Sync from SUSE:SLFO:1.1 libwebp revision 1aae0478aeba9a1dc6f2a3df14ecc1c4

0001-Fix-invalid-incremental-decoding-check.patch

@@ -0,0 +1,48 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 5ab34f56..809b1aa9 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+ 
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+-- 
+2.41.0
+

libwebp-1.3.2.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmUCSVoACgkQ+cPWvbgj
+K13/+xAAxdcgcBz6PAuDriln0NcEGqzLkhstDJIsBr9E/VpXKrr1La4z/7IdCHZv
+fi7xkH9zBiz+DjhEKICi/ItCJ0toovn0tiZIYZDZWdZ+wyi1Sns+w7rIPjrjNYpN
+nHCRyG8CZfTPJhPyWwrxj+ESkzogDpd+zEewE4gpLq4K3+HWIVA+IOV8K6tDRXua
+HgmWqQ+BSqAH9tc2kb8OeUuEYhBevb6PP8ijMKrC04WFI7DaAgCr4JeS3+brTfg+
+CUEw2af1THOA1vKeNo42xInduX8fZ3HPHAFwJzfNxYzJOyPVsOfG2pDPuUngB360
+ejc1nBk/tjqmdw01cAjhOKNcY6vctAW3Q8akTI2jCZftEoCbSxLHHdPCGvVOU8xy
+zPLyq06k71GI6aPYCBUcBqoGSdhY4FsSFkAzc+Ix28h6sJ4jakYPeXq9YoE/66HW
+s4O7FhBvsGlrUgTehrnFGgX+G9IB63zldfI6XfKZ6Z8upD/oy3EWDPBdvIX2vDQj
+wxYZtOljtNprljhcQ8xu1Kc68M3H4UYiEynYt1bq0dLucXqbb+axhmv5WilAqoXH
+iZQxcg6K1OKNSW7XAc0T3a2un8mREJAy4EddBKSsgp7RnHoRkKDzrNzYTPw6DZeh
+861HUotMSKAFXSLPyVpZRIG6IX6R62e+TKY5zT2hlA7K7UneLFA=
+=/nBK
+-----END PGP SIGNATURE-----

libwebp-1.5.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmdkzo4ACgkQ+cPWvbgj
-K10s6BAAkRjFXqBHZw+iXFfNLGrz/DyjhBQmsTOC8F+/2YBBqSzy93/+/zX8PMb7
-n5A1ZnQgmPSN2N327MXssOfVs6Lj7SNE/7Txyby6Yeei+eD6QK83f1ssz1tmoMRO
-/nSeBDA/7jKLtmN/1olopMI8VqaUFyMTe9FVnD5CcjcObuPJVpm1b1hiTFKoPDkT
-mExPdjc/A84fagUtss0dmA7cBi3ykoCc2UKZQfMKX30wD6jYrJZfuoniJYb0UH+N
-SESFEiYm6QmYZekYWAs7ESZkGJQCb7OmGUnxLRpjNXermNmbR+ynFS4leKcO//Gz
-vLyULPBZL/I5AYUm7lub9Xbwq6JQJG1GNAxlNHCvxaV1imLAhpAGdhwOyp70y7WN
-7a0NbC3dRXMJWpunBwFFXroB0wiiHoIt+GxgB+JPInj6SUkkFdBPrSYUs0rZFNMv
-6EniX53bLSXql2r8wOJrT3Uif63qbYfDUg7IF2Iy1U3qNjgJE7pzUDji5+SRJAkU
-mIdfoHVDekGY3/Jyvtty4AYm93V9OInoek5fcyoAZdrwbwhtPsmQwtmrrYr74lOg
-79tPdKYwiY/9XGSsgvHo6ESGOEtFDqvrEvTHDCDCk7iT563Ahp96t4Sz8EJULAKx
-uLUgchzmLadZLy7qoWr5gJ7gGR2i3Jl/be6cQexjakdVRURlEtk=
-=bCkl
------END PGP SIGNATURE-----

