From f564d4c27bcbb0a83f3dca8567e4a40bfbc60445 Mon Sep 17 00:00:00 2001
From: Tomas Smetana
Date: May 21 2020 07:57:38 +0000
Subject: New upstream version Fix rhbz#1834969 - CVE-2020-12761 integer overflow in ICO color maps handling
---
diff --git a/.gitignore b/.gitignore
index ffeed74..d9f3de7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ imlib2-1.4.3.tar.bz2
 /imlib2-1.4.8.tar.bz2
 /imlib2-1.4.9.tar.bz2
 /imlib2-1.5.1.tar.bz2
+/imlib2-1.6.1.tar.bz2
diff --git a/imlib2-1.6.1-ico-overflow.patch b/imlib2-1.6.1-ico-overflow.patch
new file mode 100644
index 0000000..cea031e
--- /dev/null
+++ b/imlib2-1.6.1-ico-overflow.patch
@@ -0,0 +1,30 @@
+diff -up imlib2-1.6.1/src/modules/loaders/loader_ico.c.overflow imlib2-1.6.1/src/modules/loaders/loader_ico.c
+--- imlib2-1.6.1/src/modules/loaders/loader_ico.c.overflow 2020-05-21 09:42:21.592650197 +0200
++++ imlib2-1.6.1/src/modules/loaders/loader_ico.c 2020-05-21 09:45:06.339214806 +0200
+@@ -8,6 +8,7 @@
+ #include "loader_common.h"
+
+ #include
++#include
+
+ #define DEBUG 0
+ #if DEBUG
+@@ -168,6 +169,8 @@ ico_read_icon(ico_t * ico, int ino)
+ case 4:
+ case 8:
+ D("Allocating a %d slot colormap\n", ie->bih.colors);
++ if (UINT_MAX / sizeof(DATA32) < ie->bih.colors)
++ goto bail;
+ size = ie->bih.colors * sizeof(DATA32);
+ ie->cmap = malloc(size);
+ nr = fread(ie->cmap, 1, size, ico->fp);
+@@ -183,6 +186,9 @@ ico_read_icon(ico_t * ico, int ino)
+ }
+
+ size = ((ie->bih.bpp * ie->w + 31) / 32 * 4) * ie->h;
++ if (!IMAGE_DIMENSIONS_OK(ie->w, ie->h) || ie->bih.bpp == 0 ||
++ UINT_MAX / ie->bih.bpp < ie->w * ie->h)
++ goto bail;
+ ie->pxls = malloc(size);
+ nr = fread(ie->pxls, 1, size, ico->fp);
+ if (nr != size)
diff --git a/imlib2.spec b/imlib2.spec
index 98f8721..7aee880 100644
--- a/imlib2.spec
+++ b/imlib2.spec
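Review bot: In the embedded loader_ico.c patch, both `malloc` results are still handed to `fread` on the very next line (`ie->cmap` in the second inner hunk, `ie->pxls` in the third). The added guards reject wrap-around but still admit very large sizes: the colormap test allows anything up to UINT_MAX bytes unless `ie->bih.colors` is bounded earlier in the function, which the hunk does not show, so a failed allocation looks reachable from file input. I would add `if (!ie->cmap) goto bail;` and `if (!ie->pxls) goto bail;` directly after the respective `malloc` calls. In the third inner hunk the new test also sits after `size = ((ie->bih.bpp * ie->w + 31) / 32 * 4) * ie->h;`, so the multiplication runs on unvalidated values first; that is harmless only if the operands are unsigned, and moving the test above the assignment removes the question. The rest of ico_read_icon, including the `bail` label, is outside the hunk.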
@@ -1,12 +1,14 @@ Summary: Image loading, saving, rendering, and manipulation library Name: imlib2 -Version: 1.5.1 -Release: 4%{?dist} +Version: 1.6.1 +Release: 1%{?dist} License: Imlib2 URL: http://docs.enlightenment.org/api/imlib2/html/ Source0: http://downloads.sourceforge.net/enlightenment/%{name}-%{version}.tar.bz2 # Fedora specific multilib hack, upstream should switch to pkgconfig one day Patch0: imlib2-1.4.7-multilib.patch +# Fix for CVE-1834969, backport from upstream +Patch1: imlib2-1.6.1-ico-overflow.patch BuildRequires: libjpeg-devel BuildRequires: libpng-devel @@ -65,6 +67,7 @@ conditions of the GPL version 2 (or at your option) any later version. %prep %setup -q %patch0 -p1 -b .multilib +%patch1 -p1 -b .overflow %build asmopts="--disable-mmx --disable-amd64" @@ -124,6 +127,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f \{\} \; %changelog +* Thu May 21 2020 Tomas Smetana - 1.6.1-1 +- New upstream version +- Fix rhbz#1834969 - CVE-2020-12761 integer overflow in ICO color maps handling + * Wed Jan 29 2020 Fedora Release Engineering - 1.5.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index ef238ee..febb2b9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (imlib2-1.5.1.tar.bz2) = f9d971674887d4af067c6921e34b6fe598db0317052bc864b676c526b36373ce021d9d49cad95aa64dbbd8e74f1831ddf3ed105900e3df2b66a6b53f7f27c732 +SHA512 (imlib2-1.6.1.tar.bz2) = ecdbdbfe8767ec2b1f22ce664cbab5e1d3f75be7a3c8f37488f5243b3c31dbc433414b8d50d2d1b70c67a80e31e42cc5398161991ce3955e991c114c82ddd58f
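Review bot: The comment added above `Patch1` in the first hunk reads `# Fix for CVE-1834969`, but 1834969 is the Bugzilla number; the changelog entry added further down in the same file gives the CVE as CVE-2020-12761. Anyone auditing spec files for a CVE identifier, by hand or with a scanner that greps patch comments, will not find this patch under the real id. I would write `# Fix for CVE-2020-12761 (rhbz#1834969), backport from upstream`.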