From 74c8ad1e4aedebaf670464e4b37a950b21570cb614af75ae7b3e60c3198c1a43 Mon Sep 17 00:00:00 2001
From: Petr Gajdos <pgajdos@suse.cz>
Date: Wed, 29 Oct 2025 12:06:28 +0100
Subject: [PATCH 1/2] fix CVE-2025-62813

---
 lz4-CVE-2025-62813.patch | 55 ++++++++++++++++++++++++++++++++++++++++
 lz4.changes              | 10 ++++++++
 lz4.spec                 |  1 +
 3 files changed, 66 insertions(+)
 create mode 100644 lz4-CVE-2025-62813.patch

diff --git a/lz4-CVE-2025-62813.patch b/lz4-CVE-2025-62813.patch
new file mode 100644
index 0000000..400c550
--- /dev/null
+++ b/lz4-CVE-2025-62813.patch
@@ -0,0 +1,55 @@
+Index: lz4-1.10.0/lib/lz4frame.c
+===================================================================
+--- lz4-1.10.0.orig/lib/lz4frame.c
++++ lz4-1.10.0/lib/lz4frame.c
+@@ -539,9 +539,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+     const char* dictStart = (const char*)dictBuffer;
+-    LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    LZ4F_CDict* cdict = NULL;
++
+     DEBUGLOG(4, "LZ4F_createCDict_advanced");
+-    if (!cdict) return NULL;
++
++    if (!dictStart)
++        return NULL;
++    cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    if (!cdict)
++        return NULL;
++
+     cdict->cmem = cmem;
+     if (dictSize > 64 KB) {
+         dictStart += dictSize - 64 KB;
+@@ -1486,6 +1493,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_
+                                    LZ4F_frameInfo_t* frameInfoPtr,
+                              const void* srcBuffer, size_t* srcSizePtr)
+ {
++    assert(dctx != NULL);
++    RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++    RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+     LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+     if (dctx->dStage > dstage_storeFrameHeader) {
+         /* frameInfo already decoded */
+Index: lz4-1.10.0/tests/frametest.c
+===================================================================
+--- lz4-1.10.0.orig/tests/frametest.c
++++ lz4-1.10.0/tests/frametest.c
+@@ -714,10 +714,13 @@ static int unitTests(U32 seed, double co
+         size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+         size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+         size_t cSizeNoDict, cSizeWithDict;
+-        LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+-        if (cdict == NULL) goto _output_error;
+-        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        LZ4F_CDict* cdict = NULL;
+ 
++        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        cdict = LZ4F_createCDict(CNBuffer, dictSize);
++        if (cdict == NULL)
++            goto _output_error;
++
+         DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+         {   LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+             if (cda == NULL) goto _output_error;
diff --git a/lz4.changes b/lz4.changes
index 69a8349..1934e88 100644
--- a/lz4.changes
+++ b/lz4.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Oct 29 10:49:47 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2025-62813 [bsc#1252557], incorrect error handling when passing
+   a NULL pointer to lz4frame functions allows for application crash
+   when processing untrusted LZ4 frames
+  * lz4-CVE-2025-62813.patch
+
 -------------------------------------------------------------------
 Wed Aug 14 16:09:45 UTC 2024 - Ben Greiner <code@bnavigator.de>
 
diff --git a/lz4.spec b/lz4.spec
index 2fff8f8..46a2ab8 100644
--- a/lz4.spec
+++ b/lz4.spec
@@ -29,6 +29,7 @@ URL:            https://lz4.github.io/lz4/
 Source:         https://github.com/lz4/lz4/archive/v%version.tar.gz
 Source99:       baselibs.conf
 Patch2:         lz-export.diff
+Patch3:         lz4-CVE-2025-62813.patch
 BuildRequires:  pkgconfig
 BuildRequires:  cmake
 BuildRequires:  fdupes
-- 
2.51.1


From e63d10ee2763d202f1dd4de40d8bba1411fa9f22f6fb52c6fd1e5325701be3d5 Mon Sep 17 00:00:00 2001
From: Petr Gajdos <pgajdos@suse.cz>
Date: Wed, 29 Oct 2025 14:02:25 +0100
Subject: [PATCH 2/2] do not ignore testsuite results

---
 lz4.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lz4.spec b/lz4.spec
index 46a2ab8..861af26 100644
--- a/lz4.spec
+++ b/lz4.spec
@@ -85,8 +85,7 @@ applications that want to make use of liblz4.
 
 %check
 LD_LIBRARY_PATH="%buildroot/%_libdir" ldd -r "%buildroot/%_bindir/lz4"
-# TS fails on its own help output
-%make_build check -k || :
+%make_build check -k
 
 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig
-- 
2.51.1