Pullup ticket 3027 - requested by taca

security patch

Revisions pulled up:
- pkgsrc/x11/wxGTK24/Makefile		1.11
- pkgsrc/x11/wxGTK24/distinfo		1.10

Files added:
pkgsrc/x11/wxGTK24/patches/patch-am
pkgsrc/x11/wxGTK24/patches/patch-an
pkgsrc/x11/wxGTK24/patches/patch-ao
pkgsrc/x11/wxGTK24/patches/patch-ap

   --------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Tue Feb 16 17:33:39 UTC 2010

   Modified Files:
           pkgsrc/x11/wxGTK24: Makefile distinfo
   Added Files:
           pkgsrc/x11/wxGTK24/patches: patch-am patch-an patch-ao patch-ap

   Log Message:
   Add patches for CVE-2009-2625 and CVE-2009-2369.

   Bump PKGREVISION.


   To generate a diff of this commit:
   cvs rdiff -u -r1.10 -r1.11 pkgsrc/x11/wxGTK24/Makefile
   cvs rdiff -u -r1.9 -r1.10 pkgsrc/x11/wxGTK24/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK24/patches/patch-am \
       pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao \
       pkgsrc/x11/wxGTK24/patches/patch-ap

6 files changed, 102 insertions, 3 deletions

diff --git a/x11/wxGTK24/Makefile b/x11/wxGTK24/Makefile
index 4e1d921080e..82e8a5015fa 100644
--- a/x11/wxGTK24/Makefile
+++ b/x11/wxGTK24/Makefile
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.9 2009/11/29 20:16:20 joerg Exp $
+# $NetBSD: Makefile,v 1.9.2.1 2010/02/28 13:15:01 spz Exp $
 #
 
 PKG_DESTDIR_SUPPORT=	user-destdir
 
 .include "Makefile.common"
 
-PKGREVISION=		14
+PKGREVISION=		16
 COMMENT=		GTK-based implementation of the wxWidgets GUI library
 CONFLICTS+=		wxGTK<=2.4.2nb5
 
diff --git a/x11/wxGTK24/distinfo b/x11/wxGTK24/distinfo
index bc7972ef9ba..b1b560a72c2 100644
--- a/x11/wxGTK24/distinfo
+++ b/x11/wxGTK24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.9 2009/11/29 20:16:20 joerg Exp $
+$NetBSD: distinfo,v 1.9.2.1 2010/02/28 13:15:02 spz Exp $
 
 SHA1 (wxGTK-2.4.2.tar.bz2) = 3f1ebacaaf8eb5510c14ee10bafbc5f225be842c
 RMD160 (wxGTK-2.4.2.tar.bz2) = 8076d1ba31c9b23becb241cbad5a83763fee776e
@@ -15,3 +15,7 @@ SHA1 (patch-ai) = c5d301c2cb45397329d9a817d9278707a2d3b97f
 SHA1 (patch-aj) = 9f74442617e6a869c5ff253591bba3f9da3a9e0c
 SHA1 (patch-ak) = 3f26086c8f16ac972db89c21f665c187570937cc
 SHA1 (patch-al) = bceed88db708c83afca0fe3adb5c923f9bc661b0
+SHA1 (patch-am) = 445ae223a6fd88b86efafa7c13dbcf3f359f364f
+SHA1 (patch-an) = a9d276244cac87fa00a3c3338179e68084b72b1d
+SHA1 (patch-ao) = 7fb559c8662b20a61d39b308d3b6723b0dde6673
+SHA1 (patch-ap) = b1217506bfffe9ed7a282c960a99921c61d76dbd
diff --git a/x11/wxGTK24/patches/patch-am b/x11/wxGTK24/patches/patch-am
new file mode 100644
index 00000000000..5d320829dbf
--- /dev/null
+++ b/x11/wxGTK24/patches/patch-am
@@ -0,0 +1,15 @@
+$NetBSD: patch-am,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
+
+deal with CVE-2009-2625.
+
+--- contrib/src/xrc/expat/xmltok/xmltok_impl.c.orig	2003-09-21 11:32:55.000000000 +0000
++++ contrib/src/xrc/expat/xmltok/xmltok_impl.c
+@@ -1753,7 +1753,7 @@ void PREFIX(updatePosition)(const ENCODI
+ 			    const char *end,
+ 			    POSITION *pos)
+ {
+-  while (ptr != end) {
++  while (ptr < end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \
diff --git a/x11/wxGTK24/patches/patch-an b/x11/wxGTK24/patches/patch-an
new file mode 100644
index 00000000000..cea462b1c4a
--- /dev/null
+++ b/x11/wxGTK24/patches/patch-an
@@ -0,0 +1,17 @@
+$NetBSD: patch-an,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/image.cpp.orig	2003-09-21 11:31:39.000000000 +0000
++++ src/common/image.cpp
+@@ -147,6 +147,10 @@ void wxImage::Create( int width, int hei
+ 
+     m_refData = new wxImageRefData();
+ 
++    if (width <= 0 || height <= 0 || width > INT_MAX / 3 / height) {
++	UnRef();
++	return;
++    }
+     M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
+     if (M_IMGDATA->m_data)
+     {
diff --git a/x11/wxGTK24/patches/patch-ao b/x11/wxGTK24/patches/patch-ao
new file mode 100644
index 00000000000..686b15c5840
--- /dev/null
+++ b/x11/wxGTK24/patches/patch-ao
@@ -0,0 +1,28 @@
+$NetBSD: patch-ao,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagpng.cpp.orig	2003-09-21 11:31:39.000000000 +0000
++++ src/common/imagpng.cpp
+@@ -213,18 +213,16 @@ bool wxPNGHandler::LoadFile( wxImage *im
+     if (!image->Ok())
+         goto error_nolines;
+ 
+-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++    // initialize all line pointers to NULL to ensure that they can be safely
++    // free()d if an error occurs before all of them could be allocated
++    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+     if (lines == NULL)
+         goto error_nolines;
+ 
+     for (i = 0; i < height; i++)
+     {
+         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+-        {
+-            for ( unsigned int n = 0; n < i; n++ )
+-                free( lines[n] );
+             goto error;
+-        }
+     }
+ 
+     // loaded successfully!
diff --git a/x11/wxGTK24/patches/patch-ap b/x11/wxGTK24/patches/patch-ap
new file mode 100644
index 00000000000..d167fb379a2
--- /dev/null
+++ b/x11/wxGTK24/patches/patch-ap
@@ -0,0 +1,35 @@
+$NetBSD: patch-ap,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagtiff.cpp.orig	2003-09-21 11:31:39.000000000 +0000
++++ src/common/imagtiff.cpp
+@@ -188,15 +188,25 @@ bool wxTIFFHandler::LoadFile( wxImage *i
+     }
+ 
+     uint32 w, h;
+-    uint32 npixels;
+     uint32 *raster;
+ 
+     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
+     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
+ 
+-    npixels = w * h;
++    // guard against integer overflow during multiplication which could result
++    // in allocating a too small buffer and then overflowing it
++    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
++    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++    {
++	if ( verbose )
++	    wxLogError( _("TIFF: Image size is abnormally big.") );
++
++	TIFFClose(tif);
++
++	return false;
++    }
+ 
+-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++    raster = (uint32*) _TIFFmalloc( bytesNeeded );
+ 
+     if (!raster)
+     {