rpms
/
freeimage
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

merge into: rpms:master
Branches Tags
rpms:master
rpms:master-riscv64
rpms:f28
rpms:f27
rpms:f26
rpms:f23
rpms:f24
rpms:f25
rpms:el6
rpms:epel7
rpms:f21
rpms:f22
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f15
rpms:f16
rpms:f11
rpms:f9
rpms:f10
rpms:f14
rpms:f12
rpms:f13
rpms:f8
rpms:F-13-split
rpms:F-13-start
rpms:F-12-split
rpms:F-12-start
rpms:freeimage-3_10_0-3_fc12
rpms:F-11-split
rpms:F-11-start
rpms:freeimage-3_10_0-2_fc11
rpms:freeimage-3_10_0-1_fc8
rpms:F-9-split
rpms:F-9-start
rpms:F-10-split
rpms:F-10-start
rpms:freeimage-3_10_0-1_fc9
rpms:F-8-split
rpms:F-8-start
...
pull from: rpms:f22
Branches Tags
rpms:master-riscv64
rpms:f28
rpms:master
rpms:f27
rpms:f26
rpms:f23
rpms:f24
rpms:f25
rpms:el6
rpms:epel7
rpms:f21
rpms:f22
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f15
rpms:f16
rpms:f11
rpms:f9
rpms:f10
rpms:f14
rpms:f12
rpms:f13
rpms:f8
rpms:F-13-split
rpms:F-13-start
rpms:F-12-split
rpms:F-12-start
rpms:freeimage-3_10_0-3_fc12
rpms:F-11-split
rpms:F-11-start
rpms:freeimage-3_10_0-2_fc11
rpms:freeimage-3_10_0-1_fc8
rpms:F-9-split
rpms:F-9-start
rpms:F-10-split
rpms:F-10-start
rpms:freeimage-3_10_0-1_fc9
rpms:F-8-split
rpms:F-8-start

1 Commits
master ... f22

Author SHA1 Message Date
Sandro Mani 2d18d3faf0 Add fix for CVE-2015-0852 (#1257859) 2015-09-17 16:26:12 +02:00
2 changed files with 168 additions and 1 deletions
Show Stats Expand all files Collapse all files

