Pullup ticket #3909 - requested by wiz

graphics/gimp: security patch

Revisions pulled up:
- graphics/gimp/Makefile                                        1.218 via patch
- graphics/gimp/distinfo                                        1.68
- graphics/gimp/patches/patch-plug-ins_common_file-gif-load.c   1.1

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Mon Aug 20 12:54:01 UTC 2012

   Modified Files:
   	pkgsrc/graphics/gimp: Makefile distinfo
   Added Files:
   	pkgsrc/graphics/gimp/patches: patch-plug-ins_common_file-gif-load.c

   Log Message:
   Fix CVE-2012-3481 using Nils Philippsen's patch.
   Bump PKGREVISION.

3 files changed, 43 insertions, 3 deletions

diff --git a/graphics/gimp/Makefile b/graphics/gimp/Makefile
index b2f9ff99f71..4079648c9da 100644
--- a/graphics/gimp/Makefile
+++ b/graphics/gimp/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.214 2012/06/14 07:43:24 sbd Exp $
+# $NetBSD: Makefile,v 1.214.2.1 2012/08/20 18:56:04 tron Exp $
 
 DISTNAME=	gimp-2.8.0
-PKGREVISION=	1
+PKGREVISION=	3
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.gimp.org/pub/gimp/v${PKGVERSION_NOREV:R}/ \
 		${MASTER_SITE_GNU:=gimp/v${PKGVERSION_NOREV:R}/} \
diff --git a/graphics/gimp/distinfo b/graphics/gimp/distinfo
index 1b28d919fe8..589ba8b4955 100644
--- a/graphics/gimp/distinfo
+++ b/graphics/gimp/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67 2012/05/07 08:40:08 adam Exp $
+$NetBSD: distinfo,v 1.67.2.1 2012/08/20 18:56:04 tron Exp $
 
 SHA1 (gimp-2.8.0.tar.bz2) = 3b20d3dd10d971acbbc9345eb5cb93378c398ebc
 RMD160 (gimp-2.8.0.tar.bz2) = aeff9275461d0171e22b2281aae28ca4fb4bc63f
@@ -10,4 +10,5 @@ SHA1 (patch-app_Makefile.in) = efbd9e592cdbc154e5a6402279c7d54f3946c65c
 SHA1 (patch-app_base_base-utils.c) = 18dfa09c1d63530ff79cd4c3515d9f1077182d64
 SHA1 (patch-app_config_Makefile.in) = a2fcebd994831fbe0f911efb84c1fecdf2e59198
 SHA1 (patch-devel-docs_app_Makefile.in) = 1eb97f779d5151b9e89b4ae47afb44d1bb3b6a48
+SHA1 (patch-plug-ins_common_file-gif-load.c) = 44a83ad0e2ddc7d4601ee96b0c524121a1b29bf8
 SHA1 (patch-plug-ins_script-fu_script-fu-server.c) = 4932d82711c8010cf7b1ff5bfb12031946273c2b
diff --git a/graphics/gimp/patches/patch-plug-ins_common_file-gif-load.c b/graphics/gimp/patches/patch-plug-ins_common_file-gif-load.c
new file mode 100644
index 00000000000..ae9f2ff769a
--- /dev/null
+++ b/graphics/gimp/patches/patch-plug-ins_common_file-gif-load.c
@@ -0,0 +1,39 @@
+$NetBSD: patch-plug-ins_common_file-gif-load.c,v 1.1.2.2 2012/08/20 18:56:05 tron Exp $
+
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue, 14 Aug 2012 12:18:22 +0200
+Subject: [PATCH 1/2] file-gif-load: limit len and height (CVE-2012-3481)
+
+Ensure values of len and height can't overflow g_malloc() argument type.
+(cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
+
+From: Nils Philippsen <nils@redhat.com>
+Date: Tue, 14 Aug 2012 15:27:39 +0200
+Subject: [PATCH 2/2] file-gif-load: fix type overflow (CVE-2012-3481)
+
+Cast variables properly to avoid overflowing when computing how much
+memory to allocate.
+(cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
+
+--- plug-ins/common/file-gif-load.c.orig	2012-03-12 19:18:10.000000000 +0000
++++ plug-ins/common/file-gif-load.c
+@@ -1057,10 +1057,17 @@ ReadImage (FILE        *fd,
+   cur_progress = 0;
+   max_progress = height;
+ 
++  if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++  {
++    g_message ("'%s' has a larger image size than GIMP can handle.",
++               gimp_filename_to_utf8 (filename));
++    return -1;
++  }
++
+   if (alpha_frame)
+-    dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++    dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+   else
+-    dest = (guchar *) g_malloc (len * height);
++    dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+ 
+ #ifdef GIFDEBUG
+     g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",