author | hauke <hauke@pkgsrc.org> | 2012-04-27 13:53:46 +0000 |
---|---|---|
committer | hauke <hauke@pkgsrc.org> | 2012-04-27 13:53:46 +0000 |
commit | de900cd1645bfd6121ea125819180309ad1fdafc (patch) | |
tree | 3b6f94435085fc1600312f35d6d18f16970db189 /editors | |
parent | 99dc9c311a0077bf524317a8db2dfcc57e7dea15 (diff) | |
download | pkgsrc-de900cd1645bfd6121ea125819180309ad1fdafc.tar.gz |
Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
Diffstat (limited to 'editors')
-rw-r--r-- | editors/xemacs/Makefile | 4 | ||||
-rw-r--r-- | editors/xemacs/distinfo | 5 | ||||
-rw-r--r-- | editors/xemacs/patches/patch-aj | 45 | ||||
-rw-r--r-- | editors/xemacs/patches/patch-src_glyphs-eimage.c | 123 | ||||
-rw-r--r-- | editors/xemacs/patches/patch-src_lisp.h | 18 |
5 files changed, 146 insertions, 49 deletions
diff --git a/editors/xemacs/Makefile b/editors/xemacs/Makefile index 1950794f7ad..28b24f993ba 100644 --- a/editors/xemacs/Makefile +++ b/editors/xemacs/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.102 2012/04/25 11:56:42 hauke Exp $ +# $NetBSD: Makefile,v 1.103 2012/04/27 13:53:46 hauke Exp $ PKGNAME?= ${DISTNAME} COMMENT?= XEmacs text editor version 21 DISTNAME= xemacs-21.4.22 -PKGREVISION= 6 +PKGREVISION= 7 CATEGORIES= editors MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/} diff --git a/editors/xemacs/distinfo b/editors/xemacs/distinfo index d519a4367ff..6e02c3bf307 100644 --- a/editors/xemacs/distinfo +++ b/editors/xemacs/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.16 2011/01/19 16:04:00 tnn Exp $ +$NetBSD: distinfo,v 1.17 2012/04/27 13:53:46 hauke Exp $ SHA1 (xemacs/xemacs-21.4.22.tar.gz) = 24ed9b13d80c53c06bba60c7bb68387f692b7373 RMD160 (xemacs/xemacs-21.4.22.tar.gz) = f7d71d3607c3301760df8f7ae5a93d1d37df56ba @@ -12,6 +12,7 @@ SHA1 (patch-af) = 97cd3d340f349a645a7be9a683879528d9f4c5f2 SHA1 (patch-ag) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4 SHA1 (patch-ah) = 9a02b989a6d45cdfead22ea703acceca722cf313 SHA1 (patch-ai) = ea752473a56d20907201763966ecdeaaeffac84a -SHA1 (patch-aj) = 8e8eaaa0eece7a5ee09a7645ae05db35efa081bb SHA1 (patch-ak) = bfbd285a1cc7d4e93a2fc884e03492dec9302e55 SHA1 (patch-al) = 247826009110453a868525e711e084b7dee49664 +SHA1 (patch-src_glyphs-eimage.c) = f013013d467d32dfac63287dd5a565153855a751 +SHA1 (patch-src_lisp.h) = 7b4c7984cfbfe1e3a30aac2009f777b8d95c013c diff --git a/editors/xemacs/patches/patch-aj b/editors/xemacs/patches/patch-aj deleted file mode 100644 index bf834c8e5b8..00000000000 --- a/editors/xemacs/patches/patch-aj +++ /dev/null 
@@ -1,45 +0,0 @@ -$NetBSD: patch-aj,v 1.3 2011/01/19 16:04:01 tnn Exp $ - ---- src/glyphs-eimage.c.orig 2007-08-20 19:52:28.000000000 +0000 -+++ src/glyphs-eimage.c -@@ -937,8 +937,8 @@ png_instantiate (Lisp_Object image_insta - { - int y; - unsigned char **row_pointers; -- height = info_ptr->height; -- width = info_ptr->width; -+ height = png_get_image_height(png_ptr, info_ptr); -+ width = png_get_image_width(png_ptr, info_ptr); - - /* Wow, allocate all the memory. Truly, exciting. */ - unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3); -@@ -990,22 +990,22 @@ png_instantiate (Lisp_Object image_insta - /* Now that we're using EImage, ask for 8bit RGB triples for any type - of image*/ - /* convert palette images to full RGB */ -- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) -+ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE) - png_set_expand (png_ptr); - /* send grayscale images to RGB too */ -- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY || -- info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) -+ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY || -+ png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY_ALPHA) - png_set_gray_to_rgb (png_ptr); - /* we can't handle alpha values */ -- if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA) -+ if (png_get_color_type(png_ptr, info_ptr) & PNG_COLOR_MASK_ALPHA) - png_set_strip_alpha (png_ptr); - /* tell libpng to strip 16 bit depth files down to 8 bits */ -- if (info_ptr->bit_depth == 16) -+ if (png_get_bit_depth(png_ptr, info_ptr) == 16) - png_set_strip_16 (png_ptr); - /* if the image is < 8 bits, pad it out */ -- if (info_ptr->bit_depth < 8) -+ if (png_get_bit_depth(png_ptr, info_ptr) < 8) - { -- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY) -+ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY) - png_set_expand (png_ptr); - else - png_set_packing (png_ptr); 
diff --git a/editors/xemacs/patches/patch-src_glyphs-eimage.c b/editors/xemacs/patches/patch-src_glyphs-eimage.c
new file mode 100644
index 00000000000..ae70f5acaba
--- /dev/null
+++ b/editors/xemacs/patches/patch-src_glyphs-eimage.c
@@ -0,0 +1,123 @@ +$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2012/04/27 13:53:46 hauke Exp $ + +Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994> + +Adapt to new libpng 1.5 interfaces + +--- src/glyphs-eimage.c.orig 2007-08-20 19:52:28.000000000 +0000 ++++ src/glyphs-eimage.c +@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_inst + */ + + { ++ UINT_64_BIT pixels_sq; + int jpeg_gray = 0; /* if we're dealing with a grayscale */ + /* Step 4: set parameters for decompression. */ + +@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_inst + jpeg_start_decompress (&cinfo); + + /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/ +- ++ pixels_sq = ++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("JPEG image too large to instantiate", instantiator); + unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3); + if (!unwind.eimage) + signal_image_error("Unable to allocate enough memory for image", instantiator); +@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_insta + { + ColorMapObject *cmo = unwind.giffile->SColorMap; + int i, j, row, pass, interlace, slice; ++ UINT_64_BIT pixels_sq; + unsigned char *eip; + /* interlaced gifs have rows in this order: + 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... 
*/ +@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_insta + + height = unwind.giffile->SHeight; + width = unwind.giffile->SWidth; ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount)) ++ signal_image_error ("GIF image too large to instantiate", instantiator); + unwind.eimage = (unsigned char*) + xmalloc (width * height * 3 * unwind.giffile->ImageCount); + if (!unwind.eimage) +@@ -937,11 +945,15 @@ png_instantiate (Lisp_Object image_insta + { + int y; + unsigned char **row_pointers; +- height = info_ptr->height; +- width = info_ptr->width; +- ++ UINT_64_BIT pixels_sq; ++ height = png_get_image_height(png_ptr, info_ptr); ++ width = png_get_image_width(png_ptr, info_ptr); ++ ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("PNG image too large to instantiate", instantiator); + /* Wow, allocate all the memory. Truly, exciting. */ +- unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3); ++ unwind.eimage = xnew_array_and_zero (unsigned char, pixels_sq * 3); + /* libpng expects that the image buffer passed in contains a + picture to draw on top of if the png has any transparencies. + This could be a good place to pass that in... 
*/ +@@ -990,22 +1002,22 @@ png_instantiate (Lisp_Object image_insta + /* Now that we're using EImage, ask for 8bit RGB triples for any type + of image*/ + /* convert palette images to full RGB */ +- if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ++ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE) + png_set_expand (png_ptr); + /* send grayscale images to RGB too */ +- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY || +- info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) ++ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY || ++ png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY_ALPHA) + png_set_gray_to_rgb (png_ptr); + /* we can't handle alpha values */ +- if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA) ++ if (png_get_color_type(png_ptr, info_ptr) & PNG_COLOR_MASK_ALPHA) + png_set_strip_alpha (png_ptr); + /* tell libpng to strip 16 bit depth files down to 8 bits */ +- if (info_ptr->bit_depth == 16) ++ if (png_get_bit_depth(png_ptr, info_ptr) == 16) + png_set_strip_16 (png_ptr); + /* if the image is < 8 bits, pad it out */ +- if (info_ptr->bit_depth < 8) ++ if (png_get_bit_depth(png_ptr, info_ptr) < 8) + { +- if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY) ++ if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY) + png_set_expand (png_ptr); + else + png_set_packing (png_ptr); +@@ -1268,6 +1280,7 @@ tiff_instantiate (Lisp_Object image_inst + + uint32 *raster; + unsigned char *ep; ++ UINT_64_BIT pixels_sq; + + assert (!NILP (data)); + +@@ -1290,12 +1303,16 @@ tiff_instantiate (Lisp_Object image_inst + + TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height); +- unwind.eimage = (unsigned char *) xmalloc (width * height * 3); ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq >= 1 << 29) ++ signal_image_error ("TIFF image too large to instantiate", instantiator); ++ unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3); 
++ + + /* #### This is little more than proof-of-concept/function testing. + It needs to be reimplemented via scanline reads for both memory + compactness. */ +- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32)); ++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32))); + if (raster != NULL) + { + int i,j; diff --git a/editors/xemacs/patches/patch-src_lisp.h b/editors/xemacs/patches/patch-src_lisp.h new file mode 100644 index 00000000000..4e5482d8d76 --- /dev/null +++ b/editors/xemacs/patches/patch-src_lisp.h @@ -0,0 +1,18 @@ +$NetBSD: patch-src_lisp.h,v 1.1 2012/04/27 13:53:46 hauke Exp $ + +Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994> + +--- src/lisp.h.orig 2005-02-01 03:55:02.000000000 +0000 ++++ src/lisp.h +@@ -265,6 +265,11 @@ void assert_failed (const char *, int, c + /*#define REGISTER register*/ + /*#endif*/ + ++#if SIZEOF_LONG == 8 ++#define UINT_64_BIT unsigned long ++#elif SIZEOF_LONG_LONG == 8 ++#define UINT_64_BIT unsigned long long ++#endif + + /* EMACS_INT is the underlying integral type into which a Lisp_Object must fit. + In particular, it must be large enough to contain a pointer. |
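Review bot: In jpeg_instantiate and gif_instantiate the new 64-bit `pixels_sq` bound is checked, but the `xmalloc` argument is still the old narrow product (`cinfo.output_width * cinfo.output_height * 3` and `width * height * 3 * unwind.giffile->ImageCount`), so where `size_t` is 64 bits the check can pass while the narrower multiplication wraps and the buffer is smaller than the decoder expects. JPEG dimensions are `JDIMENSION` (unsigned int in libjpeg); the GIF `width`/`height` declarations are outside the hunk, presumably `int`. Allocate from the checked value, as the PNG and TIFF hunks already do: `xmalloc (pixels_sq * 3)` and `xmalloc (pixels_sq * 3 * unwind.giffile->ImageCount)`. The GIF divisor `3 * unwind.giffile->ImageCount` also needs `ImageCount > 0` established first, otherwise the bound itself divides by zero. All four function bodies continue outside the hunks shown.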
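Review bot: `UINT_64_BIT` is left undefined when neither `SIZEOF_LONG` nor `SIZEOF_LONG_LONG` equals 8, and the image size checks in glyphs-eimage.c depend on it being a genuine 64-bit type. Close the chain with `#else` / `#error "no 64-bit integer type for UINT_64_BIT"` so such a configuration fails at this definition rather than at the first use. A one-line comment such as `/* Unsigned type of at least 64 bits, used for overflow-checked size arithmetic. */` above the block would record why it exists.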