deleted file mode 100644
@@ -1,84 +0,0 @@
-From bfa786a260bfd4660e8186ebad8778718e85e8cd Mon Sep 17 00:00:00 2001
-From: Khem Raj <khem.raj@oss.qualcomm.com>
-Date: Sat, 4 Apr 2026 14:56:01 -0700
-Subject: [PATCH] libgphoto2: fix const-correctness for c23 builds
-
-C23 treats the return values of strrchr() and strchr() as const char *
-when the input string is const-qualified. Update local variables to use
-const char * where appropriate to avoid discarded-qualifier warnings and
-build failures with -std=gnu23.
-
-No functional change intended.
-
-Upstream-Status: Submitted [https://github.com/gphoto/libgphoto2/pull/1235]
-Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
----
- camlibs/directory/directory.c | 2 +-
- libgphoto2/gphoto2-file.c | 6 +++---
- libgphoto2/gphoto2-filesys.c | 2 +-
- packaging/generic/print-camera-list.c | 2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/camlibs/directory/directory.c b/camlibs/directory/directory.c
-index 790405d54..cc63c6684 100644
---- a/camlibs/directory/directory.c
-+++ b/camlibs/directory/directory.c
-@@ -125,7 +125,7 @@ static const char *
- get_mime_type (const char *filename)
- {
-
-- char *dot;
-+ const char *dot;
- int x=0;
-
- dot = strrchr(filename, '.');
-diff --git a/libgphoto2/gphoto2-file.c b/libgphoto2/gphoto2-file.c
-index 04d4d5e3e..1a9dbc193 100644
---- a/libgphoto2/gphoto2-file.c
-+++ b/libgphoto2/gphoto2-file.c
-@@ -610,7 +610,7 @@ int
- gp_file_open (CameraFile *file, const char *filename)
- {
- FILE *fp;
-- char *name, *dot;
-+ const char *name, *dot;
- long size, size_read;
- int i;
- struct stat s;
-@@ -906,8 +906,8 @@ gp_file_get_name (CameraFile *file, const char **name)
- int
- gp_file_get_name_by_type (CameraFile *file, const char *basename, CameraFileType type, char **newname)
- {
-- char *prefix = NULL, *s, *new, *slash = NULL;
-- const char *suffix = NULL;
-+ char *prefix = NULL, *new;
-+ const char *suffix = NULL, *s, *slash = NULL;
- int i;
-
- C_PARAMS (file && basename && newname);
-diff --git a/libgphoto2/gphoto2-filesys.c b/libgphoto2/gphoto2-filesys.c
-index 45f957292..07decff24 100644
---- a/libgphoto2/gphoto2-filesys.c
-+++ b/libgphoto2/gphoto2-filesys.c
-@@ -521,7 +521,7 @@ append_to_folder (CameraFilesystemFolder *folder,
- CameraFilesystemFolder **newfolder
- ) {
- CameraFilesystemFolder *f;
-- char *s;
-+ const char *s;
-
- GP_LOG_D ("Append to folder %p/%s - %s", folder, folder->name, foldername);
- /* Handle multiple slashes, and slashes at the end */
-diff --git a/packaging/generic/print-camera-list.c b/packaging/generic/print-camera-list.c
-index 1707b4e87..44530b4ae 100644
---- a/packaging/generic/print-camera-list.c
-+++ b/packaging/generic/print-camera-list.c
-@@ -1138,7 +1138,7 @@ escape_html(const char *str) {
- newstr = malloc(strlen(str)+1+inc);
- s = str; ns = newstr;
- do {
-- char *x;
-+ const char *x;
- x = strchr(s,'&');
- if (x) {
- memcpy (ns, s, x-s);
deleted file mode 100644
@@ -1,150 +0,0 @@
-From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 15:18:42 +0200
-Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length
- Parameter
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept
-const unsigned char** data but no length/size parameter. They perform
-unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat,
-up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events()
-have xsize available but never pass it.
