Version in base suite: 0.1+dfsg-4.2+deb13u1 Base version: rlottie_0.1+dfsg-4.2+deb13u1 Target version: rlottie_0.1+dfsg-4.2+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rlottie/rlottie_0.1+dfsg-4.2+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rlottie/rlottie_0.1+dfsg-4.2+deb13u2.dsc changelog | 13 ++ patches/Fix-crash-on-invalid-data.patch | 12 -- patches/Fix-heap-buffer-overflow-from-short-truncation.patch | 31 +++++ patches/Fixed-signed-shift-issue.patch | 64 +++++++++++ patches/Fixed-vpath-potential-issue.patch | 29 ++++ patches/Fortify-FreeType-raster.patch | 4 patches/Limit-recursion-in-LOTLayerItem.patch | 39 ++++++ patches/series | 4 8 files changed, 183 insertions(+), 13 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvrny25lp/rlottie_0.1+dfsg-4.2+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpvrny25lp/rlottie_0.1+dfsg-4.2+deb13u2.dsc: no acceptable signature found
diff -Nru rlottie-0.1+dfsg/debian/changelog rlottie-0.1+dfsg/debian/changelog
--- rlottie-0.1+dfsg/debian/changelog 2025-11-25 11:05:10.000000000 +0000
+++ rlottie-0.1+dfsg/debian/changelog 2026-07-03 11:01:02.000000000 +0000
@@ -1,3 +1,16 @@
+rlottie (0.1+dfsg-4.2+deb13u2) trixie; urgency=medium
+
+ * Fix off-by-one error in Fortify-FreeType-raster.patch.
+ * Add Fixed-vpath-potential-issue.patch to fix CVE-2026-47319.
+ (Closes: #1138919)
+ * Add Limit-recursion-in-LOTLayerItem.patch to fix CVE-2026-47320.
+ (Closes: #1138920)
+ * New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305.
+ (Closes: #1139179)
+ * New Fix-heap-buffer-overflow-from-short-truncation.patch.
+
+ -- Nicholas Guriev Fri, 03 Jul 2026 14:01:02 +0300
+
 rlottie (0.1+dfsg-4.2+deb13u1) trixie; urgency=medium
 * Non-maintainer upload by the LTS Team.
diff -Nru rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch
--- rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch 2021-05-22 16:07:06.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch 2026-07-01 14:17:45.000000000 +0000
@@ -52,17 +52,7 @@
 void LOTGradient::update(std::unique_ptr &grad, int frameNo)
 --- a/src/vector/vdrawhelper.cpp
 +++ b/src/vector/vdrawhelper.cpp
-@@ -146,6 +146,9 @@ bool VGradientCache::generateGradientCol
- float opacity,
- uint32_t *colorTable, int size)
- {
-+ if (stops.empty()) {
-+ return false;
-+ }
- int dist, idist, pos = 0;
- size_t i;
- bool alpha = false;
-@@ -165,7 +168,7 @@ bool VGradientCache::generateGradientCol
+@@ -165,7 +165,7 @@ bool VGradientCache::generateGradientCol
 colorTable[pos++] = curColor;
diff -Nru rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch
--- rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch 1970-01-01 00:00:00.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch 2026-07-02 05:27:08.000000000 +0000
@@ -0,0 +1,31 @@
+Description: Fix heap buffer overflow from short truncation of span Y coordinate
+ SW_FT_Span.y is a 16-bit short, so limit our coordinates appropriately. The
+ clamp (and its "is an integer" comment) was inherited from upstream FreeType's
+ ftgrays.c, where FT_Span has no y field and the scanline y is carried
+ separately as an int. rLottie added a `short y` to the span struct without
+ adapting the clamp, so the INT_MAX bound never prevented the (short) narrowing
+ at the store site.
+ .
+ This patch based on Michal Maciola's pull request with the numeral literals
+ replaced by the standard macro from the header.
+Forwarded: https://github.com/Samsung/rlottie/pull/595
+Author: Michal Maciola
+Acked-By: Nicholas Guriev
+Last-Updated: Thu, 02 Jul 2026 07:55:03 +0300
+
+--- a/src/vector/freetype/v_ft_raster.cpp
++++ b/src/vector/freetype/v_ft_raster.cpp
+@@ -935,10 +935,10 @@ static void gray_hline(RAS_ARG_ TCoord x
+ x += (TCoord)ras.min_ex;
+
+ /* SW_FT_Span.x is a 16-bit short, so limit our coordinates appropriately */
+- if (x >= 32767) x = 32767;
++ if (x >= SHRT_MAX) x = SHRT_MAX;
+
+- /* SW_FT_Span.y is an integer, so limit our coordinates appropriately */
+- if (y >= SW_FT_INT_MAX) y = SW_FT_INT_MAX;
++ /* SW_FT_Span.y is a 16-bit short, so limit our coordinates appropriately */
++ if (y >= SHRT_MAX) y = SHRT_MAX;
+
+ if (coverage) {
+ SW_FT_Span* span;
diff -Nru rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch
--- rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch 2026-07-01 14:17:45.000000000 +0000
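Review bot: The new clamps in gray_hline bound `x` and `y` only from above, so a value below `SHRT_MIN` would still be narrowed when it is stored into the 16-bit span fields. Whether the clip box already rules that out is not visible in this hunk; it should be confirmed, or guarded with a matching lower clamp such as `if (y < SHRT_MIN) y = SHRT_MIN;`. The patch also starts using `SHRT_MAX` without adding an include, so v_ft_raster.cpp should include `<climits>` explicitly unless it already does outside the hunk. The body of gray_hline continues past the last line shown.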
@@ -0,0 +1,64 @@
+Description: Fixed signed shift issue, CVE-2026-10305
+Author: Michal Szczecinski
+Origin: https://github.com/Samsung/rlottie/commit/b4f5101a4d1a8da60cc14cfd05608551b3448c77
+Forwarded: https://github.com/Samsung/rlottie/pull/587
+Bug-Debian: https://bugs.debian.org/1139179
+Acked-By: Nicholas Guriev
+Last-Update: Tue, 09 Jun 2026 16:16:06 +0300
+
+--- a/src/vector/freetype/v_ft_raster.cpp
++++ b/src/vector/freetype/v_ft_raster.cpp
+@@ -198,17 +198,17 @@ typedef struct SW_FT_Outline_Funcs_ {
+ #define ONE_PIXEL (1L << PIXEL_BITS)
+ #define PIXEL_MASK (-1L << PIXEL_BITS)
+ #define TRUNC(x) ((TCoord)((x) >> PIXEL_BITS))
+-#define SUBPIXELS(x) ((TPos)(x) << PIXEL_BITS)
++#define SUBPIXELS(x) ((TPos)((unsigned long)(x) << PIXEL_BITS))
+ #define FLOOR(x) ((x) & -ONE_PIXEL)
+ #define CEILING(x) (((x) + ONE_PIXEL - 1) & -ONE_PIXEL)
+ #define ROUND(x) (((x) + ONE_PIXEL / 2) & -ONE_PIXEL)
+
+ #if PIXEL_BITS >= 6
+-#define UPSCALE(x) ((x) << (PIXEL_BITS - 6))
++#define UPSCALE(x) ((TPos)((unsigned long)(x) << (PIXEL_BITS - 6)))
+ #define DOWNSCALE(x) ((x) >> (PIXEL_BITS - 6))
+ #else
+-#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS))
+-#define DOWNSCALE(x) ((x) << (6 - PIXEL_BITS))
++#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS))
++#define DOWNSCALE(x) ((TPos)((unsigned long)(x) << (6 - PIXEL_BITS)))
+ #endif
+
+ /* Compute `dividend / divisor' and return both its quotient and */
+@@ -1072,7 +1072,7 @@ static int SW_FT_Outline_Decompose(const
+ void* user)
+ {
+ #undef SCALED
+-#define SCALED(x) (((x) << shift) - delta)
++#define SCALED(x) ((TPos)((unsigned long)(x) << shift) - delta)
+
+ SW_FT_Vector v_last;
+ SW_FT_Vector v_control;
+--- a/src/vector/vdrawhelper.cpp
++++ b/src/vector/vdrawhelper.cpp
+@@ -156,6 +156,11 @@ bool VGradientCache::generateGradientCol
+
+ if (!vCompare(opacity, 1.0f)) alpha = true;
+
++ if (stopCount == 0) {
++ for (int j = 0; j < size; ++j) colorTable[j] = 0;
++ return alpha;
++ }
++
+ start = stops.data();
+ curr = start;
+ if (!curr->second.isOpaque()) alpha = true;
+@@ -171,7 +176,7 @@ bool VGradientCache::generateGradientCol
+ fpos += incr;
+ }
+
+- for (i = 0; i < stopCount - 1; ++i) {
++ for (i = 0; i + 1 < stopCount; ++i) {
+ curr = (start + i);
+ next = (start + i + 1);
+ delta = 1 / (next->first - curr->first);
diff -Nru rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch
--- rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch 1970-01-01 00:00:00.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch 2026-07-01 14:17:45.000000000 +0000
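Review bot: Casting to `unsigned long` before the shift in `SUBPIXELS`, `UPSCALE`, `DOWNSCALE` and `SCALED` removes the undefined behaviour, but an oversized coordinate now wraps silently and reaches the rasteriser as a wrong yet valid-looking `TPos`. Nothing in these hunks bounds the input, so the range check has to exist in the callers. The cast also assumes `TPos` is no wider than `unsigned long`; the typedef is outside the hunk, and a comment above `SUBPIXELS` such as `/* shift in unsigned long to avoid UB; assumes TPos is long */` would record that. The vdrawhelper.cpp part changes the empty-stops behaviour of generateGradientColorTable from the `return false` that this upload removes from Fix-crash-on-invalid-data.patch to zero-filling `colorTable` and returning `alpha`, which the patch Description does not mention.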
@@ -0,0 +1,29 @@
+Description: Fix potential huge memory allocation in VPath
+ Fixes CVE-2026-47319
+Author: Michal Szczecinski
+Origin: https://github.com/Samsung/rlottie/commit/5def9f402b1cb5b09f52655e414f0afba4ffd959
+Forwarded: https://github.com/Samsung/rlottie/pull/588
+Bug-Debian: https://bugs.debian.org/1138919
+Acked-By: Nicholas Guriev
+Last-Update: Tue, 09 Jun 2026 16:16:04 +0300
+
+--- a/src/vector/vpath.cpp
++++ b/src/vector/vpath.cpp
+@@ -514,6 +514,8 @@ void VPath::VPathData::addPolystar(float
+ float outerRoundness, float startAngle,
+ float cx, float cy, VPath::Direction dir)
+ {
++ constexpr float MAX_POLY_POINTS = 1024.0f;
++ if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS;
+ const static float POLYSTAR_MAGIC_NUMBER = 0.47829f / 0.28f;
+ float currentAngle = (startAngle - 90.0f) * K_PI / 180.0f;
+ float x;
+@@ -619,6 +621,8 @@ void VPath::VPathData::addPolygon(float
+ VPath::Direction dir)
+ {
+ // TODO: Need to support floating point number for number of points
++ constexpr float MAX_POLY_POINTS = 1024.0f;
++ if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS;
+ const static float POLYGON_MAGIC_NUMBER = 0.25;
+ float currentAngle = (startAngle - 90.0f) * K_PI / 180.0f;
+ float x;
diff -Nru rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch
--- rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch 2022-03-04 15:11:16.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch 2026-07-01 14:17:45.000000000 +0000
@@ -4,7 +4,7 @@
 .
 Also check the number of ycells in gray_find_cell().
 Author: Nicholas Guriev
-Last-Update: Wed, 02 Mar 2022 19:12:30 +0300
+Last-Update: Thu, 23 Apr 2026 13:06:37 +0300
 --- a/src/vector/freetype/v_ft_raster.cpp
 +++ b/src/vector/freetype/v_ft_raster.cpp
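Review bot: The cap `if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS;` in addPolystar and addPolygon lets a NaN through, because every comparison with NaN is false, and it sets no lower bound for zero or negative counts. How `points` is turned into a loop or allocation count lies outside both hunks, so that conversion should be checked as well. Writing the test as `if (!(points <= MAX_POLY_POINTS)) points = MAX_POLY_POINTS;` would cover NaN too. The constant is declared twice with the same value; a single file-scope `constexpr` would keep the two limits from drifting apart.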
@@ -56,7 +56,7 @@
 }
 Split:
-+ if (arc + 6 > std::end(ras.bez_stack)) return;
++ if (arc + 6 >= std::end(ras.bez_stack)) return;
 + gray_split_cubic(arc);
 arc += 3;
diff -Nru rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch
--- rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch 1970-01-01 00:00:00.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch 2026-07-01 14:17:45.000000000 +0000
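Review bot: The bound is tested by forming `arc + 6` first, and computing a pointer more than one element past the end of `ras.bez_stack` is itself undefined, so if `arc` can get that close to the end the check is better written as a distance: `if (std::end(ras.bez_stack) - arc <= 6) return;`. The corrected `>=` fits a split that presumably writes `arc[0]` through `arc[6]`; gray_split_cubic is not shown here, so that should be confirmed against its body. The early `return` drops the rest of the curve silently, which deserves a short comment at the check.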
@@ -0,0 +1,39 @@
+Description: Limit recurion depth in LOTLayerItem
+ This patch is based on Michal Szczecinski's commit and adapted to version 0.1
+ before Lottie model refactoring. Should fix CVE-2026-47320.
+ .
+ https://github.com/Samsung/rlottie/commit/bf689b72b8482c5ea674235854bd11b6d1b42588
+Author: Nicholas Guriev
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1138920
+Last-Update: Tue, 09 Jun 2026 16:16:05 +0300
+
+--- a/src/lottie/lottieitem.cpp
++++ b/src/lottie/lottieitem.cpp
+@@ -419,8 +419,13 @@ void LOTLayerItem::update(int frameNumbe
+
+ VMatrix LOTLayerItem::matrix(int frameNo) const
+ {
+- return mParentLayer
+- ? (mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo))
++ return matrix(frameNo, 0);
++}
++
++VMatrix LOTLayerItem::matrix(int frameNo, int depth) const
++{
++ return mParentLayer && depth < 64
++ ? mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo, depth + 1)
+ : mLayerData->matrix(frameNo);
+ }
+
+--- a/src/lottie/lottieitem.h
++++ b/src/lottie/lottieitem.h
+@@ -180,6 +180,8 @@ protected:
+ float opacity(int frameNo) const {return mLayerData->opacity(frameNo);}
+ inline DirtyFlag flag() const {return mDirtyFlag;}
+ bool skipRendering() const {return (!visible() || vIsZero(combinedAlpha()));}
++private:
++ VMatrix matrix(int frameNo, int depth) const;
+ protected:
+ std::unique_ptr mLayerMask;
+ LOTLayerData *mLayerData{nullptr};
diff -Nru rlottie-0.1+dfsg/debian/patches/series rlottie-0.1+dfsg/debian/patches/series
--- rlottie-0.1+dfsg/debian/patches/series 2025-11-18 18:02:45.000000000 +0000
+++ rlottie-0.1+dfsg/debian/patches/series 2026-07-02 05:27:08.000000000 +0000
@@ -27,3 +27,7 @@
 fix-static-variable-delete.patch
 CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch
+Fixed-vpath-potential-issue.patch
+Limit-recursion-in-LOTLayerItem.patch
+Fixed-signed-shift-issue.patch
+Fix-heap-buffer-overflow-from-short-truncation.patch
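Review bot: The depth limit `depth < 64` in the new `matrix(int frameNo, int depth)` is an unnamed literal, and when it is reached the function returns the layer's own matrix with no diagnostic, so a cyclic or over-deep parent chain renders with a truncated transform instead of being rejected. A named constant with a comment, e.g. `static constexpr int kMaxParentDepth = 64;  // stops runaway recursion on cyclic parent links`, would document the intent. A cyclic chain still costs up to 64 matrix products per call, so rejecting the cycle where `mParentLayer` is assigned (outside these hunks) would be the more complete fix.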