diff --git a/cve-2023-4863.patch b/backport-0001-CVE-2023-4863.patch
similarity index 100%
rename from cve-2023-4863.patch
rename to backport-0001-CVE-2023-4863.patch
diff --git a/backport-0002-CVE-2023-4863.patch b/backport-0002-CVE-2023-4863.patch
new file mode 100644
index 0000000000000000000000000000000000000000..46471b8f04d17fe3e94436172cac5abc2b6a20c9
--- /dev/null
+++ b/backport-0002-CVE-2023-4863.patch
@@ -0,0 +1,45 @@
+From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
+From: Vincent Rabaud 
+Date: Mon, 11 Sep 2023 16:06:08 +0200
+Subject: [PATCH] Fix invalid incremental decoding check.
+
+The first condition is only necessary if we have not read enough
+(enough being defined by src_last, not src_end which is the end
+of the image).
+The second condition now fits the comment below: "if not
+incremental, and we are past the end of buffer".
+
+BUG=oss-fuzz:62136
+
+Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
+---
+ src/dec/vp8l_dec.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
+index 5ab34f56c..809b1aa98 100644
+--- a/src/dec/vp8l_dec.c
++++ b/src/dec/vp8l_dec.c
+@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
+ }
+
+ br->eos_ = VP8LIsEndOfStream(br);
+- if (dec->incremental_ && br->eos_ && src < src_end) {
++ // In incremental decoding:
++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
++ // be reset until there is more data.
++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
++ // fully read, either enough has been read to reach 'src_last'.
++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
++ // The buffer might have been enough or there is some left. 'br->eos_' does
++ // not matter.
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
++ if (dec->incremental_ && br->eos_ && src < src_last) {
+ RestoreState(dec);
+- } else if (!br->eos_) {
++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+ // Process the remaining rows corresponding to last row-block.
+ if (process_func != NULL) {
+ process_func(dec, row > last_row ? last_row : row);
diff --git a/libwebp.spec b/libwebp.spec
index 05d96996bc06d9cd9bfa50458d0061ffb0e47fce..b262764a1f1f3e829de8f9591b1c8bb68d711dab 100644
--- a/libwebp.spec
+++ b/libwebp.spec
@@ -1,6 +1,6 @@
 Name: libwebp
 Version: 1.2.1
-Release: 4
+Release: 5
 URL: http://www.linuxfromscratch.org/blfs/view/svn/general/libwebp.html
 Summary: Library and tools for the WebP graphics format
 License: BSD
@@ -8,7 +8,8 @@ Source0: http://downloads.webmproject.org/releases/webp/%{name}-%{version}
 Patch6000: libwebp-freeglut.patch
 Patch6001: backport-CVE-2023-1999.patch
-Patch6002: cve-2023-4863.patch
+Patch6002: backport-0001-CVE-2023-4863.patch
+Patch6003: backport-0002-CVE-2023-4863.patch
 BuildRequires: libjpeg-devel libpng-devel giflib-devel libtiff-devel
 BuildRequires: java-devel jpackage-utils swig freeglut-devel
@@ -113,6 +114,9 @@ cp swig/*.jar swig/*.so %{buildroot}/%{_libdir}/%{name}-java/
 %{_mandir}/man*/*
 %changelog
+* Tue Sep 26 2023 zhouwenpei - 1.2.1-5
+- add missing patch
+
 * Fri Sep 15 2023 Funda Wang - 1.2.1-4
 - fix cve-2023-4863
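Review bot: The case the new comment calls "cannot happen" (`!br->eos_ && src < src_last` while incremental) is only checked by the added `assert(...)`, which is compiled out under NDEBUG; in that build the new `else if ((dec->incremental_ && src >= src_last) || !br->eos_)` still takes the row-processing branch through `!br->eos_`, exactly as the removed `else if (!br->eos_)` did, so the invariant is documented but not enforced at runtime. A one-line comment after the assert would make that explicit for readers of a release build, e.g. `// With asserts disabled, an unexpected !eos_ && src < src_last still falls through to row processing below.`. The hunk context (`@@ -1233,9 +1233,20 @@`) comes from a newer upstream tree than the packaged 1.2.1, so the backport presumably applies with an offset; it is worth confirming that `src_last` is defined in 1.2.1's DecodeImageData, whose body starts and ends outside the hunk.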
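Review bot: `Patch6003: backport-0002-CVE-2023-4863.patch` is declared in the second spec hunk, but the `%prep` section is not part of the diff, so whether the new patch is actually applied is not visible; if the spec applies patches with explicit `%patch` lines rather than `%autosetup -p1`, a matching `%patch6003 -p1` is needed, otherwise the changelog entry "add missing patch" would not hold for the built package. Numbering the follow-up as 6003 keeps it after backport-0001, which matters if its context lines depend on the first patch having been applied; confirming a clean apply in that order would settle it.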