Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/graphics/SDL_image SDL_image: Best effort attempt at g...
details: https://anonhg.NetBSD.org/pkgsrc/rev/207a15bc0f30
branches: trunk
changeset: 431535:207a15bc0f30
user: nia <nia%pkgsrc.org@localhost>
date: Thu May 14 16:08:06 2020 +0000
description:
SDL_image: Best effort attempt at grabbing fixes from upstream hg
Bump PKGREVISION
diffstat:
graphics/SDL_image/Makefile | 4 +-
graphics/SDL_image/distinfo | 6 +-
graphics/SDL_image/patches/patch-IMG__bmp.c | 92 ++++++++++++++++
graphics/SDL_image/patches/patch-IMG__lbm.c | 97 +++++++++++++++++
graphics/SDL_image/patches/patch-IMG__pcx.c | 154 ++++++++++++++++++++++++++++
graphics/SDL_image/patches/patch-IMG__xpm.c | 130 +++++++++++++++++++++++
6 files changed, 480 insertions(+), 3 deletions(-)
diffs (truncated from 518 to 300 lines):
diff -r 566bbaffc8a2 -r 207a15bc0f30 graphics/SDL_image/Makefile
--- a/graphics/SDL_image/Makefile Thu May 14 15:36:40 2020 +0000
+++ b/graphics/SDL_image/Makefile Thu May 14 16:08:06 2020 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.52 2020/01/26 17:31:19 rillig Exp $
+# $NetBSD: Makefile,v 1.53 2020/05/14 16:08:06 nia Exp $
DISTNAME= SDL_image-1.2.12
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= graphics devel
MASTER_SITES= http://www.libsdl.org/projects/SDL_image/release/
diff -r 566bbaffc8a2 -r 207a15bc0f30 graphics/SDL_image/distinfo
--- a/graphics/SDL_image/distinfo Thu May 14 15:36:40 2020 +0000
+++ b/graphics/SDL_image/distinfo Thu May 14 16:08:06 2020 +0000
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.17 2015/11/03 21:33:52 agc Exp $
+$NetBSD: distinfo,v 1.18 2020/05/14 16:08:06 nia Exp $
SHA1 (SDL_image-1.2.12.tar.gz) = 5e3e393d4e366638048bbb10d6a269ea3f4e4cf2
RMD160 (SDL_image-1.2.12.tar.gz) = 206990959c6b225286c0a19bc05b991c6bc2c3e8
SHA512 (SDL_image-1.2.12.tar.gz) = 0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136
Size (SDL_image-1.2.12.tar.gz) = 2231074 bytes
+SHA1 (patch-IMG__bmp.c) = 7c89a5bdcc5d3e5c1c7e2ee635dd063364bb8319
+SHA1 (patch-IMG__lbm.c) = 798ff3bc672894d4676214af97dbf30c3e639ffe
+SHA1 (patch-IMG__pcx.c) = 622c3c369b6830aa6b8093e58427555a16304576
+SHA1 (patch-IMG__xpm.c) = aab5f6949bc56f1087b3ff54eb763dd7a1aa1809
SHA1 (patch-Makefile.in) = e8ae18e00af376676b292dc8419ed0d50c038db3
diff -r 566bbaffc8a2 -r 207a15bc0f30 graphics/SDL_image/patches/patch-IMG__bmp.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/SDL_image/patches/patch-IMG__bmp.c Thu May 14 16:08:06 2020 +0000
@@ -0,0 +1,92 @@
+$NetBSD: patch-IMG__bmp.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_bmp.c.orig 2012-01-21 01:51:33.000000000 +0000
++++ IMG_bmp.c
+@@ -272,6 +272,11 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ biClrUsed = SDL_ReadLE32(src);
+ biClrImportant = SDL_ReadLE32(src);
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+@@ -292,6 +297,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 0:
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -444,7 +458,12 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ goto done;
+ }
+ }
