

[pkgsrc/trunk]: pkgsrc/editors/xemacs-current Fix CVE-2009-2688, via <https:/...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/194b0f4f1e96
branches:  trunk
changeset: 603047:194b0f4f1e96
user:      hauke <hauke%pkgsrc.org@localhost>
date:      Fri Apr 27 14:37:37 2012 +0000

description:
Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>

Note xemacs 21.5 still dumps core during the build.

diffstat:

 editors/xemacs-current/Makefile                          |   4 +-
 editors/xemacs-current/distinfo                          |   4 +-
 editors/xemacs-current/patches/patch-src_glyphs-eimage.c |  90 ++++++++++++++-
 3 files changed, 86 insertions(+), 12 deletions(-)

diffs (161 lines):

diff -r c07e9534ec60 -r 194b0f4f1e96 editors/xemacs-current/Makefile
--- a/editors/xemacs-current/Makefile   Fri Apr 27 13:53:46 2012 +0000
+++ b/editors/xemacs-current/Makefile   Fri Apr 27 14:37:37 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.75 2012/02/06 12:40:05 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2012/04/27 14:37:37 hauke Exp $
 
 PKGNAME?=      ${DISTNAME}
 COMMENT?=      *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
@@ -6,7 +6,7 @@
 DISTNAME=      xemacs-21.5.27
 EMACSVERSION=  21.5-b27
 EMACS_DISTNAME=        xemacs-${EMACSVERSION}
-PKGREVISION=   12
+PKGREVISION=   13
 CATEGORIES=    editors
 MASTER_SITES=  ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
 
diff -r c07e9534ec60 -r 194b0f4f1e96 editors/xemacs-current/distinfo
--- a/editors/xemacs-current/distinfo   Fri Apr 27 13:53:46 2012 +0000
+++ b/editors/xemacs-current/distinfo   Fri Apr 27 14:37:37 2012 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: distinfo,v 1.24 2012/04/27 14:37:37 hauke Exp $
 
 SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8
 RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad
@@ -17,4 +17,4 @@
 SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2
 SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
 SHA1 (patch-an) = f382865087f011ea3806d707cbf784fac81ad746
-SHA1 (patch-src_glyphs-eimage.c) = 9c5990cf2f806072aeb706bba8aba6133feb9509
+SHA1 (patch-src_glyphs-eimage.c) = a382113190a65d27747a90e58294a41f3bb6df42
diff -r c07e9534ec60 -r 194b0f4f1e96 editors/xemacs-current/patches/patch-src_glyphs-eimage.c
--- a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c  Fri Apr 27 13:53:46 2012 +0000
+++ b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c  Fri Apr 27 14:37:37 2012 +0000
@@ -1,21 +1,69 @@
-$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2012/04/27 14:37:37 hauke Exp $
 
-Fix build with png-1.5.
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+Adapt to new libpng 1.5 interfaces
 
 --- src/glyphs-eimage.c.orig   2005-11-26 11:46:08.000000000 +0000
 +++ src/glyphs-eimage.c
-@@ -929,8 +929,8 @@ png_instantiate (Lisp_Object image_insta
+@@ -401,6 +401,7 @@ jpeg_instantiate (Lisp_Object image_inst
+    */
+ 
+   {
++    UINT_64_BIT pixels_sq;
+     int jpeg_gray = 0;                /* if we're dealing with a grayscale */
+     /* Step 4: set parameters for decompression.   */
+ 
+@@ -423,7 +424,10 @@ jpeg_instantiate (Lisp_Object image_inst
+     jpeg_start_decompress (&cinfo);
+ 
+     /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++    pixels_sq =
++      (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("JPEG image too large to instantiate", instantiator);
+     unwind.eimage =
+       xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
+     if (!unwind.eimage)
+@@ -669,6 +673,7 @@ gif_instantiate (Lisp_Object image_insta
+   {
+     ColorMapObject *cmo = unwind.giffile->SColorMap;
+     int i, j, row, pass, interlace, slice;
++    UINT_64_BIT pixels_sq;
+     Binbyte *eip;
+     /* interlaced gifs have rows in this order:
+        0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ...  */
+@@ -677,6 +682,9 @@ gif_instantiate (Lisp_Object image_insta
+ 
+     height = unwind.giffile->SHeight;
+     width = unwind.giffile->SWidth;
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++      signal_image_error ("GIF image too large to instantiate", instantiator);
+     unwind.eimage =
+       xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
+     if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_insta
    {
      int y;
      Binbyte **row_pointers;
 -    height = info_ptr->height;
 -    width = info_ptr->width;
++    UINT_64_BIT pixels_sq;
 +    height = png_get_image_height(png_ptr, info_ptr);
 +    width = png_get_image_width(png_ptr, info_ptr);
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("PNG image too large to instantiate", instantiator);
  
      /* Wow, allocate all the memory.  Truly, exciting. */
-     unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
-@@ -982,22 +982,22 @@ png_instantiate (Lisp_Object image_insta
+-    unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
++    unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
+     /* libpng expects that the image buffer passed in contains a
+        picture to draw on top of if the png has any transparencies.
+        This could be a good place to pass that in... */
+@@ -982,22 +994,22 @@ png_instantiate (Lisp_Object image_insta
      /* Now that we're using EImage, ask for 8bit RGB triples for any type
         of image*/
      /* convert palette images to full RGB */
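Review bot: The overflow guards added for jpeg_instantiate and gif_instantiate test `pixels_sq`, but the allocations that follow still compute the byte count in the decoders' narrower types — `xnew_binbytes (cinfo.output_width * cinfo.output_height * 3)` and `xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount)` — so on an LP64 host a product that passes the `SIZE_MAX / 3` check can still wrap in 32-bit arithmetic before it reaches the allocator, leaving the buffer undersized; the png hunk avoids this by allocating `(size_t) (pixels_sq * 3)`. Suggest `xnew_binbytes ((size_t) (pixels_sq * 3));` for JPEG and `xnew_binbytes ((size_t) (pixels_sq * 3 * unwind.giffile->ImageCount));` for GIF, so the checked 64-bit value is the one actually allocated. The GIF guard also divides by `3 * unwind.giffile->ImageCount`, which is a division by zero if the decoder reports no images; unless giflib guarantees at least one image here (not visible in the hunk), an `if (unwind.giffile->ImageCount <= 0) signal_image_error (...)` before it would be prudent. The jpeg_instantiate, gif_instantiate and png_instantiate bodies all begin and end outside this hunk.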
@@ -45,16 +93,16 @@
          png_set_expand (png_ptr);
        else
          png_set_packing (png_ptr);
-@@ -1018,16 +1018,20 @@ png_instantiate (Lisp_Object image_insta
+@@ -1018,16 +1030,20 @@ png_instantiate (Lisp_Object image_insta
         unobtrusive. */
      {
        int i;
 +      png_textp text_ptr;
 +      int num_text;
++
++      png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
  
 -      for (i = 0 ; i < info_ptr->num_text ; i++)
-+      png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
-+
 +      for (i = 0 ; i < num_text ; i++)
        {
          /* How paranoid do I have to be about no trailing NULLs, and
@@ -70,3 +118,29 @@
        }
      }
  #endif
+@@ -1268,6 +1284,7 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     uint32 *raster;
+     Binbyte *ep;
++    UINT_64_BIT pixels_sq;
+ 
+     assert (!NILP (data));
+ 
+@@ -1290,12 +1307,15 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+-    unwind.eimage = xnew_binbytes (width * height * 3);
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq >= 1 << 29)
++      signal_image_error ("TIFF image too large to instantiate", instantiator);
++    unwind.eimage = xnew_binbytes (pixels_sq * 3);
+ 
+     /* #### This is little more than proof-of-concept/function testing.
+        It needs to be reimplemented via scanline reads for both memory
+        compactness. */
+-    raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++    raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+     if (raster != NULL)
+       {
+       int i, j;
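Review bot: The TIFF limit `if (pixels_sq >= 1 << 29)` is a bare magic number with no comment, unlike the `((size_t) -1) / 3` bounds the other decoders in this patch use, so the reason for the different and much lower threshold is not recorded. Presumably it is chosen so that `pixels_sq * sizeof (uint32)` stays below 2^31 for the `(tsize_t)` cast passed to `_TIFFmalloc` (and `pixels_sq * 3` likewise); if so, a comment such as `/* keep pixels_sq * sizeof (uint32) < 2^31 so the tsize_t cast below cannot wrap */` next to the check would make that explicit. tiff_instantiate's body continues outside the hunk.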


