authorsalo <salo>2004-12-13 18:03:27 +0000
committersalo <salo>2004-12-13 18:03:27 +0000
commit115199681a8fc6c9a0f481b8c6356ca2f16f9497 (patch)
tree846a08b7ba5f2ad5abc5ca1bd8830c7b5f88e8df /graphics/imlib/patches/patch-ab
parent87059dd0b93db92c2083f3806bfefc73817a5ea0 (diff)
Pullup ticket 171 - requested by Havard Eidnes
security fix for imlib Module Name: pkgsrc Committed By: tron Date: Sat Nov 27 08:09:38 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile Log Message: Remove me as maintainer of this package. --- Module Name: pkgsrc Committed By: adam Date: Fri Dec 3 13:42:47 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile distinfo pkgsrc/graphics/imlib/patches: patch-ag patch-ah Log Message: Changes 1.9.15: * Minor bug fixes --- Module Name: pkgsrc Committed By: salo Date: Fri Dec 10 09:30:42 UTC 2004 Modified Files: pkgsrc/graphics/imlib: Makefile buildlink3.mk distinfo pkgsrc/graphics/imlib/patches: patch-ab patch-ai Added Files: pkgsrc/graphics/imlib/patches: patch-aj patch-ak patch-al patch-am patch-an patch-ao Log Message: Bump PKGREVISION, security fix: "Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
Diffstat (limited to 'graphics/imlib/patches/patch-ab')
-rw-r--r--graphics/imlib/patches/patch-ab169
1 files changed, 163 insertions, 6 deletions
diff --git a/graphics/imlib/patches/patch-ab b/graphics/imlib/patches/patch-ab
index 572a759f4f0..40399903884 100644
--- a/graphics/imlib/patches/patch-ab
+++ b/graphics/imlib/patches/patch-ab
@@ -1,8 +1,37 @@
-$NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
+$NetBSD: patch-ab,v 1.5.16.1 2004/12/13 18:03:27 salo Exp $
---- Imlib/load.c.orig Wed Mar 13 19:06:29 2002
-+++ Imlib/load.c
-@@ -254,7 +254,8 @@
+--- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200
++++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100
+@@ -4,6 +4,8 @@
+ #include "Imlib_private.h"
+ #include <setjmp.h>
+
++#define G_MAXINT ((int) 0x7fffffff)
++
+ /* Split the ID - damages input */
+
+ static char *
+@@ -41,13 +43,17 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void * _imlib_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
+
+ #ifdef HAVE_LIBJPEG
+@@ -254,7 +260,8 @@
png_read_image(png_ptr, lines);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
ptr = data;
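Review bot: In `_imlib_malloc_image` both parameters are `unsigned int`, so the new `w <= 0` and `h <= 0` tests can only ever mean `== 0`. A negative dimension passed in by a caller arrives as a large unsigned value and is rejected by the `> 32767` bound, not by these tests. Writing `w == 0 || w > 32767` (and the same for `h`) and saying so in the comment would state what is actually checked. The added `#define G_MAXINT ((int) 0x7fffffff)` has no `#ifndef G_MAXINT` guard, so it would be a redefinition if any included header already provides that name (not visible in this hunk). The comment should also say which consumer needs the `+ 3` margin, since nothing here shows what reads past `w * h * 3`.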
@@ -12,7 +41,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
{
for (y = 0; y < *h; y++)
{
-@@ -279,6 +280,7 @@
+@@ -279,6 +286,7 @@
}
}
}
@@ -20,7 +49,7 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else if (color_type == PNG_COLOR_TYPE_GRAY)
{
for (y = 0; y < *h; y++)
-@@ -294,6 +296,7 @@
+@@ -294,6 +302,7 @@
}
}
}
@@ -28,3 +57,131 @@ $NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
else
{
for (y = 0; y < *h; y++)
+@@ -360,7 +369,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
+@@ -463,7 +474,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if (*h > 32767 || *w > 32767)
++ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
+@@ -1000,7 +1011,12 @@
+ comment = 0;
+ quote = 0;
+ context = 0;
++ memset(lookup, 0, sizeof(lookup));
++
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -1029,25 +1045,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -1080,11 +1096,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ iscolor = 0;
+ hascolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -1107,10 +1125,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -1140,14 +1158,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok));
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -=1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
+@@ -1376,12 +1397,12 @@
+ sscanf(s, "%i %i", w, h);
+ a = *w;
+ b = *h;
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
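Review bot: The guard added in the inner hunk at -1140, `if (slen < sizeof(tok));`, ends in a semicolon, so it controls an empty statement and the following `strcpy(tok, s);` still runs unconditionally. The copy into `tok` is therefore as unbounded as it was before the patch. Drop the semicolon and, because `slen` is an `int`, write the test as `if (slen < (int)sizeof(tok))` so it is not evaluated in unsigned arithmetic. Separately, the XPM header path range-checks `*w`, `*h`, `ncolors` and `cpp` right after `sscanf(line, "%i %i %i %i", ...)` without testing its return value, so a short header may leave some of them at whatever they held before; their initialisation is outside the hunk, and `if (sscanf(...) != 4)` with the same `free(line); return NULL;` exit would close that. The enclosing loader functions begin and end outside the hunk.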