diff options
author | hauke <hauke@pkgsrc.org> | 2012-04-27 14:37:37 +0000 |
---|---|---|
committer | hauke <hauke@pkgsrc.org> | 2012-04-27 14:37:37 +0000 |
commit | 738b624311a993f63a338b74ea41fa214ca3e6eb (patch) | |
tree | 0f9153cd7635a5bf3ead9661e8be406cbb067c1f /editors/xemacs-current | |
parent | de900cd1645bfd6121ea125819180309ad1fdafc (diff) | |
download | pkgsrc-738b624311a993f63a338b74ea41fa214ca3e6eb.tar.gz |
Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
Note xemacs 21.5 still dumps core during the build.
Diffstat (limited to 'editors/xemacs-current')
-rw-r--r-- | editors/xemacs-current/Makefile | 4 | ||||
-rw-r--r-- | editors/xemacs-current/distinfo | 4 | ||||
-rw-r--r-- | editors/xemacs-current/patches/patch-src_glyphs-eimage.c | 90 |
3 files changed, 86 insertions, 12 deletions
diff --git a/editors/xemacs-current/Makefile b/editors/xemacs-current/Makefile index 2c85f56277a..28c28faa3b0 100644 --- a/editors/xemacs-current/Makefile +++ b/editors/xemacs-current/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.75 2012/02/06 12:40:05 wiz Exp $ +# $NetBSD: Makefile,v 1.76 2012/04/27 14:37:37 hauke Exp $ PKGNAME?= ${DISTNAME} COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV} @@ -6,7 +6,7 @@ COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV} DISTNAME= xemacs-21.5.27 EMACSVERSION= 21.5-b27 EMACS_DISTNAME= xemacs-${EMACSVERSION} -PKGREVISION= 12 +PKGREVISION= 13 CATEGORIES= editors MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/} diff --git a/editors/xemacs-current/distinfo b/editors/xemacs-current/distinfo index 3a034269b54..155c67b70e1 100644 --- a/editors/xemacs-current/distinfo +++ b/editors/xemacs-current/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.23 2011/04/01 13:00:32 wiz Exp $ +$NetBSD: distinfo,v 1.24 2012/04/27 14:37:37 hauke Exp $ SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8 RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad @@ -17,4 +17,4 @@ SHA1 (patch-ak) = c8a3369efdd4af32b1a65cdb3d798724d63b3ed5 SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2 SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4 SHA1 (patch-an) = f382865087f011ea3806d707cbf784fac81ad746 -SHA1 (patch-src_glyphs-eimage.c) = 9c5990cf2f806072aeb706bba8aba6133feb9509 +SHA1 (patch-src_glyphs-eimage.c) = a382113190a65d27747a90e58294a41f3bb6df42 diff --git a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c index f82fcc2e97a..be3059c99d8 100644 --- a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c +++ b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c @@ -1,21 +1,69 @@ -$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2011/04/01 13:00:32 wiz Exp $ +$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2012/04/27 14:37:37 hauke Exp $ -Fix build with png-1.5. +Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994> + +Adapt to new libpng 1.5 interfaces --- src/glyphs-eimage.c.orig 2005-11-26 11:46:08.000000000 +0000 +++ src/glyphs-eimage.c -@@ -929,8 +929,8 @@ png_instantiate (Lisp_Object image_insta +@@ -401,6 +401,7 @@ jpeg_instantiate (Lisp_Object image_inst + */ + + { ++ UINT_64_BIT pixels_sq; + int jpeg_gray = 0; /* if we're dealing with a grayscale */ + /* Step 4: set parameters for decompression. */ + +@@ -423,7 +424,10 @@ jpeg_instantiate (Lisp_Object image_inst + jpeg_start_decompress (&cinfo); + + /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/ +- ++ pixels_sq = ++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("JPEG image too large to instantiate", instantiator); + unwind.eimage = + xnew_binbytes (cinfo.output_width * cinfo.output_height * 3); + if (!unwind.eimage) +@@ -669,6 +673,7 @@ gif_instantiate (Lisp_Object image_insta + { + ColorMapObject *cmo = unwind.giffile->SColorMap; + int i, j, row, pass, interlace, slice; ++ UINT_64_BIT pixels_sq; + Binbyte *eip; + /* interlaced gifs have rows in this order: + 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */ +@@ -677,6 +682,9 @@ gif_instantiate (Lisp_Object image_insta + + height = unwind.giffile->SHeight; + width = unwind.giffile->SWidth; ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount)) ++ signal_image_error ("GIF image too large to instantiate", instantiator); + unwind.eimage = + xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount); + if (!unwind.eimage) +@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_insta { int y; Binbyte **row_pointers; - height = info_ptr->height; - width = info_ptr->width; ++ UINT_64_BIT pixels_sq; + height = png_get_image_height(png_ptr, info_ptr); + width = png_get_image_width(png_ptr, info_ptr); ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("PNG image too large to instantiate", instantiator); /* Wow, allocate all the memory. Truly, exciting. */ - unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3); -@@ -982,22 +982,22 @@ png_instantiate (Lisp_Object image_insta +- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3); ++ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3)); + /* libpng expects that the image buffer passed in contains a + picture to draw on top of if the png has any transparencies. + This could be a good place to pass that in... */ +@@ -982,22 +994,22 @@ png_instantiate (Lisp_Object image_insta /* Now that we're using EImage, ask for 8bit RGB triples for any type of image*/ /* convert palette images to full RGB */ @@ -45,16 +93,16 @@ Fix build with png-1.5. png_set_expand (png_ptr); else png_set_packing (png_ptr); -@@ -1018,16 +1018,20 @@ png_instantiate (Lisp_Object image_insta +@@ -1018,16 +1030,20 @@ png_instantiate (Lisp_Object image_insta unobtrusive. */ { int i; + png_textp text_ptr; + int num_text; ++ ++ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text); - for (i = 0 ; i < info_ptr->num_text ; i++) -+ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text); -+ + for (i = 0 ; i < num_text ; i++) { /* How paranoid do I have to be about no trailing NULLs, and @@ -70,3 +118,29 @@ Fix build with png-1.5. } } #endif +@@ -1268,6 +1284,7 @@ tiff_instantiate (Lisp_Object image_inst + + uint32 *raster; + Binbyte *ep; ++ UINT_64_BIT pixels_sq; + + assert (!NILP (data)); + +@@ -1290,12 +1307,15 @@ tiff_instantiate (Lisp_Object image_inst + + TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height); +- unwind.eimage = xnew_binbytes (width * height * 3); ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq >= 1 << 29) ++ signal_image_error ("TIFF image too large to instantiate", instantiator); ++ unwind.eimage = xnew_binbytes (pixels_sq * 3); + + /* #### This is little more than proof-of-concept/function testing. + It needs to be reimplemented via scanline reads for both memory + compactness. */ +- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32)); ++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32))); + if (raster != NULL) + { + int i, j; |