Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>

Note xemacs 21.5 still dumps core during the build.
author: hauke <hauke@pkgsrc.org> 2012-04-27 14:37:37 +0000
committer: hauke <hauke@pkgsrc.org> 2012-04-27 14:37:37 +0000
commit: 8ffcf2ad73e57281d7cc12e45fb082816d08dea4 (patch)
tree: 0f9153cd7635a5bf3ead9661e8be406cbb067c1f /editors
parent: 11a740c73f12d0d56ea4c91b3fbd4db902ecb0cb (diff)
download: pkgsrc-8ffcf2ad73e57281d7cc12e45fb082816d08dea4.tar.gz
3 files changed, 86 insertions, 12 deletions
diff --git a/editors/xemacs-current/Makefile b/editors/xemacs-current/Makefile
index 2c85f56277a..28c28faa3b0 100644
--- a/editors/xemacs-current/Makefile
+++ b/editors/xemacs-current/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.75 2012/02/06 12:40:05 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2012/04/27 14:37:37 hauke Exp $
 
 PKGNAME?=	${DISTNAME}
 COMMENT?=	*BETA* XEmacs text editor version ${PKGVERSION_NOREV}
@@ -6,7 +6,7 @@ COMMENT?=	*BETA* XEmacs text editor version ${PKGVERSION_NOREV}
 DISTNAME=	xemacs-21.5.27
 EMACSVERSION=	21.5-b27
 EMACS_DISTNAME=	xemacs-${EMACSVERSION}
-PKGREVISION=	12
+PKGREVISION=	13
 CATEGORIES=	editors
 MASTER_SITES=	${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
 
diff --git a/editors/xemacs-current/distinfo b/editors/xemacs-current/distinfo
index 3a034269b54..155c67b70e1 100644
--- a/editors/xemacs-current/distinfo
+++ b/editors/xemacs-current/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: distinfo,v 1.24 2012/04/27 14:37:37 hauke Exp $
 
 SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8
 RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad
@@ -17,4 +17,4 @@ SHA1 (patch-ak) = c8a3369efdd4af32b1a65cdb3d798724d63b3ed5
 SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2
 SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
 SHA1 (patch-an) = f382865087f011ea3806d707cbf784fac81ad746
-SHA1 (patch-src_glyphs-eimage.c) = 9c5990cf2f806072aeb706bba8aba6133feb9509
+SHA1 (patch-src_glyphs-eimage.c) = a382113190a65d27747a90e58294a41f3bb6df42
diff --git a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c
index f82fcc2e97a..be3059c99d8 100644
--- a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c
+++ b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c
@@ -1,21 +1,69 @@
-$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2012/04/27 14:37:37 hauke Exp $
 
-Fix build with png-1.5.
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+Adapt to new libpng 1.5 interfaces
 
 --- src/glyphs-eimage.c.orig	2005-11-26 11:46:08.000000000 +0000
 +++ src/glyphs-eimage.c
-@@ -929,8 +929,8 @@ png_instantiate (Lisp_Object image_insta
+@@ -401,6 +401,7 @@ jpeg_instantiate (Lisp_Object image_inst
+    */
+ 
+   {
++    UINT_64_BIT pixels_sq;
+     int jpeg_gray = 0;		/* if we're dealing with a grayscale */
+     /* Step 4: set parameters for decompression.   */
+ 
+@@ -423,7 +424,10 @@ jpeg_instantiate (Lisp_Object image_inst
+     jpeg_start_decompress (&cinfo);
+ 
+     /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++    pixels_sq =
++      (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("JPEG image too large to instantiate", instantiator);
+     unwind.eimage =
+       xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
+     if (!unwind.eimage)
+@@ -669,6 +673,7 @@ gif_instantiate (Lisp_Object image_insta
+   {
+     ColorMapObject *cmo = unwind.giffile->SColorMap;
+     int i, j, row, pass, interlace, slice;
++    UINT_64_BIT pixels_sq;
+     Binbyte *eip;
+     /* interlaced gifs have rows in this order:
+        0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ...  */
+@@ -677,6 +682,9 @@ gif_instantiate (Lisp_Object image_insta
+ 
+     height = unwind.giffile->SHeight;
+     width = unwind.giffile->SWidth;
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++      signal_image_error ("GIF image too large to instantiate", instantiator);
+     unwind.eimage =
+       xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
+     if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_insta
    {
      int y;
      Binbyte **row_pointers;
 -    height = info_ptr->height;
 -    width = info_ptr->width;
++    UINT_64_BIT pixels_sq;
 +    height = png_get_image_height(png_ptr, info_ptr);
 +    width = png_get_image_width(png_ptr, info_ptr);
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("PNG image too large to instantiate", instantiator);
  
      /* Wow, allocate all the memory.  Truly, exciting. */
-     unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
-@@ -982,22 +982,22 @@ png_instantiate (Lisp_Object image_insta
+-    unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
++    unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
+     /* libpng expects that the image buffer passed in contains a
+        picture to draw on top of if the png has any transparencies.
+        This could be a good place to pass that in... */
+@@ -982,22 +994,22 @@ png_instantiate (Lisp_Object image_insta
      /* Now that we're using EImage, ask for 8bit RGB triples for any type
         of image*/
      /* convert palette images to full RGB */
@@ -45,16 +93,16 @@ Fix build with png-1.5.
  	  png_set_expand (png_ptr);
  	else
  	  png_set_packing (png_ptr);
-@@ -1018,16 +1018,20 @@ png_instantiate (Lisp_Object image_insta
+@@ -1018,16 +1030,20 @@ png_instantiate (Lisp_Object image_insta
         unobtrusive. */
      {
        int i;
 +      png_textp text_ptr;
 +      int num_text;
++
++      png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
  
 -      for (i = 0 ; i < info_ptr->num_text ; i++)
-+      png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
-+
 +      for (i = 0 ; i < num_text ; i++)
  	{
  	  /* How paranoid do I have to be about no trailing NULLs, and
@@ -70,3 +118,29 @@ Fix build with png-1.5.
  	}
      }
  #endif
+@@ -1268,6 +1284,7 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     uint32 *raster;
+     Binbyte *ep;
++    UINT_64_BIT pixels_sq;
+ 
+     assert (!NILP (data));
+ 
+@@ -1290,12 +1307,15 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+-    unwind.eimage = xnew_binbytes (width * height * 3);
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq >= 1 << 29)
++      signal_image_error ("TIFF image too large to instantiate", instantiator);
++    unwind.eimage = xnew_binbytes (pixels_sq * 3);
+ 
+     /* #### This is little more than proof-of-concept/function testing.
+        It needs to be reimplemented via scanline reads for both memory
+        compactness. */
+-    raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++    raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+     if (raster != NULL)
+       {
+ 	int i, j;
author	hauke <hauke@pkgsrc.org>	2012-04-27 14:37:37 +0000
committer	hauke <hauke@pkgsrc.org>	2012-04-27 14:37:37 +0000
commit	8ffcf2ad73e57281d7cc12e45fb082816d08dea4 (patch)
tree	0f9153cd7635a5bf3ead9661e8be406cbb067c1f /editors
parent	11a740c73f12d0d56ea4c91b3fbd4db902ecb0cb (diff)
download	pkgsrc-8ffcf2ad73e57281d7cc12e45fb082816d08dea4.tar.gz