From 595ca232329d74f0f7d41b15979c927e4e109627 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Wed, 26 Jun 2024 12:07:52 +0800
Subject: [PATCH] Fix CVE-2022-48622
(cherry picked from commit 29602f8096f0f2fe4b33a6f30de2289ec4057514)
---
 backport-CVE-2022-48622.patch | 113 ++++++++++++++++++++++++++++++++++
 gdk-pixbuf2.spec | 7 ++-
 2 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48622.patch

diff --git a/backport-CVE-2022-48622.patch b/backport-CVE-2022-48622.patch
new file mode 100644
index 0000000..bbbd994
--- /dev/null
+++ b/backport-CVE-2022-48622.patch
@@ -0,0 +1,113 @@
+From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf4..a78ea7ace4 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 
+ if (context->chunk_id == TAG_anih)
+ {
++ if (context->animation)
++ {
++ g_set_error_literal (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Invalid header in animation"));
++ return FALSE;
++ }
++
+ context->HeaderSize = read_int32 (context);
+ context->NumFrames = read_int32 (context);
+ context->NumSteps = read_int32 (context);
+--
+GitLab
+
+
+From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
+
+There should be at most one chunk each. These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace4..8e8414117c 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ }
+ else if (context->chunk_id == TAG_INAM)
+ {
+- if (!context->animation)
++ if (!context->animation || context->title)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ }
+ else if (context->chunk_id == TAG_IART)
+ {
+- if (!context->animation)
++ if (!context->animation || context->author)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+--
+GitLab
+
+
+From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: [PATCH 3/3] ANI: Validate anih chunk size
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file. However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read. Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage. (But we'd still fail later on because the file doesn't
+contain any images.) Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c..cfafd7b196 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 
+ if (context->chunk_id == TAG_anih)
+ {
++ if (context->chunk_size < 36)
++ {
++ g_set_error_literal (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Malformed chunk in animation"));
++ return FALSE;
++ }
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+--
+GitLab
+
diff --git a/gdk-pixbuf2.spec b/gdk-pixbuf2.spec
index fa5255e..19b557a 100644
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@@ -2,12 +2,14 @@
 Name: gdk-pixbuf2
 Version: 2.42.10
-Release: 2
+Release: 3
 Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
 License: LGPLv2+
 URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
+Patch6000: backport-CVE-2022-48622.patch
+
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
 BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
@@ -129,6 +131,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_datadir}/doc
 %changelog
+* Wed Jun 26 2024 liningjie - 2.42.10-3
+- Fix CVE-2022-48622
+
 * Tue Mar 07 2023 zhouwenpei - 2.42.10-2
 - disable make check
--
Gitee
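Review bot: The `if (context->chunk_size < 36)` guard in the third backported commit hard-codes the anih payload length with nothing tying it to the `read_int32` sequence it protects, so a later change to the number of fields read would silently desynchronise the check. I would anchor the constant at the guard, e.g. `/* anih payload is 36 bytes (nine 32-bit fields read below); a shorter chunk would leave context fields uninitialised */`. Only three of those reads (`HeaderSize`, `NumFrames`, `NumSteps`) are visible in the hunk, so confirm the count against the full `ani_load_chunk` body, which starts and ends outside the hunk. Ordering the size check ahead of the duplicate-anih test from the first commit is fine, since both paths return FALSE before any state is touched.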
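Review bot: `Patch6000: backport-CVE-2022-48622.patch` is only declared here; the hunk does not show it being applied, and with a `%prep` that lacks `%autosetup -p1` or an explicit `%patch6000 -p1` the package would build cleanly with the fix never reaching the source tree. `%prep` is outside the hunk, so confirm it, ideally by checking the build log for the three io-ani.c hunks being applied. The backport file concatenates three upstream commits, which `patch -p1` applies in sequence, so one `Patch` line suffices once it is actually invoked.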