libraw: patch CVE-2025-43961 and CVE-2025-43962

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-43961
https://nvd.nist.gov/vuln/detail/CVE-2025-43962

Pick the patch that is mentioned by the nvd reports - the
same patch fixes both vulnerabilities.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-oe/recipes-support/libraw/libraw/CVE-2025-43961-43962.patch

@@ -0,0 +1,104 @@
+From f6587920471337158c058539c8e0353cbe0925d3 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 1 Feb 2025 15:32:39 +0300
+Subject: [PATCH] Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+Prevent out-of-bounds read in fuji 0xf00c tag parser
+
+prevent OOB reads in phase_one_correct
+
+CVE: CVE-2025-43961 CVE-2025-43962
+Upstream-Status: Backport [https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/decoders/load_mfbacks.cpp | 18 ++++++++++++++----
+ src/metadata/tiff.cpp         | 22 ++++++++++++++--------
+ 2 files changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/src/decoders/load_mfbacks.cpp b/src/decoders/load_mfbacks.cpp
+index 9d7c0511..2def6d6e 100644
+--- a/src/decoders/load_mfbacks.cpp
++++ b/src/decoders/load_mfbacks.cpp
+@@ -331,6 +331,9 @@ int LibRaw::phase_one_correct()
+       fseek(ifp, off_412, SEEK_SET);
+       for (i = 0; i < 9; i++)
+         head[i] = get4() & 0x7fff;
++      unsigned w0 = head[1] * head[3], w1 = head[2] * head[4];
++      if (w0 > 10240000 || w1 > 10240000)
++        throw LIBRAW_EXCEPTION_ALLOC;
+       yval[0] = (float *)calloc(head[1] * head[3] + head[2] * head[4], 6);
+       merror(yval[0], "phase_one_correct()");
+       yval[1] = (float *)(yval[0] + head[1] * head[3]);
+@@ -356,10 +359,17 @@ int LibRaw::phase_one_correct()
+             for (k = j = 0; j < head[1]; j++)
+               if (num < xval[0][k = head[1] * i + j])
+                 break;
+-            frac = (j == 0 || j == head[1])
+-                       ? 0
+-                       : (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]);
+-            mult[i - cip] = yval[0][k - 1] * frac + yval[0][k] * (1 - frac);
++              if (j == 0 || j == head[1] || k < 1 || k >= w0+w1)
++                frac = 0;
++              else
++              {
++                int xdiv = (xval[0][k] - xval[0][k - 1]);
++                frac = xdiv ? (xval[0][k] - num) / (xval[0][k] - xval[0][k - 1]) : 0;
++              }
++              if (k < w0 + w1)
++                mult[i - cip] = yval[0][k > 0 ? k - 1 : 0] * frac + yval[0][k] * (1 - frac);
++              else
++                mult[i - cip] = 0;
+           }
+           i = ((mult[0] * (1 - cfrac) + mult[1] * cfrac) * row + num) * 2;
+           RAW(row, col) = LIM(i, 0, 65535);
+diff --git a/src/metadata/tiff.cpp b/src/metadata/tiff.cpp
+index cd2406d6..804ffa9c 100644
+--- a/src/metadata/tiff.cpp
++++ b/src/metadata/tiff.cpp
+@@ -980,17 +980,20 @@ int LibRaw::parse_tiff_ifd(int base)
+               if ((fwb[0] == rafdata[fi]) && (fwb[1] == rafdata[fi + 1]) &&
+                   (fwb[2] == rafdata[fi + 2]))
+               {
+-                if (rafdata[fi - 15] !=
++                if (fi > 14 && rafdata[fi - 15] !=
+                     fwb[0]) // 15 is offset of Tungsten WB from the first
+                             // preset, Fine Weather WB
+                   continue;
+-                for (int wb_ind = 0, ofst = fi - 15; wb_ind < Fuji_wb_list1.size();
+-                     wb_ind++, ofst += 3)
++                if (fi >= 15)
+                 {
+-                  icWBC[Fuji_wb_list1[wb_ind]][1] =
+-                      icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
+-                  icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
+-                  icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                  for (int wb_ind = 0, ofst = fi - 15; wb_ind < (int)Fuji_wb_list1.size();
++                       wb_ind++, ofst += 3)
++                  {
++                    icWBC[Fuji_wb_list1[wb_ind]][1] =
++                          icWBC[Fuji_wb_list1[wb_ind]][3] = rafdata[ofst];
++                    icWBC[Fuji_wb_list1[wb_ind]][0] = rafdata[ofst + 1];
++                    icWBC[Fuji_wb_list1[wb_ind]][2] = rafdata[ofst + 2];
++                  }
+                 }
+ 
+                 if ((imFuji.RAFDataVersion == 0x0260) || // X-Pro3
+@@ -1000,6 +1003,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                 fi += 96;
+                 for (fj = fi; fj < (fi + 15); fj += 3)
+                 {
++                  if (fj > libraw_internal_data.unpacker_data.lenRAFData - 3)
++                    break;
+                   if (rafdata[fj] != rafdata[fi])
+                   {
+                     fj -= 93;
+@@ -1009,7 +1014,8 @@ int LibRaw::parse_tiff_ifd(int base)
+                         (imFuji.RAFDataVersion == 0x0261) || // X100V
+                         (imFuji.RAFDataVersion == 0x0262))   // X-T4
+                       fj -= 9;
+-                    for (int iCCT = 0, ofst = fj; iCCT < 31;
++                    for (int iCCT = 0, ofst = fj; iCCT < 31
++                                                  && ofst < libraw_internal_data.unpacker_data.lenRAFData - 3;
+                          iCCT++, ofst += 3)
+                     {
+                       icWBCCTC[iCCT][0] = FujiCCT_K[iCCT];

meta-oe/recipes-support/libraw/libraw_0.20.2.bb

@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=74c9dffdc42805f9c0de2f97df6031fc"
 
 SRC_URI = "git://github.com/LibRaw/LibRaw.git;branch=master;protocol=https \
            file://CVE-2023-1729.patch \
+           file://CVE-2025-43961-43962.patch \
            "
 SRCREV = "0209b6a2caec189e6d1a9b21c10e9e49f46e5a92"
 S = "${WORKDIR}/git"