Sync from SUSE:SLFO:1.1 capstone revision 033ac2f7f0b989ece5980ee08b61b805

capstone.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Dec 23 15:10:39 UTC 2025 - Dario Faggioli <dfaggioli@suse.com>
+
+- fix bsc#1255309 (CVE-2025-67873)
+  Patch added:
+  * fix-unchecked-lenght-cbef76.patch 
+
+-------------------------------------------------------------------
+Fri Dec 19 13:24:25 UTC 2025 - Dario Faggioli <dfaggioli@suse.com>
+
+- Fix bsc#1255310 (CVE-2025-68114)
+  Patch added:
+  * fix-buffer-overflow-2c7797.patch 
+
 -------------------------------------------------------------------
 Tue Jan  3 15:28:46 UTC 2023 - Martin Wilck <mwilck@suse.com>
 

capstone.spec

@@ -25,6 +25,10 @@ License:        BSD-3-Clause
 Group:          Development/Tools/Building
 URL:            https://www.capstone-engine.org
 Source:         https://github.com/aquynh/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# Fixes issue with .... upstream commit 2c7797
+# URL: https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e.patch
+Patch0:         fix-buffer-overflow-2c7797.patch
+Patch1:         fix-unchecked-lenght-cbef76.patch
 BuildRequires:  fdupes
 BuildRequires:  pkgconfig
 BuildRequires:  python-rpm-macros
@@ -77,7 +81,7 @@ Capstone is a multi-architecture disassembly framework.
 This package contains the Capstone bindings for Python.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 CAPSTONE_ARCHS="arm aarch64 mips powerpc sparc systemz x86" CAPSTONE_STATIC="yes" \

fix-buffer-overflow-2c7797.patch

@@ -0,0 +1,72 @@
+From ed4c30c3385c4071737831f1b61788add040f4dc Mon Sep 17 00:00:00 2001
+From: Rot127 <45763064+Rot127@users.noreply.github.com>
+Date: Wed, 17 Dec 2025 14:01:10 +0000
+Subject: [PATCH] Merge commit from fork
+
+* Check return value of cs_vsnprintf for negative values.
+
+This prevents underflow of SStream.index.
+This bug was reported by Github user Finder16.
+
+* Add overflow check before adding cs_vsnprintf return value.
+
+[DF: Removed the test related hunks;]
+
+(cherry picked from commit 2c7797182a1618be12017d7d41e0b6581d5d529e)
+
+* Introduce the macro SSTREAM_OVERFLOW_CHECK
+
+(cherry picked from commit af1ed2fb3d9d67926389a71e12531bef76f50482)
+
+References: bsc#1255310 (CVE-2025-68114)
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ SStream.c |  4 ++++
+ SStream.h | 12 +++++++++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/SStream.c b/SStream.c
+index 5ae237fd..a4224835 100644
+--- a/SStream.c
++++ b/SStream.c
+@@ -48,6 +48,10 @@ void SStream_concat(SStream *ss, const char *fmt, ...)
+ 	va_start(ap, fmt);
+ 	ret = cs_vsnprintf(ss->buffer + ss->index, sizeof(ss->buffer) - (ss->index + 1), fmt, ap);
+ 	va_end(ap);
++	if (ret < 0) {
++		return;
++	}
++	SSTREAM_OVERFLOW_CHECK(ss, ret);
+ 	ss->index += ret;
+ #endif
+ }
+diff --git a/SStream.h b/SStream.h
+index 3473085d..1869978d 100644
+--- a/SStream.h
++++ b/SStream.h
+@@ -6,11 +6,21 @@
+ 
+ #include "include/capstone/platform.h"
+ 
++#define SSTREAM_BUF_LEN 512
++
+ typedef struct SStream {
+-	char buffer[512];
++	char buffer[SSTREAM_BUF_LEN];
+ 	int index;
+ } SStream;
+ 
++#define SSTREAM_OVERFLOW_CHECK(OS, len) \
++do { \
++	if (OS->index + len + 1 > SSTREAM_BUF_LEN) { \
++		fprintf(stderr, "Buffer overflow caught!\n"); \
++		return; \
++	} \
++} while(0)
++
+ void SStream_Init(SStream *ss);
+ 
+ void SStream_concat(SStream *ss, const char *fmt, ...);
+-- 
+2.52.0
+

fix-unchecked-lenght-cbef76.patch

@@ -0,0 +1,55 @@
+From 423bc64c7dbd06e5d3c6aeb3d120fd428e704c41 Mon Sep 17 00:00:00 2001
+From: Rot127 <45763064+Rot127@users.noreply.github.com>
+Date: Wed, 17 Dec 2025 14:01:34 +0000
+Subject: [PATCH] Merge commit from fork
+
+The overflow was reported by Github user Finder16
+
+(cherry picked from commit cbef767ab33b82166d263895f24084b75b316df3)
+References: bsc#1255309 (CVE-2025-67873)
+[DF: Remove the tests related hunks of the commit;]
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ cs.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/cs.c b/cs.c
+index 98f30f76..495dbeb1 100644
+--- a/cs.c
++++ b/cs.c
+@@ -916,10 +916,13 @@ size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size, uint64
+ 				skipdata_bytes = handle->skipdata_size;
+ 
+ 			// we have to skip some amount of data, depending on arch & mode
+-			insn_cache->id = 0;	// invalid ID for this "data" instruction
++			// invalid ID for this "data" instruction
++			insn_cache->id = 0;
+ 			insn_cache->address = offset;
+-			insn_cache->size = (uint16_t)skipdata_bytes;
+-			memcpy(insn_cache->bytes, buffer, skipdata_bytes);
++			insn_cache->size = (uint16_t)MIN(
++				skipdata_bytes, sizeof(insn_cache->bytes));
++			memcpy(insn_cache->bytes, buffer,
++			       MIN(skipdata_bytes, sizeof(insn_cache->bytes)));
+ #ifdef CAPSTONE_DIET
+ 			insn_cache->mnemonic[0] = '\0';
+ 			insn_cache->op_str[0] = '\0';
+@@ -1128,12 +1131,13 @@ bool CAPSTONE_API cs_disasm_iter(csh ud, const uint8_t **code, size_t *size,
+ 		// we have to skip some amount of data, depending on arch & mode
+ 		insn->id = 0;	// invalid ID for this "data" instruction
+ 		insn->address = *address;
+-		insn->size = (uint16_t)skipdata_bytes;
++		insn->size = (uint16_t)MIN(skipdata_bytes, sizeof(insn->bytes));
++		memcpy(insn->bytes, *code,
++		       MIN(skipdata_bytes, sizeof(insn->bytes)));
+ #ifdef CAPSTONE_DIET
+ 		insn->mnemonic[0] = '\0';
+ 		insn->op_str[0] = '\0';
+ #else
+-		memcpy(insn->bytes, *code, skipdata_bytes);
+ 		strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
+ 				sizeof(insn->mnemonic) - 1);
+ 		skipdata_opstr(insn->op_str, *code, skipdata_bytes);
+-- 
+2.52.0
+