Hello community,

here is the log from the commit of package libwebp for openSUSE:Factory checked in at 2023-10-02 20:04:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libwebp (Old)
 and /work/SRC/openSUSE:Factory/.libwebp.new.28202 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libwebp" Mon Oct 2 20:04:08 2023 rev:39 rq:1114613 version:1.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libwebp/libwebp.changes 2023-09-17 19:29:23.373776197 +0200 +++ /work/SRC/openSUSE:Factory/.libwebp.new.28202/libwebp.changes 2023-10-02 20:04:32.390647352 +0200 @@ -1,0 +2,6 @@ +Wed Sep 27 20:37:54 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- Add 0001-Fix-invalid-incremental-decoding-check.patch + A fuzzing finding fixed in the SLE/Leap updates + +------------------------------------------------------------------- New: ---- 0001-Fix-invalid-incremental-decoding-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libwebp.spec ++++++ --- /var/tmp/diff_new_pack.5Os1T1/_old 2023-10-02 20:04:33.678693674 +0200 +++ /var/tmp/diff_new_pack.5Os1T1/_new 2023-10-02 20:04:33.678693674 +0200 @@ -29,6 +29,9 @@ Source3: %name.keyring Source4: baselibs.conf +# PATCH-FIX-UPSTREAM 0001-Fix-invalid-incremental-decoding-check.patch boo#1215231 CVE-2023-4863 xw...@suse.com -- Fix invalid incremental decoding check +Patch2: 0001-Fix-invalid-incremental-decoding-check.patch + BuildRequires: giflib-devel BuildRequires: pkgconfig BuildRequires: pkgconfig(glut) ++++++ 0001-Fix-invalid-incremental-decoding-check.patch ++++++ >From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 From: Vincent Rabaud <vrab...@google.com> Date: Mon, 11 Sep 2023 16:06:08 +0200 Subject: [PATCH] Fix invalid incremental decoding check. The first condition is only necessary if we have not read enough (enough being defined by src_last, not src_end which is the end of the image). The second condition now fits the comment below: "if not incremental, and we are past the end of buffer". BUG=oss-fuzz:62136 Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f --- src/dec/vp8l_dec.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) 
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c index 5ab34f56..809b1aa9 100644 --- a/src/dec/vp8l_dec.c +++ b/src/dec/vp8l_dec.c @@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data, } br->eos_ = VP8LIsEndOfStream(br); - if (dec->incremental_ && br->eos_ && src < src_end) { + // In incremental decoding: + // br->eos_ && src < src_last: if 'br' reached the end of the buffer and + // 'src_last' has not been reached yet, there is not enough data. 'dec' has to + // be reset until there is more data. + // !br->eos_ && src < src_last: this cannot happen as either the buffer is + // fully read, either enough has been read to reach 'src_last'. + // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go + // beyond 'src_last' in case the image is cropped and an LZ77 goes further. + // The buffer might have been enough or there is some left. 'br->eos_' does + // not matter. + assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last); + if (dec->incremental_ && br->eos_ && src < src_last) { RestoreState(dec); - } else if (!br->eos_) { + } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { // Process the remaining rows corresponding to last row-block. if (process_func != NULL) { process_func(dec, row > last_row ? last_row : row); -- 2.41.0
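Review bot: The new libwebp.changes entry (hunk @@ -1,0 +2,6 @@) names the patch but omits the bug and CVE references that the spec comment for the same patch carries (boo#1215231 CVE-2023-4863). Putting them on the changelog line, for example "- Add 0001-Fix-invalid-incremental-decoding-check.patch (boo#1215231, CVE-2023-4863)", keeps the two files in agreement and lets anyone searching the package changelog for that identifier find this update; "A fuzzing finding" alone does not identify it.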
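Review bot: The libwebp.spec hunk (@@ -29,6 +29,9 @@) only declares Patch2; no %prep change is part of this diff. Please confirm that %prep applies patches automatically (%autosetup or %autopatch) rather than through explicit %patch lines, otherwise the fix is shipped in the source package but never applied to the built library.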
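Review bot: In the DecodeImageData hunk of src/dec/vp8l_dec.c the new invariant is enforced only by assert(), which compiles out under NDEBUG. In such a build the state the comment calls impossible (incremental, !br->eos_ && src < src_last) does not hit RestoreState() and instead enters the row-processing branch through the "|| !br->eos_" term of the else-if. If that state must never lead to processing, handle it explicitly instead of relying on the assert, or say in the comment why falling through is safe. The assert condition can also be shortened: "(br->eos_ && src < src_last) || src >= src_last" is equivalent to "br->eos_ || src >= src_last". Minor wording in the comment: "either the buffer is fully read, either enough has been read" should be "either ... or ...".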