From a41e552a4e28d4762b395f09dd08ca59cbb35b2b Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 18 Oct 2024 14:54:26 -0400
Subject: [PATCH] [AUTO-CHERRYPICK] Patch CVE-2022-28506 and CVE-2023-48161 in giflib - branch main (#10733)

Co-authored-by: suresh-thelkar
---
 SPECS/giflib/CVE-2022-28506.patch | 30 +++++++++++++++++++++
 SPECS/giflib/CVE-2023-48161.patch | 43 +++++++++++++++++++++++++++++++
 SPECS/giflib/giflib.spec | 7 ++++-
 3 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/giflib/CVE-2022-28506.patch
 create mode 100644 SPECS/giflib/CVE-2023-48161.patch

diff --git a/SPECS/giflib/CVE-2022-28506.patch b/SPECS/giflib/CVE-2022-28506.patch
new file mode 100644
index 00000000000..c5293f68425
--- /dev/null
+++ b/SPECS/giflib/CVE-2022-28506.patch
@@ -0,0 +1,30 @@
+From 006158597ac945d1992c9411f393eb228fb9c7bc Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar
+Date: Fri, 11 Oct 2024 10:39:07 +0530
+Subject: [PATCH] Patch for CVE-2022-28506
+
+Upstream patch details are given below.
+https://sourceforge.net/u/mmuzila/giflib/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 9d16664..82f1130 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+ GifRow = ScreenBuffer[i];
+ GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+ for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++ /* Check if color is within color palete */
++ if (GifRow[j] >= ColorMap->ColorCount)
++ {
++ GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++ }
+ ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+ *BufferP++ = ColorMapEntry->Red;
+ *BufferP++ = ColorMapEntry->Green;
+-- 
+2.34.1
+
diff --git a/SPECS/giflib/CVE-2023-48161.patch b/SPECS/giflib/CVE-2023-48161.patch
new file mode 100644
index 00000000000..2349854a5bd
--- /dev/null
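Review bot: Comment typo on the first added line of the inner hunk: `/* Check if color is within color palete */` should read `palette`. The check itself compares `GifRow[j]` against `ColorMap->ColorCount` immediately before the `&ColorMap->Colors[GifRow[j]]` index on the following context line, which is the right place for it; it exits via GIF_EXIT rather than returning, consistent with the other error paths visible in this file. DumpScreen2RGB begins and ends outside the hunk.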
+++ b/SPECS/giflib/CVE-2023-48161.patch
@@ -0,0 +1,43 @@
+From e9ed0342ff3da16c646e355c1bb8a37ab0c93240 Mon Sep 17 00:00:00 2001
+From: Bogdan Codres
+Date: Fri, 8 Mar 2024 01:30:45 +0800
+Subject: [PATCH] Free Buffers from DumpScreen2RGB in error case
+
+==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002bfc at pc 0x557cbdc9b28d bp 0x7ffde35804b0 sp 0x7ffde35804a0
+READ of size 1 at 0x602000002bfc thread T0
+ #0 0x557cbdc9b28c in DumpScreen2RGB ../../giflib-5.1.4/util/gif2rgb.c:323
+ #1 0x557cbdc9b28c in GIF2RGB ../../giflib-5.1.4/util/gif2rgb.c:480
+ #2 0x557cbdc9b28c in main ../../giflib-5.1.4/util/gif2rgb.c:538
+ #3 0x7fb09ad8214a in __libc_start_main (/lib64/libc.so.6+0x391602414a)
+ #4 0x557cbdc9bb19 in _start (/usr/bin/gif2rgb+0x5b19)
+
+0x602000002bfc is located 0 bytes to the right of 12-byte region [0x602000002bf0,0x602000002bfc)
+allocated by thread T0 here:
+ #0 0x7fb09b021138 in __interceptor_calloc (/usr/lib64/libasan.so.5+0xee138)
+ #1 0x7fb09af2ab1e in GifMakeMapObject ../../giflib-5.1.4/lib/gifalloc.c:55
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../../giflib-5.1.4/util/gif2rgb.c:323 in DumpScreen2RGB
+
+Signed-off-by: Bogdan Codres
+---
+ util/gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index bdc861f..9916fde 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -327,6 +327,9 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+ if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 ||
+ fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 ||
+ fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1)
++ free((char *) Buffers[0]);
++ free((char *) Buffers[1]);
++ free((char *) Buffers[2]);
+ GIF_EXIT("Write to file(s) failed.");
+ }
+
+-- 
+2.26.1
+
+
diff --git a/SPECS/giflib/giflib.spec b/SPECS/giflib/giflib.spec
index 174bc84dc71..a44b87f0a96 100644
--- a/SPECS/giflib/giflib.spec
+++ b/SPECS/giflib/giflib.spec
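Review bot: The three `free()` calls in the inner hunk are inserted directly after the unbraced `if (fwrite(...) != 1 || ... != 1)` condition, so only `free((char *) Buffers[0]);` stays conditional; `free((char *) Buffers[1]);`, `free((char *) Buffers[2]);` and the `GIF_EXIT("Write to file(s) failed.");` that was the original single-statement body now execute on every row, which frees the row buffers and aborts with a write error even when all three fwrite calls succeed (the ` }` context line that follows presumably closes the enclosing loop, not this if). The added lines and the GIF_EXIT need to be wrapped in braces, i.e. `... != 1) {` before the first free and `}` after the GIF_EXIT, and this is worth catching before the patch is shipped since it breaks the multi-file output path of gif2rgb outright. Separately, the AddressSanitizer trace quoted in the commit message reports an out-of-bounds read of a 12-byte colour map allocated by GifMakeMapObject at gif2rgb.c:323 in DumpScreen2RGB, which this hunk does not touch; that read appears to be what the palette-index check added by CVE-2022-28506.patch in this same commit guards, so this patch on its own should not be relied on as the fix for CVE-2023-48161. DumpScreen2RGB begins and ends outside the hunk.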
@@ -1,7 +1,7 @@
 Name: giflib
 Summary: A library and utilities for processing GIFs
 Version: 5.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -9,6 +9,8 @@ URL: http://www.sourceforge.net/projects/giflib/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 # Move quantize.c back into libgif.so (#1750122)
 Patch0: giflib_quantize.patch
+Patch1: CVE-2023-48161.patch
+Patch2: CVE-2022-28506.patch
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: xmlto
@@ -59,6 +61,9 @@ find %{buildroot} -name '*.a' -print -delete
 %{_mandir}/man1/*.1*
 
 %changelog
+* Fri Oct 11 2024 Suresh Thelkar - 5.2.1-7
+- Patch CVE-2023-48161 and CVE-2022-28506
+
 * Mon Jul 11 2022 Olivia Crain - 5.2.1-6
 - Promote to mariner-official-base repo
 - Lint spec