3 changed files with 67 additions and 2 deletions
--- a/lz4-CVE-2025-62813.patch
+++ b/lz4-CVE-2025-62813.patch
@@ -0,0 +1,55 @@
+Index: lz4-1.10.0/lib/lz4frame.c
+===================================================================
+--- lz4-1.10.0.orig/lib/lz4frame.c
+++ lz4-1.10.0/lib/lz4frame.c
+@@ -539,9 +539,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+     const char* dictStart = (const char*)dictBuffer;
+-    LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
+    LZ4F_CDict* cdict = NULL;
+
+     DEBUGLOG(4, "LZ4F_createCDict_advanced");
+-    if (!cdict) return NULL;
+
+    if (!dictStart)
+        return NULL;
+    cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
+    if (!cdict)
+        return NULL;
+
+     cdict->cmem = cmem;
+     if (dictSize > 64 KB) {
+         dictStart += dictSize - 64 KB;
+@@ -1486,6 +1493,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_
+                                    LZ4F_frameInfo_t* frameInfoPtr,
+                              const void* srcBuffer, size_t* srcSizePtr)
+ {
+    assert(dctx != NULL);
+    RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
+    RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
+
+     LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+     if (dctx->dStage > dstage_storeFrameHeader) {
+         /* frameInfo already decoded */
+Index: lz4-1.10.0/tests/frametest.c
+===================================================================
+--- lz4-1.10.0.orig/tests/frametest.c
+++ lz4-1.10.0/tests/frametest.c
+@@ -714,10 +714,13 @@ static int unitTests(U32 seed, double co
+         size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+         size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+         size_t cSizeNoDict, cSizeWithDict;
+-        LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+-        if (cdict == NULL) goto _output_error;
+-        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
+        LZ4F_CDict* cdict = NULL;
+ 
+        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
+        cdict = LZ4F_createCDict(CNBuffer, dictSize);
+        if (cdict == NULL)
+            goto _output_error;
+
+         DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+         {   LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+             if (cda == NULL) goto _output_error;
--- a/lz4.changes
+++ b/lz4.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Oct 29 10:49:47 UTC 2025 - pgajdos@suse.com
+
+- security update
+- added patches
+  CVE-2025-62813 [bsc#1252557], incorrect error handling when passing
+   a NULL pointer to lz4frame functions allows for application crash
+   when processing untrusted LZ4 frames
+  * lz4-CVE-2025-62813.patch
+
 -------------------------------------------------------------------
 Wed Aug 14 16:09:45 UTC 2024 - Ben Greiner <code@bnavigator.de>

--- a/lz4.spec
+++ b/lz4.spec
@@ -29,6 +29,7 @@ URL:            https://lz4.github.io/lz4/
 Source:         https://github.com/lz4/lz4/archive/v%version.tar.gz
 Source99:       baselibs.conf
 Patch2:         lz-export.diff
+Patch3:         lz4-CVE-2025-62813.patch
 BuildRequires:  pkgconfig
 BuildRequires:  cmake
 BuildRequires:  fdupes
@@ -84,8 +85,7 @@ applications that want to make use of liblz4.

 %check
 LD_LIBRARY_PATH="%buildroot/%_libdir" ldd -r "%buildroot/%_bindir/lz4"
-# TS fails on its own help output
-%make_build check -k || :
+%make_build check -k

 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig