pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/pkgsrc-2005Q3]: pkgsrc/graphics/gdk-pixbuf Pullup ticket 925 - reques...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ae43f30059f2
branches:  pkgsrc-2005Q3
changeset: 499710:ae43f30059f2
user:      snj <snj%pkgsrc.org@localhost>
date:      Sun Nov 27 21:14:26 2005 +0000

description:
Pullup ticket 925 - requested by Lubomir Sedlacik
security fix for gdk-pixbuf

Revisions pulled up:
- pkgsrc/graphics/gdk-pixbuf/Makefile           1.32
- pkgsrc/graphics/gdk-pixbuf/distinfo           1.19
- pkgsrc/graphics/gdk-pixbuf/patches/patch-am   1.1

   Module Name:    pkgsrc
   Committed By:   salo
   Date:           Sat Nov 26 09:40:50 UTC 2005

   Modified Files:
           pkgsrc/graphics/gdk-pixbuf: Makefile distinfo
   Added Files:
           pkgsrc/graphics/gdk-pixbuf/patches: patch-am

   Log Message:
   Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186:

   "io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers
   to cause a denial of service (infinite loop) via a crafted XPM image
   with a large number of colors."

   "Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a
   denial of service (crash) or execute arbitrary code via an XPM file with
   large height, width, and colour values, a different vulnerability than
   CVE-2005-3186."

   "Integer overflow in the gdk-pixbuf XPM image rendering library allows
   attackers to execute arbitrary code via an XPM file with a number of
   colors that causes insufficient memory to be allocated, which leads to
   a heap-based buffer overflow."

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186

diffstat:

 graphics/gdk-pixbuf/Makefile         |    4 +-
 graphics/gdk-pixbuf/distinfo         |    3 +-
 graphics/gdk-pixbuf/patches/patch-am |  121 +++++++++++++++++++++++++++++++++++
 3 files changed, 125 insertions(+), 3 deletions(-)

diffs (155 lines):

diff -r 93a0a7406539 -r ae43f30059f2 graphics/gdk-pixbuf/Makefile
--- a/graphics/gdk-pixbuf/Makefile      Sat Nov 26 15:33:34 2005 +0000
+++ b/graphics/gdk-pixbuf/Makefile      Sun Nov 27 21:14:26 2005 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.31 2005/04/01 11:37:23 salo Exp $
+# $NetBSD: Makefile,v 1.31.4.1 2005/11/27 21:14:26 snj Exp $
 #
 
 .include "Makefile.common"
 
 PKGNAME=       ${DISTNAME}
-PKGREVISION=   5
+PKGREVISION=   6
 COMMENT=       The GNOME image loading library
 
 # XXX hopefully there is no x.gnome-config.x in PATH
diff -r 93a0a7406539 -r ae43f30059f2 graphics/gdk-pixbuf/distinfo
--- a/graphics/gdk-pixbuf/distinfo      Sat Nov 26 15:33:34 2005 +0000
+++ b/graphics/gdk-pixbuf/distinfo      Sun Nov 27 21:14:26 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2005/09/04 04:56:40 reed Exp $
+$NetBSD: distinfo,v 1.18.2.1 2005/11/27 21:14:26 snj Exp $
 
 SHA1 (gdk-pixbuf-0.22.0.tar.bz2) = 495324afb5abebc14567ffd5a6cd72333bcc7f5b
 RMD160 (gdk-pixbuf-0.22.0.tar.bz2) = 0e56a0f883fd8e3fb4d49b9a38f984b95cd96ece
@@ -15,3 +15,4 @@
 SHA1 (patch-aj) = 107cbe0e9756818ae2529cc4791d7cd06d476a7c
 SHA1 (patch-ak) = 123b32f70b0feb91bb3e0c2ca8e705ff2ae381bf
 SHA1 (patch-al) = cf05f283c7676c9fa51b822f5ced66524dfa487e
+SHA1 (patch-am) = 44180cb58cba4b5cc5663acc0215978001f82fa0
diff -r 93a0a7406539 -r ae43f30059f2 graphics/gdk-pixbuf/patches/patch-am
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gdk-pixbuf/patches/patch-am      Sun Nov 27 21:14:26 2005 +0000
@@ -0,0 +1,121 @@
+$NetBSD: patch-am,v 1.1.2.2 2005/11/27 21:14:26 snj Exp $
+
+Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186.
+
+--- gdk-pixbuf/io-xpm.c.orig   2001-03-01 21:16:28.000000000 +0100
++++ gdk-pixbuf/io-xpm.c        2005-11-26 10:22:24.000000000 +0100
+@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer)
+                       break;
+               else {
+                       if (numnames > 0) {
+-                              space -= 1;
+-                              strcat (color, " ");
++                              strncat (color, " ", space);
++                              space -= MIN (space, 1);
+                       }
+ 
+                       strncat (color, temp, space);
+@@ -281,7 +281,8 @@ file_buffer (enum buf_op op, gpointer ha
+               /* Fall through to the xpm_read_string. */
+ 
+       case op_body:
+-              xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
++              if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
++                      return NULL;
+               return h->buffer;
+ 
+       default:
+@@ -317,13 +318,6 @@ mem_buffer (enum buf_op op, gpointer han
+       return NULL;
+ }
+ 
+-/* Destroy notification function for the pixbuf */
+-static void
+-free_buffer (guchar *pixels, gpointer data)
+-{
+-      free (pixels);
+-}
+-
+ static gboolean
+ xpm_color_parse (const char *spec, XColor *color)
+ {
+@@ -342,7 +336,8 @@ pixbuf_create_from_xpm (const gchar * (*
+       gchar pixel_str[32];
+       GHashTable *color_hash;
+       _XPMColor *colors, *color, *fallbackcolor;
+-      guchar *pixels, *pixtmp;
++      guchar *pixtmp;
++      GdkPixbuf* pixbuf;
+ 
+       fallbackcolor = NULL;
+ 
+@@ -352,17 +347,31 @@ pixbuf_create_from_xpm (const gchar * (*
+               return NULL;
+       }
+       sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+-      if (cpp >= 32) {
++      if (cpp <= 0 || cpp >= 32) {
+               g_warning ("XPM has more than 31 chars per pixel.");
+               return NULL;
+       }
++      if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) ||
++            n_col >= G_MAXINT / sizeof (_XPMColor)) {
++              g_warning ("XPM file has invalid number of colors.");
++              return NULL;
++      }
+ 
+       /* The hash is used for fast lookups of color from chars */
+       color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+ 
+       name_buf = g_new (gchar, n_col * (cpp + 1));
+-      colors = g_new (_XPMColor, n_col);
+-
++      if (!name_buf) {
++              g_warning ("Cannot allocate memory for loading XPM image.");
++              g_hash_table_destroy (color_hash);
++              return NULL;
++      }
++      colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
++      if (!colors) {
++              g_warning ("Cannot allocate memory for loading XPM image.");
++              g_hash_table_destroy (color_hash);
++              return NULL;
++      }
+       for (cnt = 0; cnt < n_col; cnt++) {
+               gchar *color_name;
+ 
+@@ -397,12 +406,8 @@ pixbuf_create_from_xpm (const gchar * (*
+                       fallbackcolor = color;
+       }
+ 
+-      if (is_trans)
+-              pixels = malloc (w * h * 4);
+-      else
+-              pixels = malloc (w * h * 3);
+-
+-      if (!pixels) {
++      pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h);
++      if (!pixbuf) {
+               g_hash_table_destroy (color_hash);
+               g_free (colors);
+               g_free (name_buf);
+@@ -410,7 +415,7 @@ pixbuf_create_from_xpm (const gchar * (*
+       }
+ 
+       wbytes = w * cpp;
+-      pixtmp = pixels;
++      pixtmp = pixbuf->pixels;
+ 
+       for (ycnt = 0; ycnt < h; ycnt++) {
+               buffer = (*get_buf) (op_body, handle);
+@@ -443,9 +448,7 @@ pixbuf_create_from_xpm (const gchar * (*
+       g_free (colors);
+       g_free (name_buf);
+ 
+-      return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
+-                                       w, h, is_trans ? (w * 4) : (w * 3),
+-                                       free_buffer, NULL);
++      return pixbuf;
+ }
+ 
+ /* Shared library entry point for file loading */



Home | Main Index | Thread Index | Old Index