authorsalo <salo@pkgsrc.org>2004-12-13 18:03:27 +0000
committersalo <salo@pkgsrc.org>2004-12-13 18:03:27 +0000
commit449d56297d201eb9a8fe689dbc8f14b9e241907b (patch)
tree846a08b7ba5f2ad5abc5ca1bd8830c7b5f88e8df
parentcec02c0dff6b7ee0a90fc7fc59d4b96ab4f8a9a6 (diff)
Pullup ticket 171 - requested by Havard Eidnes
security fix for imlib Module Name: pkgsrc Committed By: tron Date: Sat Nov 27 08:09:38 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile Log Message: Remove me as maintainer of this package. --- Module Name: pkgsrc Committed By: adam Date: Fri Dec 3 13:42:47 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile distinfo pkgsrc/graphics/imlib/patches: patch-ag patch-ah Log Message: Changes 1.9.15: * Minor bug fixes --- Module Name: pkgsrc Committed By: salo Date: Fri Dec 10 09:30:42 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile buildlink3.mk distinfo pkgsrc/graphics/imlib/patches: patch-ab patch-ai Added Files: pkgsrc/graphics/imlib/patches: patch-aj patch-ak patch-al patch-am patch-an patch-ao Log Message: Bump PKGREVISION, security fix: "Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
-rw-r--r--graphics/imlib/Makefile24
-rw-r--r--graphics/imlib/PLIST6
-rw-r--r--graphics/imlib/buildlink3.mk3
-rw-r--r--graphics/imlib/distinfo20
-rw-r--r--graphics/imlib/patches/patch-ab169
-rw-r--r--graphics/imlib/patches/patch-ag18
-rw-r--r--graphics/imlib/patches/patch-ah18
-rw-r--r--graphics/imlib/patches/patch-ai20
-rw-r--r--graphics/imlib/patches/patch-aj89
-rw-r--r--graphics/imlib/patches/patch-ak13
-rw-r--r--graphics/imlib/patches/patch-al15
-rw-r--r--graphics/imlib/patches/patch-am97
-rw-r--r--graphics/imlib/patches/patch-an23
-rw-r--r--graphics/imlib/patches/patch-ao98
14 files changed, 561 insertions, 52 deletions
diff --git a/graphics/imlib/Makefile b/graphics/imlib/Makefile
index eb830640966..6f04349f2f9 100644
--- a/graphics/imlib/Makefile
+++ b/graphics/imlib/Makefile
@@ -1,23 +1,23 @@
-# $NetBSD: Makefile,v 1.86 2004/04/23 16:24:14 minskim Exp $
-#
+# $NetBSD: Makefile,v 1.86.4.1 2004/12/13 18:03:27 salo Exp $
-DISTNAME= imlib-1.9.14
-PKGREVISION= 6
-CATEGORIES= graphics
-MASTER_SITES= ${MASTER_SITE_GNOME:=sources/imlib/1.9/}
+DISTNAME= imlib-1.9.15
+PKGREVISION= 1
+CATEGORIES= graphics
+MASTER_SITES= ${MASTER_SITE_GNOME:=sources/imlib/1.9/}
+EXTRACT_SUFX= .tar.bz2
-MAINTAINER= tron@NetBSD.org
-HOMEPAGE= http://www.nl.rasterman.com/imlib.html
-COMMENT= Image manipulation library for X11
+MAINTAINER= tech-pkg@NetBSD.org
+HOMEPAGE= http://www.nl.rasterman.com/imlib.html
+COMMENT= Image manipulation library for X11
PKG_INSTALLATION_TYPES= overwrite pkgviews
USE_BUILDLINK3= yes
-USE_X11= yes
+USE_GNU_TOOLS+= make
USE_LIBTOOL= yes
-PKGCONFIG_OVERRIDE= imlib.pc.in
+USE_X11= yes
GNU_CONFIGURE= yes
-USE_GNU_TOOLS+= make
+PKGCONFIG_OVERRIDE= imlib.pc.in
UNLIMIT_RESOURCES= datasize
CPPFLAGS+= -DENABLE_NLS
diff --git a/graphics/imlib/PLIST b/graphics/imlib/PLIST
index d024e1b948b..183d5748877 100644
--- a/graphics/imlib/PLIST
+++ b/graphics/imlib/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2004/04/23 16:24:14 minskim Exp $
+@comment $NetBSD: PLIST,v 1.7.4.1 2004/12/13 18:03:27 salo Exp $
bin/imlib_config
bin/imlib-config
include/gdk_imlib.h
@@ -11,12 +11,12 @@ lib/libImlib.a
lib/libImlib.la
lib/libImlib.so
lib/libImlib.so.10
-lib/libImlib.so.10.14
+lib/libImlib.so.10.15
lib/libgdk_imlib.a
lib/libgdk_imlib.la
lib/libgdk_imlib.so
lib/libgdk_imlib.so.10
-lib/libgdk_imlib.so.10.14
+lib/libgdk_imlib.so.10.15
lib/libimlib-bmp.a
lib/libimlib-bmp.la
lib/libimlib-bmp.so
diff --git a/graphics/imlib/buildlink3.mk b/graphics/imlib/buildlink3.mk
index 6ade02def1f..54f3aaecde8 100644
--- a/graphics/imlib/buildlink3.mk
+++ b/graphics/imlib/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.4 2004/03/18 09:12:11 jlam Exp $
+# $NetBSD: buildlink3.mk,v 1.4.6.1 2004/12/13 18:03:27 salo Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
IMLIB_BUILDLINK3_MK:= ${IMLIB_BUILDLINK3_MK}+
@@ -12,6 +12,7 @@ BUILDLINK_PACKAGES+= imlib
.if !empty(IMLIB_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.imlib+= imlib>=1.9.14nb5
+BUILDLINK_RECOMMENDED.imlib+= imlib>=1.9.15nb1
BUILDLINK_PKGSRCDIR.imlib?= ../../graphics/imlib
.endif # IMLIB_BUILDLINK3_MK
diff --git a/graphics/imlib/distinfo b/graphics/imlib/distinfo
index fd0644c0822..f64c400f1f0 100644
--- a/graphics/imlib/distinfo
+++ b/graphics/imlib/distinfo
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.14 2004/03/13 17:35:54 cube Exp $
+$NetBSD: distinfo,v 1.14.6.1 2004/12/13 18:03:27 salo Exp $
-SHA1 (imlib-1.9.14.tar.gz) = 3c8c8c3aaec3cc5a9fc924060a71223862a313f6
-Size (imlib-1.9.14.tar.gz) = 748591 bytes
+SHA1 (imlib-1.9.15.tar.bz2) = c9a732a354fbb3c7e1a426e5d19fc92d73f8f720
+Size (imlib-1.9.15.tar.bz2) = 683242 bytes
SHA1 (patch-aa) = 185a5229af781d3dbc57978a3f4acd8308ca4c14
-SHA1 (patch-ab) = df9f9f7c85f0794748a4ca6f58836f8dd230c805
+SHA1 (patch-ab) = d1daff101bec77680f3e17cb776285976a7b5c7a
SHA1 (patch-ae) = 3ed6fff2e73f04ec83c27dc6e3f2db2fa446abbb
-SHA1 (patch-ag) = 0ed464cb26492f3eebb8812efdb49ee83ef4ae6b
-SHA1 (patch-ah) = 703f83ad25e0a8af8427ccd4d8492f7fa83f26a3
-SHA1 (patch-ai) = 4c1ab5bd72cd3a5070a84b08e7870591d5a3b309
+SHA1 (patch-ag) = 961a92dfedc79570aacdd75102e63a32171ece55
+SHA1 (patch-ah) = edee5311a47d552f9d1b9dcb96f256518040c538
+SHA1 (patch-ai) = df13b72272f754375348437b99d962cb17732619
+SHA1 (patch-aj) = 2769e304deb93dd413fa3c44d53d1d67e92d5d00
+SHA1 (patch-ak) = 4d7ae79f23bf0c64fd85ffebc086b7bb43207718
+SHA1 (patch-al) = 4ad51c7128f7d6a5ecc67f51c745caf53a4def06
+SHA1 (patch-am) = 73c62e11f5b6ac6774e51f8183987b2b4db01465
+SHA1 (patch-an) = 260aeece3eb74d3ec11deed4e38fd46d3f1cde79
+SHA1 (patch-ao) = d4e3df56d2f743e53e73d72551ccd03491bf1c44
diff --git a/graphics/imlib/patches/patch-ab b/graphics/imlib/patches/patch-ab
index 572a759f4f0..40399903884 100644
--- a/graphics/imlib/patches/patch-ab
+++ b/graphics/imlib/patches/patch-ab
@@ -1,8 +1,37 @@
-$NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
+$NetBSD: patch-ab,v 1.5.16.1 2004/12/13 18:03:27 salo Exp $
---- Imlib/load.c.orig Wed Mar 13 19:06:29 2002
-+++ Imlib/load.c
-@@ -254,7 +254,8 @@
+--- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200
++++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100
+@@ -4,6 +4,8 @@
+ #include "Imlib_private.h"
+ #include <setjmp.h>
+
++#define G_MAXINT ((int) 0x7fffffff)
++
+ /* Split the ID - damages input */
+
+ static char *
+@@ -41,13 +43,17 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void * _imlib_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
+
+ #ifdef HAVE_LIBJPEG
+@@ -254,7 +260,8 @@
png_read_image(png_ptr, lines);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
ptr = data;
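Review bot: In the new `_imlib_malloc_image` guard, `w <= 0` and `h <= 0` test `unsigned int` parameters, so they can only ever mean `== 0`; a negative dimension passed by a caller arrives as a large unsigned value and is rejected by the `> 32767` arm instead. Writing `w == 0 || w > 32767 || h == 0 || h > 32767` states what is actually checked. The added `#define G_MAXINT ((int) 0x7fffffff)` is unguarded and reuses glib's name; `INT_MAX` from `<limits.h>`, or an `#ifndef G_MAXINT` wrapper, would avoid a redefinition if a glib header is ever pulled into this file. The same guard is added to `_gdk_malloc_image` in patch-an, where the comment also spells the macro `G_MAX_INT`.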
@@ -12,7 +41,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
{
for (y = 0; y < *h; y++)
{
-@@ -279,6 +280,7 @@
+@@ -279,6 +286,7 @@
}
}
}
@@ -20,7 +49,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else if (color_type == PNG_COLOR_TYPE_GRAY)
{
for (y = 0; y < *h; y++)
-@@ -294,6 +296,7 @@
+@@ -294,6 +302,7 @@
}
}
}
@@ -28,3 +57,131 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else
{
for (y = 0; y < *h; y++)
+@@ -360,7 +369,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
+@@ -463,7 +474,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if (*h > 32767 || *w > 32767)
++ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
+@@ -1000,7 +1011,12 @@
+ comment = 0;
+ quote = 0;
+ context = 0;
++ memset(lookup, 0, sizeof(lookup));
++
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -1029,25 +1045,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -1080,11 +1096,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ iscolor = 0;
+ hascolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -1107,10 +1125,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -1140,14 +1158,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok));
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -=1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
+@@ -1376,12 +1397,12 @@
+ sscanf(s, "%i %i", w, h);
+ a = *w;
+ b = *h;
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
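Review bot: The added line `if (slen < sizeof(tok));` ends in a semicolon, so the `if` controls an empty statement and the following `strcpy(tok, s);` still runs for every token regardless of its length; the bound this patch intends for `tok` is not enforced in Imlib/load.c. The gdk_imlib copy in patch-am has the same line without the semicolon, which is the intended form: `if (slen < sizeof(tok))` followed by `strcpy(tok, s);`. Braces around the guarded statement would make a slip like this visible at a glance. The XPM loader's body starts and ends outside this hunk, so how `slen` is kept in step with `s` cannot be confirmed from here.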
diff --git a/graphics/imlib/patches/patch-ag b/graphics/imlib/patches/patch-ag
index 1cdc3167638..d0b4cbe5ec8 100644
--- a/graphics/imlib/patches/patch-ag
+++ b/graphics/imlib/patches/patch-ag
@@ -1,15 +1,15 @@
-$NetBSD: patch-ag,v 1.4 2002/08/25 18:39:13 jlam Exp $
+$NetBSD: patch-ag,v 1.4.10.1 2004/12/13 18:03:27 salo Exp $
---- configure.orig Mon Mar 25 11:45:33 2002
+--- configure.orig 2004-09-23 01:15:44.000000000 +0000
+++ configure
-@@ -7670,8 +7670,8 @@
+@@ -23645,8 +23645,8 @@ echo "${ECHO_T}$ac_cv_header_tiffio_h" >
+
fi
- if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then
- echo "$ac_t""yes" 1>&6
+ if test $ac_cv_header_tiffio_h = yes; then
- TIFFLIBS="-ltiff"
-- SUPPORT_LIBS="$SUPPORT_LIBS -ltiff"; cat >> confdefs.h <<\EOF
+- SUPPORT_LIBS="$SUPPORT_LIBS -ltiff";
+ TIFFLIBS="-ltiff -ljpeg -lz"
-+ SUPPORT_LIBS="$SUPPORT_LIBS $TIFFLIBS"; cat >> confdefs.h <<\EOF
++ SUPPORT_LIBS="$SUPPORT_LIBS -ltiff -ljpeg -lz";
+ cat >>confdefs.h <<\_ACEOF
#define HAVE_LIBTIFF 1
- EOF
-
+ _ACEOF
diff --git a/graphics/imlib/patches/patch-ah b/graphics/imlib/patches/patch-ah
index bf1841071ef..db147ff2163 100644
--- a/graphics/imlib/patches/patch-ah
+++ b/graphics/imlib/patches/patch-ah
@@ -1,18 +1,18 @@
-$NetBSD: patch-ah,v 1.1 2002/11/26 12:32:21 jmmv Exp $
+$NetBSD: patch-ah,v 1.1.10.1 2004/12/13 18:03:27 salo Exp $
---- config/Makefile.in.orig Mon Mar 25 17:50:27 2002
+--- config/Makefile.in.orig 2004-09-23 01:16:17.000000000 +0000
+++ config/Makefile.in
-@@ -23,7 +23,8 @@ bindir = @bindir@
+@@ -158,7 +158,8 @@ prefix = @prefix@
+ program_transform_name = @program_transform_name@
sbindir = @sbindir@
- libexecdir = @libexecdir@
- datadir = @datadir@
+ sharedstatedir = @sharedstatedir@
-sysconfdir = @sysconfdir@
+realsysconfdir = @sysconfdir@
+sysconfdir = @datadir@/examples/@PACKAGE@
- sharedstatedir = @sharedstatedir@
- localstatedir = @localstatedir@
- libdir = @libdir@
-@@ -219,7 +220,7 @@ maintainer-clean-generic clean mostlycle
+ target_alias = @target_alias@
+ EXTRA_DIST = imrc.in im_palette.pal im_palette-small.pal im_palette-tiny.pal
+ sysconf_DATA = imrc im_palette.pal im_palette-small.pal im_palette-tiny.pal
+@@ -331,7 +332,7 @@ uninstall-am: uninstall-info-am uninstal
imrc: imrc.in
diff --git a/graphics/imlib/patches/patch-ai b/graphics/imlib/patches/patch-ai
index d694b7f1b37..c8fb21c2388 100644
--- a/graphics/imlib/patches/patch-ai
+++ b/graphics/imlib/patches/patch-ai
@@ -1,8 +1,8 @@
-$NetBSD: patch-ai,v 1.1 2004/03/13 17:35:54 cube Exp $
+$NetBSD: patch-ai,v 1.1.6.1 2004/12/13 18:03:27 salo Exp $
--- gdk_imlib/io-ppm.c.orig 2002-03-04 18:06:29.000000000 +0100
-+++ gdk_imlib/io-ppm.c
-@@ -50,7 +50,7 @@ loader_ppm (FILE * f, int *w, int *h, in
++++ gdk_imlib/io-ppm.c 2004-12-10 10:00:56.000000000 +0100
+@@ -50,15 +50,15 @@
if (s[0] != '#')
{
done = 0;
@@ -10,8 +10,18 @@ $NetBSD: patch-ai,v 1.1 2004/03/13 17:35:54 cube Exp $
+ sscanf(s, "%d %d", w, h);
a = *w;
b = *h;
- if (a > 32767)
-@@ -66,7 +66,7 @@ loader_ppm (FILE * f, int *w, int *h, in
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
+@@ -66,7 +66,7 @@
if (!bw)
{
fgets(s, 256, f);
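Review bot: The new `a <= 0` / `b <= 0` tests can read values that `sscanf(s, "%d %d", w, h)` never wrote: its return value is ignored, so on a line that does not parse as two integers `*w` and `*h` keep whatever the caller passed in. Checking the conversion count first, `if (sscanf(s, "%d %d", w, h) != 2) return NULL;`, makes the range checks below operate only on parsed values. The same pattern (an unchecked `sscanf` followed by the new range checks) appears in the XPM and PPM header parsing in patch-ab, patch-aj, patch-am and patch-ao. The error strings still say `> 32767` although they now also fire for zero and negative sizes. loader_ppm's body continues outside the hunk.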
diff --git a/graphics/imlib/patches/patch-aj b/graphics/imlib/patches/patch-aj
new file mode 100644
index 00000000000..792086b441c
--- /dev/null
+++ b/graphics/imlib/patches/patch-aj
@@ -0,0 +1,89 @@
+$NetBSD: patch-aj,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- Imlib/utils.c.orig 2004-09-21 02:22:59.000000000 +0200
++++ Imlib/utils.c 2004-12-10 09:58:18.000000000 +0100
+@@ -1496,36 +1496,56 @@
+ context = 0;
+ ptr = NULL;
+ end = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ while (!done)
+ {
+ line = data[count++];
++ if (!line)
++ break;
++ line = strdup(line);
++ if (!line)
++ break;
++ len = strlen(line);
++ for (i = 0; i < len; ++i)
++ {
++ c = line[i];
++ if (c < 32)
++ line[i] = 32;
++ else if (c > 127)
++ line[i] = 127;
++ }
++
+ if (context == 0)
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (w > 32767)
++ if (w <= 0 || w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (h > 32767)
++ if (h <= 0 || h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+ cmap = malloc(sizeof(struct _cmap) * ncolors);
+@@ -1533,6 +1553,7 @@
+ if (!cmap)
+ {
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->rgb_width = w;
+@@ -1542,6 +1563,7 @@
+ {
+ free(cmap);
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->alpha_data = NULL;
+@@ -1817,6 +1839,7 @@
+ }
+ if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
+ done = 1;
++ free(line);
+ }
+ if (!transp)
+ {
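Review bot: The two new `break` statements (a NULL entry in `data`, or `strdup` failing) only leave the `while (!done)` loop and fall into the code after it, whereas every other failure in this hunk frees what it holds and returns NULL. If either triggers on the first iteration the header has not been parsed, so `w`, `h` and `cmap` have not been set by this loop; the code after the loop is outside the hunk, so whether it copes with that should be confirmed. Treating both cases as errors, freeing whatever has been allocated so far and returning NULL like the neighbouring paths, would be safer. patch-ao adds the identical lines to gdk_imlib/utils.c.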
diff --git a/graphics/imlib/patches/patch-ak b/graphics/imlib/patches/patch-ak
new file mode 100644
index 00000000000..de0fb0ca529
--- /dev/null
+++ b/graphics/imlib/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- gdk_imlib/io-gif.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-gif.c 2004-12-10 10:00:56.000000000 +0100
+@@ -55,7 +55,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if(*h > 32767 || *w > 32767)
++ if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
diff --git a/graphics/imlib/patches/patch-al b/graphics/imlib/patches/patch-al
new file mode 100644
index 00000000000..86215cc416a
--- /dev/null
+++ b/graphics/imlib/patches/patch-al
@@ -0,0 +1,15 @@
+$NetBSD: patch-al,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- gdk_imlib/io-tiff.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-tiff.c 2004-12-10 10:00:56.000000000 +0100
+@@ -36,7 +36,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
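Review bot: `npix = ww * hh;` is still evaluated before the new range and product checks, so the multiplication is formed from unvalidated dimensions. The declarations are outside the hunk; if `ww` and `hh` are unsigned the wrap is well defined and `npix` is presumably unused before the early return, but moving the assignment below the `if` block would make the ordering obviously safe. The same order is kept in the Imlib/load.c TIFF hunk in patch-ab.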
diff --git a/graphics/imlib/patches/patch-am b/graphics/imlib/patches/patch-am
new file mode 100644
index 00000000000..703a7041039
--- /dev/null
+++ b/graphics/imlib/patches/patch-am
@@ -0,0 +1,97 @@
+$NetBSD: patch-am,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- gdk_imlib/io-xpm.c.orig 2002-03-04 18:06:29.000000000 +0100
++++ gdk_imlib/io-xpm.c 2004-12-10 10:00:56.000000000 +0100
+@@ -40,8 +40,12 @@
+ context = 0;
+ i = j = 0;
+ cmap = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -70,25 +74,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -120,11 +124,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ hascolor = 0;
+ iscolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -147,10 +153,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strncat(col, " ", space), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -180,14 +186,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok))
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
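Review bot: The bounded appends are written as comma expressions under unbraced `if`s, e.g. `strcat(col, s), space -= slen;`, which is easy to misread and to break on a later edit. A braced form, `if (slen <= space) { strcat(col, s); space -= slen; }`, states the same thing plainly. The first append uses `strncat(col, " ", space)` while the other three use `strcat`; one form throughout would be easier to audit. `slen` is declared in the hunk but assigned outside it, so whether it always equals `strlen(s)` at these points cannot be confirmed from here, and the `space` accounting depends on that. The same construct is in the Imlib/load.c copy in patch-ab.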
diff --git a/graphics/imlib/patches/patch-an b/graphics/imlib/patches/patch-an
new file mode 100644
index 00000000000..7c056e8a577
--- /dev/null
+++ b/graphics/imlib/patches/patch-an
@@ -0,0 +1,23 @@
+$NetBSD: patch-an,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- gdk_imlib/misc.c.orig 2002-03-04 18:06:32.000000000 +0100
++++ gdk_imlib/misc.c 2004-12-10 10:15:22.000000000 +0100
+@@ -1355,11 +1355,16 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void *_gdk_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
++
diff --git a/graphics/imlib/patches/patch-ao b/graphics/imlib/patches/patch-ao
new file mode 100644
index 00000000000..bdaad8c3485
--- /dev/null
+++ b/graphics/imlib/patches/patch-ao
@@ -0,0 +1,98 @@
+$NetBSD: patch-ao,v 1.1.2.2 2004/12/13 18:03:27 salo Exp $
+
+--- gdk_imlib/utils.c.orig 2002-03-22 15:43:29.000000000 +0100
++++ gdk_imlib/utils.c 2004-12-10 10:15:22.000000000 +0100
+@@ -1236,36 +1236,56 @@
+ context = 0;
+ ptr = NULL;
+ end = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ while (!done)
+ {
+ line = data[count++];
++ if (!line)
++ break;
++ line = strdup(line);
++ if (!line)
++ break;
++ len = strlen(line);
++ for (i = 0; i < len; ++i)
++ {
++ c = line[i];
++ if (c < 32)
++ line[i] = 32;
++ else if (c > 127)
++ line[i] = 127;
++ }
++
+ if (context == 0)
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (w > 32767)
++ if (w <= 0 || w > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+- if (h > 32767)
++ if (h <= 0 || h > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
+ free(im);
++ free(line);
+ return NULL;
+ }
+ cmap = malloc(sizeof(struct _cmap) * ncolors);
+@@ -1273,6 +1293,7 @@
+ if (!cmap)
+ {
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->rgb_width = w;
+@@ -1282,6 +1303,7 @@
+ {
+ free(cmap);
+ free(im);
++ free(line);
+ return NULL;
+ }
+ im->alpha_data = NULL;
+@@ -1355,7 +1377,7 @@
+ strcpy(col + colptr, " ");
+ colptr++;
+ }
+- if (colptr + ls <= sizeof(col))
++ if (colptr + ls < sizeof(col))
+ {
+ strcpy(col + colptr, s);
+ colptr += ls;
+@@ -1558,6 +1580,7 @@
+ }
+ if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
+ done = 1;
++ free(line);
+ }
+ if (!transp)
+ {
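Review bot: The off-by-one fix `if (colptr + ls < sizeof(col))` is made only here in gdk_imlib/utils.c; patch-aj, which otherwise mirrors this patch for Imlib/utils.c, has no corresponding hunk. It is worth confirming that the Imlib copy of this append already uses `<`, because with `<=` the terminating NUL written by `strcpy(col + colptr, s)` can land one byte past the end of `col`. The preceding `strcpy(col + colptr, " ");` is shown only as context, so whether that append is bounded cannot be seen from this hunk.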