From d13927bee7d0a6d837c9237259081dcc7035f6b9037dcdd6767a04e2eaf3e198 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 29 Nov 2023 06:54:11 +0000
Subject: [PATCH] Accepting request 1129665 from home:AndreasStieger:branches:multimedia:libs libavif 1.0.2 CVE-2023-6350 boo#1217614 CVE-2023-6351 boo#1217615 OBS-URL: https://build.opensuse.org/request/show/1129665 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libavif?expand=0&rev=54
---
 fix-gdkpixbuf.patch | 24 ------------------------
 libavif-1.0.0.tar.gz | 3 ---
 libavif-1.0.2.tar.gz | 3 +++
 libavif.changes | 11 +++++++++++
 libavif.spec | 18 ++++++++----------
 5 files changed, 22 insertions(+), 37 deletions(-)
 delete mode 100644 fix-gdkpixbuf.patch
 delete mode 100644 libavif-1.0.0.tar.gz
 create mode 100644 libavif-1.0.2.tar.gz
diff --git a/fix-gdkpixbuf.patch b/fix-gdkpixbuf.patch
deleted file mode 100644
index 2e734ba..0000000
--- a/fix-gdkpixbuf.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 8e79701b2d2b8cd872d23b7c9e5e746b61cab65e Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao
-Date: Tue, 29 Aug 2023 13:08:33 +0800
-Subject: [PATCH] gdk-pixbuf: Fix build failure after imir.mode -> imir.axis
- rename
-
-Fixes #1526.
----
- contrib/gdk-pixbuf/loader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/contrib/gdk-pixbuf/loader.c b/contrib/gdk-pixbuf/loader.c
-index 47e25a13b..868b054fb 100644
---- a/contrib/gdk-pixbuf/loader.c
-+++ b/contrib/gdk-pixbuf/loader.c
-@@ -209,7 +209,7 @@ static gboolean avif_context_try_load(struct avif_context * context, GError ** e
- if (image->transformFlags & AVIF_TRANSFORM_IMIR) {
- GdkPixbuf *output_mirrored = NULL;
-
-- switch (image->imir.mode) {
-+ switch (image->imir.axis) {
- case 0:
- output_mirrored = gdk_pixbuf_flip(output, FALSE);
- break;
diff --git a/libavif-1.0.0.tar.gz b/libavif-1.0.0.tar.gz
deleted file mode 100644
index b8b7c0c..0000000
--- a/libavif-1.0.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:410f85cf0d13f403b41197c0774da469f5d73b89aa06d40fc726165377f215a0
-size 10569801
diff --git a/libavif-1.0.2.tar.gz b/libavif-1.0.2.tar.gz
new file mode 100644
index 0000000..ff609e2
--- /dev/null
+++ b/libavif-1.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de8bf79488c5b523b77358df8b85ae69c3078e6b3f1636fc1f313f952269ad20
+size 10576546
diff --git a/libavif.changes b/libavif.changes
index aa83292..fee43d2 100644
--- a/libavif.changes
+++ b/libavif.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Nov 28 20:40:32 UTC 2023 - Andreas Stieger
+
+- update to 1.0.2:
+ * Update avifCropRectConvertCleanApertureBox() to the revised
+ requirements in ISO/IEC 23000-22:2019/Amd. 2:2021 Section
+ 7.3.6.7.
+ * CVE-2023-6350: Out of bounds memory to alphaItemIndices (boo#1217614)
+ * CVE-2023-6351: use-after-free in colorProperties (boo#1217615)
+- drop fix-gdkpixbuf.patch
+
 -------------------------------------------------------------------
 Tue Aug 29 05:18:59 UTC 2023 - Paolo Stivanin
diff --git a/libavif.spec b/libavif.spec
index ca5f169..714bfb3 100644
--- a/libavif.spec
+++ b/libavif.spec
@@ -16,6 +16,9 @@
 #
+# Also update baselibs.conf if you bump the version
+%global lib_soversion 16
+%global lib_name libavif%{lib_soversion}
 %if 0%{?suse_version} >= 1550
 %bcond_without aom
 %bcond_without yuv
@@ -23,13 +26,8 @@
 %bcond_with aom
 %bcond_with yuv
 %endif
-
-# Also update baselibs.conf if you bump the version
-%global lib_soversion 16
-%global lib_name libavif%{lib_soversion}
-
 Name: libavif
-Version: 1.0.0
+Version: 1.0.2
 Release: 0
 Summary: Library for encoding and decoding .avif files
 License: BSD-2-Clause
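Review bot: The relocated comment in the first libavif.spec hunk, `# Also update baselibs.conf if you bump the version`, is ambiguous about which version it means: it sits directly above `%global lib_soversion 16`, yet this same commit bumps `Version` from 1.0.0 to 1.0.2 without touching baselibs.conf (it is not in the diffstat). That suggests the trigger is the soversion rather than the package version, so the wording could say so, e.g. `# Also update baselibs.conf if you bump lib_soversion`. baselibs.conf itself is not part of this patch, so this reading is inferred from the macro names and should be confirmed against that file.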
@@ -37,11 +35,10 @@ Group: Development/Libraries/C and C++
 URL: https://github.com/AOMediaCodec/libavif
 Source: https://github.com/AOMediaCodec/libavif/archive/v%{version}/%{name}-%{version}.tar.gz
 Source99: baselibs.conf
-# PATCH-FIX-UPSTREAM https://github.com/AOMediaCodec/libavif/pull/1528
-Patch0: fix-gdkpixbuf.patch
+BuildRequires: c++_compiler
 BuildRequires: cmake
-BuildRequires: gcc-c++
 BuildRequires: libjpeg8-devel
+BuildRequires: pkgconfig
 BuildRequires: pkgconfig(dav1d)
 BuildRequires: pkgconfig(gdk-pixbuf-2.0)
 BuildRequires: pkgconfig(glib-2.0)
@@ -97,10 +94,10 @@ Group: Development/Libraries/C and C++
 A pixbuf-loader plugin to load AVIF images in GTK+ applications.
 %package devel
-Requires: %{lib_name} = %{version}-%{release}
 #
 Summary: Development files for libavif
 Group: Development/Libraries/C and C++
+Requires: %{lib_name} = %{version}-%{release}
 %description devel
 This library aims to be a friendly, portable C implementation of the AV1 Image
@@ -148,6 +145,7 @@ This package holds the development files for libavif.
 %{_bindir}/avifenc
 %files -n gdk-pixbuf-loader-libavif
+%license LICENSE
 %{_libdir}/gdk-pixbuf-2.0/*/loaders/libpixbufloader-avif.so
 %dir %{_datadir}/thumbnailers
 %{_datadir}/thumbnailers/avif.thumbnailer