Accepting request 976218 from home:pgajdos

- security update
- added patches
  fix CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
  + htmldoc-CVE-2022-27114.patch

OBS-URL: https://build.opensuse.org/request/show/976218
OBS-URL: https://build.opensuse.org/package/show/Publishing/htmldoc?expand=0&rev=34

htmldoc-CVE-2022-27114.patch

@@ -0,0 +1,72 @@
+diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
+index 8aeccced..9b4d11de 100644
+--- a/htmldoc/image.cxx
++++ b/htmldoc/image.cxx
+@@ -26,6 +26,13 @@ extern "C" {		/* Workaround for JPEG header problems... */
+ #endif // HAVE_LIBPNG
+ 
+ 
++/*
++ * Limits...
++ */
++
++#define IMAGE_MAX_DIM	37837		// Maximum dimension - sqrt(4GiB / 3)
++
++
+ /*
+  * GIF definitions...
+  */
+@@ -926,7 +933,7 @@ image_load_bmp(image_t *img,	/* I - Image to load into */
+   colors_used      = (int)read_dword(fp);
+   read_dword(fp);
+ 
+-  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
+     return (-1);
+ 
+   if (info_size > 40)
+@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+   img->height = (buf[9] << 8) | buf[8];
+   ncolors     = 2 << (buf[10] & 0x07);
+ 
+-  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+     return (-1);
+ 
+   // If we are writing an encrypted PDF file, bump the use count so we create
+@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img,	/* I - Image pointer */
+           img->height = (buf[7] << 8) | buf[6];
+           img->depth  = gray ? 1 : 3;
+ 
+-	  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
++	  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+ 	    return (-1);
+ 
+           if (transparent >= 0)
+@@ -1443,6 +1450,12 @@ JSAMPROW			row;		/* Sample row pointer */
+   img->height = (int)cinfo.output_height;
+   img->depth  = (int)cinfo.output_components;
+ 
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
++  {
++    jpeg_destroy_decompress(&cinfo);
++    return (-1);
++  }
++
+   if (!load_data)
+   {
+     jpeg_destroy_decompress(&cinfo);
+@@ -1598,6 +1611,12 @@ image_load_png(image_t *img,	/* I - Image pointer */
+   img->width  = (int)png_get_image_width(pp, info);
+   img->height = (int)png_get_image_height(pp, info);
+ 
++  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
++  {
++    png_destroy_read_struct(&pp, &info, NULL);
++    return (-1);
++  }
++
+   if (color_type & PNG_COLOR_MASK_ALPHA)
+   {
+     if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
+

htmldoc.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed May 11 07:35:17 UTC 2022 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+  + htmldoc-CVE-2022-27114.patch
+
 -------------------------------------------------------------------
 Fri Apr 29 06:02:30 UTC 2022 - pgajdos@suse.com
 

htmldoc.spec

@@ -26,6 +26,8 @@ URL:            https://michaelrsweet.github.io/htmldoc/index.html
 Source:         https://github.com/michaelrsweet/htmldoc/releases/download/v%{version}/htmldoc-%{version}-source.tar.gz
 # CVE-2022-28085 [bsc#1198933], Heap buffer overflow in function pdf_write_names in ps-pdf.cxx
 Patch0:         htmldoc-CVE-2022-28085.patch
+# CVE-2022-27114 [bsc#1199370], image_load_jpeg can cause integer overflow
+Patch1:         htmldoc-CVE-2022-27114.patch
 BuildRequires:  fltk-devel
 BuildRequires:  gcc-c++
 BuildRequires:  hicolor-icon-theme