Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package godot for openSUSE:Factory checked in at 2021-02-15 23:19:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/godot (Old) and /work/SRC/openSUSE:Factory/.godot.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "godot" Mon Feb 15 23:19:12 2021 rev:7 rq:872035 version:3.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/godot/godot.changes 2020-12-12 20:32:52.393883897 +0100 +++ /work/SRC/openSUSE:Factory/.godot.new.28504/godot.changes 2021-02-15 23:21:21.335848834 +0100 @@ -1,0 +2,8 @@ +Sat Feb 13 00:00:00 UTC 2021 - cu...@mail.de + +- Fix a crash in the TGA loader with malformed input + * added upstream_fix_TGA_loader.patch from upstream + * integer overflow issue CVE-2021-26825 (boo#1182177) + * stack overflow issue CVE-2021-26826 (boo#1182178) + +------------------------------------------------------------------- New: ---- upstream_fix_TGA_loader.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ godot.spec ++++++ --- /var/tmp/diff_new_pack.yuTboS/_old 2021-02-15 23:21:22.215850148 +0100 +++ /var/tmp/diff_new_pack.yuTboS/_new 2021-02-15 23:21:22.219850155 +0100 @@ -36,6 +36,9 @@ Patch0: linker_pie_flag.patch # Use system certificates as fallback for certificates Patch1: certs_fallback.patch +# PATCH-FIX-UPSTREAM upstream_fix_TGA_loader.patch boo#1182177 boo#1182178 +# commit 113b5ab1c45c01b8e6d54d13ac8876d091f883a8 +Patch2: upstream_fix_TGA_loader.patch BuildRequires: Mesa-devel BuildRequires: desktop-file-utils BuildRequires: fdupes @@ -215,6 +218,7 @@ %setup -q -n %{name}-%{version}-stable %patch0 -p1 %patch1 -p1 +%patch2 -p1 cp thirdparty/README.md thirdparty_README.md ++++++ upstream_fix_TGA_loader.patch ++++++ >From 113b5ab1c45c01b8e6d54d13ac8876d091f883a8 Mon Sep 17 00:00:00 2001 From: Hein-Pieter van Braam-Stewart <h...@tmm.cx> Date: Thu, 4 Feb 2021 12:56:33 +0100 Subject: [PATCH] Fix a crash in the TGA loader with malformed input Upstream: merged security fix --- modules/tga/image_loader_tga.cpp | 25 ++++++++++++++++++++++--- modules/tga/image_loader_tga.h | 2 +- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp index d60efdd5bcc..964dc091a7d 100644 --- a/modules/tga/image_loader_tga.cpp +++ b/modules/tga/image_loader_tga.cpp @@ -55,6 +55,10 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t compressed_pos += 1; count = (c & 0x7f) + 1; + if (output_pos + count * p_pixel_size > output_pos) { + return ERR_PARSE_ERROR; + } + if (c & 0x80) { for (size_t i = 0; i < p_pixel_size; i++) { pixels_w.ptr()[i] = p_compressed_buffer[compressed_pos]; @@ -78,7 +82,7 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t *p_compressed_buffer, size_t return OK; } -Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome) { +Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size) { #define TGA_PUT_PIXEL(r, g, b, a) \ int image_data_ofs = ((y * width) + x); \ @@ -130,6 +134,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff if (p_is_monochrome) { while (y != y_end) { while (x != x_end) { + if (i > p_output_size) { + return ERR_PARSE_ERROR; + } uint8_t shade = p_buffer[i]; TGA_PUT_PIXEL(shade, shade, shade, 0xff) @@ -143,6 +150,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff } else { while (y != y_end) { while (x != x_end) { + if (i > p_output_size) { + return ERR_PARSE_ERROR; + } uint8_t index = p_buffer[i]; uint8_t r = 0x00; uint8_t g = 0x00; @@ -171,6 +181,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff } else if (p_header.pixel_depth == 24) { while (y != y_end) { while (x != x_end) { + if (i + 2 > p_output_size) { + return ERR_PARSE_ERROR; + } + uint8_t r = p_buffer[i + 2]; uint8_t g = p_buffer[i + 1]; uint8_t b = p_buffer[i + 0]; @@ -186,6 +200,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t *p_buff } else if (p_header.pixel_depth == 32) { while (y != y_end) { while (x != x_end) { + if (i + 3 > p_output_size) { + return ERR_PARSE_ERROR; + } + uint8_t a = p_buffer[i + 3]; uint8_t r = p_buffer[i + 2]; uint8_t g = p_buffer[i + 1]; @@ -280,7 +298,7 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force PoolVector<uint8_t>::Read src_image_r = src_image.read(); const size_t pixel_size = tga_header.pixel_depth >> 3; - const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size; + size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size; PoolVector<uint8_t> uncompressed_buffer; uncompressed_buffer.resize(buffer_size); @@ -299,11 +317,12 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, FileAccess *f, bool p_force } } else { buffer = src_image_r.ptr(); + buffer_size = src_image_len; }; if (err == OK) { PoolVector<uint8_t>::Read palette_r = palette.read(); - err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome); + err = convert_to_image(p_image, buffer, tga_header, palette_r.ptr(), is_monochrome, buffer_size); } } diff --git a/modules/tga/image_loader_tga.h b/modules/tga/image_loader_tga.h index 249e33411e7..bbfc3fed329 100644 --- a/modules/tga/image_loader_tga.h +++ b/modules/tga/image_loader_tga.h @@ -73,7 +73,7 @@ class ImageLoaderTGA : public ImageFormatLoader { uint8_t image_descriptor; }; static Error decode_tga_rle(const uint8_t *p_compressed_buffer, size_t p_pixel_size, uint8_t *p_uncompressed_buffer, size_t p_output_size); - static Error convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome); + static Error convert_to_image(Ref<Image> p_image, const uint8_t *p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool p_is_monochrome, size_t p_output_size); public: virtual Error load_image(Ref<Image> p_image, FileAccess *f, bool p_force_linear, float p_scale);