Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package raylib for openSUSE:Factory checked in at 2026-01-19 18:39:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/raylib (Old) and /work/SRC/openSUSE:Factory/.raylib.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "raylib" Mon Jan 19 18:39:06 2026 rev:14 rq:1328092 version:5.5 Changes: -------- --- /work/SRC/openSUSE:Factory/raylib/raylib.changes 2024-11-27 22:15:35.483141172 +0100 +++ /work/SRC/openSUSE:Factory/.raylib.new.1928/raylib.changes 2026-01-19 18:43:11.234675287 +0100 @@ -1,0 +2,10 @@ +Mon Jan 19 13:05:48 UTC 2026 - Michael Vetter <[email protected]> + +- security update: + * CVE-2025-15533 [bsc#1256900] + Fix heap-based buffer overflow via GenImageFontAtlas function manipulation + * CVE-2025-15534 [bsc#1256901] + Fix integer overflow vulnerability in LoadFontData + * Add raylib-CVE-2025-15533-CVE-2025-15534.patch + +------------------------------------------------------------------- New: ---- raylib-CVE-2025-15533-CVE-2025-15534.patch ----------(New B)---------- New: Fix integer overflow vulnerability in LoadFontData * Add raylib-CVE-2025-15533-CVE-2025-15534.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ raylib.spec ++++++ --- /var/tmp/diff_new_pack.dR2f08/_old 2026-01-19 18:43:12.094710872 +0100 +++ /var/tmp/diff_new_pack.dR2f08/_new 2026-01-19 18:43:12.098711038 +0100 @@ -1,7 +1,7 @@ # # spec file for package raylib # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,7 @@ Group: Development/Libraries/C and C++ URL: https://www.raylib.com Source: raylib-%{version}.tar.xz +Patch0: raylib-CVE-2025-15533-CVE-2025-15534.patch BuildRequires: Mesa-libGL-devel BuildRequires: cmake BuildRequires: gcc-c++ @@ -57,7 +58,7 @@ A C library for learning video game programming. %prep -%setup -q +%autosetup -p1 %build %cmake \ ++++++ raylib-5.5.obscpio ++++++ ++++ 148957 lines of diff (skipped) ++++++ raylib-CVE-2025-15533-CVE-2025-15534.patch ++++++ Fix CVE-2025-15533 and CVE-2025-15534 Based on 5a3391fdce046bc5473e52afbd835dd2dc127146. Change glyphs[k] -> chars[i]. Index: raylib-5.5/src/rtext.c =================================================================== --- raylib-5.5.orig/src/rtext.c +++ raylib-5.5/src/rtext.c @@ -695,8 +695,11 @@ GlyphInfo *LoadFontData(const unsigned c stbtt_GetCodepointHMetrics(&fontInfo, ch, &chars[i].advanceX, NULL); chars[i].advanceX = (int)((float)chars[i].advanceX*scaleFactor); + if (chars[i].advanceX < 0) chars[i].advanceX = 0; + Image imSpace = { .data = RL_CALLOC(chars[i].advanceX*fontSize, 2), + .data = (chars[i].advanceX > 0) ? RL_CALLOC(chars[i].advanceX*fontSize, 2) : NULL, .width = chars[i].advanceX, .height = fontSize, .mipmaps = 1, @@ -796,7 +799,8 @@ Image GenImageFontAtlas(const GlyphInfo } #endif - atlas.data = (unsigned char *)RL_CALLOC(1, atlas.width*atlas.height); // Create a bitmap to store characters (8 bpp) + int atlasDataSize = atlas.width * atlas.height; // Save total size for bounds checking + atlas.data = (unsigned char *)RL_CALLOC(1, atlasDataSize); // Create a bitmap to store characters (8 bpp) atlas.format = PIXELFORMAT_UNCOMPRESSED_GRAYSCALE; atlas.mipmaps = 1; @@ -841,7 +845,17 @@ Image GenImageFontAtlas(const GlyphInfo { for (int x = 0; x < glyphs[i].image.width; x++) { - ((unsigned char *)atlas.data)[(offsetY + y)*atlas.width + (offsetX + x)] = ((unsigned char *)glyphs[i].image.data)[y*glyphs[i].image.width + x]; + int destX = offsetX + x; + int destY = offsetY + y; + + // Security fix: check both lower and upper bounds + // destX >= 0: prevent heap underflow (#5434) + // destX < atlas.width: prevent heap overflow (#5433) + if (destX >= 0 && destX < atlas.width && destY >= 0 && destY < atlas.height) + { + ((unsigned char *)atlas.data)[destY * atlas.width + destX] = + ((unsigned char *)glyphs[i].image.data)[y * glyphs[i].image.width + x]; + } } } @@ -889,7 +903,15 @@ Image GenImageFontAtlas(const GlyphInfo { for (int x = 0; x < glyphs[i].image.width; x++) { - ((unsigned char *)atlas.data)[(rects[i].y + padding + y)*atlas.width + (rects[i].x + padding + x)] = ((unsigned char *)glyphs[i].image.data)[y*glyphs[i].image.width + x]; + int destX = rects[i].x + padding + x; + int destY = rects[i].y + padding + y; + + // Security fix: check both lower and upper bounds + if (destX >= 0 && destX < atlas.width && destY >= 0 && destY < atlas.height) + { + ((unsigned char *)atlas.data)[destY * atlas.width + destX] = + ((unsigned char *)glyphs[i].image.data)[y * glyphs[i].image.width + x]; + } } } } @@ -903,14 +925,18 @@ Image GenImageFontAtlas(const GlyphInfo #if defined(SUPPORT_FONT_ATLAS_WHITE_REC) // Add a 3x3 white rectangle at the bottom-right corner of the generated atlas, - // useful to use as the white texture to draw shapes with raylib, using this rectangle - // shapes and text can be backed into a single draw call: SetShapesTexture() - for (int i = 0, k = atlas.width*atlas.height - 1; i < 3; i++) - { - ((unsigned char *)atlas.data)[k - 0] = 255; - ((unsigned char *)atlas.data)[k - 1] = 255; - ((unsigned char *)atlas.data)[k - 2] = 255; - k -= atlas.width; + // useful to use as the white texture to draw shapes with raylib. + // [Security Fix] Ensure the atlas is large enough to hold a 3x3 rectangle. + // This prevents heap underflow when width < 3 or height < 3 (Fixes #5434 variant) + if (atlas.width >= 3 && atlas.height >= 3) + { + for (int i = 0, k = atlas.width*atlas.height - 1; i < 3; i++) + { + ((unsigned char *)atlas.data)[k - 0] = 255; + ((unsigned char *)atlas.data)[k - 1] = 255; + ((unsigned char *)atlas.data)[k - 2] = 255; + k -= atlas.width; + } } #endif
