From e9f5c65c81a23aa18d72444f10457f2dc7847a62 Mon Sep 17 00:00:00 2001
From: pkgagent <pkgagent@tencent.com>
Date: Thu, 7 May 2026 15:08:38 +0800
Subject: [PATCH] fix CVE-2026-20884

---
 LibRaw-0.21.2-CVE-2026-20884.patch | 58 ++++++++++++++++++++++++++++++
 LibRaw.spec                        |  7 +++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 LibRaw-0.21.2-CVE-2026-20884.patch

diff --git a/LibRaw-0.21.2-CVE-2026-20884.patch b/LibRaw-0.21.2-CVE-2026-20884.patch
new file mode 100644
index 0000000..8d2fb1c
--- /dev/null
+++ b/LibRaw-0.21.2-CVE-2026-20884.patch
@@ -0,0 +1,58 @@
+From 39873163faa29ed5dfc3bb5aab1b46ed807b210f Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Fri, 13 Mar 2026 17:43:47 +0300
+Subject: [PATCH] Fix for data size calculation integer overflow in
+ float/deflated DNG loader (TALOS-2026-2364); Check for read results
+
+Adapted-by: PkgAgent/deepseek-v4-flash (modified to adapt to opencloudos-stream)
+
+---
+ src/decoders/fp_dng.cpp |   27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/decoders/fp_dng.cpp b/src/decoders/fp_dng.cpp
+index 5fe1eaa..87a73cd 100644
+--- a/src/decoders/fp_dng.cpp
++++ b/src/decoders/fp_dng.cpp
+@@ -349,8 +349,29 @@ void LibRaw::deflate_dng_load_raw()
+   tiles.init(ifd, imgdata.sizes, libraw_internal_data.unpacker_data, libraw_internal_data.unpacker_data.order,
+       libraw_internal_data.internal_data.input);
+ 
++  if (tiles.tBytes.size() < 1)
++	  throw LIBRAW_EXCEPTION_IO_CORRUPT;
++
++  // Ensure less then 2GB per compressed tile
++  INT64 maxcomprlen = tiles.tBytes[0];
++  for (int i = 1; i < tiles.tBytes.size(); i++)
++	  maxcomprlen = MAX(maxcomprlen, tiles.tBytes[i]);
++
++  if(maxcomprlen >= (1LL << 31) || maxcomprlen < 0)
++	  throw LIBRAW_EXCEPTION_TOOBIG;
++  
++  // Max bytes: 2^16 raw width * 2^2 bytes/pixel * 2^2 channels = 2^20, so check against 2^22
++  INT64 rowbytes = INT64(MAX(tiles.tileWidth, imgdata.sizes.raw_width)) * 4ULL * INT64(ifd->samples);
++  if (rowbytes > (1LL << 22))
++    throw LIBRAW_EXCEPTION_TOOBIG;
++
+   if (ifd->sample_format == 3)
+-      float_raw_image = (float *)calloc(tiles.tileCnt * tiles.tileWidth * tiles.tileHeight *ifd->samples, sizeof(float));
++  {
++    INT64 raw_bytes = INT64(tiles.tileCnt) * INT64(tiles.tileWidth) * INT64(tiles.tileHeight) * INT64(ifd->samples) * sizeof(float);
++    if (raw_bytes > INT64(imgdata.rawparams.max_raw_memory_mb) * INT64(1024 * 1024))
++      throw LIBRAW_EXCEPTION_TOOBIG;
++    float_raw_image = (float *)calloc(raw_bytes, 1);
++  }
+   else
+     throw LIBRAW_EXCEPTION_DECODE_RAW; // Only float deflated supported
+ 
+@@ -385,7 +406,9 @@ void LibRaw::deflate_dng_load_raw()
+       for (size_t x = 0; x < imgdata.sizes.raw_width; x += tiles.tileWidth, ++t)
+       {
+         libraw_internal_data.internal_data.input->seek(tiles.tOffsets[t], SEEK_SET);
+-        libraw_internal_data.internal_data.input->read(cBuffer.data(), 1, tiles.tBytes[t]);
++        int bytesread = libraw_internal_data.internal_data.input->read(cBuffer.data(), 1, tiles.tBytes[t]);
++		if (bytesread < tiles.tBytes[t])
++			derror();
+         unsigned long dstLen = tileBytes;
+         int err =
+             uncompress(uBuffer.data() + tileRowBytes, &dstLen, cBuffer.data(), (unsigned long)tiles.tBytes[t]);
diff --git a/LibRaw.spec b/LibRaw.spec
index a711ec4..0d541dc 100644
--- a/LibRaw.spec
+++ b/LibRaw.spec
@@ -3,7 +3,7 @@
 Summary: Library for reading RAW files obtained from digital photo cameras
 Name: LibRaw
 Version: 0.21.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: BSD and (CDDL-1.0 or LGPLv2)
 URL: http://www.libraw.org
 Source0: http://github.com/LibRaw/LibRaw/archive/%{version}.tar.gz
@@ -15,6 +15,7 @@ Patch0005: LibRaw-0.21.2-CVE-2026-5342.patch
 Patch0006: LibRaw-0.21.2-CVE-2026-24660.patch
 Patch0007: LibRaw-0.21.2-CVE-2026-21413.patch
 Patch0008: LibRaw-0.21.2-CVE-2026-20889.patch
+Patch0009: LibRaw-0.21.2-CVE-2026-20884.patch
 Patch3000: LibRaw-pkgconfig.patch
 
 BuildRequires: make gcc-c++
@@ -95,6 +96,10 @@ rm -fv %{buildroot}%{_libdir}/lib*.la
 %{_bindir}/*
 
 %changelog
+* Thu May 07 2026 PkgAgent Robot <pkgagent@opencloudos.tech> - 0.21.2-7
+- [Type] security
+- [DESC] Fix CVE-2026-20884 vulnerability: integer overflow in data size calculation in float/deflated DNG loader
+
 * Thu Apr 09 2026 PkgAgent Robot <pkgagent@opencloudos.tech> - 0.21.2-6
 - [Type] security
 - [DESC] Fix multiple security vulnerabilities:
-- 
Gitee