Accepting request 1110966 from home:xiaoguang_wang:branches:graphics

- Add 0001-Fix-invalid-incremental-decoding-check.patch:
  [boo#1215231] [CVE-2023-4863]

OBS-URL: https://build.opensuse.org/request/show/1110966
OBS-URL: https://build.opensuse.org/package/show/graphics/libwebp?expand=0&rev=37

0001-Fix-invalid-incremental-decoding-check.patch

@@ -0,0 +1,48 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud <vrabaud@google.com>
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 5ab34f56..809b1aa9 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+   }
+ 
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
++  // In incremental decoding:
++  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++  // be reset until there is more data.
++  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++  // fully read, either enough has been read to reach 'src_last'.
++  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++  // The buffer might have been enough or there is some left. 'br->eos_' does
++  // not matter.
++  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
++  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
+-- 
+2.41.0
+

libwebp.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Sep 14 01:27:02 UTC 2023 - Xiaoguang Wang <xiaoguang.wang@suse.com>
+
+- Add 0001-Fix-invalid-incremental-decoding-check.patch:
+  [boo#1215231] [CVE-2023-4863]
+
 -------------------------------------------------------------------
 Tue Sep 12 12:53:18 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 

libwebp.spec

@@ -29,6 +29,7 @@ Source2:        https://storage.googleapis.com/downloads.webmproject.org/release
 Source3:        %name.keyring
 Source4:        baselibs.conf
 Patch1:         0001-Fix-OOB-write-in-BuildHuffmanTable.patch
+Patch2:         0001-Fix-invalid-incremental-decoding-check.patch
 
 BuildRequires:  giflib-devel
 BuildRequires:  pkgconfig