Backport upstream fix for CVE-2023-5129

2023-09-28 20:50:22 +02:00 · 2023-09-28 20:50:22 +02:00 · 6404a7c172
commit 6404a7c172
parent e6f530d5ed
6 changed files with 40 additions and 9 deletions
--- a/95ea5226c870449522240ccff26f0b006037c520.patch
+++ b/95ea5226c870449522240ccff26f0b006037c520.patch
@ -0,0 +1,26 @@
+diff -rupN --no-dereference libwebp-1.3.2/src/dec/vp8l_dec.c libwebp-1.3.2-new/src/dec/vp8l_dec.c
+--- libwebp-1.3.2/src/dec/vp8l_dec.c	2023-09-14 00:11:07.000000000 +0200
+++ libwebp-1.3.2-new/src/dec/vp8l_dec.c	2023-09-28 20:47:39.648154201 +0200
+@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder*
+   }
+ 
+   br->eos_ = VP8LIsEndOfStream(br);
+-  if (dec->incremental_ && br->eos_ && src < src_end) {
+  // In incremental decoding:
+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+  // be reset until there is more data.
+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+  // fully read, either enough has been read to reach 'src_last'.
+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+  // The buffer might have been enough or there is some left. 'br->eos_' does
+  // not matter.
+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+  if (dec->incremental_ && br->eos_ && src < src_last) {
+     RestoreState(dec);
+-  } else if (!br->eos_) {
+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
+     // Process the remaining rows corresponding to last row-block.
+     if (process_func != NULL) {
+       process_func(dec, row > last_row ? last_row : row);
--- a/libwebp-cmakedir.patch
+++ b/libwebp-cmakedir.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference libwebp-1.3.2/CMakeLists.txt libwebp-1.3.2-new/CMakeLists.txt
--- libwebp-1.3.2/CMakeLists.txt	2023-09-18 09:27:52.188176972 +0200
-+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-18 09:27:52.193176946 +0200
+--- libwebp-1.3.2/CMakeLists.txt	2023-09-28 20:47:39.567153346 +0200
+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-28 20:47:39.573153410 +0200
@@ -738,7 +738,7 @@ install(
   ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
   LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
--- a/libwebp-freeglut.patch
+++ b/libwebp-freeglut.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference libwebp-1.3.2/CMakeLists.txt libwebp-1.3.2-new/CMakeLists.txt
 --- libwebp-1.3.2/CMakeLists.txt	2023-09-14 00:11:07.000000000 +0200
-+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-18 09:27:52.107177379 +0200
+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-28 20:47:39.497152607 +0200
@@ -564,8 +564,8 @@ endif()
 
 if(WEBP_BUILD_VWEBP)
@ -23,7 +23,7 @@ diff -rupN --no-dereference libwebp-1.3.2/CMakeLists.txt libwebp-1.3.2-new/CMake
       webpdemux)
 diff -rupN --no-dereference libwebp-1.3.2/examples/vwebp.c libwebp-1.3.2-new/examples/vwebp.c
 --- libwebp-1.3.2/examples/vwebp.c	2023-09-14 00:11:07.000000000 +0200
-+++ libwebp-1.3.2-new/examples/vwebp.c	2023-09-18 09:27:52.107177379 +0200
+++ libwebp-1.3.2-new/examples/vwebp.c	2023-09-28 20:47:39.498152618 +0200
@@ -27,7 +27,7 @@
 #if defined(HAVE_GLUT_GLUT_H)
 #include <GLUT/glut.h>
--- a/libwebp-mingw-libsuffix.patch
+++ b/libwebp-mingw-libsuffix.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference libwebp-1.3.2/CMakeLists.txt libwebp-1.3.2-new/CMakeLists.txt
--- libwebp-1.3.2/CMakeLists.txt	2023-09-18 09:27:52.142177203 +0200
-+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-18 09:27:52.149177168 +0200
+--- libwebp-1.3.2/CMakeLists.txt	2023-09-28 20:47:39.529152945 +0200
+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-28 20:47:39.535153009 +0200
@@ -286,6 +286,9 @@ macro(set_version FILE TARGET_NAME NAME_
                  MACHO_CURRENT_VERSION
                  ${LIBWEBP_MACHO_COMPATIBILITY_VERSION}.${LT_REVISION})
--- a/libwebp-rpath.patch
+++ b/libwebp-rpath.patch
@ -1,6 +1,6 @@
 diff -rupN --no-dereference libwebp-1.3.2/CMakeLists.txt libwebp-1.3.2-new/CMakeLists.txt
--- libwebp-1.3.2/CMakeLists.txt	2023-09-18 09:27:52.232176750 +0200
-+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-18 09:27:52.236176730 +0200
+--- libwebp-1.3.2/CMakeLists.txt	2023-09-28 20:47:39.607153769 +0200
+++ libwebp-1.3.2-new/CMakeLists.txt	2023-09-28 20:47:39.610153800 +0200
@@ -112,11 +112,11 @@ endif()
 include(cmake/deps.cmake)
 include(GNUInstallDirs)
--- a/libwebp.spec
+++ b/libwebp.spec
@ -14,7 +14,7 @@

 Name:          libwebp
 Version:       1.3.2
-Release:       1%{?dist}
+Release:       2%{?dist}
 URL:           http://webmproject.org/
 Summary:       Library and tools for the WebP graphics format
 # Additional IPR is licensed as well. See PATENTS file for details
@ -29,6 +29,8 @@ Patch1:        libwebp-mingw-libsuffix.patch
 Patch2:        libwebp-cmakedir.patch
 # Kill rpath
 Patch3:        libwebp-rpath.patch
+# Backport upstream fix for CVE-2023-5129
+Patch5:        https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520.patch

 BuildRequires: cmake
 BuildRequires: freeglut-devel
@ -285,6 +287,9 @@ cp swig/*.jar swig/*.so %{buildroot}/%{_libdir}/%{name}-java/


 %changelog
+* Thu Sep 28 2023 Sandro Mani <manisandro@gmail.com> - 1.3.2-2
+- Backport upstream fix for CVE-2023-5129
+
 * Mon Sep 18 2023 Sandro Mani <manisandro@gmail.com> - 1.3.2-1
 - Update to 1.3.2