!48 [sync] PR-46: sync openEuler-22.03-LTS-SP2 patch

From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot

backport-CVE-2021-44648.patch

@@ -0,0 +1,40 @@
+From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <Robert Ancell @robert.ancell>
+Date: Tue, 24 May 2022 14:36:15 +0800
+Subject: [PATCH] Fix overflow when reading GIF images with invalid LZW initial code size.
+ 
+Conflict:NA
+Reference:https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130/diffs?commit_id=19ebba03117aefc9d0312f675f3a210ffdcc4907
+---
+ gdk-pixbuf/io-gif.c | 2 +-
+ gdk-pixbuf/lzw.c    | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+ 
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 1befba1..3d2a7a9 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -500,7 +500,7 @@ gif_prepare_lzw (GifContext *context)
+ 		return -1;
+ 	}
+         
+-        if (context->lzw_set_code_size > 12) {
++        if (context->lzw_set_code_size >= 12) {
+                 g_set_error_literal (context->error,
+                                      GDK_PIXBUF_ERROR,
+                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 105daf2..f3fae17 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
+         LZWDecoder *self;
+         int i;
+ 
++        g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
++
+         self = g_object_new (lzw_decoder_get_type (), NULL);
+ 
+         self->min_code_size = code_size;
+-- 
+2.27.0

backport-CVE-2021-46829.patch

@@ -0,0 +1,61 @@
+From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Thu, 3 Jun 2021 11:05:56 +1200
+Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
+
+Fixes: #190
+
+Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index 8335cdd76..71d9265e6 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+         for (i = 0; i < n_indexes; i++) {
+                 guint8 index = index_buffer[i];
+                 guint x, y;
+-                int offset;
++                gsize offset;
+ 
+                 if (index == frame->transparent_index)
+                         continue;
+@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+                 if (x >= anim->width || y >= anim->height)
+                         continue;
+ 
+-                offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+-                pixels[offset + 0] = frame->color_map[index * 3 + 0];
+-                pixels[offset + 1] = frame->color_map[index * 3 + 1];
+-                pixels[offset + 2] = frame->color_map[index * 3 + 2];
+-                pixels[offset + 3] = 255;
++                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                    g_size_checked_add (&offset, offset, x * 4)) {
++                        pixels[offset + 0] = frame->color_map[index * 3 + 0];
++                        pixels[offset + 1] = frame->color_map[index * 3 + 1];
++                        pixels[offset + 2] = frame->color_map[index * 3 + 2];
++                        pixels[offset + 3] = 255;
++                }
+         }
+ 
+ out:
+@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+                         x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+                         y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+                         for (y = anim->last_frame->y_offset; y < y_end; y++) {
+-                                guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+-                                memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                gsize offset;
++                                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                                    g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++                                         memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                }
+                         }
+                         break;
+                 case GDK_PIXBUF_FRAME_REVERT:
+-- 
+GitLab
+

gdk-pixbuf2.spec

@@ -2,11 +2,15 @@
 
 Name:           gdk-pixbuf2
 Version:        2.42.6
-Release:        1
+Release:        6
 Summary:        gdk is a multi-platform toolkit for creating graphical user interfaces.
 License:        LGPLv2+
 URL:            https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0:        https://download-fallback.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
+Source1:        invalid-colors.gif
+
+Patch6000:	backport-CVE-2021-46829.patch
+Patch6001:	backport-CVE-2021-44648.patch
 
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
@@ -63,6 +67,7 @@ developing applications that uses gdk-pixbuf2 xlib and test.
 
 %prep
 %autosetup -n gdk-pixbuf-%{version} -p1
+cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
 
 %build
 %meson \
@@ -125,10 +130,25 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_mandir}/man1/gdk-pixbuf-csource.1*
 
 %changelog
+* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.42.6-6
+- fix CVE-2021-44648
+
+* Thu Dec 01 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.42.6-5
+- disable make check
+
+* Thu Aug 25 2022 wangkerong <wangkerong@h-partners.com> - 2.42.6-4
+- fix CVE-2021-46829
+
+* Wed May 18 2022 loong_C <loong_c@yeah.net> - 2.42.6-3
+- fix spec changelog date
+
+* Wed Mar 30 2022 liuyumeng <liuyumeng5@h-partners.com> - 2.42.6-2
+- enable tests
+
 * Thu Dec 2 2021 hanhui <hanhui15@huawei.com> - 2.42.6-1
 - update to 2.42.6
 
-* Thu Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
+* Tue Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
 - delete gdb in buildrequires
 
 * Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.40.0-1