Add patches for CVE-2009-2369 and CVE-2009-2625.

Bump PKGREVISION.

6 files changed, 102 insertions, 3 deletions

diff --git a/x11/wxGTK26/Makefile b/x11/wxGTK26/Makefile
index 92d87b21438..4d1afe935e7 100644
--- a/x11/wxGTK26/Makefile
+++ b/x11/wxGTK26/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2010/01/18 09:59:45 wiz Exp $
+# $NetBSD: Makefile,v 1.5 2010/02/16 17:35:34 taca Exp $
 #
 
 .include "Makefile.common"
 
-PKGREVISION=		5
+PKGREVISION=		6
 COMMENT=		GTK-based implementation of the wxWidgets GUI library
 
 post-build:
diff --git a/x11/wxGTK26/distinfo b/x11/wxGTK26/distinfo
index f400cc69d39..04b6f3fea91 100644
--- a/x11/wxGTK26/distinfo
+++ b/x11/wxGTK26/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2009/10/23 11:16:55 plunky Exp $
+$NetBSD: distinfo,v 1.4 2010/02/16 17:35:34 taca Exp $
 
 SHA1 (wxGTK-2.6.3-libtool.diff3.bz2) = 657566a9384a4bc160dffd26678b5e0c6a1cb5b2
 RMD160 (wxGTK-2.6.3-libtool.diff3.bz2) = 233af8dd61317ed1771c1862c6cec65f131b6de0
@@ -10,3 +10,7 @@ SHA1 (patch-aa) = 0ef5ae28b70a3290e37363193248365f4cf03cec
 SHA1 (patch-ab) = 3e9c6bc0df33e466390a4f6483b1c84e2eb9257b
 SHA1 (patch-ac) = 50bd7d4291e44dac1d2bbbae1b12167177f5ef01
 SHA1 (patch-ad) = fb51bb80451d39ba2bba53d42722327888b4a0be
+SHA1 (patch-ae) = d6fcc9b21fd457e79c32f2dc47166dc7afbd65b1
+SHA1 (patch-af) = 96e29001bcf1fbc33f4cb185f25f53a6901ce9d2
+SHA1 (patch-ag) = ccaac341ecd589dbde465f49064dd2ab480fc639
+SHA1 (patch-ah) = e7da6aacd004048d0d07965df09e97cef5a76551
diff --git a/x11/wxGTK26/patches/patch-ae b/x11/wxGTK26/patches/patch-ae
new file mode 100644
index 00000000000..bb318721eaf
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ae
@@ -0,0 +1,17 @@
+$NetBSD: patch-ae,v 1.1 2010/02/16 17:35:34 taca Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/image.cpp.orig	2006-03-21 23:42:10.000000000 +0000
++++ src/common/image.cpp
+@@ -192,6 +192,10 @@ bool wxImage::Create( int width, int hei
+ 
+     m_refData = new wxImageRefData();
+ 
++    if (width <= 0 || height <= 0 || width > INT_MAX / 3 / height) {
++	UnRef();
++	return false;
++    }
+     M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
+     if (!M_IMGDATA->m_data)
+     {
diff --git a/x11/wxGTK26/patches/patch-af b/x11/wxGTK26/patches/patch-af
new file mode 100644
index 00000000000..32ff807c1dc
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-af
@@ -0,0 +1,28 @@
+$NetBSD: patch-af,v 1.1 2010/02/16 17:35:34 taca Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagpng.cpp.orig	2006-03-21 23:42:10.000000000 +0000
++++ src/common/imagpng.cpp
+@@ -570,18 +570,16 @@ wxPNGHandler::LoadFile(wxImage *image,
+     if (!image->Ok())
+         goto error;
+ 
+-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++    // initialize all line pointers to NULL to ensure that they can be safely
++    // free()d if an error occurs before all of them could be allocated
++    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+     if ( !lines )
+         goto error;
+ 
+     for (i = 0; i < height; i++)
+     {
+         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+-        {
+-            for ( unsigned int n = 0; n < i; n++ )
+-                free( lines[n] );
+             goto error;
+-        }
+     }
+ 
+     png_read_image( png_ptr, lines );
diff --git a/x11/wxGTK26/patches/patch-ag b/x11/wxGTK26/patches/patch-ag
new file mode 100644
index 00000000000..57da90631cf
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ag
@@ -0,0 +1,35 @@
+$NetBSD: patch-ag,v 1.1 2010/02/16 17:35:34 taca Exp $
+
+deal with CVE-2009-2369.
+
+--- src/common/imagtiff.cpp.orig	2006-03-21 23:42:10.000000000 +0000
++++ src/common/imagtiff.cpp
+@@ -232,15 +232,25 @@ bool wxTIFFHandler::LoadFile( wxImage *i
+     }
+ 
+     uint32 w, h;
+-    uint32 npixels;
+     uint32 *raster;
+ 
+     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
+     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
+ 
+-    npixels = w * h;
++    // guard against integer overflow during multiplication which could result
++    // in allocating a too small buffer and then overflowing it
++    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
++    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++    {
++	if ( verbose )
++	    wxLogError( _("TIFF: Image size is abnormally big.") );
++
++	TIFFClose(tif);
++
++	return false;
++    }
+ 
+-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++    raster = (uint32*) _TIFFmalloc( bytesNeeded );
+ 
+     if (!raster)
+     {
diff --git a/x11/wxGTK26/patches/patch-ah b/x11/wxGTK26/patches/patch-ah
new file mode 100644
index 00000000000..afcfd151810
--- /dev/null
+++ b/x11/wxGTK26/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.1 2010/02/16 17:35:34 taca Exp $
+
+deal with CVE-2009-2625.
+
+--- src/expat/lib/xmltok_impl.c.orig	2006-03-21 23:42:06.000000000 +0000
++++ src/expat/lib/xmltok_impl.c
+@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e
+                        const char *end,
+                        POSITION *pos)
+ {
+-  while (ptr != end) {
++  while (ptr <= end) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #define LEAD_CASE(n) \
+     case BT_LEAD ## n: \