diff options
author | snj <snj> | 2017-02-20 08:00:42 +0000 |
---|---|---|
committer | snj <snj> | 2017-02-20 08:00:42 +0000 |
commit | 89de7fec71f99cdcb57c447edd2b390037e6f27f (patch) | |
tree | b407801a88f4b25c701e3d6ef177382a4afb9386 /graphics/freeimage | |
parent | 669e31f08808569ad2629b8e61ea04c1cd397a57 (diff) | |
download | pkgsrc-89de7fec71f99cdcb57c447edd2b390037e6f27f.tar.gz |
Fix CVE-2015-0852 and CVE-2016-5684.
Diffstat (limited to 'graphics/freeimage')
-rw-r--r-- | graphics/freeimage/Makefile | 3 | ||||
-rw-r--r-- | graphics/freeimage/distinfo | 4 | ||||
-rw-r--r-- | graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp | 220 | ||||
-rw-r--r-- | graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp | 33 |
4 files changed, 258 insertions, 2 deletions
diff --git a/graphics/freeimage/Makefile b/graphics/freeimage/Makefile index 46d30ddfafb..fe3801702ff 100644 --- a/graphics/freeimage/Makefile +++ b/graphics/freeimage/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.2 2015/05/27 21:59:26 markd Exp $ +# $NetBSD: Makefile,v 1.3 2017/02/20 08:00:42 snj Exp $ DISTNAME= FreeImage3170 PKGNAME= freeimage-3.17.0 +PKGREVISION= 1 CATEGORIES= devel graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freeimage/} EXTRACT_SUFX= .zip diff --git a/graphics/freeimage/distinfo b/graphics/freeimage/distinfo index 1ba55cb558d..370dde53306 100644 --- a/graphics/freeimage/distinfo +++ b/graphics/freeimage/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.3 2015/11/03 21:33:57 agc Exp $ +$NetBSD: distinfo,v 1.4 2017/02/20 08:00:42 snj Exp $ SHA1 (FreeImage3170.zip) = 6752c83798c2f81dee71a2e8bb11657068672669 RMD160 (FreeImage3170.zip) = c4e87846098327ee346c49ae81b6036f6d9ab36d @@ -6,4 +6,6 @@ SHA512 (FreeImage3170.zip) = 703c2626c0bcfe73eb40d720f45745208ca9650a7730759680a Size (FreeImage3170.zip) = 7020636 bytes SHA1 (patch-Makefile) = 719f3539d1e841761c8cf442634d71e792ea7231 SHA1 (patch-Makefile.fip) = 3a8bdc29a2249b5cb9e30ccfcc25eb6be99755d9 +SHA1 (patch-Source_FreeImage_PluginPCX.cpp) = 26853626d1dc6a52804f946fd0576269de380512 +SHA1 (patch-Source_FreeImage_PluginXPM.cpp) = eac7be24c3d64593feebdb548df8a404db66c113 SHA1 (patch-Source_LibOpenJPEG_opj__malloc.h) = 4ba7924e5ce04b98c9c249bc31df600b7fbdcde3 diff --git a/graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp b/graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp new file mode 100644 index 00000000000..54161d7067f --- /dev/null +++ b/graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp @@ -0,0 +1,220 @@ +$NetBSD: patch-Source_FreeImage_PluginPCX.cpp,v 1.1 2017/02/20 08:00:42 snj Exp $ + +Fix CVE-2015-0852. + +http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN + +--- Source/FreeImage/PluginPCX.cpp.orig 2015-03-02 02:07:08.000000000 -0800 ++++ Source/FreeImage/PluginPCX.cpp 2017-02-19 23:39:07.000000000 -0800 +@@ -30,7 +30,7 @@ + // Constants + headers + // ---------------------------------------------------------- + +-#define IO_BUF_SIZE 2048 ++#define PCX_IO_BUF_SIZE 2048 + + // ---------------------------------------------------------- + +@@ -120,17 +120,17 @@ readline(FreeImageIO &io, fi_handle hand + + while (length--) { + if (count == 0) { +- if (*ReadPos >= IO_BUF_SIZE - 1 ) { +- if (*ReadPos == IO_BUF_SIZE - 1) { ++ if (*ReadPos >= PCX_IO_BUF_SIZE - 1 ) { ++ if (*ReadPos == PCX_IO_BUF_SIZE - 1) { + // we still have one BYTE, copy