+- *(bits+i) = (pixel>>shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ } }
+ break;
+@@ -456,6 +475,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWop
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
+@@ -662,6 +690,14 @@ LoadICOCUR_RW(SDL_RWops * src, int type,
+ goto done;
+ }
+
++ /* sanity check image size, so we don't overflow integers, etc. */
++ if ((biWidth < 0) || (biWidth > 0xFFFFFF) ||
++ (biHeight < 0) || (biHeight > 0xFFFFFF)) {
++ IMG_SetError("Unsupported or invalid ICO dimensions");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++
+ /* Create a RGBA surface */
+ biHeight = biHeight >> 1;
+ //printf("%d x %d\n", biWidth, biHeight);
+@@ -679,6 +715,11 @@ LoadICOCUR_RW(SDL_RWops * src, int type,
+ if (biClrUsed == 0) {
+ biClrUsed = 1 << biBitCount;
+ }
++ if (biClrUsed > (sizeof(palette)/sizeof(palette[0]))) {
++ IMG_SetError("Unsupported or incorrect biClrUsed field");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ for (i = 0; i < (int) biClrUsed; ++i) {
+ SDL_RWread(src, &palette[i], 4, 1);
+ }
diff -r 566bbaffc8a2 -r 207a15bc0f30 graphics/SDL_image/patches/patch-IMG__lbm.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/SDL_image/patches/patch-IMG__lbm.c Thu May 14 16:08:06 2020 +0000
@@ -0,0 +1,97 @@
+$NetBSD: patch-IMG__lbm.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_lbm.c.orig 2012-01-21 01:51:33.000000000 +0000
++++ IMG_lbm.c
+@@ -187,7 +187,12 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+
+ if ( !memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */
+ {
+- if ( !SDL_RWread( src, &colormap, size, 1 ) )
++ if (size > sizeof (colormap)) {
++ error="colormap size is too large";
++ goto done;
++ }
++
++ if ( !SDL_RWread( src, colormap, size, 1 ) )
+ {
+ error="error reading CMAP chunk";
+ goto done;
+@@ -242,14 +247,14 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ /* Allocate memory for a temporary buffer ( used for
+ decompression/deinterleaving ) */
+
+- MiniBuf = (void *)malloc( bytesperline * (nbplanes + stencil) );
++ MiniBuf = (Uint8 *)malloc( bytesperline * (nbplanes + stencil) );
+ if ( MiniBuf == NULL )
+ {
+- error="no enough memory for temporary buffer";
++ error="not enough memory for temporary buffer";
+ goto done;
+ }
+
+- if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
++ if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
+ goto done;
+
+ if ( bmhd.mask & 2 ) /* There is a transparent color */
+@@ -276,7 +281,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ /* The 32 last colors are the same but divided by 2 */
+ /* Some Amiga pictures save 64 colors with 32 last wrong colors, */
+ /* they shouldn't !, and here we overwrite these 32 bad colors. */
+- if ( (nbcolors==32 || flagEHB ) && (1<<bmhd.planes)==64 )
++ if ( (nbcolors==32 || flagEHB ) && (1<<nbplanes)==64 )
+ {
+ nbcolors = 64;
+ ptr = &colormap[0];
+@@ -290,8 +295,8 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+
+ /* If nbcolors < 2^nbplanes, repeat the colormap */
+ /* This happens when pictures have a stencil mask */
+- if ( nbrcolorsfinal > (1<<bmhd.planes) ) {
