Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozjs140 for openSUSE:Factory checked in at 2026-06-04 18:53:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozjs140 (Old) and /work/SRC/openSUSE:Factory/.mozjs140.new.2375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozjs140" Thu Jun 4 18:53:54 2026 rev:13 rq:1356902 version:140.10.1 Changes: -------- --- /work/SRC/openSUSE:Factory/mozjs140/mozjs140.changes 2026-05-05 15:15:42.028002603 +0200 +++ /work/SRC/openSUSE:Factory/.mozjs140.new.2375/mozjs140.changes 2026-06-04 18:56:01.069090454 +0200 @@ -1,0 +2,7 @@ +Mon Jun 1 21:40:34 UTC 2026 - Michael Gorse <[email protected]> + +- Add mozjs140-CVE-2025-70103.patch: libjxl: take EC into account + when checking required PNM input length (bsc#1266463 + CVE-2025-70103). + +------------------------------------------------------------------- New: ---- mozjs140-CVE-2025-70103.patch ----------(New B)---------- New: - Add mozjs140-CVE-2025-70103.patch: libjxl: take EC into account when checking required PNM input length (bsc#1266463 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozjs140.spec ++++++ --- /var/tmp/diff_new_pack.QefHlP/_old 2026-06-04 18:56:05.909290370 +0200 +++ /var/tmp/diff_new_pack.QefHlP/_new 2026-06-04 18:56:05.909290370 +0200 @@ -83,6 +83,8 @@ Patch22: mozjs140-CVE-2026-32777.patch # PATCH-FIX-UPSTREAM mozjs140-CVE-2026-32778.patch bsc#1259731 [email protected] -- libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition Patch23: mozjs140-CVE-2026-32778.patch +# PATCH-FIX-UPSTREAM mozjs140-CVE-2025-70103.patch bsc#1266463 [email protected] -- libjxl: Take EC into account when checking required PNM input length. +Patch24: mozjs140-CVE-2025-70103.patch BuildRequires: cargo BuildRequires: ccache BuildRequires: clang @@ -169,6 +171,7 @@ %patch -P 21 -p1 %patch -P 22 -p1 %patch -P 23 -p1 +%patch -P 24 -p1 %if %{pkg_vcmp libicu-devel >= 76.1} sed -i 's/icu-i18n/icu-uc &/' js/moz.configure ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.QefHlP/_old 2026-06-04 18:56:05.969292849 +0200 +++ /var/tmp/diff_new_pack.QefHlP/_new 2026-06-04 18:56:05.973293014 +0200 @@ -1,6 +1,6 @@ -mtime: 1777465768 -commit: afb968694b8694946132511edee521893e53fad65f4a4187e6e32b957772e14a +mtime: 1780392405 +commit: ea51983c495674fd197edce321d765491ee015a37d90a7226c49e5ba1008f6d6 url: https://src.opensuse.org/GNOME/mozjs140 -revision: afb968694b8694946132511edee521893e53fad65f4a4187e6e32b957772e14a +revision: ea51983c495674fd197edce321d765491ee015a37d90a7226c49e5ba1008f6d6 projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-02 11:26:45.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ mozjs140-CVE-2025-70103.patch ++++++ >From 49fb89f23473e57fa1dac416adce7c7679e5d051 Mon Sep 17 00:00:00 2001 From: Eugene Kliuchnikov <[email protected]> Date: Fri, 8 Aug 2025 12:29:08 +0200 Subject: [PATCH] Take EC into accound when checking required PNM inmput length (#4380) Based on #4338 --- lib/extras/dec/pnm.cc | 66 +++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 24 deletions(-) diff -urp firefox-140.10.1.orig/third_party/jpeg-xl/lib/extras/dec/pnm.cc firefox-140.10.1/third_party/jpeg-xl/lib/extras/dec/pnm.cc --- firefox-140.10.1.orig/third_party/jpeg-xl/lib/extras/dec/pnm.cc 2026-04-27 11:09:05.000000000 -0500 +++ firefox-140.10.1/third_party/jpeg-xl/lib/extras/dec/pnm.cc 2026-06-01 16:29:03.649767993 -0500 @@ -497,13 +497,26 @@ Status DecodeImagePNM(const Span<const u } } + // No align - pixels are tightly packed. + constexpr