it to the start pos + +- *ReadBuf = ReadBuf[IO_BUF_SIZE - 1]; ++ *ReadBuf = ReadBuf[PCX_IO_BUF_SIZE - 1]; + +- io.read_proc(ReadBuf + 1, 1, IO_BUF_SIZE - 1, handle); ++ io.read_proc(ReadBuf + 1, 1, PCX_IO_BUF_SIZE - 1, handle); + } else { + // read the complete buffer + +- io.read_proc(ReadBuf, 1, IO_BUF_SIZE, handle); ++ io.read_proc(ReadBuf, 1, PCX_IO_BUF_SIZE, handle); + } + + *ReadPos = 0; +@@ -346,19 +346,9 @@ Load(FreeImageIO *io, fi_handle handle, + BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS; + + try { +- // check PCX identifier +- +- long start_pos = io->tell_proc(handle); +- BOOL validated = pcx_validate(io, handle); +- io->seek_proc(handle, start_pos, SEEK_SET); +- if(!validated) { +- throw FI_MSG_ERROR_MAGIC_NUMBER; +- } +- +- // process the header +- + PCXHEADER header; + ++ // process the header + if(io->read_proc(&header, sizeof(PCXHEADER), 1, handle) != 1) { + throw FI_MSG_ERROR_PARSING; + } +@@ -366,20 +356,38 @@ Load(FreeImageIO *io, fi_handle handle, + SwapHeader(&header); + #endif + +- // allocate a new DIB ++ // process the window ++ const WORD *window = header.window; // left, upper, right,lower pixel coord. ++ const int left = window[0]; ++ const int top = window[1]; ++ const int right = window[2]; ++ const int bottom = window[3]; + +- unsigned width = header.window[2] - header.window[0] + 1; +- unsigned height = header.window[3] - header.window[1] + 1; +- unsigned bitcount = header.bpp * header.planes; ++ // check image size ++ if((left >= right) || (top >= bottom)) { ++ throw FI_MSG_ERROR_PARSING; ++ } + +- if (bitcount == 24) { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); +- } else { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ const unsigned width = right - left + 1; ++ const unsigned height = bottom - top + 1; ++ const unsigned bitcount = header.bpp * header.planes; ++ ++ // allocate a new dib ++ switch(bitcount) { ++ case 1: ++ case 4: ++ case 8: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ break; ++ case 24: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); ++ break; ++ default: ++ throw FI_MSG_ERROR_DIB_MEMORY; ++ break; + } + + // if the dib couldn't be allocated, throw an error +- + if (!dib) { + throw FI_MSG_ERROR_DIB_MEMORY; + } +@@ -426,19 +434,23 @@ Load(FreeImageIO *io, fi_handle handle, + + if (palette_id == 0x0C) { + BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE)); +- io->read_proc(cmap, 768, 1, handle); + +- pal = FreeImage_GetPalette(dib); +- BYTE *pColormap = &cmap[0]; ++ if(cmap) { ++ io->read_proc(cmap, 768, 1, handle); + +- for(int i = 0; i < 256; i++) { +- pal[i].rgbRed = pColormap[0]; +- pal[i].rgbGreen = pColormap[1]; +- pal[i].rgbBlue = pColormap[2]; +- pColormap += 3; ++ pal = FreeImage_GetPalette(dib); ++ BYTE *pColormap = &cmap[0]; ++ ++ for(int i = 0; i < 256; i++) { ++ pal[i].rgbRed = pColormap[0]; ++ pal[i].rgbGreen = pColormap[1]; ++ pal[i].rgbBlue = pColormap[2]; ++ pColormap += 3; ++ } ++ ++ free(cmap); + } + +- free(cmap); + } + + // wrong palette ID, perhaps a gray scale is needed ? +@@ -463,12 +475,12 @@ Load(FreeImageIO *io, fi_handle handle, + return dib; + } + +- // calculate the line length for the PCX and the DIB ++ // calculate the line length for the PCX and the dib + + // length of raster line in bytes +- unsigned linelength = header.bytes_per_line * header.planes; +- // length of DIB line (rounded