!54 [sync] PR-50: Fix CVE-2022-48622

From: @openeuler-sync-bot 
Reviewed-by: @technology208, @open-bot 
Signed-off-by: @technology208, @open-bot

backport-CVE-2021-44648.patch

@@ -0,0 +1,40 @@
+From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <Robert Ancell @robert.ancell>
+Date: Tue, 24 May 2022 14:36:15 +0800
+Subject: [PATCH] Fix overflow when reading GIF images with invalid LZW initial code size.
+ 
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130/diffs?commit_id=19ebba03117aefc9d0312f675f3a210ffdcc4907
+---
+ gdk-pixbuf/io-gif.c | 2 +-
+ gdk-pixbuf/lzw.c    | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ 
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 1befba1..3d2a7a9 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -500,7 +500,7 @@ gif_prepare_lzw (GifContext *context)
+ 		return -1;
+ 	}
+         
+-        if (context->lzw_set_code_size > 12) {
++        if (context->lzw_set_code_size >= 12) {
+                 g_set_error_literal (context->error,
+                                      GDK_PIXBUF_ERROR,
+                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 105daf2..f3fae17 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
+         LZWDecoder *self;
+         int i;
+ 
++        g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
++
+         self = g_object_new (lzw_decoder_get_type (), NULL);
+ 
+         self->min_code_size = code_size;
+-- 
+2.27.0

backport-CVE-2021-46829.patch

@@ -0,0 +1,61 @@
+From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Thu, 3 Jun 2021 11:05:56 +1200
+Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
+
+Fixes: #190
+
+Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index 8335cdd76..71d9265e6 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+         for (i = 0; i < n_indexes; i++) {
+                 guint8 index = index_buffer[i];
+                 guint x, y;
+-                int offset;
++                gsize offset;
+ 
+                 if (index == frame->transparent_index)
+                         continue;
+@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+                 if (x >= anim->width || y >= anim->height)
+                         continue;
+ 
+-                offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+-                pixels[offset + 0] = frame->color_map[index * 3 + 0];
+-                pixels[offset + 1] = frame->color_map[index * 3 + 1];
+-                pixels[offset + 2] = frame->color_map[index * 3 + 2];
+-                pixels[offset + 3] = 255;
++                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                    g_size_checked_add (&offset, offset, x * 4)) {
++                        pixels[offset + 0] = frame->color_map[index * 3 + 0];
++                        pixels[offset + 1] = frame->color_map[index * 3 + 1];
++                        pixels[offset + 2] = frame->color_map[index * 3 + 2];
++                        pixels[offset + 3] = 255;
++                }
+         }
+ 
+ out:
+@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+                         x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+                         y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+                         for (y = anim->last_frame->y_offset; y < y_end; y++) {
+-                                guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+-                                memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                gsize offset;
++                                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                                    g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++                                         memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                }
+                         }
+                         break;
+                 case GDK_PIXBUF_FRAME_REVERT:
+-- 
+GitLab
+

backport-CVE-2022-48622.patch

@@ -0,0 +1,113 @@
+From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c                       |   9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf4..a78ea7ace4 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->animation)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Invalid header in animation"));
++			return FALSE;
++		}
++
+ 		context->HeaderSize = read_int32 (context);
+ 		context->NumFrames = read_int32 (context);
+ 		context->NumSteps = read_int32 (context);
+-- 
+GitLab
+
+
+From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
+
+There should be at most one chunk each.  These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace4..8e8414117c 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_INAM) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->title)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_IART) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->author)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+-- 
+GitLab
+
+
+From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: [PATCH 3/3] ANI: Validate anih chunk size
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file.  However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read.  Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage.  (But we'd still fail later on because the file doesn't
+contain any images.)  Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c..cfafd7b196 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->chunk_size < 36)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Malformed chunk in animation"));
++			return FALSE;
++		}
+ 		if (context->animation)
+ 		{
+ 			g_set_error_literal (error,
+-- 
+GitLab
+

gdk-pixbuf2.spec

@@ -2,11 +2,16 @@
 
 Name:           gdk-pixbuf2
 Version:        2.42.6
-Release:        2
+Release:        7
 Summary:        gdk is a multi-platform toolkit for creating graphical user interfaces.
 License:        LGPLv2+
 URL:            https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0:        https://download-fallback.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
+Source1:        invalid-colors.gif
+
+Patch6000:	backport-CVE-2021-46829.patch
+Patch6001:	backport-CVE-2021-44648.patch
+Patch6002:	backport-CVE-2022-48622.patch
 
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
@@ -63,6 +68,7 @@ developing applications that uses gdk-pixbuf2 xlib and test.
 
 %prep
 %autosetup -n gdk-pixbuf-%{version} -p1
+cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
 
 %build
 %meson \
@@ -73,9 +79,6 @@ developing applications that uses gdk-pixbuf2 xlib and test.
 %global _smp_mflags -j1
 %meson_build
 
-%check
-%meson_test
-
 %install
 %meson_install
 
@@ -128,13 +131,28 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_mandir}/man1/gdk-pixbuf-csource.1*
 
 %changelog
+* Wed Jun 26 2024 liningjie <liningjie@xfusion.com> - 2.42.6-7
+- Fix CVE-2022-48622
+
+* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.42.6-6
+- fix CVE-2021-44648
+
+* Thu Dec 01 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.42.6-5
+- disable make check
+
+* Thu Aug 25 2022 wangkerong <wangkerong@h-partners.com> - 2.42.6-4
+- fix CVE-2021-46829
+
+* Wed May 18 2022 loong_C <loong_c@yeah.net> - 2.42.6-3
+- fix spec changelog date
+
 * Wed Mar 30 2022 liuyumeng <liuyumeng5@h-partners.com> - 2.42.6-2
 - enable tests
 
 * Thu Dec 2 2021 hanhui <hanhui15@huawei.com> - 2.42.6-1
 - update to 2.42.6
 
-* Thu Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
+* Tue Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
 - delete gdb in buildrequires
 
 * Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.40.0-1