+- nbrcolorsfinal = (1<<bmhd.planes);
++ if ( nbrcolorsfinal > (1<<nbplanes) ) {
++ nbrcolorsfinal = (1<<nbplanes);
+ }
+ for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )
+ {
+@@ -365,7 +370,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+
+ /* One line has been read, store it ! */
+
+- ptr = Image->pixels;
++ ptr = (Uint8 *)Image->pixels;
+ if ( nbplanes==24 || flagHAM==1 )
+ ptr += h * width * 3;
+ else
+@@ -449,19 +454,15 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *
+ {
+ finalcolor = pixelcolor;
+ }
+- if ( SDL_BYTEORDER == SDL_LIL_ENDIAN )
+- {
+- *ptr++ = (Uint8)(finalcolor>>16);
+- *ptr++ = (Uint8)(finalcolor>>8);
+- *ptr++ = (Uint8)(finalcolor);
+- }
+- else
+- {
+- *ptr++ = (Uint8)(finalcolor);
+- *ptr++ = (Uint8)(finalcolor>>8);
+- *ptr++ = (Uint8)(finalcolor>>16);
+- }
+-
++#if SDL_BYTEORDER == SDL_LIL_ENDIAN
++ *ptr++ = (Uint8)(finalcolor>>16);
++ *ptr++ = (Uint8)(finalcolor>>8);
++ *ptr++ = (Uint8)(finalcolor);
++#else
++ *ptr++ = (Uint8)(finalcolor);
++ *ptr++ = (Uint8)(finalcolor>>8);
++ *ptr++ = (Uint8)(finalcolor>>16);
++#endif
+ maskBit = maskBit>>1;
+ }
+ }
diff -r 566bbaffc8a2 -r 207a15bc0f30 graphics/SDL_image/patches/patch-IMG__pcx.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/SDL_image/patches/patch-IMG__pcx.c Thu May 14 16:08:06 2020 +0000
@@ -0,0 +1,154 @@
+$NetBSD: patch-IMG__pcx.c,v 1.1 2020/05/14 16:08:07 nia Exp $
+
+Various sanity fixes from upstream preventing potential
+security problems.
+
+--- IMG_pcx.c.orig 2012-01-21 01:51:33.000000000 +0000
++++ IMG_pcx.c
+@@ -100,6 +100,8 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++ int count = 0;
++ Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -127,37 +129,37 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *s
+ bits = 8;
+ } else if(pcxh.BitsPerPixel == 8 && pcxh.NPlanes == 3) {
+ bits = 24;
+- if ( SDL_BYTEORDER == SDL_LIL_ENDIAN ) {
+- Rmask = 0x000000FF;
+- Gmask = 0x0000FF00;
+- Bmask = 0x00FF0000;
+- } else {
+- Rmask = 0xFF0000;
+- Gmask = 0x00FF00;
+- Bmask = 0x0000FF;
+- }
++#if SDL_BYTEORDER == SDL_LIL_ENDIAN
++ Rmask = 0x000000FF;
++ Gmask = 0x0000FF00;
++ Bmask = 0x00FF0000;
++#else
++ Rmask = 0xFF0000;
++ Gmask = 0x00FF00;
++ Bmask = 0x0000FF;
++#endif
+ } else {
+ error = "unsupported PCX format";
+ goto done;
+ }
+ surface = SDL_AllocSurface(SDL_SWSURFACE, width, height,
+ bits, Rmask, Gmask, Bmask, Amask);
+- if ( surface == NULL )
++ if ( surface == NULL ) {
+ goto done;
++ }
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl > surface->pitch) {
+- error = "bytes per line is too large (corrupt?)";
++ buf = (Uint8 *)calloc(bpl, 1);
++ if (!buf) {
++ error = "Out of memory";
++ goto done;
+ }
+- buf = malloc(bpl);
+- row = surface->pixels;
++ row = (Uint8 *)surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+- int i, count = 0;
+- Uint8 ch;
+- Uint8 *dst = (src_bits == 8) ? row : buf;
++ int i;
+ if ( pcxh.Encoding == 0 ) {
+- if(!SDL_RWread(src, dst, bpl, 1)) {
++ if(!SDL_RWread(src, buf, bpl, 1)) {
+ error = "file truncated";
Home |
Main Index |
Thread Index |
Old Index