to DWORD) in bytes +- unsigned pitch = FreeImage_GetPitch(dib); ++ const unsigned linelength = header.bytes_per_line * header.planes; ++ // length of dib line (rounded to DWORD) in bytes ++ const unsigned pitch = FreeImage_GetPitch(dib); + + // run-length encoding ? + +@@ -478,14 +490,18 @@ Load(FreeImageIO *io, fi_handle handle, + // --------------- + + line = (BYTE*)malloc(linelength * sizeof(BYTE)); +- if(!line) throw FI_MSG_ERROR_MEMORY; ++ if(!line) { ++ throw FI_MSG_ERROR_MEMORY; ++ } + +- ReadBuf = (BYTE*)malloc(IO_BUF_SIZE * sizeof(BYTE)); +- if(!ReadBuf) throw FI_MSG_ERROR_MEMORY; ++ ReadBuf = (BYTE*)malloc(PCX_IO_BUF_SIZE * sizeof(BYTE)); ++ if(!ReadBuf) { ++ throw FI_MSG_ERROR_MEMORY; ++ } + + bits = FreeImage_GetScanLine(dib, height - 1); + +- int ReadPos = IO_BUF_SIZE; ++ int ReadPos = PCX_IO_BUF_SIZE; + + if ((header.planes == 1) && ((header.bpp == 1) || (header.bpp == 8))) { + BYTE skip; +@@ -497,7 +513,7 @@ Load(FreeImageIO *io, fi_handle handle, + // skip trailing garbage at the end of the scanline + + for (unsigned count = written; count < linelength; count++) { +- if (ReadPos < IO_BUF_SIZE) { ++ if (ReadPos < PCX_IO_BUF_SIZE) { + ReadPos++; + } else { + io->read_proc(&skip, sizeof(BYTE), 1, handle); +@@ -513,7 +529,9 @@ Load(FreeImageIO *io, fi_handle handle, + unsigned x, y, written; + + buffer = (BYTE*)malloc(width * sizeof(BYTE)); +- if(!buffer) throw FI_MSG_ERROR_MEMORY; ++ if(!buffer) { ++ throw FI_MSG_ERROR_MEMORY; ++ } + + for (y = 0; y < height; y++) { + written = readline(*io, handle, line, linelength, bIsRLE, ReadBuf, &ReadPos); +@@ -532,7 +550,7 @@ Load(FreeImageIO *io, fi_handle handle, + } + } + +- // then write the DIB row ++ // then write the dib row + + for (x = 0; x < width / 2; x++) { + bits[x] = (buffer[2*x] << 4) | buffer[2*x+1]; +@@ -541,7 +559,7 @@ Load(FreeImageIO *io, fi_handle handle, + // skip trailing garbage at the end of the scanline + + for (unsigned count = written; count < linelength; count++) { +- if (ReadPos < IO_BUF_SIZE) { ++ if (ReadPos < PCX_IO_BUF_SIZE) { + ReadPos++; + } else { + io->read_proc(&skip, sizeof(BYTE), 1, handle); diff --git a/graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp b/graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp new file mode 100644 index 00000000000..fcbf627d844 --- /dev/null +++ b/graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp @@ -0,0 +1,33 @@ +$NetBSD: patch-Source_FreeImage_PluginXPM.cpp,v 1.1 2017/02/20 08:00:42 snj Exp $ + +Fix CVE-2016-5684. + +http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.17&r2=1.18 + +and + +http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.18&r2=1.19 + +--- Source/FreeImage/PluginXPM.cpp.orig 2015-03-02 02:07:08.000000000 -0800 ++++ Source/FreeImage/PluginXPM.cpp 2017-02-19 11:37:34.000000000 -0800 +@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle, + } + free(str); + ++ // check info string ++ if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) { ++ throw "Improperly formed info string"; ++ } ++ + if (colors > 256) { + dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); + } else { +@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle, + FILE_RGBA rgba; + + str = ReadString(io, handle); +- if(!str) ++ if(!str || (strlen(str) < (size_t)cpp)) + throw "Error reading color strings"; + + std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars |