Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package godot for openSUSE:Factory checked 
in at 2021-02-15 23:19:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/godot (Old)
 and      /work/SRC/openSUSE:Factory/.godot.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "godot"

Mon Feb 15 23:19:12 2021 rev:7 rq:872035 version:3.2.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/godot/godot.changes      2020-12-12 
20:32:52.393883897 +0100
+++ /work/SRC/openSUSE:Factory/.godot.new.28504/godot.changes   2021-02-15 
23:21:21.335848834 +0100
@@ -1,0 +2,8 @@
+Sat Feb 13 00:00:00 UTC 2021 - cu...@mail.de
+
+- Fix a crash in the TGA loader with malformed input
+  * added upstream_fix_TGA_loader.patch from upstream
+  * integer overflow issue CVE-2021-26825 (boo#1182177)
+  * stack overflow issue CVE-2021-26826 (boo#1182178)
+
+-------------------------------------------------------------------

New:
----
  upstream_fix_TGA_loader.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ godot.spec ++++++
--- /var/tmp/diff_new_pack.yuTboS/_old  2021-02-15 23:21:22.215850148 +0100
+++ /var/tmp/diff_new_pack.yuTboS/_new  2021-02-15 23:21:22.219850155 +0100
@@ -36,6 +36,9 @@
 Patch0:         linker_pie_flag.patch
 # Use system certificates as fallback for certificates
 Patch1:         certs_fallback.patch
+# PATCH-FIX-UPSTREAM upstream_fix_TGA_loader.patch boo#1182177 boo#1182178
+# commit 113b5ab1c45c01b8e6d54d13ac8876d091f883a8
+Patch2:         upstream_fix_TGA_loader.patch
 BuildRequires:  Mesa-devel
 BuildRequires:  desktop-file-utils
 BuildRequires:  fdupes
@@ -215,6 +218,7 @@
 %setup -q -n %{name}-%{version}-stable
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 cp thirdparty/README.md thirdparty_README.md
 

++++++ upstream_fix_TGA_loader.patch ++++++
>From 113b5ab1c45c01b8e6d54d13ac8876d091f883a8 Mon Sep 17 00:00:00 2001
From: Hein-Pieter van Braam-Stewart <h...@tmm.cx>
Date: Thu, 4 Feb 2021 12:56:33 +0100
Subject: [PATCH] Fix a crash in the TGA loader with malformed input
Upstream: merged security fix

---
 modules/tga/image_loader_tga.cpp | 25 ++++++++++++++++++++++---
 modules/tga/image_loader_tga.h   |  2 +-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/modules/tga/image_loader_tga.cpp b/modules/tga/image_loader_tga.cpp
index d60efdd5bcc..964dc091a7d 100644
--- a/modules/tga/image_loader_tga.cpp
+++ b/modules/tga/image_loader_tga.cpp
@@ -55,6 +55,10 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t 
*p_compressed_buffer, size_t
                compressed_pos += 1;
                count = (c & 0x7f) + 1;
 
+               if (output_pos + count * p_pixel_size > output_pos) {
+                       return ERR_PARSE_ERROR;
+               }
+
                if (c & 0x80) {
                        for (size_t i = 0; i < p_pixel_size; i++) {
                                pixels_w.ptr()[i] = 
p_compressed_buffer[compressed_pos];
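Review bot: The added guard compares `output_pos + count * p_pixel_size` with `output_pos` itself, so it is true for every packet of non-zero size unless the sum wraps. As written, decode_tga_rle would return ERR_PARSE_ERROR on well-formed RLE data and never consult the real bound, the `p_output_size` parameter. The comparison should be against the output capacity: `if (output_pos + count * p_pixel_size > p_output_size) {`. Reads from `p_compressed_buffer[compressed_pos]` also have no visible length check, since the function takes no compressed-size argument. That may be handled elsewhere, as the function body starts and ends outside this hunk.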
@@ -78,7 +82,7 @@ Error ImageLoaderTGA::decode_tga_rle(const uint8_t 
*p_compressed_buffer, size_t
        return OK;
 }
 
-Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t 
*p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool 
p_is_monochrome) {
+Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, const uint8_t 
*p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool 
p_is_monochrome, size_t p_output_size) {
 
 #define TGA_PUT_PIXEL(r, g, b, a)             \
        int image_data_ofs = ((y * width) + x);   \
@@ -130,6 +134,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, 
const uint8_t *p_buff
                if (p_is_monochrome) {
                        while (y != y_end) {
                                while (x != x_end) {
+                                       if (i > p_output_size) {
+                                               return ERR_PARSE_ERROR;
+                                       }
                                        uint8_t shade = p_buffer[i];
 
                                        TGA_PUT_PIXEL(shade, shade, shade, 0xff)
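Review bot: The bounds checks added before the `p_buffer` reads are off by one: `if (i > p_output_size)` still lets `i == p_output_size` through to `p_buffer[i]`. That is one byte past the end if `p_output_size` is the byte length of the buffer, as the `buffer_size` argument passed from load_image suggests. The same gap is in the palette branch (`i > p_output_size`), the 24-bit branch (`i + 2 > p_output_size` before `p_buffer[i + 2]`) and the 32-bit branch (`i + 3 > p_output_size` before `p_buffer[i + 3]`). Using `>=` in each check closes it, e.g. `if (i >= p_output_size) {` and `if (i + 2 >= p_output_size) {`. The loops continue outside these hunks, so how `i` advances is not visible here.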
@@ -143,6 +150,9 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, 
const uint8_t *p_buff
                } else {
                        while (y != y_end) {
                                while (x != x_end) {
+                                       if (i > p_output_size) {
+                                               return ERR_PARSE_ERROR;
+                                       }
                                        uint8_t index = p_buffer[i];
                                        uint8_t r = 0x00;
                                        uint8_t g = 0x00;
@@ -171,6 +181,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, 
const uint8_t *p_buff
        } else if (p_header.pixel_depth == 24) {
                while (y != y_end) {
                        while (x != x_end) {
+                               if (i + 2 > p_output_size) {
+                                       return ERR_PARSE_ERROR;
+                               }
+
                                uint8_t r = p_buffer[i + 2];
                                uint8_t g = p_buffer[i + 1];
                                uint8_t b = p_buffer[i + 0];
@@ -186,6 +200,10 @@ Error ImageLoaderTGA::convert_to_image(Ref<Image> p_image, 
const uint8_t *p_buff
        } else if (p_header.pixel_depth == 32) {
                while (y != y_end) {
                        while (x != x_end) {
+                               if (i + 3 > p_output_size) {
+                                       return ERR_PARSE_ERROR;
+                               }
+
                                uint8_t a = p_buffer[i + 3];
                                uint8_t r = p_buffer[i + 2];
                                uint8_t g = p_buffer[i + 1];
@@ -280,7 +298,7 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, 
FileAccess *f, bool p_force
                PoolVector<uint8_t>::Read src_image_r = src_image.read();
 
                const size_t pixel_size = tga_header.pixel_depth >> 3;
-               const size_t buffer_size = (tga_header.image_width * 
tga_header.image_height) * pixel_size;
+               size_t buffer_size = (tga_header.image_width * 
tga_header.image_height) * pixel_size;
 
                PoolVector<uint8_t> uncompressed_buffer;
                uncompressed_buffer.resize(buffer_size);
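Review bot: The size computation `(tga_header.image_width * tga_header.image_height) * pixel_size` is left as it was apart from dropping `const`, and the product of the two header fields is evaluated in their promoted type before it is widened to `size_t`. The field types are not visible in this patch; if they are 16-bit, large dimensions from a crafted header can overflow that intermediate and give a `buffer_size` that does not match the image. Widening first avoids this: `size_t buffer_size = (size_t)tga_header.image_width * tga_header.image_height * pixel_size;`. A one-line comment that `buffer_size` is reassigned to `src_image_len` in the uncompressed path would also explain why it is no longer `const`.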
@@ -299,11 +317,12 @@ Error ImageLoaderTGA::load_image(Ref<Image> p_image, 
FileAccess *f, bool p_force
                        }
                } else {
                        buffer = src_image_r.ptr();
+                       buffer_size = src_image_len;
                };
 
                if (err == OK) {
                        PoolVector<uint8_t>::Read palette_r = palette.read();
-                       err = convert_to_image(p_image, buffer, tga_header, 
palette_r.ptr(), is_monochrome);
+                       err = convert_to_image(p_image, buffer, tga_header, 
palette_r.ptr(), is_monochrome, buffer_size);
                }
        }
 
diff --git a/modules/tga/image_loader_tga.h b/modules/tga/image_loader_tga.h
index 249e33411e7..bbfc3fed329 100644
--- a/modules/tga/image_loader_tga.h
+++ b/modules/tga/image_loader_tga.h
@@ -73,7 +73,7 @@ class ImageLoaderTGA : public ImageFormatLoader {
                uint8_t image_descriptor;
        };
        static Error decode_tga_rle(const uint8_t *p_compressed_buffer, size_t 
p_pixel_size, uint8_t *p_uncompressed_buffer, size_t p_output_size);
-       static Error convert_to_image(Ref<Image> p_image, const uint8_t 
*p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool 
p_is_monochrome);
+       static Error convert_to_image(Ref<Image> p_image, const uint8_t 
*p_buffer, const tga_header_s &p_header, const uint8_t *p_palette, const bool 
p_is_monochrome, size_t p_output_size);
 
 public:
        virtual Error load_image(Ref<Image> p_image, FileAccess *f, bool 
p_force_linear, float p_scale);