size_t kAlign = 0; + size_t twidth = PackedImage::BitsPerChannel(data_type) / 8; const JxlPixelFormat format{ /*num_channels=*/num_interleaved_channels, /*data_type=*/data_type, /*endianness=*/header.big_endian ? JXL_BIG_ENDIAN : JXL_LITTLE_ENDIAN, - /*align=*/0, + kAlign, }; - const JxlPixelFormat ec_format{1, format.data_type, format.endianness, 0}; + // EC format is same as color, but 1-channel. + JxlPixelFormat ec_format = format; + ec_format.num_channels = 1; + size_t required_pnm_size = + header.ysize * header.xsize * + (num_interleaved_channels + header.ec_types.size()) * twidth; + size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; + if (pnm_remaining_size < required_pnm_size) { + return JXL_FAILURE("PNM file too small"); + } + ppf->frames.clear(); { JXL_ASSIGN_OR_RETURN( @@ -512,42 +525,47 @@ Status DecodeImagePNM(const Span<const u ppf->frames.emplace_back(std::move(frame)); } auto* frame = &ppf->frames.back(); + uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); + std::vector<uint8_t*> ec_out; for (size_t i = 0; i < header.ec_types.size(); ++i) { JXL_ASSIGN_OR_RETURN( PackedImage ec, PackedImage::Create(header.xsize, header.ysize, ec_format)); frame->extra_channels.emplace_back(std::move(ec)); + ec_out.emplace_back( + reinterpret_cast<uint8_t*>(frame->extra_channels.back().pixels())); + JXL_DASSERT(frame->extra_channels.back().stride == header.xsize * twidth); } - size_t pnm_remaining_size = bytes.data() + bytes.size() - pos; - if (pnm_remaining_size < frame->color.pixels_size) { - return JXL_FAILURE("PNM file too small"); - } - - uint8_t* out = reinterpret_cast<uint8_t*>(frame->color.pixels()); - std::vector<uint8_t*> ec_out(header.ec_types.size()); - for (size_t i = 0; i < ec_out.size(); ++i) { - ec_out[i] = reinterpret_cast<uint8_t*>(frame->extra_channels[i].pixels()); - } + JXL_DASSERT(frame->color.stride == + header.xsize * num_interleaved_channels * twidth); if (ec_out.empty()) { - const bool flipped_y = header.bits_per_sample == 32; // PFMs are flipped - for (size_t y = 0; y < header.ysize; ++y) { - size_t y_in = flipped_y ? header.ysize - 1 - y : y; - const uint8_t* row_in = &pos[y_in * frame->color.stride]; - uint8_t* row_out = &out[y * frame->color.stride]; - memcpy(row_out, row_in, frame->color.stride); + const bool flipped_y = (header.bits_per_sample == 32); // PFMs are flipped + if (!flipped_y) { + // When there are no EC and input is not flipped we can copy the whole + // image at once. + memcpy(out, pos, header.ysize * frame->color.stride); + } else { + // Otherwise copy row-by-row. + for (size_t y = 0; y < header.ysize; ++y) { + size_t y_out = header.ysize - 1 - y; + const uint8_t* row_in = pos + y * frame->color.stride; + uint8_t* row_out = out + y_out * frame->color.stride; + memcpy(row_out, row_in, frame->color.stride); + } } } else { + // In case there are EC, we have to deinterleave data pixel-wise. JXL_RETURN_IF_ERROR(PackedImage::ValidateDataType(data_type)); - size_t pwidth = PackedImage::BitsPerChannel(data_type) / 8; + size_t color_stride = twidth * num_interleaved_channels; for (size_t y = 0; y < header.ysize; ++y) { for (size_t x = 0; x < header.xsize; ++x) { memcpy(out, pos, frame->color.pixel_stride()); - out += frame->color.pixel_stride(); - pos += frame->color.pixel_stride(); + out += color_stride; + pos += color_stride; for (auto& p : ec_out) { - memcpy(p, pos, pwidth); - pos += pwidth; - p += pwidth; + memcpy(p, pos, twidth); + pos += twidth; + p += twidth; } } }
