From 11ee09f4bd5fa5f7d4db26e9fe40a3cdd772e612 Mon Sep 17 00:00:00 2001
From: salo
Date: Sat, 26 Nov 2005 09:40:49 +0000
Subject: Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186:
"io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors."
"Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186."
"Integer overflow in the gdk-pixbuf XPM image rendering library allows attackers to execute arbitrary code via an XPM file with a number of colors that causes insufficient memory to be allocated, which leads to a heap-based buffer overflow."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
---
 graphics/gdk-pixbuf/Makefile | 4 +-
 graphics/gdk-pixbuf/distinfo | 3 +-
 graphics/gdk-pixbuf/patches/patch-am | 121 +++++++++++++++++++++++++++++++++++
 3 files changed, 125 insertions(+), 3 deletions(-)
 create mode 100644 graphics/gdk-pixbuf/patches/patch-am
(limited to 'graphics')
diff --git a/graphics/gdk-pixbuf/Makefile b/graphics/gdk-pixbuf/Makefile
index 6f28f64daff..ba3f06c9793 100644
--- a/graphics/gdk-pixbuf/Makefile
+++ b/graphics/gdk-pixbuf/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.31 2005/04/01 11:37:23 salo Exp $
+# $NetBSD: Makefile,v 1.32 2005/11/26 09:40:49 salo Exp $
 #
 .include "Makefile.common"
 PKGNAME= ${DISTNAME}
-PKGREVISION= 5
+PKGREVISION= 6
 COMMENT= The GNOME image loading library
 # XXX hopefully there is no x.gnome-config.x in PATH
diff --git a/graphics/gdk-pixbuf/distinfo b/graphics/gdk-pixbuf/distinfo
index aed56bec53b..a240bedc665 100644
--- a/graphics/gdk-pixbuf/distinfo
+++ b/graphics/gdk-pixbuf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2005/09/04 04:56:40 reed Exp $
+$NetBSD: distinfo,v 1.19 2005/11/26 09:40:49 salo Exp $
 SHA1 (gdk-pixbuf-0.22.0.tar.bz2) = 495324afb5abebc14567ffd5a6cd72333bcc7f5b
 RMD160 (gdk-pixbuf-0.22.0.tar.bz2) = 0e56a0f883fd8e3fb4d49b9a38f984b95cd96ece
@@ -15,3 +15,4 @@ SHA1 (patch-ai) = df681c98b2e265548504eeecbd5a2962b4d3359d
 SHA1 (patch-aj) = 107cbe0e9756818ae2529cc4791d7cd06d476a7c
 SHA1 (patch-ak) = 123b32f70b0feb91bb3e0c2ca8e705ff2ae381bf
 SHA1 (patch-al) = cf05f283c7676c9fa51b822f5ced66524dfa487e
+SHA1 (patch-am) = 44180cb58cba4b5cc5663acc0215978001f82fa0
diff --git a/graphics/gdk-pixbuf/patches/patch-am b/graphics/gdk-pixbuf/patches/patch-am
new file mode 100644
index 00000000000..b02eab7dd36
--- /dev/null
+++ b/graphics/gdk-pixbuf/patches/patch-am
@@ -0,0 +1,121 @@
+$NetBSD: patch-am,v 1.1 2005/11/26 09:40:49 salo Exp $
+
+Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186.
+
+--- gdk-pixbuf/io-xpm.c.orig 2001-03-01 21:16:28.000000000 +0100
++++ gdk-pixbuf/io-xpm.c 2005-11-26 10:22:24.000000000 +0100
+@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer)
+ break;
+ else {
+ if (numnames > 0) {
+- space -= 1;
+- strcat (color, " ");
++ strncat (color, " ", space);
++ space -= MIN (space, 1);
+ }
+
+ strncat (color, temp, space);
+@@ -281,7 +281,8 @@ file_buffer (enum buf_op op, gpointer ha
+ /* Fall through to the xpm_read_string. */
+
+ case op_body:
+- xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
++ if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
++ return NULL;
+ return h->buffer;
+
+ default:
+@@ -317,13 +318,6 @@ mem_buffer (enum buf_op op, gpointer han
+ return NULL;
+ }
+
+-/* Destroy notification function for the pixbuf */
+-static void
+-free_buffer (guchar *pixels, gpointer data)
+-{
+- free (pixels);
+-}
+-
+ static gboolean
+ xpm_color_parse (const char *spec, XColor *color)
+ {
+@@ -342,7 +336,8 @@ pixbuf_create_from_xpm (const gchar * (*
+ gchar pixel_str[32];
+ GHashTable *color_hash;
+ _XPMColor *colors, *color, *fallbackcolor;
+- guchar *pixels, *pixtmp;
++ guchar *pixtmp;
++ GdkPixbuf* pixbuf;
+
+ fallbackcolor = NULL;
+
+@@ -352,17 +347,31 @@ pixbuf_create_from_xpm (const gchar * (*
+ return NULL;
+ }
+ sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+- if (cpp >= 32) {
++ if (cpp <= 0 || cpp >= 32) {
+ g_warning ("XPM has more than 31 chars per pixel.");
+ return NULL;
+ }
++ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) ||
++ n_col >= G_MAXINT / sizeof (_XPMColor)) {
++ g_warning ("XPM file has invalid number of colors.");
++ return NULL;
++ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+ name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (_XPMColor, n_col);
+-
++ if (!name_buf) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++ colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
++ if (!colors) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
+
+@@ -397,12 +406,8 @@ pixbuf_create_from_xpm (const gchar * (*
+ fallbackcolor = color;
+ }
+
+- if (is_trans)
+- pixels = malloc (w * h * 4);
+- else
+- pixels = malloc (w * h * 3);
+-
+- if (!pixels) {
++ pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h);
++ if (!pixbuf) {
+ g_hash_table_destroy (color_hash);
+ g_free (colors);
+ g_free (name_buf);
+@@ -410,7 +415,7 @@ pixbuf_create_from_xpm (const gchar * (*
+ }
+
+ wbytes = w * cpp;
+- pixtmp = pixels;
++ pixtmp = pixbuf->pixels;
+
+ for (ycnt = 0; ycnt < h; ycnt++) {
+ buffer = (*get_buf) (op_body, handle);
+@@ -443,9 +448,7 @@ pixbuf_create_from_xpm (const gchar * (*
+ g_free (colors);
+ g_free (name_buf);
+
+- return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
+- w, h, is_trans ? (w * 4) : (w * 3),
+- free_buffer, NULL);
++ return pixbuf;
+ }
+
+ /* Shared library entry point for file loading */
-- 
cgit v1.2.3
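Review bot: The two new allocation-failure branches in pixbuf_create_from_xpm (`if (!name_buf)` and `if (!colors)` in the inner hunk `@@ -352,17 +347,31 @@`) look unreachable, because GLib's `g_new`/`g_malloc` abort the process on allocation failure rather than returning NULL, so the `g_hash_table_destroy` cleanup they guard never runs. If the GLib this package builds against provides `g_try_malloc`, `colors = g_try_malloc (sizeof (_XPMColor) * n_col);` (and the same for `name_buf`) would make the checks live; otherwise a short comment such as `/* g_malloc aborts on OOM; these checks only document intent */` would stop the next reader from relying on them. Separately, `w` and `h` come from `sscanf`, whose return value is not checked, and are not range-checked in this patch: the new code relies on `gdk_pixbuf_new` rejecting bad dimensions and on its internal size computation not overflowing, which cannot be confirmed from the hunk and is worth verifying against this library's `gdk_pixbuf_new`, since `wbytes = w * cpp;` is also computed unguarded. The body of pixbuf_create_from_xpm continues outside the quoted hunks.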