From d4b15370e62e2ef10c47c79f98430252b9d18f1f Mon Sep 17 00:00:00 2001
From: hdliu
Date: Mon, 21 Apr 2025 17:56:48 +0800
Subject: [PATCH] Fix CVE-2025-43963
Signed-off-by: hdliu
---
 LibRaw.spec | 7 +++++-
 backport-upstream_CVE-2025-43963.patch | 35 ++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 backport-upstream_CVE-2025-43963.patch
diff --git a/LibRaw.spec b/LibRaw.spec
index 820f1f7..0eda615 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -1,6 +1,6 @@
 Name: LibRaw
 Version: 0.20.2
-Release: 6
+Release: 7
 Summary: Library for reading RAW files obtained from digital photo cameras
 License: BSD and (CDDL-1.0 or LGPLv2)
 URL: http://www.libraw.org
@@ -11,6 +11,8 @@ Patch0002: fix-use-of-uninitialized-value.patch
 Patch0003: CVE-2023-1729.patch
 # https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49
 Patch0004: CVE-2021-32142.patch
+Patch0005: backport-upstream_CVE-2025-43963.patch
+
 BuildRequires: gcc-c++ pkgconfig(lcms2) pkgconfig(libjpeg)
 BuildRequires: autoconf automake libtool
 Provides: bundled(dcraw) = 9.25
@@ -71,6 +73,9 @@ rm -rfv samples/.deps samples/.dirstamp samples/*.o
 %exclude %{_docdir}/libraw/*
 %changelog
+* Tue Apr 22 2025 hdliu - 0.20.2-7
+- Fix CVE-2025-43963
+
 * Tue Mar 26 2024 yaoxin - 0.20.2-6
 - Fix CVE-2021-32142
diff --git a/backport-upstream_CVE-2025-43963.patch b/backport-upstream_CVE-2025-43963.patch
new file mode 100644
index 0000000..68e170f
--- /dev/null
+++ b/backport-upstream_CVE-2025-43963.patch
@@ -0,0 +1,35 @@
+From 511c586dd6267e26ccdb61c16b98566a05c6e01e Mon Sep 17 00:00:00 2001
+From: hdliu
+Date: Mon, 21 Apr 2025 17:43:18 +0800
+Subject: [PATCH] prevent out-of-buffer access in phase_one_correct()
+
+Signed-off-by: hdliu
+---
+ src/decoders/load_mfbacks.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c051..a8f2c6d 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -211,7 +211,7 @@ int LibRaw::phase_one_correct()
+ off_412 = ftell(ifp) - 38;
+ }
+ }
+- else if (tag == 0x041f && !qlin_applied)
++ else if (tag == 0x041f && !qlin_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
+ { /* Quadrant linearization */
+ ushort lc[2][2][16], ref[16];
+ int qr, qc;
+@@ -288,7 +288,7 @@ int LibRaw::phase_one_correct()
+ }
+ qmult_applied = 1;
+ }
+- else if (tag == 0x0431 && !qmult_applied)
++ else if (tag == 0x0431 && !qmult_applied && ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height)
+ { /* Quadrant combined */
+ ushort lc[2][2][7], ref[7];
+ int qr, qc;
+--
+2.33.0
+
-- Gitee
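Review bot: The same four-term range check on `ph1.split_col`/`ph1.split_row` is pasted into both `else if` conditions (tags 0x041f and 0x0431), so a later quadrant branch could be added without it and the two copies can drift apart. Computing it once earlier in the function, e.g. `const bool split_ok = ph1.split_col > 0 && ph1.split_col < raw_width && ph1.split_row > 0 && ph1.split_row < raw_height;`, and testing `&& split_ok` in each branch keeps the guards identical and the conditions readable. phase_one_correct() starts and ends outside these hunks, so whether other code in it indexes by the split values is not visible here and should be confirmed. The embedded patch carries only the packager's From line and hash; a comment above `Patch0005` with the upstream commit URL, as the spec appears to do for `Patch0004`, would let the backport be compared against upstream.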