diff options
| author | adam <adam@pkgsrc.org> | 2007-02-16 20:37:52 +0000 |
|---|---|---|
| committer | adam <adam@pkgsrc.org> | 2007-02-16 20:37:52 +0000 |
| commit | 9c65cc2150399c23285cab1ef885b2fd8c215d27 (patch) | |
| tree | 3255ad767fdc6c4f80ab11ac80314cd676184412 /graphics/gd/patches | |
| parent | d343352cff3d72d797a24fa8688e5191b613c213 (diff) | |
| download | pkgsrc-9c65cc2150399c23285cab1ef885b2fd8c215d27.tar.gz | |
Changes 2.0.34:
* 32-bit multiplication overflow vulnerabilities along with a number of similar
issues
* Memory allocation errors that were not checked
* Multiple issues in the GIF loader. Corrupt gif images would cause a segfault
or infinite loop
* Malformed or empty PNG image also may have caused segfaults
* gdImageFillToBorder segfaulted when the color was not opaque (alpha > 0)
* Antialiased lines drawn on an images edge caused a segfault
* gdImageFill segfaulted when used with patterns or invalid arguments
* gdImageFilledEllipse did not respect transparency
Diffstat (limited to 'graphics/gd/patches')
| -rw-r--r-- | graphics/gd/patches/patch-ac | 26 |
1 files changed, 12 insertions, 14 deletions
diff --git a/graphics/gd/patches/patch-ac b/graphics/gd/patches/patch-ac index c24ea41f312..4dfb993b0c9 100644 --- a/graphics/gd/patches/patch-ac +++ b/graphics/gd/patches/patch-ac @@ -1,10 +1,8 @@ -$NetBSD: patch-ac,v 1.3 2006/06/14 21:42:33 salo Exp $ +$NetBSD: patch-ac,v 1.4 2007/02/16 20:37:52 adam Exp $ -Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu. - ---- gd_gif_in.c.orig 2004-11-01 19:28:56.000000000 +0100 -+++ gd_gif_in.c 2006-06-14 23:30:38.000000000 +0200 -@@ -118,6 +118,7 @@ +--- gd_gif_in.c.orig 2007-02-03 02:41:00.000000000 +0100 ++++ gd_gif_in.c +@@ -118,6 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro char version[4]; /* 2.0.28: threadsafe storage */ int ZeroDataBlock = FALSE; @@ -12,7 +10,7 @@ Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu. gdImagePtr im = 0; if (! ReadOK(fd,buf,6)) { -@@ -164,6 +165,8 @@ +@@ -166,6 +167,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro } if (c != ',') { /* Not a valid start character */ @@ -21,7 +19,7 @@ Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu. continue; } -@@ -242,6 +245,7 @@ +@@ -253,6 +256,7 @@ static int DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP) { static unsigned char buf[256]; @@ -29,23 +27,23 @@ Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu. switch (label) { case 0xf9: /* Graphic Control Extension */ -@@ -254,13 +258,13 @@ +@@ -265,13 +269,13 @@ DoExtension(gdIOCtx *fd, int label, int if ((buf[0] & 0x1) != 0) *Transparent = buf[3]; -- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0) -+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0) +- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0) ++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount > 0) ; return FALSE; default: break; } -- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0) -+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0) +- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0) ++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount > 0) ; return FALSE; -@@ -419,14 +423,15 @@ +@@ -430,14 +434,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int } else if (code == end_code) { int count; unsigned char buf[260]; |