Update to 0.2.44 for fix CVE-2025-2175

(cherry picked from commit 0043c5f4afbcb0c734783bf3d4260164ff22f243)

CVE-2025-2173.patch

@@ -1,35 +0,0 @@
-From 8def647eea27f7fd7ad33ff79c2d6d3e39948dce Mon Sep 17 00:00:00 2001
-From: Ileana Dumitrescu <ileanadumitrescu95@gmail.com>
-Date: Mon, 10 Mar 2025 20:36:05 +0200
-Subject: [PATCH] src/conv.c: Check src_length to avoid an unitinialized heap
- read
-
----
- src/conv.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/conv.c b/src/conv.c
-index 9a2a418..3099202 100644
---- a/src/conv.c
-+++ b/src/conv.c
-@@ -578,8 +578,8 @@ strndup_iconv_from_ucs2		(unsigned long *	out_size,
-  * @returns
-  * A pointer to the allocated buffer. You must free() the buffer
-  * when it is no longer needed. The function returns @c NULL when
-- * the conversion fails, when it runs out of memory or when @a src
-- * is @c NULL.
-+ * the conversion fails, when it runs out of memory, src_length is
-+ * set to zero, or when @a src is @c NULL.
-  *
-  * @since 0.2.23
-  */
-@@ -593,6 +593,9 @@ vbi_strndup_iconv_ucs2		(const char *		dst_codeset,
- 	char *result;
- 	unsigned long size;
- 
-+	if (0 == src_length)
-+		return NULL;
-+
- 	buffer = strndup_iconv_from_ucs2 (&size,
- 					  dst_codeset,
- 					  src, src_length,

CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch

@@ -1,116 +0,0 @@
-From ca1672134b3e2962cd392212c73f44f8f4cb489f Mon Sep 17 00:00:00 2001
-From: Ileana Dumitrescu <ileanadumitrescu95@gmail.com>
-Date: Mon, 10 Mar 2025 20:36:32 +0200
-Subject: [PATCH] src/conv.c, src/io-sim.c, src/search.c: Avoid integer
- overflow leading to heap overflow
-
----
- src/conv.c   | 18 ++++++++++++++----
- src/io-sim.c |  5 ++++-
- src/search.c | 13 ++++++++++---
- 3 files changed, 28 insertions(+), 8 deletions(-)
-
-diff --git a/src/conv.c b/src/conv.c
-index 3099202..aa8fb8d 100644
---- a/src/conv.c
-+++ b/src/conv.c
-@@ -338,7 +338,8 @@ vbi_strlen_ucs2			(const uint16_t *	src)
-  * @returns
-  * A pointer to the allocated buffer. You must free() the buffer
-  * when it is no longer needed. The function returns @c NULL when
-- * it runs out of memory, or when @a src is @c NULL.
-+ * it runs out of memory, src_size is too large, or when @a src
-+ * is @c NULL.
-  *
-  * @since 0.2.23
-  */
-@@ -349,7 +350,11 @@ strndup_identity		(unsigned long *	out_size,
- {
- 	char *buffer;
- 
--	buffer = vbi_malloc (src_size + 4);
-+	unsigned long check_buffer_size = (src_size + 4);
-+	if (src_size > check_buffer_size)
-+		return NULL;
-+
-+	buffer = vbi_malloc (check_buffer_size);
- 	if (NULL == buffer) {
- 		if (NULL != out_size)
- 			*out_size = 0;
-@@ -381,7 +386,8 @@ strndup_identity		(unsigned long *	out_size,
-  * @returns
-  * A pointer to the allocated buffer. You must free() the buffer
-  * when it is no longer needed. The function returns @c NULL when
-- * it runs out of memory, or when @a src is @c NULL.
-+ * it runs out of memory, src_length is too large, or when @a src
-+ * is @c NULL.
-  *
-  * @since 0.2.23
-  */
-@@ -403,7 +409,11 @@ strndup_utf8_ucs2		(unsigned long *	out_size,
- 	if (src_length < 0)
- 		src_length = vbi_strlen_ucs2 (src);
- 
--	buffer = vbi_malloc (src_length * 3 + 1);
-+	unsigned long check_buffer_size = (src_length * 3 + 1);
-+	if (src_length > check_buffer_size)
-+		return NULL;
-+
-+	buffer = vbi_malloc (check_buffer_size);
- 	if (NULL == buffer)
- 		return NULL;
- 
-diff --git a/src/io-sim.c b/src/io-sim.c
-index 831c668..f5a48eb 100644
---- a/src/io-sim.c
-+++ b/src/io-sim.c
-@@ -1898,7 +1898,10 @@ vbi_capture_sim_load_caption	(vbi_capture *		cap,
- 		}
- 
- 		if (b->size >= b->capacity) {
--			if (!extend_buffer (b, b->capacity + 256))
-+			unsigned int check_buffer_size = (b->capacity + 256);
-+			if (b->capacity > check_buffer_size)
-+				return FALSE;
-+			if (!extend_buffer (b, check_buffer_size))
- 				return FALSE;
- 		}
- 
-diff --git a/src/search.c b/src/search.c
-index b325eed..f0feada 100644
---- a/src/search.c
-+++ b/src/search.c
-@@ -2,7 +2,7 @@
-  *  libzvbi -- Teletext page cache search functions
-  *
-  *  Copyright (C) 2000, 2001, 2002 Michael H. Schimek
-- *  Copyright (C) 2000, 2001 Iñaki G. Etxebarria
-+ *  Copyright (C) 2000, 2001 I�aki G. Etxebarria
-  *
-  *  Originally based on AleVT 1.5.1 by Edgar Toernig
-  *
-@@ -470,7 +470,8 @@ ucs2_strlen(const void *string)
-  * All this has yet to be addressed.
-  *
-  * @return
-- * A vbi_search context or @c NULL on error.
-+ * A vbi_search context or @c NULL on error or pattern string length
-+ * is too large.
-  */
- vbi_search *
- vbi_search_new(vbi_decoder *vbi,
-@@ -490,7 +491,13 @@ vbi_search_new(vbi_decoder *vbi,
- 		return NULL;
- 
- 	if (!regexp) {
--		if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) {
-+		unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2);
-+		if (pat_len > check_size) {
-+			free(s);
-+			return NULL;
-+		}
-+
-+		if (!(esc_pat = malloc(check_size))) {
- 			free(s);
- 			return NULL;
- 		}

zvbi.spec

@@ -1,15 +1,13 @@
 Name:               zvbi
-Version:            0.2.42
-Release:            4
+Version:            0.2.44
+Release:            1
 Summary:            A library provides functions to capture and decode VBI data
-License:            LGPLv2+ and GPLv2+ and BSD
+License:            GPL-2.0-or-later AND LGPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-2-Clause AND MIT
 URL:                https://github.com/zapping-vbi/zvbi
 Source0:            %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 
 Patch0001:          %{name}-0.2.24-tvfonts.patch
 Patch0002:          %{name}-0.2.25-openfix.patch
-Patch0003:          CVE-2025-2173.patch
-Patch0004:          CVE-2025-2174_CVE-2025-2176_CVE-2025-2177.patch
 
 BuildRequires:      gcc-c++ doxygen fontconfig gettext >= 0.21.0 libpng-devel
 BuildRequires:      libICE-devel xorg-x11-font-utils systemd-units
@@ -138,6 +136,9 @@ fi
 %{_mandir}/man1/*
 
 %changelog
+* Wed Mar 26 2025 yaoxin <1024769339@qq.com> - 0.2.44-1
+- Update to 0.2.44 for fix CVE-2025-2175
+
 * Tue Mar 18 2025 yaoxin <1024769339@qq.com> - 0.2.42-4
 - Fix CVE-2025-2173,CVE-2025-2174,CVE-2025-2176 and CVE-2025-2177