161
FreeImage-3.10.0_CVE-2015-0852.patch Normal file
View File

@ -0,0 +1,161 @@
diff -rupN FreeImage/Source/FreeImage/PluginPCX.cpp FreeImage-new/Source/FreeImage/PluginPCX.cpp
--- FreeImage/Source/FreeImage/PluginPCX.cpp 2007-05-08 20:04:18.000000000 +0200
+++ FreeImage-new/Source/FreeImage/PluginPCX.cpp 2015-09-17 16:19:19.862693426 +0200
@@ -30,7 +30,7 @@
// Constants + headers
// ----------------------------------------------------------
-#define IO_BUF_SIZE 2048
+#define PCX_IO_BUF_SIZE 2048
// ----------------------------------------------------------
@@ -95,17 +95,17 @@ readline(FreeImageIO &io, fi_handle hand
while (length--) {
if (count == 0) {
- if (*ReadPos >= IO_BUF_SIZE - 1 ) {
- if (*ReadPos == IO_BUF_SIZE - 1) {
+ if (*ReadPos >= PCX_IO_BUF_SIZE - 1 ) {
+ if (*ReadPos == PCX_IO_BUF_SIZE - 1) {
// we still have one BYTE, copy it to the start pos
- *ReadBuf = ReadBuf[IO_BUF_SIZE - 1];
+ *ReadBuf = ReadBuf[PCX_IO_BUF_SIZE - 1];
- io.read_proc(ReadBuf + 1, 1, IO_BUF_SIZE - 1, handle);
+ io.read_proc(ReadBuf + 1, 1, PCX_IO_BUF_SIZE - 1, handle);
} else {
// read the complete buffer
- io.read_proc(ReadBuf, 1, IO_BUF_SIZE, handle);
+ io.read_proc(ReadBuf, 1, PCX_IO_BUF_SIZE, handle);
}
*ReadPos = 0;
@@ -333,19 +333,38 @@ Load(FreeImageIO *io, fi_handle handle,
if ((header.manufacturer != 0x0A) || (header.version > 5))
throw "Invalid PCX file";
- // allocate a new DIB
+ // process the window
+ const WORD *window = header.window; // left, upper, right,lower pixel coord.
+ const int left = window[0];
+ const int top = window[1];
+ const int right = window[2];
+ const int bottom = window[3];
+
+ // check image size
+ if((left >= right) || (top >= bottom)) {
+ throw "Parsing error";
+ }
- WORD width = header.window[2] - header.window[0] + 1;
- WORD height = header.window[3] - header.window[1] + 1;
+ WORD width = right - left + 1;
+ WORD height = bottom - top + 1;
WORD bitcount = header.bpp * header.planes;
- if (bitcount == 24)
- dib = FreeImage_Allocate(width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
- else
- dib = FreeImage_Allocate(width, height, bitcount);
+ // allocate a new dib
+ switch(bitcount) {
+ case 1:
+ case 4:
+ case 8:
+ dib = FreeImage_Allocate(width, height, bitcount);
+ break;
+ case 24:
+ dib = FreeImage_Allocate(width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+ break;
+ default:
+ throw "DIB allocation failed, maybe caused by an invalid image size or by a lack of memory";
+ break;
+ }
// if the dib couldn't be allocated, throw an error
-
if (!dib)
throw "DIB allocation failed";
@@ -392,19 +411,21 @@ Load(FreeImageIO *io, fi_handle handle,
if (palette_id == 0x0C) {
BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
- io->read_proc(cmap, 768, 1, handle);
+ if(cmap) {
+ io->read_proc(cmap, 768, 1, handle);
- pal = FreeImage_GetPalette(dib);
- BYTE *pColormap = &cmap[0];
+ pal = FreeImage_GetPalette(dib);
+ BYTE *pColormap = &cmap[0];
- for(int i = 0; i < 256; i++) {
- pal[i].rgbRed = pColormap[0];
- pal[i].rgbGreen = pColormap[1];
- pal[i].rgbBlue = pColormap[2];
- pColormap += 3;
- }
+ for(int i = 0; i < 256; i++) {
+ pal[i].rgbRed = pColormap[0];
+ pal[i].rgbGreen = pColormap[1];
+ pal[i].rgbBlue = pColormap[2];
+ pColormap += 3;
+ }
- free(cmap);
+ free(cmap);
+ }
}
// wrong palette ID, perhaps a gray scale is needed ?
@@ -437,10 +458,16 @@ Load(FreeImageIO *io, fi_handle handle,
// ---------------
line = new BYTE[linelength];
+ if(!line) {
+ throw "Memory allocation failed";
+ }
bits = FreeImage_GetScanLine(dib, height - 1);
- ReadBuf = new BYTE[IO_BUF_SIZE];
+ ReadBuf = new BYTE[PCX_IO_BUF_SIZE];
+ if(!ReadBuf) {
+ throw "Memory allocation failed";
+ }
- int ReadPos = IO_BUF_SIZE;
+ int ReadPos = PCX_IO_BUF_SIZE;
if ((header.planes == 1) && ((header.bpp == 1) || (header.bpp == 8))) {
BYTE skip;
@@ -452,7 +479,7 @@ Load(FreeImageIO *io, fi_handle handle,
// skip trailing garbage at the end of the scanline
for (int count = written; count < linelength; count++) {
- if (ReadPos < IO_BUF_SIZE) {
+ if (ReadPos < PCX_IO_BUF_SIZE) {
ReadPos++;
} else {
io->read_proc(&skip, sizeof(BYTE), 1, handle);
@@ -468,6 +495,9 @@ Load(FreeImageIO *io, fi_handle handle,
WORD x, y, written;
buffer = new BYTE[width];
+ if(!buffer) {
+ throw "Memory allocation failed";
+ }
for (y = 0; y < height; y++) {
written = readline(*io, handle, line, linelength, rle, ReadBuf, &ReadPos);
@@ -494,7 +524,7 @@ Load(FreeImageIO *io, fi_handle handle,
// skip trailing garbage at the end of the scanline
for (int count = written; count < linelength; count++) {
- if (ReadPos < IO_BUF_SIZE) {
+ if (ReadPos < PCX_IO_BUF_SIZE) {
ReadPos++;
} else {
io->read_proc(&skip, sizeof(BYTE), 1, handle);

8
freeimage.spec
View File

@ -3,7 +3,7 @@
Name: freeimage
Version: 3.10.0
Release: 22%{?dist}
Release: 23%{?dist}
Summary: Multi-format image decoder library
Group: System Environment/Libraries
# freeimage is dual-licensed, see Whatsnew.txt (search for license) or:
@ -15,6 +15,8 @@ Patch0: FreeImage-3.10.0-syslibs.patch
Patch1: FreeImage-3.10.0-doxygen.patch
Patch2: FreeImage-3.10.0-libpng15.patch
Patch3: FreeImage-3.10.0-libtiff4.patch
# Fix CVE-2015-0852 (#1257859)
Patch4: FreeImage-3.10.0_CVE-2015-0852.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libjpeg-devel libpng-devel libtiff-devel OpenEXR-devel
BuildRequires: libmng-devel openjpeg-devel doxygen
@ -41,6 +43,7 @@ developing applications that use %{name}.
%patch1 -p1
%patch2 -p0
%patch3 -p1
%patch4 -p1
touch -r Source/FreeImage.h.syslibs Source/FreeImage.h
# remove all included libs to make sure these don't get used during compile
@ -118,6 +121,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Thu Sep 17 2015 Sandro Mani <manisandro@gmail.com> - 3.10.0-23
- Add fix for CVE-2015-0852 (#1257859)
* Wed Nov 26 2014 Rex Dieter <rdieter@fedoraproject.org> 3.10.0-22
- rebuild (openexr), tighten subpkg deps via %%{?_isa}