-
- CVE-2026-40333
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40333
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++-------
- 1 file changed, 44 insertions(+), 9 deletions(-)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 09421b7..09dcc24 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned
-
-
- static inline uint16_t
--ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
-+ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size )
- {
- /*
- EOS ImageFormat entries look are a sequence of u32 values:
-@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
-
- const uint8_t* d = *data;
- uint32_t offset = 0;
-- uint32_t n = dtoh32o (d, offset);
-+ uint32_t n;
- uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0;
-
-+ if (*size < sizeof(uint32_t)) {
-+ ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size);
-+ return 0;
-+ }
-+ n = dtoh32o (d, offset);
-+ *size -= sizeof(uint32_t);
-+
- if (n != 1 && n !=2) {
- ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n);
- return 0;
- }
--
-+ if (*size < sizeof(uint32_t)) {
-+ ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size);
-+ return 0;
-+ }
- l = dtoh32o (d, offset);
-+ *size -= sizeof(uint32_t);
-+
- if (l != 0x10) {
- ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
- return 0;
- }
-
-+ if (*size < 3*sizeof(uint32_t)) {
-+ ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size);
-+ return 0;
-+ }
- t1 = dtoh32o (d, offset);
- s1 = dtoh32o (d, offset);
- c1 = dtoh32o (d, offset);
-+ *size -= 3*sizeof(uint32_t);
-
- if (n == 2) {
-+ if (*size < sizeof(uint32_t)) {
-+ ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size);
-+ return 0;
-+ }
- l = dtoh32o (d, offset);
-+ *size -= sizeof(uint32_t);
-+
- if (l != 0x10) {
- ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
- return 0;
- }
-+ if (*size < 3*sizeof(uint32_t)) {
-+ ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size);
-+ return 0;
-+ }
- t2 = dtoh32o (d, offset);
- s2 = dtoh32o (d, offset);
- c2 = dtoh32o (d, offset);
-@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3
-
-
- static inline char*
--ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data )
-+ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size )
- {
-- uint32_t s = dtoh32a( *data );
-- uint32_t n = s/4, i;
-+ uint32_t s, n, i;
- char *str, *p;
-
-+ if (*size < sizeof(uint32_t))
-+ return strdup("bad length");
-+
-+ s = dtoh32a( *data );
-+ n = s/4;
-+
-+ if (*size < 4+s)
-+ return strdup("bad length");
-+
- if (s > 1024) {
- ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
- return strdup("bad length");
-@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
- case PTP_DPC_CANON_EOS_ImageFormatExtHD:
- /* special handling of ImageFormat properties */
- for (j=0;j<dpd_count;j++) {
-- dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
-+ dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
- ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16);
- }
- break;
-@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
- case PTP_DPC_CANON_EOS_ImageFormatSD:
- case PTP_DPC_CANON_EOS_ImageFormatExtHD:
- dpd->DataType = PTP_DTC_UINT16;
-- dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
-+ dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
- dpd->CurrentValue.u16 = dpd->DefaultValue.u16;
- ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16);
- break;
-@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
- dpd->DataType = PTP_DTC_STR;
- free (dpd->DefaultValue.str);
- free (dpd->CurrentValue.str);
-- dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
-+ dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize );
- dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str );
- ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str);
- break;
deleted file mode 100644
@@ -1,37 +0,0 @@
-From 20b33a26b2efdbf2c35c5cacc54a041855ec764b Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 15:15:54 +0200
-Subject: [PATCH] Fixed Canon FolderEntry Missing Null Termination
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ptp_unpack_Canon_FE() copies filename with strncpy into a 13-byte
-buffer without explicit null termination. The EOS variant at line
-1451–1452 correctly adds fe->Filename[PTP_CANON_FilenameBufferLen-1]
-= 0; confirming this was recognized as necessary but not applied to the
-original Canon path.
-
- CVE-2026-40334
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40334
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 09dcc24..982b4f4 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -1369,6 +1369,7 @@ ptp_unpack_Canon_FE (PTPParams *params, const unsigned char* data, PTPCANONFolde
- fe->ObjectSize = dtoh32a(data + PTP_cfe_ObjectSize);
- fe->Time = (time_t)dtoh32a(data + PTP_cfe_Time);
- strncpy(fe->Filename, (char*)data + PTP_cfe_Filename, PTP_CANON_FilenameBufferLen);
-+ fe->Filename[PTP_CANON_FilenameBufferLen-1] = '\0';
- }
-
- /*
deleted file mode 100644
@@ -1,43 +0,0 @@
-From edcdf804662eb4340fdc371af4853d6579e969ab Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 15:07:38 +0200
-Subject: [PATCH] =?UTF-8?q?Fixed=20UINT128/INT128=20Unchecked=20Offset=20A?=
- =?UTF-8?q?dvance=20(CWE-125)=20=E2=80=94=20MEDIUM?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Finding 5: UINT128/INT128 Unchecked Offset Advance (CWE-125) — MEDIUM
-
-In ptp_unpack_DPV(), the PTP_DTC_UINT128 and PTP_DTC_INT128 cases advance *offset += 16 without verifying 16 bytes remain. The entry check at line 609 only guarantees *offset < total (at least 1 byte available). After the unchecked advance, *offset can exceed total, and the CTVAL macro's bounds check (total - *offset < sizeof(target)) wraps due to unsigned arithmetic.
