From 5b171484f0e8a5ab05f960a28d2dde9abe3b59e3 Mon Sep 17 00:00:00 2001 From: drochner Date: Tue, 10 Apr 2007 12:19:40 +0000 Subject: plug integer overflows in skin handling (CVE-2007-0653, CVE-2007-0654), patch from Debian --- audio/xmms/Makefile | 4 ++-- audio/xmms/distinfo | 3 ++- audio/xmms/patches/patch-aq | 46 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 audio/xmms/patches/patch-aq (limited to 'audio') diff --git a/audio/xmms/Makefile b/audio/xmms/Makefile index ed022afc07d..73963735181 100644 --- a/audio/xmms/Makefile +++ b/audio/xmms/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.64 2007/02/01 16:55:58 drochner Exp $ +# $NetBSD: Makefile,v 1.65 2007/04/10 12:19:40 drochner Exp $ # -PKGREVISION= 7 +PKGREVISION= 8 .include "Makefile.common" diff --git a/audio/xmms/distinfo b/audio/xmms/distinfo index a2d90a378bc..3715fe01d93 100644 --- a/audio/xmms/distinfo +++ b/audio/xmms/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.30 2007/03/08 15:01:50 rillig Exp $ +$NetBSD: distinfo,v 1.31 2007/04/10 12:19:40 drochner Exp $ SHA1 (xmms-1.2.10.tar.bz2) = a3c3d3756d5263183c27b3c50a7f5404cba8bfaf RMD160 (xmms-1.2.10.tar.bz2) = 0360cbb8c326b3325bd8ebb3343c69a9788d7084 @@ -19,3 +19,4 @@ SHA1 (patch-am) = 6474ef355b194189345008e35a4efc9648c26397 SHA1 (patch-an) = 3abc68bd37018800dc70b151a5b419211a727a02 SHA1 (patch-ao) = 2cadee08e6db7b802d1b700559705a8fe591f2dd SHA1 (patch-ap) = 101c54e2ce0e575893b8d3880ca54a021e89a8dd +SHA1 (patch-aq) = 1b5e0b7a2f3e9c529deffad63f24a498b11d96f6 diff --git a/audio/xmms/patches/patch-aq b/audio/xmms/patches/patch-aq new file mode 100644 index 00000000000..17524c30cdd --- /dev/null +++ b/audio/xmms/patches/patch-aq @@ -0,0 +1,46 @@ +$NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $ + +--- ./xmms/bmp.c.orig 2002-02-12 00:15:56.000000000 +0100 ++++ ./xmms/bmp.c +@@ -19,6 +19,12 @@ + */ + #include "xmms.h" + ++#if HAVE_STDINT_H ++#include ++#elif !defined(UINT32_MAX) ++#define UINT32_MAX 0xffffffffU ++#endif ++ + typedef struct tagRGBQUAD + { + guchar rgbBlue; +@@ -184,7 +190,7 @@ GdkPixmap *read_bmp(gchar * filename) + } + else if (bitcount != 24 && bitcount != 16 && bitcount != 32) + { +- gint ncols, i; ++ guint32 ncols, i; + + ncols = offset - headSize - 14; + if (headSize == 12) +@@ -200,10 +206,18 @@ GdkPixmap *read_bmp(gchar * filename) + } + } + fseek(file, offset, SEEK_SET); ++ /* verify buffer size */ ++ if (!h || !w || ++ w > (((UINT32_MAX - 3) / 3) / h) || ++ h > (((UINT32_MAX - 3) / 3) / w)) { ++ g_warning("read_bmp(): width(%u)*height(%u) too large", w, h); ++ fclose(file); ++ return NULL; ++ } ++ data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ + buffer = g_malloc(imgsize); + fread(buffer, imgsize, 1, file); + fclose(file); +- data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */ + + if (bitcount == 1) + read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads); -- cgit v1.2.3