rpms/gimp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

version 2.8.2

Browse Source
This commit is contained in:
Nils Philippsen 2012-08-24 12:29:26 +02:00
parent cae01488c7
commit 6e76f37ff0
6 changed files with 7 additions and 618 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,3 +10,4 @@ gimp-2.6.10-1-autoreconf.patch.bz2
/gimp-2.8.0-RC1.tar.bz2
/gimp-2.8.0-RC1-gitff6c280.patch.bz2
/gimp-2.8.0.tar.bz2
/gimp-2.8.2.tar.bz2

501
gimp-2.8.0-CVE-2012-3403.patch
View File

@ -1,501 +0,0 @@
From 144265df9a25a18181a4e3206543488fe1565ab0 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Mon, 20 Aug 2012 14:17:51 +0200
Subject: [PATCH] patch: CVE-2012-3403
Squashed commit of the following:
commit 6f4fceb2dc6ed6021d4d14ba19d4fb0b5ac74273
Author: Nils Philippsen <nils@redhat.com>
Date: Fri Jul 13 15:33:27 2012 +0200
file-cel: use g_set_error() for errors instead of g_message()
(cherry picked from commit 86f4cd39bd493c88a7a19b56d1827d8b911e07f6)
commit 288763736141624e8b3136cfff292b6107d35730
Author: Nils Philippsen <nils@redhat.com>
Date: Fri Jul 13 15:30:44 2012 +0200
file-cel: use statically allocated palette buffer
(cherry picked from commit 69b98191cf315bcf0f7b8878896c01600e67c124)
commit 48a7eb9a77b327777fbf01b0474c8adeb0d76b47
Author: Nils Philippsen <nils@redhat.com>
Date: Fri Jul 13 15:20:06 2012 +0200
file-cel: validate header data (CVE-2012-3403)
(cherry picked from commit b772d1b84c9272bb46ab9a21db4390e6263c9892)
commit 5ad4967eb6ad1893d2b8c1ef449e57d005fb22e4
Author: Nils Philippsen <nils@redhat.com>
Date: Thu Jul 12 15:50:02 2012 +0200
file-cel: check fread()/g_fopen() return values and pass on errors
(cherry picked from commit 797db58b94c64f418c35d38b7a608d933c8cebef)
---
plug-ins/common/file-cel.c | 282 +++++++++++++++++++++++++++++++++++++--------
1 file changed, 233 insertions(+), 49 deletions(-)
diff --git a/plug-ins/common/file-cel.c b/plug-ins/common/file-cel.c
index d285936..6292d7a 100644
--- a/plug-ins/common/file-cel.c
+++ b/plug-ins/common/file-cel.c
@@ -44,8 +44,10 @@ static void run (const gchar *name,
gint *nreturn_vals,
GimpParam **return_vals);
-static gint load_palette (FILE *fp,
- guchar palette[]);
+static gint load_palette (const gchar *file,
+ FILE *fp,
+ guchar palette[],
+ GError **error);
static gint32 load_image (const gchar *file,
const gchar *brief,
GError **error);
@@ -55,7 +57,8 @@ static gboolean save_image (const gchar *file,
gint32 layer,
GError **error);
static void palette_dialog (const gchar *title);
-static gboolean need_palette (const gchar *file);
+static gboolean need_palette (const gchar *file,
+ GError **error);
/* Globals... */
@@ -150,6 +153,7 @@ run (const gchar *name,
gint32 image;
GimpExportReturn export = GIMP_EXPORT_CANCEL;
GError *error = NULL;
+ gint needs_palette = 0;
run_mode = param[0].data.d_int32;
@@ -187,20 +191,32 @@ run (const gchar *name,
else if (run_mode == GIMP_RUN_INTERACTIVE)
{
/* Let user choose KCF palette (cancel ignores) */
- if (need_palette (param[1].data.d_string))
- palette_dialog (_("Load KISS Palette"));
+ needs_palette = need_palette (param[1].data.d_string, &error);
- gimp_set_data (SAVE_PROC, palette_file, data_length);
- }
+ if (! error)
+ {
+ if (needs_palette)
+ palette_dialog (_("Load KISS Palette"));
- image = load_image (param[1].data.d_string, param[2].data.d_string,
- &error);
+ gimp_set_data (SAVE_PROC, palette_file, data_length);
+ }
+ }
- if (image != -1)
+ if (! error)
{
- *nreturn_vals = 2;
- values[1].type = GIMP_PDB_IMAGE;
- values[1].data.d_image = image;
+ image = load_image (param[1].data.d_string, param[2].data.d_string,
+ &error);
+
+ if (image != -1)
+ {
+ *nreturn_vals = 2;
+ values[1].type = GIMP_PDB_IMAGE;
+ values[1].data.d_image = image;
+ }
+ else
+ {