-
-CVE-2026-40335
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40335
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 982b4f4..7fc120d 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -614,10 +614,14 @@ ptp_unpack_DPV (
- case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break;
-
- case PTP_DTC_UINT128:
-+ if (total - *offset < 16)
-+ return 0;
- *offset += 16;
- /*fprintf(stderr,"unhandled unpack of uint128n");*/
- break;
- case PTP_DTC_INT128:
-+ if (total - *offset < 16)
-+ return 0;
- *offset += 16;
- /*fprintf(stderr,"unhandled unpack of int128n");*/
- break;
deleted file mode 100644
@@ -1,44 +0,0 @@
-From e19c45d3530f1585805711e14aa4ea788e499f46 Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 15:13:51 +0200
-Subject: [PATCH] Fixed Sony DPD Secondary Enum List Memory Leak
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Finding 4: Sony DPD Secondary Enum List Memory Leak (CWE-401) — LOW
-
-File: ptp-pack.c:884-885
-
-When processing a secondary enumeration list (2024+ Sony cameras), line
-884–885 overwrites dpd->FORM.Enum.SupportedValue with a new calloc()
-without freeing the previous allocation from line 857. The original
-array and any string values it contains are leaked.
-
-CVE-2026-40336
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40336
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/404ff02c75f3cb280196fc260a63c4d26cf1a8f6]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 7fc120d..fc51d77 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -879,6 +879,11 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
- /* check if we have a secondary list of items, this is for newer Sonys (2024) */
- if (val < 0x200) { /* if a secondary list is not provided, this will be the next property code - 0x5XXX or 0xDxxx */
- if (dpd->FormFlag == PTP_DPFF_Enumeration) {
-+ /* free old enum variables */
-+ for (i=0;i<dpd->FORM.Enum.NumberOfValues;i++)
-+ ptp_free_propvalue (dpd->DataType, dpd->FORM.Enum.SupportedValue+i);
-+ free (dpd->FORM.Enum.SupportedValue);
-+
- N = dtoh16o(data, *poffset);
- dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
- if (!dpd->FORM.Enum.SupportedValue)
deleted file mode 100644
@@ -1,34 +0,0 @@
-From 43cc20e807cd2935869617a7d8b9488070712c0e Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Sat, 11 Apr 2026 10:47:52 +0200
-Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20Enum=20Count=20OOB=20Read?=
- =?UTF-8?q?=20(CWE-125)=20=E2=80=94=20MEDIUM?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD(), dtoh16o(data, *poffset) reads 2 bytes for enumeration count N without verifying 2 bytes remain. The standard parser at line 704 has this check.
-
-CVE-2026-40338
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40338
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index fc51d77..f90d2a5 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -851,6 +851,7 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
- break;
- case PTP_DPFF_Enumeration: {
- #define N dpd->FORM.Enum.NumberOfValues
-+ if (*poffset + sizeof(uint16_t) > dpdlen) goto outofmemory;
- N = dtoh16o(data, *poffset);
- dpd->FORM.Enum.SupportedValue = calloc(N,sizeof(dpd->FORM.Enum.SupportedValue[0]));
- if (!dpd->FORM.Enum.SupportedValue)
deleted file mode 100644
@@ -1,41 +0,0 @@
-From 585e8113b541469347d09c341c2e8b468b431adb Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Sat, 11 Apr 2026 10:50:47 +0200
-Subject: [PATCH] =?UTF-8?q?Fixed=20Sony=20DPD=20FormFlag=20OOB=20Read=20(C?=
- =?UTF-8?q?WE-125)=20=E2=80=94=20MEDIUM?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ptp_unpack_Sony_DPD() reads the FormFlag byte via dtoh8o(data, *poffset)
-without a prior bounds check. The standard ptp_unpack_DPD() at line
-686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before
-this same read, but the Sony variant omits this check.
-
-CVE-2026-40339
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40339
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index f90d2a5..28648a5 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -833,9 +833,10 @@ ptp_unpack_Sony_DPD (PTPParams *params, const unsigned char* data, PTPDeviceProp
- code or the Data Type is a string (with two empty strings as
- values). In both cases Form Flag should be set to 0x00 and FORM is
- not present. */
--
- if (*poffset==PTP_dpd_Sony_DefaultValue)
- return 1;
-+ if (*poffset + sizeof(uint8_t) > dpdlen)
-+ return 1;
-
- dpd->FormFlag = dtoh8o(data, *poffset);
- ptp_debug (params, "formflag 0x%04x", dpd->FormFlag);
deleted file mode 100644
@@ -1,40 +0,0 @@
-From fd9f234df894caec6c65144b5a4f0264aadf0989 Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 16:01:48 +0200
-Subject: [PATCH] Fixed ObjectInfo Parser OOB Read
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-ptp_unpack_OI() validates len < PTP_oi_SequenceNumber (i.e., len < 48) but then accesses:
-
- Offsets 48–51: dtoh32a(data + PTP_oi_SequenceNumber) at line 563 (4 bytes OOB)
- Offset 52: data[PTP_oi_filenamelen] at line 547 (5 bytes OOB)
- Offset 56: data[PTP_oi_filenamelen+4] at line 547 (9 bytes OOB)
-
-The Samsung Galaxy 64-bit objectsize detection heuristic reads up to 9 bytes beyond the validated boundary.
