authorsalo <salo@pkgsrc.org>2005-11-26 09:40:49 +0000
committersalo <salo@pkgsrc.org>2005-11-26 09:40:49 +0000
commit37bb3a534f1082d9a2216d2c0b7e6fbc836d24a0 (patch)
tree5d56963cfe8fa518dccdbf249cb3ae5ae5f34177 /graphics
parentff2dd3ad372e792307b75f1dd266dc22e613c99b (diff)
Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186:
"io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors." "Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186." "Integer overflow in the gdk-pixbuf XPM image rendering library allows attackers to execute arbitrary code via an XPM file with a number of colors that causes insufficient memory to be allocated, which leads to a heap-based buffer overflow." http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
Diffstat (limited to 'graphics')
-rw-r--r--graphics/gdk-pixbuf/Makefile4
-rw-r--r--graphics/gdk-pixbuf/distinfo3
-rw-r--r--graphics/gdk-pixbuf/patches/patch-am121
3 files changed, 125 insertions, 3 deletions
diff --git a/graphics/gdk-pixbuf/Makefile b/graphics/gdk-pixbuf/Makefile
index 6f28f64daff..ba3f06c9793 100644
--- a/graphics/gdk-pixbuf/Makefile
+++ b/graphics/gdk-pixbuf/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.31 2005/04/01 11:37:23 salo Exp $
+# $NetBSD: Makefile,v 1.32 2005/11/26 09:40:49 salo Exp $
#
.include "Makefile.common"
PKGNAME= ${DISTNAME}
-PKGREVISION= 5
+PKGREVISION= 6
COMMENT= The GNOME image loading library
# XXX hopefully there is no x.gnome-config.x in PATH
diff --git a/graphics/gdk-pixbuf/distinfo b/graphics/gdk-pixbuf/distinfo
index aed56bec53b..a240bedc665 100644
--- a/graphics/gdk-pixbuf/distinfo
+++ b/graphics/gdk-pixbuf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2005/09/04 04:56:40 reed Exp $
+$NetBSD: distinfo,v 1.19 2005/11/26 09:40:49 salo Exp $
SHA1 (gdk-pixbuf-0.22.0.tar.bz2) = 495324afb5abebc14567ffd5a6cd72333bcc7f5b
RMD160 (gdk-pixbuf-0.22.0.tar.bz2) = 0e56a0f883fd8e3fb4d49b9a38f984b95cd96ece
@@ -15,3 +15,4 @@ SHA1 (patch-ai) = df681c98b2e265548504eeecbd5a2962b4d3359d
SHA1 (patch-aj) = 107cbe0e9756818ae2529cc4791d7cd06d476a7c
SHA1 (patch-ak) = 123b32f70b0feb91bb3e0c2ca8e705ff2ae381bf
SHA1 (patch-al) = cf05f283c7676c9fa51b822f5ced66524dfa487e
+SHA1 (patch-am) = 44180cb58cba4b5cc5663acc0215978001f82fa0
diff --git a/graphics/gdk-pixbuf/patches/patch-am b/graphics/gdk-pixbuf/patches/patch-am
new file mode 100644
index 00000000000..b02eab7dd36
--- /dev/null
+++ b/graphics/gdk-pixbuf/patches/patch-am
@@ -0,0 +1,121 @@
+$NetBSD: patch-am,v 1.1 2005/11/26 09:40:49 salo Exp $
+
+Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186.
+
+--- gdk-pixbuf/io-xpm.c.orig 2001-03-01 21:16:28.000000000 +0100
++++ gdk-pixbuf/io-xpm.c 2005-11-26 10:22:24.000000000 +0100
+@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer)
+ break;
+ else {
+ if (numnames > 0) {
+- space -= 1;
+- strcat (color, " ");
++ strncat (color, " ", space);
++ space -= MIN (space, 1);
+ }
+
+ strncat (color, temp, space);
+@@ -281,7 +281,8 @@ file_buffer (enum buf_op op, gpointer ha
+ /* Fall through to the xpm_read_string. */
+
+ case op_body:
+- xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
++ if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
++ return NULL;
+ return h->buffer;
+
+ default:
+@@ -317,13 +318,6 @@ mem_buffer (enum buf_op op, gpointer han
+ return NULL;
+ }
+
+-/* Destroy notification function for the pixbuf */
+-static void
+-free_buffer (guchar *pixels, gpointer data)
+-{
+- free (pixels);
+-}
+-
+ static gboolean
+ xpm_color_parse (const char *spec, XColor *color)
+ {
+@@ -342,7 +336,8 @@ pixbuf_create_from_xpm (const gchar * (*
+ gchar pixel_str[32];
+ GHashTable *color_hash;
+ _XPMColor *colors, *color, *fallbackcolor;
+- guchar *pixels, *pixtmp;
++ guchar *pixtmp;
++ GdkPixbuf* pixbuf;
+
+ fallbackcolor = NULL;
+
+@@ -352,17 +347,31 @@ pixbuf_create_from_xpm (const gchar * (*
+ return NULL;
+ }
+ sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+- if (cpp >= 32) {
++ if (cpp <= 0 || cpp >= 32) {
+ g_warning ("XPM has more than 31 chars per pixel.");
+ return NULL;
+ }
++ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) ||
++ n_col >= G_MAXINT / sizeof (_XPMColor)) {
++ g_warning ("XPM file has invalid number of colors.");
++ return NULL;
++ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+ name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (_XPMColor, n_col);
+-
++ if (!name_buf) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++ colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
++ if (!colors) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
+
+@@ -397,12 +406,8 @@ pixbuf_create_from_xpm (const gchar * (*
+ fallbackcolor = color;
+ }
+
+- if (is_trans)
+- pixels = malloc (w * h * 4);
+- else
+- pixels = malloc (w * h * 3);
+-
+- if (!pixels) {
++ pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h);
++ if (!pixbuf) {
+ g_hash_table_destroy (color_hash);
+ g_free (colors);
+ g_free (name_buf);
+@@ -410,7 +415,7 @@ pixbuf_create_from_xpm (const gchar * (*
+ }
+
+ wbytes = w * cpp;
+- pixtmp = pixels;
++ pixtmp = pixbuf->pixels;
+
+ for (ycnt = 0; ycnt < h; ycnt++) {
+ buffer = (*get_buf) (op_body, handle);
+@@ -443,9 +448,7 @@ pixbuf_create_from_xpm (const gchar * (*
+ g_free (colors);
+ g_free (name_buf);
+
+- return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
+- w, h, is_trans ? (w * 4) : (w * 3),
+- free_buffer, NULL);
++ return pixbuf;
+ }
+
+ /* Shared library entry point for file loading */
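Review bot: The header parse in pixbuf_create_from_xpm still ignores the `sscanf` return value and never range-checks `w` and `h`, so a short or malformed header reaches `wbytes = w * cpp` and the `gdk_pixbuf_new` call with unvalidated values; the new checks cover only `cpp` and `n_col`. I would guard it with `if (sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp) != 4 || w <= 0 || h <= 0) return NULL;` (plus a `g_warning` like the neighbouring checks) rather than rely on whatever `gdk_pixbuf_new` rejects, which is not visible here. Separately, the `!colors` failure branch destroys `color_hash` but does not release `name_buf`, so it should add `g_free (name_buf);`. `pixtmp` is now set once from `pixbuf->pixels`; if the pixbuf's rowstride is padded beyond the packed row width, the row loop (its body lies outside the embedded hunks) would need `pixtmp = pixbuf->pixels + ycnt * pixbuf->rowstride;` at the start of each row.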