3 changed files with 4 additions and 66 deletions
--- a/backport-0001-CVE-2023-4863.patch
+++ b/backport-0001-CVE-2023-4863.patch
@ -1,43 +0,0 @@
-From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
-From: Vincent Rabaud <vrabaud@google.com>
-Date: Mon, 11 Sep 2023 16:06:08 +0200
-Subject: [PATCH] Fix invalid incremental decoding check.
-
-The first condition is only necessary if we have not read enough
-(enough being defined by src_last, not src_end which is the end
-of the image).
-The second condition now fits the comment below: "if not
-incremental, and we are past the end of buffer".
-
-BUG=oss-fuzz:62136
-
-Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
---
-
-diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
-index 5ab34f5..809b1aa 100644
--- a/src/dec/vp8l_dec.c
-+++ b/src/dec/vp8l_dec.c
-@@ -1233,9 +1233,20 @@
-   }
- 
-   br->eos_ = VP8LIsEndOfStream(br);
-  if (dec->incremental_ && br->eos_ && src < src_end) {
-+  // In incremental decoding:
-+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
-+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
-+  // be reset until there is more data.
-+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
-+  // fully read, either enough has been read to reach 'src_last'.
-+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
-+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
-+  // The buffer might have been enough or there is some left. 'br->eos_' does
-+  // not matter.
-+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
-+  if (dec->incremental_ && br->eos_ && src < src_last) {
-     RestoreState(dec);
-  } else if (!br->eos_) {
-+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
-     // Process the remaining rows corresponding to last row-block.
-     if (process_func != NULL) {
-       process_func(dec, row > last_row ? last_row : row);
--- a/libwebp-1.3.0.tar.gz
+++ b/libwebp-1.3.0.tar.gz
--- a/libwebp.spec
+++ b/libwebp.spec
@ -1,13 +1,12 @@
 Name:          libwebp
-Version:       1.3.2
-Release:       3
-URL:           https://www.webmproject.org
+Version:       1.3.0
+Release:       1
+URL:           http://www.linuxfromscratch.org/blfs/view/svn/general/libwebp.html
 Summary:       Library and tools for the WebP graphics format
 License:       BSD
 Source0:       http://downloads.webmproject.org/releases/webp/%{name}-%{version}.tar.gz

 Patch6000:     libwebp-freeglut.patch
-Patch6001:     backport-0001-CVE-2023-4863.patch

 BuildRequires: libjpeg-devel libpng-devel giflib-devel libtiff-devel
 BuildRequires: java-devel jpackage-utils swig freeglut-devel
@ -67,7 +66,7 @@ swig -ignoremissing -I../src -java \
    -outdir java/com/google/webp \
    -o libwebp_java_wrap.c libwebp.swig

-%{__cc} %{__global_ldflags} %{optflags} -shared \
+gcc %{__global_ldflags} %{optflags} -shared \
    -I/usr/lib/jvm/java/include \
    -I/usr/lib/jvm/java/include/linux \
    -I../src \
@ -113,24 +112,6 @@ cp swig/*.jar swig/*.so %{buildroot}/%{_libdir}/%{name}-java/
 %{_mandir}/man*/*

 %changelog
-* Thu Feb 22 2024 luofng <luofeng13@huawei.com> - 1.3.2-3
- Type: enhencement
- CVE:NA
- SUG:NA
- DESC:support for building with clang
-
-* Tue Sep 26 2023 liweigang <liweiganga@uniontech.com> - 1.3.2-2
- backport CVE-2023-4863
-
-* Fri Sep 15 2023 Funda Wang <fundawang@yeah.net> - 1.3.2-1
- update to 1.3.2
-
-* Fri Jul 21 2023 zhangpan <zhangpan103@h-partners.com> - 1.3.1-1
- update to 1.3.1
-
-* Fri May 26 2023 zhangpan <zhangpan103@h-partners.com> - 1.3.0-2
- fix CVE-2023-1999
-
 * Fri Feb 03 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 1.3.0-1
 - update to 1.3.0