-
- CVE-2026-40340
-
-Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
-
-CVE: CVE-2026-40340
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 28648a5..9eba06f 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -526,7 +526,7 @@ ptp_unpack_OI (PTPParams *params, const unsigned char* data, PTPObjectInfo *oi,
- {
- char *capture_date;
-
-- if (!data || len < PTP_oi_SequenceNumber)
-+ if (!data || len < PTP_oi_filenamelen + 5)
- return;
-
- oi->Filename = oi->Keywords = NULL;
deleted file mode 100644
@@ -1,69 +0,0 @@
-From 3674dbeafa5157a264ca5e562ffdbef159a2185f Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <marcus@jet.franken.de>
-Date: Wed, 8 Apr 2026 15:28:52 +0200
-Subject: [PATCH] Fixed OOB read in ptp_unpack_EOS_FocusInfoEx
-
-Do not read out values before checking there is sufficient size
-
-CVE-2026-40341
-
-CVE: CVE-2026-40341
-Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/c385b34af260595dfbb5f9329526be5158985987]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- camlibs/ptp2/ptp-pack.c | 34 +++++++++++++++++++++++++---------
- 1 file changed, 25 insertions(+), 9 deletions(-)
-
-diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
-index 9eba06f..11428ab 100644
---- a/camlibs/ptp2/ptp-pack.c
-+++ b/camlibs/ptp2/ptp-pack.c
-@@ -1629,23 +1629,39 @@ ptp_pack_EOS_ImageFormat (PTPParams* params, unsigned char* data, uint16_t value
- static inline char*
- ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize)
- {
-- uint32_t size = dtoh32a( *data );
-- uint32_t halfsize = dtoh16a( (*data) + 4);
-- uint32_t version = dtoh16a( (*data) + 6);
-- uint32_t focus_points_in_struct = dtoh16a( (*data) + 8);
-- uint32_t focus_points_in_use = dtoh16a( (*data) + 10);
-- uint32_t sizeX = dtoh16a( (*data) + 12);
-- uint32_t sizeY = dtoh16a( (*data) + 14);
-- uint32_t size2X = dtoh16a( (*data) + 16);
-- uint32_t size2Y = dtoh16a( (*data) + 18);
-+ uint32_t size;
-+ uint32_t halfsize;
-+ uint32_t version;
-+ uint32_t focus_points_in_struct;
-+ uint32_t focus_points_in_use;
-+ uint32_t sizeX;
-+ uint32_t sizeY;
-+ uint32_t size2X;
-+ uint32_t size2Y;
- uint32_t i;
- uint32_t maxlen;
- char *str, *p;
-
-+ if (datasize<4) {
-+ ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize);
-+ return strdup("bad size 0");
-+ }
-+
-+ size = dtoh32a( *data );
- if ((size > datasize) || (size < 20)) {
- ptp_error(params, "FocusInfoEx has invalid size (%d) vs datasize (%d)", size, datasize);
- return strdup("bad size 1");
- }
-+
-+ halfsize = dtoh16a( (*data) + 4);
-+ version = dtoh16a( (*data) + 6);
-+ focus_points_in_struct = dtoh16a( (*data) + 8);
-+ focus_points_in_use = dtoh16a( (*data) + 10);
-+ sizeX = dtoh16a( (*data) + 12);
-+ sizeY = dtoh16a( (*data) + 14);
-+ size2X = dtoh16a( (*data) + 16);
-+ size2Y = dtoh16a( (*data) + 18);
-+
- /* If data is zero-filled, then it is just a placeholder, so nothing
- useful, but also not an error */
- if (!focus_points_in_struct || !focus_points_in_use) {
similarity index 75%
rename from meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
rename to meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.34.bb
@@ -12,17 +12,8 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2"
SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
file://40-libgphoto2.rules \
file://0001-configure-Filter-out-buildpaths-from-CC.patch \
- file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
- file://CVE-2026-40333.patch \
- file://CVE-2026-40334.patch \
- file://CVE-2026-40335.patch \
- file://CVE-2026-40336.patch \
- file://CVE-2026-40338.patch \
- file://CVE-2026-40339.patch \
- file://CVE-2026-40340.patch \
- file://CVE-2026-40341.patch \
"
-SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"
+SRC_URI[libgphoto2.sha256sum] = "51993f5d9bfb6b4e5925cbbe5883085791bff6f81bcacb8ffe1b783ce76d586a"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"