Accepting request 1198638 from graphics

OBS-URL: https://build.opensuse.org/request/show/1198638
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libwebp?expand=0&rev=40

0001-Fix-invalid-incremental-decoding-check.patch

@@ -1,48 +0,0 @@
-From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
-From: Vincent Rabaud <vrabaud@google.com>
-Date: Mon, 11 Sep 2023 16:06:08 +0200
-Subject: [PATCH] Fix invalid incremental decoding check.
-
-The first condition is only necessary if we have not read enough
-(enough being defined by src_last, not src_end which is the end
-of the image).
-The second condition now fits the comment below: "if not
-incremental, and we are past the end of buffer".
-
-BUG=oss-fuzz:62136
-
-Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
----
- src/dec/vp8l_dec.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 5ab34f56..809b1aa9 100644
---- a/src/dec/vp8l_dec.c
-+++ b/src/dec/vp8l_dec.c
-@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
-   }
- 
-   br->eos_ = VP8LIsEndOfStream(br);
--  if (dec->incremental_ && br->eos_ && src < src_end) {
-+  // In incremental decoding:
-+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
-+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
-+  // be reset until there is more data.
-+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
-+  // fully read, either enough has been read to reach 'src_last'.
-+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
-+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
-+  // The buffer might have been enough or there is some left. 'br->eos_' does
-+  // not matter.
-+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
-+  if (dec->incremental_ && br->eos_ && src < src_last) {
-     RestoreState(dec);
--  } else if (!br->eos_) {
-+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
-     // Process the remaining rows corresponding to last row-block.
-     if (process_func != NULL) {
-       process_func(dec, row > last_row ? last_row : row);
--- 
-2.41.0
-

libwebp-1.3.2.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmUCSVoACgkQ+cPWvbgj
-K13/+xAAxdcgcBz6PAuDriln0NcEGqzLkhstDJIsBr9E/VpXKrr1La4z/7IdCHZv
-fi7xkH9zBiz+DjhEKICi/ItCJ0toovn0tiZIYZDZWdZ+wyi1Sns+w7rIPjrjNYpN
-nHCRyG8CZfTPJhPyWwrxj+ESkzogDpd+zEewE4gpLq4K3+HWIVA+IOV8K6tDRXua
-HgmWqQ+BSqAH9tc2kb8OeUuEYhBevb6PP8ijMKrC04WFI7DaAgCr4JeS3+brTfg+
-CUEw2af1THOA1vKeNo42xInduX8fZ3HPHAFwJzfNxYzJOyPVsOfG2pDPuUngB360
-ejc1nBk/tjqmdw01cAjhOKNcY6vctAW3Q8akTI2jCZftEoCbSxLHHdPCGvVOU8xy
-zPLyq06k71GI6aPYCBUcBqoGSdhY4FsSFkAzc+Ix28h6sJ4jakYPeXq9YoE/66HW
-s4O7FhBvsGlrUgTehrnFGgX+G9IB63zldfI6XfKZ6Z8upD/oy3EWDPBdvIX2vDQj
-wxYZtOljtNprljhcQ8xu1Kc68M3H4UYiEynYt1bq0dLucXqbb+axhmv5WilAqoXH
-iZQxcg6K1OKNSW7XAc0T3a2un8mREJAy4EddBKSsgp7RnHoRkKDzrNzYTPw6DZeh
-861HUotMSKAFXSLPyVpZRIG6IX6R62e+TKY5zT2hlA7K7UneLFA=
-=/nBK
------END PGP SIGNATURE-----

libwebp-1.4.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61f873ec69e3be1b99535634340d5bde750b2e4447caa1db9f61be3fd49ab1e5
+size 4281370

libwebp-1.4.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmYZuzcACgkQ+cPWvbgj
+K12roBAAv0AS7ROXwqObQpRmhVrm7miHd2SH0OvUm5x2aBv70cAEV//IwGg3nMkp
+5y4ce/l/Z5TwIlZs+zUVjzYjmZ3+rsO/r1VY7hvaydnjyHPSUykAnp8zW9RiKfv4
+l4+RHTwvBKHTFKLcvyBx0oXWaS0fXhA09aXJXbBKxCyvI4YC7UfWmca+tVABv4Zo
+rp2G0HSrU+U2Tu8WZ7bRXEmr5bnNVl1JUNmxbMd5HuNR4YxDVs7+XGeDdNT74GQF
+tyB9Z7Wj5eeq1NYh97Ujzrd4ChmkJZHSr698jppfX5hShlFNr79nCYVtjnjyis6H
+299NJEHlN0pbHzhxFRudvnl98EW9gm8WxzA174lF8iQzQ4+KMs7GG3IFu4xqxkh+
+fHEMphhkarFGwjiH8y5JSHEuppEQswdKh/862XcBJEUwKPFTWC8sXfsVhwSiRiR7
+rM33Fjz7vNFgOKruTlHruVFjrbN+XIE/S87rlAO5GVJSndlJ5Mnq5vq6lqCOb0nW
+XDbMw9Glkg2Ao6/xwECS3OjItGUA5XHYwYYKlCQ1n3r5+MvqT+GIYbWA/3aVU0kE
+HOULCWnnKD7mx/uNnkQalVagPmhG9TgYiwHOJYibYTI5F+ITv+WE2WuXEVK6rr5F
+UVQd1Wv0F0vDevUfyeihW3opAqhqg/nloasC0PS+hgiSn4OV8HM=
+=Ty7E
+-----END PGP SIGNATURE-----

libwebp.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Tue May 21 14:21:04 UTC 2024 - Yann BOYER <yann.boyer742@gmail.com>
+
+- Update to 1.4.0 & fix libwebp.changes header from previous commit:
+  * further security related hardening in libwebp & examples
+  * some minor optimizations in the lossless encoder
+  * added WEBP_NODISCARD to report unused result warnings; enable with
+    -DWEBP_ENABLE_NODISCARD=1
+  * improvements and corrections in webp-container-spec.txt and
+    webp-lossless-bitstream-spec.txt (#611)
+  * miscellaneous warning, bug & build fixes
+- Remove 0001-Fix-invalid-incremental-decoding-check.patch
+
 -------------------------------------------------------------------
 Wed Sep 27 20:37:54 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
 

libwebp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libwebp
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           libwebp
-Version:        1.3.2
+Version:        1.4.0
 Release:        0
 Summary:        Library and tools for the WebP graphics format
 License:        BSD-3-Clause
@@ -29,9 +29,6 @@ Source2:        https://storage.googleapis.com/downloads.webmproject.org/release
 Source3:        %name.keyring
 Source4:        baselibs.conf
 
-# PATCH-FIX-UPSTREAM 0001-Fix-invalid-incremental-decoding-check.patch boo#1215231 CVE-2023-4863 xwang@suse.com -- Fix invalid incremental decoding check
-Patch2:         0001-Fix-invalid-incremental-decoding-check.patch
-
 BuildRequires:  giflib-devel
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(glut)