libwebp.changes

@@ -1,37 +1,3 @@
--------------------------------------------------------------------
-Tue Dec 31 23:56:38 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
-
-- Update to release 1.5.0
-  * API changes: `cross_color_transform_bits` added to WebPAuxStats
-  * Minor lossless encoder speed and compression improvements
-  * Lossless encoding does not use floats anymore
-  * Additional ARM optimizations for lossy & lossless + general
-    code generation improvements
-  * Tool updates:
-  * gif2webp: added -sharp_yuv & -near_lossless
-  * img2webp: added -exact & -noexact
-  * Exit codes normalized; running an example program with no
-    arguments will output its help and exit with an error.
-
--------------------------------------------------------------------
-Sat Nov  9 20:45:59 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
-
-- switch to cmake based build as other packages now require the
-  cmake finders
-
--------------------------------------------------------------------
-Tue May 21 14:21:04 UTC 2024 - Yann BOYER <yann.boyer742@gmail.com>
-
-- Update to 1.4.0 & fix libwebp.changes header from previous commit:
-  * further security related hardening in libwebp & examples
-  * some minor optimizations in the lossless encoder
-  * added WEBP_NODISCARD to report unused result warnings; enable with
-    -DWEBP_ENABLE_NODISCARD=1
-  * improvements and corrections in webp-container-spec.txt and
-    webp-lossless-bitstream-spec.txt (#611)
-  * miscellaneous warning, bug & build fixes
-- Remove 0001-Fix-invalid-incremental-decoding-check.patch
-
 -------------------------------------------------------------------
 Wed Sep 27 20:37:54 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
 

libwebp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libwebp
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           libwebp
-Version:        1.5.0
+Version:        1.3.2
 Release:        0
 Summary:        Library and tools for the WebP graphics format
 License:        BSD-3-Clause
@@ -29,7 +29,9 @@ Source2:        https://storage.googleapis.com/downloads.webmproject.org/release
 Source3:        %name.keyring
 Source4:        baselibs.conf
 
-BuildRequires:  cmake
+# PATCH-FIX-UPSTREAM 0001-Fix-invalid-incremental-decoding-check.patch boo#1215231 CVE-2023-4863 xwang@suse.com -- Fix invalid incremental decoding check
+Patch2:         0001-Fix-invalid-incremental-decoding-check.patch
+
 BuildRequires:  giflib-devel
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(glut)
@@ -140,19 +142,27 @@ images more efficiently.
 %autosetup -p1
 
 %build
-%cmake
+%configure --disable-static \
-%cmake_build
+	--enable-libwebpmux --enable-libwebpdemux \
+	--enable-libwebpdecoder --enable-libwebpextras
+%make_build
 
 %install
-%cmake_install
+%make_install
 find "%buildroot" -type f -name "*.la" -delete -print
 
-%ldconfig_scriptlets -n libwebp7
+%post   -n libwebp7 -p /sbin/ldconfig
-%ldconfig_scriptlets -n libwebpdemux2
+%postun -n libwebp7 -p /sbin/ldconfig
-%ldconfig_scriptlets -n libwebpmux3
+%post   -n libwebpdemux2 -p /sbin/ldconfig
-%ldconfig_scriptlets -n libwebpdecoder3
+%postun -n libwebpdemux2 -p /sbin/ldconfig
-%ldconfig_scriptlets -n libsharpyuv0
+%post   -n libwebpmux3 -p /sbin/ldconfig
-%ldconfig_scriptlets -n libwebpextras0
+%postun -n libwebpmux3 -p /sbin/ldconfig
+%post   -n libwebpdecoder3 -p /sbin/ldconfig
+%postun -n libwebpdecoder3 -p /sbin/ldconfig
+%post   -n libsharpyuv0 -p /sbin/ldconfig
+%postun -n libsharpyuv0 -p /sbin/ldconfig
+%post   -n libwebpextras0 -p /sbin/ldconfig
+%postun -n libwebpextras0 -p /sbin/ldconfig
 
 %files -n libwebp-tools
 %_bindir/*
@@ -184,6 +194,5 @@ find "%buildroot" -type f -name "*.la" -delete -print
 %_includedir/webp/
 %_libdir/pkgconfig/libwebp*.pc
 %_libdir/pkgconfig/libsharpyuv.pc
-%_datadir/WebP/
 
 %changelog