Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libaec for openSUSE:Factory checked in at 2026-02-25 21:13:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libaec (Old) and /work/SRC/openSUSE:Factory/.libaec.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libaec" Wed Feb 25 21:13:22 2026 rev:11 rq:1335098 version:1.1.6 Changes: -------- --- /work/SRC/openSUSE:Factory/libaec/libaec.changes 2026-01-29 17:49:43.661520617 +0100 +++ /work/SRC/openSUSE:Factory/.libaec.new.1977/libaec.changes 2026-02-25 21:23:34.210269814 +0100 @@ -1,0 +2,7 @@ +Tue Feb 24 11:12:46 UTC 2026 - Manfred Schwarb <[email protected]> + +- Update to version 1.1.6: + * CMake fixes + * Buffer overflow in decoder + +------------------------------------------------------------------- Old: ---- libaec-v1.1.5.tar.gz New: ---- libaec-v1.1.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libaec.spec ++++++ --- /var/tmp/diff_new_pack.uk4Vuy/_old 2026-02-25 21:23:34.790293721 +0100 +++ /var/tmp/diff_new_pack.uk4Vuy/_new 2026-02-25 21:23:34.790293721 +0100 @@ -17,7 +17,7 @@ Name: libaec -Version: 1.1.5 +Version: 1.1.6 Release: 0 Summary: Adaptive Entropy Coding library License: BSD-2-Clause @@ -109,7 +109,7 @@ %files -n libsz2 %license LICENSE.txt -%doc README.SZIP +%doc doc/README.SZIP %{_libdir}/libsz.so.2* %files -n sz2-devel ++++++ libaec-v1.1.5.tar.gz -> libaec-v1.1.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/CHANGELOG.md new/libaec-v1.1.6/CHANGELOG.md --- old/libaec-v1.1.5/CHANGELOG.md 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/CHANGELOG.md 2026-02-24 10:19:36.000000000 +0100 
@@ -1,6 +1,12 @@ # libaec Changelog All notable changes to libaec will be documented in this file. +## [1.1.6] - 2026-06-16 + +### Fixed +- CMake fixes by Adrien Wu +- Buffer overflow in decoder reported by Even Rouault + ## [1.1.5] - 2026-01-23 ### Changed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/CMakeLists.txt new/libaec-v1.1.6/CMakeLists.txt --- old/libaec-v1.1.5/CMakeLists.txt 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/CMakeLists.txt 2026-02-24 10:19:36.000000000 +0100 @@ -1,5 +1,5 @@ cmake_minimum_required(VERSION 3.26...3.31) -project(libaec LANGUAGES C VERSION 1.1.5) +project(libaec LANGUAGES C VERSION 1.1.6) option(BUILD_SHARED_LIBS "OFF: do not build shared libraries. ON (default): build shared libraries" ON) option(BUILD_STATIC_LIBS "OFF: do not build static libraries. ON (default): build static libraries" ON) @@ -61,8 +61,10 @@ add_subdirectory(fuzzing) set(FUZZ_TARGET_SAN_FLAGS -fsanitize=fuzzer-no-link,address,undefined) - target_compile_options(aec PUBLIC -g -O1 ${FUZZ_TARGET_SAN_FLAGS}) - target_link_options(aec PUBLIC ${FUZZ_TARGET_SAN_FLAGS}) + target_compile_options(aec-shared-objects PUBLIC -g -O1 ${FUZZ_TARGET_SAN_FLAGS}) + target_link_options(aec-shared PUBLIC ${FUZZ_TARGET_SAN_FLAGS}) + target_compile_options(sz-shared-objects PUBLIC -g -O1 ${FUZZ_TARGET_SAN_FLAGS}) + target_link_options(sz-shared PUBLIC ${FUZZ_TARGET_SAN_FLAGS}) endif() # Include the install rules if the user wanted them (included by diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/INSTALL.md new/libaec-v1.1.6/INSTALL.md --- old/libaec-v1.1.5/INSTALL.md 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/INSTALL.md 2026-02-24 10:19:36.000000000 +0100 
@@ -7,16 +7,16 @@ The latest releases of libaec can be downloaded at the following locations: - https://gitlab.dkrz.de/k202009/libaec/-/releases + https://github.com//Deutsches-Klimarechenzentrum/libaec/releases or - https://github.com/MathisRosenhauer/libaec/releases + https://gitlab.dkrz.de/dkrz-sw/libaec/-/releases ## Developer snapshot ```shell - git clone https://gitlab.dkrz.de/k202009/libaec.git + git clone https://github.com//Deutsches-Klimarechenzentrum/libaec ``` # Installation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/Makefile.am new/libaec-v1.1.6/Makefile.am --- old/libaec-v1.1.5/Makefile.am 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/Makefile.am 2026-02-24 10:19:36.000000000 +0100 @@ -1,9 +1,9 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src tests -EXTRA_DIST = doc/patent.txt CMakeLists.txt include/config.h.in \ +EXTRA_DIST = CMakeLists.txt include/config.h.in \ packaging/libaec-config.cmake packaging/CMakeLists.txt \ fuzzing/CMakeLists.txt fuzzing/fuzz_target.cc \ -INSTALL.md README.md README.SZIP CHANGELOG.md LICENSE.txt data +INSTALL.md README.md CHANGELOG.md LICENSE.txt data sampledata = 121B2TestData sampledata_url = https://cwe.ccsds.org/sls/docs/SLS-DC/BB121B2TestData/$(sampledata).zip diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/README.SZIP new/libaec-v1.1.6/README.SZIP --- old/libaec-v1.1.5/README.SZIP 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/README.SZIP 1970-01-01 01:00:00.000000000 +0100 
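Review bot: In the Makefile.am hunk, `EXTRA_DIST` drops `README.SZIP` and `doc/patent.txt` but gains no entry for the files this update adds, so a `make dist` tarball would apparently lack `doc/README.SZIP` and `fuzzing/fuzz_target_sz.cc`. The latter is referenced by `fuzzing/CMakeLists.txt`, which is still distributed, and the former is what the spec file's `%doc doc/README.SZIP` expects. Adding `doc/README.SZIP fuzzing/fuzz_target_sz.cc` to the list would keep the autotools tarball consistent with the CMake tree. This assumes no Makefile.am outside this diff already distributes them.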
@@ -1,15 +0,0 @@ -********************************************************************** - SZIP compatibility -********************************************************************** - -Libaec includes a free drop-in replacement for the SZIP -library[1]. Just replace SZIP's shared library libsz.so* with -libaec.so* and libsz.so* from libaec. For Windows the DLLs are called -SZIP.DLL and AEC.DLL. Code which is dynamically linked with SZIP such -as HDF5 should continue to work with libaec. No re-compilation -required. - -HDF5 files which contain SZIP encoded data can be decoded by HDF5 -using libaec and vice versa. - -[1] http://www.hdfgroup.org/doc_resource/SZIP/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/README.md new/libaec-v1.1.6/README.md --- old/libaec-v1.1.5/README.md 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/README.md 2026-02-24 10:19:36.000000000 +0100 @@ -18,7 +18,14 @@ ## Downloads -Source code and binary installer can be [downloaded here](https://gitlab.dkrz.de/k202009/libaec/tags) [or here](https://github.com/MathisRosenhauer/libaec). +The source code is available from the git repository at + +https://github.com/Deutsches-Klimarechenzentrum/libaec + +or + +https://gitlab.dkrz.de/dkrz-sw/libaec. + ## Patent considerations diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/configure.ac new/libaec-v1.1.6/configure.ac --- old/libaec-v1.1.5/configure.ac 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/configure.ac 2026-02-24 10:19:36.000000000 +0100 
@@ -2,7 +2,7 @@ m4_define([VERSION_MAJOR], [1]) m4_define([VERSION_MINOR], [1]) -m4_define([VERSION_PATCH], [5]) +m4_define([VERSION_PATCH], [6]) AC_INIT([libaec],[VERSION_MAJOR.VERSION_MINOR.VERSION_PATCH],[[email protected]]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/doc/README new/libaec-v1.1.6/doc/README --- old/libaec-v1.1.5/doc/README 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/doc/README 1970-01-01 01:00:00.000000000 +0100 @@ -1,13 +0,0 @@ ---------------------- - 32 bits vs. 64 bits ---------------------- - -libaec compiles and runs both in 32 and 64 bits. For encoding and -decoding I see a performance degradation with 32 bit binaries of 38% -and 33% resp. - -The main reason for this is that encoding and decoding use a buffer of -type uin64_t to align a potentially 32 bit wide sample with the output -(encoding) or input (decoding) stream. Avoiding the use of this -uin64_t buffer variable would degrade 64 bit performance for a modest -gain in 32 bit performance so I decided against it. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/doc/README.SZIP new/libaec-v1.1.6/doc/README.SZIP --- old/libaec-v1.1.5/doc/README.SZIP 1970-01-01 01:00:00.000000000 +0100 +++ new/libaec-v1.1.6/doc/README.SZIP 2026-02-24 10:19:36.000000000 +0100 
@@ -0,0 +1,15 @@
+**********************************************************************
+ SZIP compatibility
+**********************************************************************
+
+Libaec includes a free drop-in replacement for the SZIP
+library[1]. Just replace SZIP's shared library libsz.so* with
+libaec.so* and libsz.so* from libaec. For Windows the DLLs are called
+SZIP.DLL and AEC.DLL. Code which is dynamically linked with SZIP such
+as HDF5 should continue to work with libaec. No re-compilation
+required.
+
+HDF5 files which contain SZIP encoded data can be decoded by HDF5
+using libaec and vice versa.
+
+[1] http://www.hdfgroup.org/doc_resource/SZIP/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/doc/patent.txt new/libaec-v1.1.6/doc/patent.txt
--- old/libaec-v1.1.5/doc/patent.txt 2026-01-23 09:42:36.000000000 +0100
+++ new/libaec-v1.1.6/doc/patent.txt 1970-01-01 01:00:00.000000000 +0100
@@ -1,57 +0,0 @@
--------------------------------------------------------------------
-Lossless Data Compression, Recommended Standard, Issue 2, May 2012,
-CCSDS 121.0-B-2
--------------------------------------------------------------------
-Patent Considerations, Section A3, page 37
-
-With respect to this issue we got the following information from
-NASA's Chief Patent Counsel:
-
-From: Geurts, Bryan A. (GSFC-1401)
-Sent: Tuesday, April 21, 2009 12:14 PM
-To: Yeh, Pen-Shu (GSFC-5670)
-Subject: RE: Need help from you again
-
-Pen-Shu,
-
-The license agreement with ICs, LLC, for Patent Numbers US 5,448,642,
-US 5,687,255 and US 5,822,457, has been terminated effective March 31,
-2009. NASA has no other licensee of these patents. It is NASA's intent
-to not pay the remaining maintenance fees owing on these patents,
-thereby allowing them to eventually become abandoned, and to not
-enforce the patents.
-
-If you have any questions or concerns, please do not hesitate to contact me.
-
-Bryan A. Geurts
-Chief Patent Counsel
-NASA Goddard Space Flight Center
-Code 140.1, 8800 Greenbelt Road
-Greenbelt, MD 20771
-Phone: (301) 286-7352
-Fax: (301) 286-9502
-
-Reassuring this information in August 2012 because of the patent
-considerations in the above referenced CCSDS standard:
-
-From: Geurts, Bryan A. (GSFC-1401)
-Sent: Friday, August 31, 2012 10:36 AM
-To: Luis Kornblueh
-Subject: RE: Patent 5448642
-
-Dear Mr. Kornblueh
-
-Per my email cited above, NASA has no interest in licensing or
-maintaining US Patent No. 5448642 and therefore has no objection to
-your use of its teachings and claims. However, while NASA has
-effectively abandoned this patent, any use of the subject matter is at
-your own risk and NASA cannot warrant that its use will satisfy your
-particular needs or that your use will not infringe on another's
-intellectual property rights.
- -------------------------------------------------------------------- - -The cited CCSDS standard does not refer to any other intellectual -property rights. - -------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/fuzzing/CMakeLists.txt new/libaec-v1.1.6/fuzzing/CMakeLists.txt --- old/libaec-v1.1.5/fuzzing/CMakeLists.txt 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/fuzzing/CMakeLists.txt 2026-02-24 10:19:36.000000000 +0100 @@ -1,5 +1,11 @@ add_executable(fuzz_target fuzz_target.cc) -target_link_libraries(fuzz_target aec) +target_link_libraries(fuzz_target PUBLIC libaec::aec) # Actually link libFuzzer target_link_options(fuzz_target PRIVATE -fsanitize=fuzzer) + +add_executable(fuzz_target_sz fuzz_target_sz.cc) +target_link_libraries(fuzz_target_sz PUBLIC libaec::sz) + +# Actually link libFuzzer +target_link_options(fuzz_target_sz PRIVATE -fsanitize=fuzzer) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/fuzzing/fuzz_target.cc new/libaec-v1.1.6/fuzzing/fuzz_target.cc --- old/libaec-v1.1.5/fuzzing/fuzz_target.cc 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/fuzzing/fuzz_target.cc 2026-02-24 10:19:36.000000000 +0100 
@@ -5,35 +5,26 @@ #include "libaec.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - if (Size < 2) + if (Size < 4) return 0; std::vector<unsigned char> dest(Size * 4); aec_stream strm; - strm.bits_per_sample = (Data[0] & 0x1f) | 1; - strm.block_size = 8 << (Data[1] & 3); - strm.rsi = 2; - - strm.flags = AEC_DATA_PREPROCESS; - if (Data[1] & 0x80) - strm.flags |= AEC_DATA_MSB; - if (Data[1] & 0x40) - strm.flags |= AEC_DATA_SIGNED; - if (strm.bits_per_sample <= 24 && - strm.bits_per_sample > 16 && - Data[1] & 0x10) - strm.flags |= AEC_DATA_3BYTE; + strm.bits_per_sample = Data[0]; + strm.block_size = Data[1]; + strm.flags = Data[2]; + strm.rsi = Data[3]; // Decode data - strm.next_in = reinterpret_cast<const unsigned char *>(Data) + 2; - strm.avail_in = Size - 2; + strm.next_in = reinterpret_cast<const unsigned char *>(Data) + 4; + strm.avail_in = Size - 4; strm.next_out = dest.data(); strm.avail_out = dest.size(); aec_buffer_decode(&strm); // Encode data - strm.next_in = reinterpret_cast<const unsigned char *>(Data) + 2; - strm.avail_in = Size - 2; + strm.next_in = reinterpret_cast<const unsigned char *>(Data) + 4; + strm.avail_in = Size - 4; strm.next_out = dest.data(); strm.avail_out = dest.size(); aec_buffer_encode(&strm); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/fuzzing/fuzz_target_sz.cc new/libaec-v1.1.6/fuzzing/fuzz_target_sz.cc --- old/libaec-v1.1.5/fuzzing/fuzz_target_sz.cc 1970-01-01 01:00:00.000000000 +0100 +++ new/libaec-v1.1.6/fuzzing/fuzz_target_sz.cc 2026-02-24 10:19:36.000000000 +0100 
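Review bot: `strm.rsi = Data[3];` caps the fuzzed RSI at 255, while the encoder check in encode.c in this same update accepts `strm->rsi` up to 4096, so the range 256–4096 is never exercised by this harness. Taking the value from two input bytes, e.g. `strm.rsi = Data[3] | (Data[4] << 8);`, with the header length and the `+ 4` / `- 4` offsets raised to 5, would cover it. Separately, `strm.bits_per_sample = Data[0];` means every first byte above 32 is rejected by the new init checks, so most random inputs stop at validation. Keeping a few out-of-range values but folding the rest into 1–32 would spend more of the corpus on the decoder proper. The end of the function lies outside the hunk.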
@@ -0,0 +1,29 @@ +#include <cstddef> +#include <cstdint> +#include <cstdlib> +#include <vector> +#include "szlib.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + if (Size < 4) + return 0; + + std::vector<unsigned char> dest(Size * 4); + size_t dest_len; + SZ_com_t sz_param; + sz_param.bits_per_pixel = Data[0]; + sz_param.pixels_per_block = Data[1]; + sz_param.options_mask = Data[2]; + sz_param.pixels_per_scanline = Data[3]; + + // Decode data + SZ_BufftoBuffDecompress(dest.data(), &dest_len, + reinterpret_cast<const unsigned char *>(Data) + 4, + Size - 4, &sz_param); + + // Encode data + SZ_BufftoBuffCompress(dest.data(), &dest_len, + reinterpret_cast<const unsigned char *>(Data) + 4, + Size - 4, &sz_param); + return 0; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/include/szlib.h new/libaec-v1.1.6/include/szlib.h --- old/libaec-v1.1.5/include/szlib.h 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/include/szlib.h 2026-02-24 10:19:36.000000000 +0100 @@ -60,6 +60,10 @@ #define SZ_MAX_PIXELS_PER_SCANLINE \ (SZ_MAX_BLOCKS_PER_SCANLINE) * (SZ_MAX_PIXELS_PER_BLOCK) +#ifdef __cplusplus +extern "C"{ +#endif + typedef struct SZ_com_t_s { int options_mask; @@ -79,4 +83,9 @@ LIBAEC_DLL_EXPORTED int SZ_encoder_enabled(void); +#ifdef __cplusplus +} +#endif + + #endif /* SZLIB_H */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/packaging/CMakeLists.txt new/libaec-v1.1.6/packaging/CMakeLists.txt --- old/libaec-v1.1.5/packaging/CMakeLists.txt 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/packaging/CMakeLists.txt 2026-02-24 10:19:36.000000000 +0100 
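Review bot: In fuzz_target_sz.cc, `size_t dest_len;` is passed to both `SZ_BufftoBuffDecompress` and `SZ_BufftoBuffCompress` without being initialised. In the szlib interface `*destLen` is read on entry as the capacity of `dest`. Assuming libaec's compatibility layer does the same (its body is not in this hunk), the library works from an indeterminate output size, and any overflow the fuzzer then reports may be a harness artefact rather than a library defect. Declare it as `size_t dest_len = dest.size();` and assign `dest_len = dest.size();` again before the compress call, since the decompress call may have overwritten it.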
@@ -35,7 +35,7 @@ EXPORT libaec_static_targets PUBLIC_HEADER DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}") - install(EXPORT libaec_shared_targets + install(EXPORT libaec_static_targets DESTINATION "${libaec_INSTALL_CMAKEDIR}" NAMESPACE libaec:: FILE libaec_static-targets.cmake) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/packaging/libaec-config.cmake new/libaec-v1.1.6/packaging/libaec-config.cmake --- old/libaec-v1.1.5/packaging/libaec-config.cmake 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/packaging/libaec-config.cmake 2026-02-24 10:19:36.000000000 +0100 @@ -38,9 +38,11 @@ # Alias static or shared targets depending on libaec_USE_STATIC_LIBS if(libaec_USE_STATIC_LIBS) include(${CMAKE_CURRENT_LIST_DIR}/libaec_static-targets.cmake) - if(TARGET libaec::aec-static AND TARGET libaec::sz-static AND NOT TARGET libaec::aec AND NOT TARGET libaec::sz) - add_library(libaec::aec ALIAS libaec::aec-static) - add_library(libaec::sz ALIAS libaec::sz-static) + if(TARGET libaec::aec-static AND TARGET libaec::sz-static) + if(NOT TARGET libaec::aec AND NOT TARGET libaec::sz) + add_library(libaec::aec ALIAS libaec::aec-static) + add_library(libaec::sz ALIAS libaec::sz-static) + endif() else() set(${CMAKE_FIND_PACKAGE_NAME}_NOT_FOUND_MESSAGE "STATIC versions of libaec::aec and libaec::sz not found.") 
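Review bot: In libaec-config.cmake the new inner guard `if(NOT TARGET libaec::aec AND NOT TARGET libaec::sz)` creates both aliases or neither. If exactly one of the two already exists, the other is left undefined and no NOT_FOUND message is set. Guarding each alias on its own avoids that: put `if(NOT TARGET libaec::aec)` around the first `add_library` and `if(NOT TARGET libaec::sz)` around the second. The same applies to the shared-library branch in the next hunk. The enclosing if/else continues outside the hunk.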
@@ -49,9 +51,11 @@ else() include(${CMAKE_CURRENT_LIST_DIR}/libaec_shared-targets.cmake) - if(TARGET libaec::aec-shared AND TARGET libaec::sz-shared AND NOT TARGET libaec::aec AND NOT TARGET libaec::sz) - add_library(libaec::aec ALIAS libaec::aec-shared) - add_library(libaec::sz ALIAS libaec::sz-shared) + if(TARGET libaec::aec-shared AND TARGET libaec::sz-shared) + if(NOT TARGET libaec::aec AND NOT TARGET libaec::sz) + add_library(libaec::aec ALIAS libaec::aec-shared) + add_library(libaec::sz ALIAS libaec::sz-shared) + endif() else() set(${CMAKE_FIND_PACKAGE_NAME}_NOT_FOUND_MESSAGE "SHARED versions of libaec::aec and libaec::sz not found.") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/CMakeLists.txt new/libaec-v1.1.6/src/CMakeLists.txt --- old/libaec-v1.1.5/src/CMakeLists.txt 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/CMakeLists.txt 2026-02-24 10:19:36.000000000 +0100 @@ -43,7 +43,7 @@ # Shared libaec versioning set(libaec_VERSION_MAJOR 0) set(libaec_VERSION_MINOR 1) - set(libaec_VERSION_PATCH 5) + set(libaec_VERSION_PATCH 6) # libtool compatible versioning for Mach-O math(EXPR libaec_MACHO_COMPATIBILITY_VERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/Makefile.am new/libaec-v1.1.6/src/Makefile.am --- old/libaec-v1.1.5/src/Makefile.am 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/Makefile.am 2026-02-24 10:19:36.000000000 +0100 
@@ -5,7 +5,7 @@ libaec_la_SOURCES = encode.c encode_accessors.c decode.c vector.c\ encode.h encode_accessors.h decode.h vector.h libaec_la_CPPFLAGS = $(AM_CPPFLAGS) -DLIBAEC_BUILD $(LIBAEC_SHARED) -libaec_la_LDFLAGS = -version-info 1:5:1 -no-undefined +libaec_la_LDFLAGS = -version-info 1:6:1 -no-undefined libsz_la_SOURCES = sz_compat.c libsz_la_LIBADD = libaec.la libsz_la_CPPFLAGS = $(AM_CPPFLAGS) -DLIBAEC_BUILD $(LIBAEC_SHARED) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/decode.c new/libaec-v1.1.6/src/decode.c --- old/libaec-v1.1.5/src/decode.c 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/decode.c 2026-02-24 10:19:36.000000000 +0100 @@ -672,7 +672,11 @@ struct internal_state *state; int modi; - if (strm->bits_per_sample > 32 || strm->bits_per_sample == 0) + if (strm->bits_per_sample > 32 + || strm->bits_per_sample == 0 + || strm->rsi == 0 + || strm->block_size & 1 + || strm->block_size == 0) return AEC_CONF_ERROR; state = malloc(sizeof(struct internal_state)); @@ -718,6 +722,7 @@ else state->id_len = 2; } else { + free(state); return AEC_CONF_ERROR; } } else { @@ -742,8 +747,10 @@ modi = 1UL << state->id_len; state->id_table = malloc(modi * sizeof(int (*)(struct aec_stream *))); - if (state->id_table == NULL) + if (state->id_table == NULL) { + free(state); return AEC_MEM_ERROR; + } state->id_table[0] = m_low_entropy; for (int i = 1; i < modi - 1; i++) { 
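Review bot: The extended parameter check in the first decode.c hunk rejects zero and odd values but sets no upper bound on `strm->rsi` or `strm->block_size`, unlike the encoder check in encode.c in this same update (`strm->rsi > 4096`, `strm->block_size > 256`). A later decode.c hunk computes `state->rsi_size = strm->rsi * strm->block_size` and allocates `state->rsi_size * sizeof(uint32_t)`. With caller-controlled values the product can presumably wrap before the malloc (the field types are not visible here), leaving a buffer smaller than the decoder assumes. If the decoder is only meant to accept parameters the encoder can produce, adding `|| strm->rsi > 4096 || strm->block_size > 256` to this condition closes the gap. The function body continues outside the hunk.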
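Review bot: The `free(state);` added before `return AEC_CONF_ERROR;` in the second decode.c hunk releases the state, but the hunk does not show `strm->state` being reset. If `strm->state` was already assigned earlier in the function (not visible here), the stream is left holding a dangling pointer, and a caller that runs its usual end call after a failed init would touch freed memory. Clearing the pointer with `strm->state = NULL;` next to each new `free(state);`, or documenting that a stream whose init failed must not be passed to the end call, would make the contract explicit. The same applies to the two AEC_MEM_ERROR paths in the following decode.c hunks and to the `free(state);` added in encode.c.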
@@ -753,8 +760,11 @@ state->rsi_size = strm->rsi * strm->block_size; state->rsi_buffer = malloc(state->rsi_size * sizeof(uint32_t)); - if (state->rsi_buffer == NULL) + if (state->rsi_buffer == NULL) { + free(state->id_table); + free(state); return AEC_MEM_ERROR; + } state->pp = strm->flags & AEC_DATA_PREPROCESS; if (state->pp) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/encode.c new/libaec-v1.1.6/src/encode.c --- old/libaec-v1.1.5/src/encode.c 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/encode.c 2026-02-24 10:19:36.000000000 +0100 @@ -424,7 +424,7 @@ struct internal_state *state = strm->state; - if (strm->avail_out > CDSLEN) { + if (strm->avail_out > state->cds_len) { if (!state->direct_out) { state->direct_out = 1; *strm->next_out = *state->cds; @@ -749,6 +749,8 @@ free(state->data_raw); if (state->data_pp) free(state->data_pp); + if (state->cds_buf) + free(state->cds_buf); free(state); } @@ -762,12 +764,17 @@ { struct internal_state *state; - if (strm->bits_per_sample > 32 || strm->bits_per_sample == 0) + if (strm->bits_per_sample > 32 + || strm->bits_per_sample == 0 + || strm->rsi > 4096 + || strm->rsi == 0) return AEC_CONF_ERROR; if (strm->flags & AEC_NOT_ENFORCE) { - /* All even block sizes are allowed. */ - if (strm->block_size & 1) + /* Allow non-standard block sizes */ + if (strm->block_size & 1 + || strm->block_size == 0 + || strm->block_size > 256) return AEC_CONF_ERROR; } else { /* Only allow standard conforming block sizes */ @@ -778,9 +785,6 @@ return AEC_CONF_ERROR; } - if (strm->rsi > 4096) - return AEC_CONF_ERROR; - state = malloc(sizeof(struct internal_state)); if (state == NULL) return AEC_MEM_ERROR; @@ -835,6 +839,7 @@ else state->id_len = 2; } else { + free(state); return AEC_CONF_ERROR; } } else { 
@@ -859,6 +864,14 @@ state->kmax = (1U << state->id_len) - 3; + /* Maximum CDS length. We need extra 8 bytes for copy64() */ + state->cds_len = (state->id_len + strm->block_size + * strm->bits_per_sample) / 8 + 1 + 8; + state->cds_buf = malloc(state->cds_len); + if (state->cds_buf == NULL) { + cleanup(strm); + return AEC_MEM_ERROR; + } state->data_pp = malloc(strm->rsi * strm->block_size * sizeof(uint32_t)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/encode.h new/libaec-v1.1.6/src/encode.h --- old/libaec-v1.1.5/src/encode.h 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/encode.h 2026-02-24 10:19:36.000000000 +0100 @@ -47,10 +47,6 @@ #define M_EXIT 0 #define MIN(a, b) (((a) < (b))? (a): (b)) -/* Maximum CDS length in bytes: 5 bits ID, 64 * 32 bits samples, 7 - * bits carry from previous CDS */ -#define CDSLEN ((5 + 64 * 32 + 7 + 7) / 8) - /* Marker for Remainder Of Segment condition in zero block encoding */ #define ROS -1 @@ -95,8 +91,8 @@ uint8_t *cds; /* buffer for one CDS (only used if strm->next_out cannot hold - * full CDS) */ - uint8_t cds_buf[CDSLEN]; + * a full CDS) */ + uint8_t *cds_buf; /* cds points to strm->next_out (1) or cds_buf (0) */ int direct_out; @@ -139,9 +135,12 @@ /* 1 if flushing was successful */ int flushed; - /* length of uncompressed CDS */ + /* length of an uncompressed block */ uint32_t uncomp_len; + /* maximum length of a CDS */ + uint32_t cds_len; + /* RSI offsets container */ struct vector_t *offsets; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libaec-v1.1.5/src/sz_compat.c new/libaec-v1.1.6/src/sz_compat.c --- old/libaec-v1.1.5/src/sz_compat.c 2026-01-23 09:42:36.000000000 +0100 +++ new/libaec-v1.1.6/src/sz_compat.c 2026-02-24 10:19:36.000000000 +0100 
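Review bot: The comment on the new `state->cds_len` computation in encode.c explains the extra 8 bytes but not the `+ 1`. The removed `CDSLEN` macro in encode.h explicitly budgeted up to 7 carry bits from the previous CDS on top of the ID and sample bits. `cds_buf` is now heap-allocated to exactly this size and the `avail_out` comparison in the first encode.c hunk depends on it, so the bound deserves a derivation in the comment, e.g. `/* id_len + block_size * bits_per_sample payload bits, one byte for rounding and carry bits from the previous CDS, plus 8 bytes because copy64() always writes a full 64-bit word */`. Before adding it, confirm that the single extra byte really covers both the rounding and the carry. The function body continues outside the hunk.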
@@ -144,6 +144,14 @@ size_t padbuf_size; size_t padding_size; + if (param->pixels_per_scanline == 0 + || param->pixels_per_scanline > 4096 + || param->pixels_per_block == 0 + || param->pixels_per_block & 1 + || param->bits_per_pixel == 0 + || (param->bits_per_pixel > 32 && param->bits_per_pixel != 64)) + return SZ_PARAM_ERROR; + strm.block_size = param->pixels_per_block; strm.rsi = (param->pixels_per_scanline + param->pixels_per_block - 1) / param->pixels_per_block; @@ -166,6 +174,10 @@ } pixel_size = bits_to_bytes(strm.bits_per_sample); + if (sourceLen % pixel_size != 0) { + status = SZ_PARAM_ERROR; + goto CLEANUP; + } scanlines = (sourceLen / pixel_size + param->pixels_per_scanline - 1) / param->pixels_per_scanline; @@ -216,6 +228,13 @@ size_t total_out; size_t scanlines; + if (param->pixels_per_scanline == 0 + || param->pixels_per_block == 0 + || param->pixels_per_block & 1 + || param->bits_per_pixel == 0 + || (param->bits_per_pixel > 32 && param->bits_per_pixel != 64)) + return SZ_PARAM_ERROR; + strm.block_size = param->pixels_per_block; strm.rsi = (param->pixels_per_scanline + param->pixels_per_block - 1) / param->pixels_per_block;
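Review bot: The new parameter checks in sz_compat.c test with `== 0`, which lets negative values through. The one `SZ_com_t` member declaration visible in this diff is a plain `int`; if the other members are signed as well, a negative `pixels_per_block` or `pixels_per_scanline` passes the check and becomes a very large unsigned `strm.block_size` / `strm.rsi`. Using `<= 0` for the three zero tests (e.g. `param->pixels_per_block <= 0`) closes that in both the compress hunk and the decompress hunk. The decompress check also omits the `param->pixels_per_scanline > 4096` bound that the compress check has; szlib.h already defines `SZ_MAX_PIXELS_PER_SCANLINE`, which could serve as the limit in both places. Both function bodies continue outside the hunks.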
