authorspz <spz@pkgsrc.org>2010-02-28 13:34:22 +0000
committerspz <spz@pkgsrc.org>2010-02-28 13:34:22 +0000
commit96622d1912701175c32ad8424e282ac1dee2f45e (patch)
treec4ce21498b354b457c2a4ae62800355f65dc0b9c
parent85e7d99ac707cbc575b66e5caa3c494f52cad3cd (diff)
downloadpkgsrc-96622d1912701175c32ad8424e282ac1dee2f45e.tar.gz
Pullup ticket 3028 - requested by taca
security patch Revisions pulled up: - pkgsrc/x11/wxGTK26/Makefile 1.5 - pkgsrc/x11/wxGTK26/distinfo 1.4 Files added: pkgsrc/x11/wxGTK26/patches/patch-ae pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag pkgsrc/x11/wxGTK26/patches/patch-ah -------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Feb 16 17:35:34 UTC 2010 Modified Files: pkgsrc/x11/wxGTK26: Makefile distinfo Added Files: pkgsrc/x11/wxGTK26/patches: patch-ae patch-af patch-ag patch-ah Log Message: Add patches for CVE-2009-2369 and CVE-2009-2625. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Makefile cvs rdiff -u -r1.3 -r1.4 pkgsrc/x11/wxGTK26/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ae \ pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag \ pkgsrc/x11/wxGTK26/patches/patch-ah
-rw-r--r--x11/wxGTK26/Makefile4
-rw-r--r--x11/wxGTK26/distinfo6
-rw-r--r--x11/wxGTK26/patches/patch-ae17
-rw-r--r--x11/wxGTK26/patches/patch-af28
-rw-r--r--x11/wxGTK26/patches/patch-ag35
-rw-r--r--x11/wxGTK26/patches/patch-ah15
6 files changed, 102 insertions, 3 deletions
diff --git a/x11/wxGTK26/Makefile b/x11/wxGTK26/Makefile
index a6380b8120a..5113d284eb9 100644
--- a/x11/wxGTK26/Makefile
+++ b/x11/wxGTK26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.3 2009/08/26 20:24:12 sno Exp $
+# $NetBSD: Makefile,v 1.3.4.1 2010/02/28 13:34:22 spz Exp $
#
.include "Makefile.common"
-PKGREVISION= 4
+PKGREVISION= 6
COMMENT= GTK-based implementation of the wxWidgets GUI library
post-build:
diff --git a/x11/wxGTK26/distinfo b/x11/wxGTK26/distinfo
index f400cc69d39..043658df8bd 100644
--- a/x11/wxGTK26/distinfo
+++ b/x11/wxGTK26/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2009/10/23 11:16:55 plunky Exp $
+$NetBSD: distinfo,v 1.3.2.1 2010/02/28 13:34:22 spz Exp $
SHA1 (wxGTK-2.6.3-libtool.diff3.bz2) = 657566a9384a4bc160dffd26678b5e0c6a1cb5b2
RMD160 (wxGTK-2.6.3-libtool.diff3.bz2) = 233af8dd61317ed1771c1862c6cec65f131b6de0
@@ -10,3 +10,7 @@ SHA1 (patch-aa) = 0ef5ae28b70a3290e37363193248365f4cf03cec
SHA1 (patch-ab) = 3e9c6bc0df33e466390a4f6483b1c84e2eb9257b
SHA1 (patch-ac) = 50bd7d4291e44dac1d2bbbae1b12167177f5ef01
SHA1 (patch-ad) = fb51bb80451d39ba2bba53d42722327888b4a0be
+SHA1 (patch-ae) = d6fcc9b21fd457e79c32f2dc47166dc7afbd65b1
+SHA1 (patch-af) = 96e29001bcf1fbc33f4cb185f25f53a6901ce9d2
+SHA1 (patch-ag) = ccaac341ecd589dbde465f49064dd2ab480fc639
+SHA1 (patch-ah) = e7da6aacd004048d0d07965df09e97cef5a76551
diff --git a/x11/wxGTK26/patches/patch-ae b/x11/wxGTK26/patches/patch-ae
new file mode 100644
index 00000000000..6a6e7c05afa
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ae
@@ -0,0 +1,17 @@
+$NetBSD: patch-ae,v 1.1.2.2 2010/02/28 13:34:22 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/image.cpp.orig 2006-03-21 23:42:10.000000000 +0000
++++ src/common/image.cpp
+@@ -192,6 +192,10 @@ bool wxImage::Create( int width, int hei
+
+ m_refData = new wxImageRefData();
+
++ if (width <= 0 || height <= 0 || width > INT_MAX / 3 / height) {
++ UnRef();
++ return false;
++ }
+ M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
+ if (!M_IMGDATA->m_data)
+ {
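Review bot: The new guard in wxImage::Create uses `INT_MAX`, but no include of `<limits.h>` is visible in this hunk, so it is worth confirming that image.cpp already gets that macro through its existing headers on every supported platform. The check itself bounds `width*height*3` before the `malloc`, but nothing in the code says so; I would add a comment above it such as `// reject non-positive sizes and sizes for which width*height*3 would overflow int`. The check also runs after `m_refData = new wxImageRefData();`, so every rejected size allocates and then releases a ref-data object. Whether it can move above that line depends on the start of the function, which is outside this hunk.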
diff --git a/x11/wxGTK26/patches/patch-af b/x11/wxGTK26/patches/patch-af
new file mode 100644
index 00000000000..5224acab7c7
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-af
@@ -0,0 +1,28 @@
+$NetBSD: patch-af,v 1.1.2.2 2010/02/28 13:34:22 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagpng.cpp.orig 2006-03-21 23:42:10.000000000 +0000
++++ src/common/imagpng.cpp
+@@ -570,18 +570,16 @@ wxPNGHandler::LoadFile(wxImage *image,
+ if (!image->Ok())
+ goto error;
+
+- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++ // initialize all line pointers to NULL to ensure that they can be safely
++ // free()d if an error occurs before all of them could be allocated
++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+ if ( !lines )
+ goto error;
+
+ for (i = 0; i < height; i++)
+ {
+ if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+- {
+- for ( unsigned int n = 0; n < i; n++ )
+- free( lines[n] );
+ goto error;
+- }
+ }
+
+ png_read_image( png_ptr, lines );
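Review bot: Removing the inner `for ( unsigned int n = 0; n < i; n++ ) free( lines[n] );` loop is only leak-free if the `error:` label releases every `lines[n]` for `n < height` before freeing `lines`, and that label is outside this hunk, so it should be checked against the patched source. The switch to `calloc` is what makes such a full sweep safe, since unallocated slots are NULL. I would extend the added comment to name that dependency, for example `// rows are released at the error label, which frees all height entries`. LoadFile starts and ends outside the hunk.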
diff --git a/x11/wxGTK26/patches/patch-ag b/x11/wxGTK26/patches/patch-ag
new file mode 100644
index 00000000000..012fbc576f0
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ag
@@ -0,0 +1,35 @@
+$NetBSD: patch-ag,v 1.1.2.2 2010/02/28 13:34:22 spz Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagtiff.cpp.orig 2006-03-21 23:42:10.000000000 +0000
++++ src/common/imagtiff.cpp
+@@ -232,15 +232,25 @@ bool wxTIFFHandler::LoadFile( wxImage *i
+ }
+
+ uint32 w, h;
+- uint32 npixels;
+ uint32 *raster;
+
+ TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
+ TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
+
+- npixels = w * h;
++ // guard against integer overflow during multiplication which could result
++ // in allocating a too small buffer and then overflowing it
++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++ {
++ if ( verbose )
++ wxLogError( _("TIFF: Image size is abnormally big.") );
++
++ TIFFClose(tif);
++
++ return false;
++ }
+
+- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++ raster = (uint32*) _TIFFmalloc( bytesNeeded );
+
+ if (!raster)
+ {
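Review bot: The size limit in the new check is UINT32_MAX, but `bytesNeeded` is then passed as a `double` straight into `_TIFFmalloc`, whose size parameter is `tsize_t`. Where `tsize_t` is a signed 32-bit type (as in libtiff 3.x, to be confirmed for the library this package builds against), any value between INT32_MAX and UINT32_MAX passes the check and does not convert to a meaningful allocation size. I would bound against the signed limit and make the conversion explicit: `if ( bytesNeeded >= 2147483647 /* INT32_MAX */ )` and `raster = (uint32*) _TIFFmalloc( (tsize_t)bytesNeeded );`. The hunk also drops `npixels`, so any later use of it in LoadFile, which continues outside the hunk, would need the same treatment.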
diff --git a/x11/wxGTK26/patches/patch-ah b/x11/wxGTK26/patches/patch-ah
new file mode 100644
index 00000000000..78f55cc8c77
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.1.2.2 2010/02/28 13:34:22 spz Exp $
+
+deal with CVE-2009-2625.
+
+--- src/expat/lib/xmltok_impl.c.orig 2006-03-21 23:42:06.000000000 +0000
++++ src/expat/lib/xmltok_impl.c
+@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e
+ const char *end,
+ POSITION *pos)
+ {
+- while (ptr != end) {
++ while (ptr <= end) {
+ switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+ case BT_LEAD ## n: \
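Review bot: The new loop condition `while (ptr <= end)` still evaluates `BYTE_TYPE(enc, ptr)` when `ptr == end`. The original `ptr != end` test implies `end` is the exclusive end of the input, so this iteration reads one position past the buffer. The change does stop the walk once a multi-byte step has carried `ptr` beyond `end`, but the condition that does so without touching `*end` is `while (ptr < end) {`. The body of updatePosition continues outside the hunk, so the per-case advances should be checked against that bound as well.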