-2022-27114.patch
 BuildRequires: fltk-devel
 BuildRequires: gcc-c++
 BuildRequires: hicolor-icon-theme
++++++ htmldoc-CVE-2022-27114.patch ++++++
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 8aeccced..9b4d11de 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -26,6 +26,13 @@ extern "C" { /* Workaround for JPEG header problems... */
 #endif // HAVE_LIBPNG
+/*
+ * Limits...
+ */
+
+#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)
+
+
 /*
 * GIF definitions...
 */
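Review bot: The comment on `IMAGE_MAX_DIM` gives the derivation but not the assumptions the bound rests on: 37837 x 37837 x 3 is just under 2^32, so it holds only for three bytes per pixel and a byte count kept in an unsigned 32-bit or wider type. The loaders touched later in this patch assign width, height and depth through `(int)` casts, and a signed 32-bit product of those fields already overflows at this cap. I would extend the comment to something like `// Maximum dimension - sqrt(4GiB / 3); assumes depth <= 3 and a size_t byte count` so the allocation sites get checked against it.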
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
 colors_used = (int)read_dword(fp);
 read_dword(fp);
- if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
 return (-1);
 if (info_size > 40)
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
 img->height = (buf[9] << 8) | buf[8];
 ncolors = 2 << (buf[10] & 0x07);
- if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
 return (-1);
 // If we are writing an encrypted PDF file, bump the use count so we create
@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
 img->height = (buf[7] << 8) | buf[6];
 img->depth = gray ? 1 : 3;
- if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
 return (-1);
 if (transparent >= 0)
@@ -1443,6 +1450,12 @@ JSAMPROW row; /* Sample row pointer */
 img->height = (int)cinfo.output_height;
 img->depth = (int)cinfo.output_components;
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+ {
+ jpeg_destroy_decompress(&cinfo);
+ return (-1);
+ }
+
 if (!load_data)
 {
 jpeg_destroy_decompress(&cinfo);
@@ -1598,6 +1611,12 @@ image_load_png(image_t *img, /* I - Image pointer */
 img->width = (int)png_get_image_width(pp, info);
 img->height = (int)png_get_image_height(pp, info);
+ if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+ {
+ png_destroy_read_struct(&pp, &info, NULL);
+ return (-1);
+ }
+
 if (color_type & PNG_COLOR_MASK_ALPHA)
 {
 if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
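Review bot: In `image_load_bmp` this change relaxes an existing limit rather than adding one: the cap goes from 8192 to `IMAGE_MAX_DIM` (37837), and the two checks in `image_load_gif` go from 32767 to the same value. Under the old BMP bound a three-byte-per-pixel size stayed well inside `int`; under the new one it does not, so any `int` stride or buffer-size arithmetic further down the loader is now reachable with operands that can wrap. The loader bodies continue outside these hunks, so that arithmetic should be confirmed before the limit is raised. Otherwise keep the stricter per-format values, e.g. leave `img->width > 8192 || ... img->height > 8192` as it was for BMP.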
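Review bot: The guard added to the JPEG loader tests width and height one at a time, but what sizes the pixel buffer is their product with `img->depth`, which is set from `cinfo.output_components` on the line above and is not bounded here. If that size is later computed in `int` (the allocation is outside the hunk), dimensions that pass this check can still wrap it, which is the class of bug the patch is meant to close. A product test that cannot itself overflow would cover it, placed after the dimension test with the same cleanup and `return (-1)`: `if (img->depth <= 0 || img->width > INT_MAX / img->depth / img->height)`. The PNG hunk has the same gap, and there the check sits before the `PNG_COLOR_MASK_ALPHA` handling, so a product test would have to go wherever depth is final. Both function bodies start and end outside their hunks.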