Version in base suite: 0.17.3-1 Base version: libass_0.17.3-1 Target version: libass_0.17.3-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/liba/libass/libass_0.17.3-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/liba/libass/libass_0.17.3-1+deb13u1.dsc changelog | 8 + gbp.conf | 3 patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch | 66 ++++++++++ patches/series | 1 4 files changed, 77 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7z6f853x/libass_0.17.3-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7z6f853x/libass_0.17.3-1+deb13u1.dsc: no acceptable signature found
diff -Nru libass-0.17.3/debian/changelog libass-0.17.3/debian/changelog
--- libass-0.17.3/debian/changelog 2024-07-04 17:58:16.000000000 +0000
+++ libass-0.17.3/debian/changelog 2026-06-24 17:36:02.000000000 +0000
@@ -1,3 +1,11 @@
+libass (1:0.17.3-1+deb13u1) trixie; urgency=medium
+
+ [ Oneric ]
+ * Backport security fixes from 0.15.5 to 0.17.3
+ - Out-of-bounds read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm)
+
+ -- Sebastian Ramacher Wed, 24 Jun 2026 19:36:02 +0200
+
 libass (1:0.17.3-1) unstable; urgency=medium

 * New upstream version 0.17.3
diff -Nru libass-0.17.3/debian/gbp.conf libass-0.17.3/debian/gbp.conf
--- libass-0.17.3/debian/gbp.conf 2022-05-14 07:59:38.000000000 +0000
+++ libass-0.17.3/debian/gbp.conf 2026-06-24 17:08:12.000000000 +0000
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = master
+debian-branch = debian/trixie
+upstream-branch = upstream.trixie
diff -Nru libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
--- libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch 1970-01-01 00:00:00.000000000 +0000
+++ libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch 2026-06-24 17:18:54.000000000 +0000
@@ -0,0 +1,66 @@
+From: Oneric
+Date: Wed, 27 May 2026 00:00:00 +0000
+Subject: render/wrap_lines_measure: fix oob read and write
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the last line of an event consisted entirely of skippable characters
+yet could not be trimmed away entirely early on in parsing the
+while loops in wrap_line_measure overshot the end of the glyph array
+by one entry.
+This can happen in wrap modes other than two if a line ends with a '\n'
+sequence and otherwise consists entirely of this sequence or spaces.
+
+If furthermore the total text size exactly matches the
+currently allocated size of the glyph array, this first
+lead to reading a 32-bit fixed-point value (pos.x)
+from uninitialised memory.
+
+By itself this would have been entirely harmless since
+the read value never ends up being used if the first loop
+overread and in the second loop the read value is not applied
+to any real glyph or line property and thus unobservable.
+
+However, the second while loop also writes two 32-bit fixed point
+values to the overread position (pos.x and pos.y).
+Due to using the overread value itself here this ended up
+zeroing out the first and adding an easily controllable offset
+to the second.
+
+A POC for the second out-of-bound read was originally reported
+by Ada Logics’ David Korczynski who in turn was validating
+scan reports generated by Anthropic using their Claude tool.
+
+Fixes: https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm
+---
+ libass/ass_render.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/libass/ass_render.c b/libass/ass_render.c
+index d7f143d..4a4a58b 100644
+--- a/libass/ass_render.c
++++ b/libass/ass_render.c
+@@ -1881,13 +1881,21 @@ wrap_lines_measure(RenderContext *state, char *unibrks)
+
+ while (i < text_info->length && text_info->glyphs[i].skip)
+ ++i;
++
++ if (i == text_info->length) {
++ text_info->lines[0].len = 0;
++ text_info->lines[0].offset = 0;
++ return;
++ }
++
+ double pen_shift_x = d6_to_double(-text_info->glyphs[i].pos.x);
+ double pen_shift_y = 0.;
+
+ for (i = 0; i < text_info->length; ++i) {
+ GlyphInfo *cur = text_info->glyphs + i;
++
+ if (cur->linebreak) {
+- while (i < text_info->length && cur->skip && !FORCEBREAK(cur->symbol, i))
++ while (i < text_info->length - 1 && cur->skip && !FORCEBREAK(cur->symbol, i))
+ cur = text_info->glyphs + ++i;
+ double height =
+ text_info->lines[cur_line - 1].desc +
diff -Nru libass-0.17.3/debian/patches/series libass-0.17.3/debian/patches/series
--- libass-0.17.3/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libass-0.17.3/debian/patches/series 2026-06-24 17:18:54.000000000 +0000
@@ -0,0 +1 @@
+0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
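Review bot: The two added bounds checks in wrap_lines_measure carry no comment naming what they protect, and the loops now end on different limits: the first `while` can still finish with `i == text_info->length` and depends on the new `if`, whereas the inner `while` stops at `text_info->length - 1`. I would add `/* every glyph is skippable: glyphs[i] is one past the end, so pos.x must not be read */` above the early return and `/* stop on the last glyph; cur is written to after this loop */` on the inner loop, so a later cleanup does not make the two bounds uniform again. The early return fills in only `text_info->lines[0]`, and the function body starts and ends outside this hunk, so it should be confirmed that nothing else in the per-line state needs setting when all glyphs are skippable.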