diff options
Diffstat (limited to 'editors/xemacs/patches/patch-src_glyphs-eimage.c')
| -rw-r--r-- | editors/xemacs/patches/patch-src_glyphs-eimage.c | 95 |
1 files changed, 0 insertions, 95 deletions
diff --git a/editors/xemacs/patches/patch-src_glyphs-eimage.c b/editors/xemacs/patches/patch-src_glyphs-eimage.c deleted file mode 100644 index c59154ddfbc..00000000000 --- a/editors/xemacs/patches/patch-src_glyphs-eimage.c +++ /dev/null @@ -1,95 +0,0 @@ -$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2015/02/04 09:19:20 hauke Exp $ - -Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994> - ---- src/glyphs-eimage.c.orig 2015-01-29 15:04:29.000000000 +0000 -+++ src/glyphs-eimage.c -@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_inst - */ - - { -+ UINT_64_BIT pixels_sq; - int jpeg_gray = 0; /* if we're dealing with a grayscale */ - /* Step 4: set parameters for decompression. */ - -@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_inst - jpeg_start_decompress (&cinfo); - - /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/ -- -+ pixels_sq = -+ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height; -+ if (pixels_sq > ((size_t) -1) / 3) -+ signal_image_error ("JPEG image too large to instantiate", instantiator); - unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3); - if (!unwind.eimage) - signal_image_error("Unable to allocate enough memory for image", instantiator); -@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_insta - { - ColorMapObject *cmo = unwind.giffile->SColorMap; - int i, j, row, pass, interlace, slice; -+ UINT_64_BIT pixels_sq; - unsigned char *eip; - /* interlaced gifs have rows in this order: - 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */ -@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_insta - - height = unwind.giffile->SHeight; - width = unwind.giffile->SWidth; -+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; -+ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount)) -+ signal_image_error ("GIF image too large to instantiate", instantiator); - unwind.eimage = (unsigned char*) - xmalloc (width * height * 3 * unwind.giffile->ImageCount); - if (!unwind.eimage) -@@ -939,7 +947,14 @@ png_instantiate (Lisp_Object image_insta - unsigned char **row_pointers; - height = png_get_image_height(png_ptr, info_ptr); - width = png_get_image_width(png_ptr, info_ptr); -+ UINT_64_BIT pixels_sq; - -+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; -+ if (pixels_sq > ((size_t) -1) / 3) { -+ signal_image_error ("PNG image too large to instantiate", -+ instantiator); -+ } -+ - /* Wow, allocate all the memory. Truly, exciting. - Well, yes, there's excitement to be had. It turns out that libpng - strips in place, so the last row overruns the buffer if depth is 16 -@@ -949,7 +964,7 @@ png_instantiate (Lisp_Object image_insta - - padding = 5 * width; - unwind.eimage = xnew_array_and_zero (unsigned char, -- width * height * 3 + padding); -+ pixels_sq * 3 + padding); - - /* libpng expects that the image buffer passed in contains a - picture to draw on top of if the png has any transparencies. -@@ -1286,6 +1301,7 @@ tiff_instantiate (Lisp_Object image_inst - - uint32 *raster; - unsigned char *ep; -+ UINT_64_BIT pixels_sq; - - assert (!NILP (data)); - -@@ -1308,12 +1324,16 @@ tiff_instantiate (Lisp_Object image_inst - - TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height); -- unwind.eimage = (unsigned char *) xmalloc (width * height * 3); -+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; -+ if (pixels_sq >= 1 << 29) -+ signal_image_error ("TIFF image too large to instantiate", instantiator); -+ unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3); -+ - - /* #### This is little more than proof-of-concept/function testing. - It needs to be reimplemented via scanline reads for both memory - compactness. */ -- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32)); -+ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32))); - if (raster != NULL) - { - int i,j; |