From 7b36c9255265099fedb24bc9faa60133d26e346f61e9f83b9eb6e78cf9fd1e9a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sun, 1 Oct 2023 14:30:23 +0000
Subject: [PATCH] Accepting request 1113927 from home:AndreasStieger:branches:graphics
- Add 0001-Fix-invalid-incremental-decoding-check.patch
 A fuzzing finding fixed in the SLE/Leap updates
OBS-URL: https://build.opensuse.org/request/show/1113927
OBS-URL: https://build.opensuse.org/package/show/graphics/libwebp?expand=0&rev=41
---
 ...x-invalid-incremental-decoding-check.patch | 48 +++++++++++++++++++
 libwebp.changes | 6 +++
 libwebp.spec | 3 ++
 3 files changed, 57 insertions(+)
 create mode 100644 0001-Fix-invalid-incremental-decoding-check.patch
diff --git a/0001-Fix-invalid-incremental-decoding-check.patch b/0001-Fix-invalid-incremental-decoding-check.patch
new file mode 100644
index 0000000..c80a24d
--- /dev/null
+++ b/0001-Fix-invalid-incremental-decoding-check.patch
@@ -0,0 +1,48 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 5ab34f56..809b1aa9 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+ }
+
+ br->eos_ = VP8LIsEndOfStream(br);
+- if (dec->incremental_ && br->eos_ && src < src_end) {
++ // In incremental decoding:
++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++ // be reset until there is more data.
++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++ // fully read, either enough has been read to reach 'src_last'.
++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++ // The buffer might have been enough or there is some left. 'br->eos_' does
++ // not matter.
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++ if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+- } else if (!br->eos_) {
++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+ process_func(dec, row > last_row ? last_row : row);
+--
+2.41.0
+
diff --git a/libwebp.changes b/libwebp.changes
index 7d2470a..702b24d 100644
--- a/libwebp.changes
+++ b/libwebp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 27 20:37:54 UTC 2023 - Andreas Stieger
+
+- Add 0001-Fix-invalid-incremental-decoding-check.patch
+ A fuzzing finding fixed in the SLE/Leap updates
+
 -------------------------------------------------------------------
 Fri Sep 15 07:37:46 UTC 2023 - Andreas Stieger
diff --git a/libwebp.spec b/libwebp.spec
index 49706d7..19bea91 100644
--- a/libwebp.spec
+++ b/libwebp.spec
@@ -29,6 +29,9 @@ Source2: https://storage.googleapis.com/downloads.webmproject.org/release
 Source3: %name.keyring
 Source4: baselibs.conf
+# PATCH-FIX-UPSTREAM 0001-Fix-invalid-incremental-decoding-check.patch boo#1215231 CVE-2023-4863 xwang@suse.com -- Fix invalid incremental decoding check
+Patch2: 0001-Fix-invalid-incremental-decoding-check.patch
+
 BuildRequires: giflib-devel
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(glut)
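Review bot: The invariant spelled out in the new comment block is enforced only by the added `assert`, which is compiled out under NDEBUG, so in release builds the state the comment calls impossible (`dec->incremental_ && !br->eos_ && src < src_last`) is not rejected: the new `if` needs `br->eos_`, and the new `else if` then admits it through its `|| !br->eos_` arm, calling process_func on rows of a row-block that was not fully read. The comment explains why the state cannot occur but says nothing about what the release path does if that reasoning is ever wrong, which is exactly what an auditor of fuzzer-reported inputs needs to know. I would add one line after the assert: `// NDEBUG builds skip the assert: the 'cannot happen' case then takes the '!br->eos_' branch below.` DecodeImageData begins and ends outside this hunk, so the non-incremental "past the end of buffer" check that the description refers to is not visible here.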
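Review bot: The new PATCH-FIX-UPSTREAM line tags this patch with CVE-2023-4863, but the patch header being added cites only `BUG=oss-fuzz:62136` and describes an incremental-decoding check, and the changelog entry in this same commit calls it "a fuzzing finding", not a CVE fix. As far as I recall, upstream's fix for that CVE is the out-of-bounds write in the Huffman table construction, so this looks like a follow-up from the same security update rather than the CVE fix itself; if so, the tag as written will mislead anyone tracing which patch closes the CVE. I would either drop the CVE from the tag or make the relationship explicit, e.g. `# PATCH-FIX-UPSTREAM 0001-Fix-invalid-incremental-decoding-check.patch boo#1215231 xwang@suse.com -- Fix invalid incremental decoding check (oss-fuzz:62136, follow-up shipped with the CVE-2023-4863 update)`.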