+ status = GIMP_PDB_EXECUTION_ERROR;
+ }
}
else
{
@@ -263,18 +279,33 @@ run (const gchar *name,
/* Peek into the file to determine whether we need a palette */
static gboolean
-need_palette (const gchar *file)
+need_palette (const gchar *file,
+ GError **error)
{
FILE *fp;
guchar header[32];
+ size_t n_read;
fp = g_fopen (file, "rb");
- if (!fp)
- return FALSE;
+ if (fp == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Could not open '%s' for reading: %s"),
+ gimp_filename_to_utf8 (file), g_strerror (errno));
+ return FALSE;
+ }
+
+ n_read = fread (header, 32, 1, fp);
- fread (header, 32, 1, fp);
fclose (fp);
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image header"));
+ return FALSE;
+ }
+
return (header[5] < 32);
}
@@ -286,11 +317,12 @@ load_image (const gchar *file,
GError **error)
{
FILE *fp; /* Read file pointer */
- guchar header[32]; /* File header */
+ guchar header[32], /* File header */
+ file_mark, /* KiSS file type */
+ bpp; /* Bits per pixel */
gint height, width, /* Dimensions of image */
offx, offy, /* Layer offets */
- colours, /* Number of colours */
- bpp; /* Bits per pixel */
+ colours; /* Number of colours */
gint32 image, /* Image */
layer; /* Layer */
@@ -301,6 +333,7 @@ load_image (const gchar *file,
GimpPixelRgn pixel_rgn; /* Pixel region for layer */
gint i, j, k; /* Counters */
+ size_t n_read; /* Number of items read from file */
/* Open the file for reading */
@@ -319,7 +352,14 @@ load_image (const gchar *file,
/* Get the image dimensions and create the image... */
- fread (header, 4, 1, fp);
+ n_read = fread (header, 4, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image header"));
+ return -1;
+ }
if (strncmp ((const gchar *) header, "KiSS", 4))
{
@@ -332,18 +372,53 @@ load_image (const gchar *file,
}
else
{ /* New-style image file, read full header */
- fread (header, 28, 1, fp);
+ n_read = fread (header, 28, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image header"));
+ return -1;
+ }
+
+ file_mark = header[0];
+ if (file_mark != 0x20 && file_mark != 0x21)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("is not a CEL image file"));
+ return -1;
+ }
+
bpp = header[1];
- if (bpp == 24)
- colours = -1;
- else
- colours = (1 << header[1]);
+ switch (bpp)
+ {
+ case 4:
+ case 8:
+ case 32:
+ colours = (1 << bpp);
+ break;
+ default:
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("illegal bpp value in image: %hhu"), bpp);
+ return -1;
+ }
+
width = header[4] + (256 * header[5]);
height = header[6] + (256 * header[7]);
offx = header[8] + (256 * header[9]);
offy = header[10] + (256 * header[11]);
}
+ if ((width == 0) || (height == 0) || (width + offx > GIMP_MAX_IMAGE_SIZE) ||
+ (height + offy > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("illegal image dimensions: width: %d, horizontal offset: "
+ "%d, height: %d, vertical offset: %d"),
+ width, offx, height, offy);
+ return -1;
+ }
+
if (bpp == 32)
image = gimp_image_new (width + offx, height + offy, GIMP_RGB);
else
@@ -351,7 +426,7 @@ load_image (const gchar *file,
if (image == -1)
{
- g_message (_("Can't create a new image"));
+ g_set_error (error, 0, 0, _("Can't create a new image"));
fclose (fp);
return -1;
}
@@ -384,7 +459,15 @@ load_image (const gchar *file,
switch (bpp)
{
case 4:
- fread (buffer, (width+1)/2, 1, fp);
+ n_read = fread (buffer, (width+1)/2, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image data"));
+ return -1;
+ }
+
for (j = 0, k = 0; j < width*2; j+= 4, ++k)
{
if (buffer[k] / 16 == 0)
@@ -411,7 +494,15 @@ load_image (const gchar *file,
break;
case 8:
- fread (buffer, width, 1, fp);
+ n_read = fread (buffer, width, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image data"));
+ return -1;
+ }
+
for (j = 0, k = 0; j < width*2; j+= 2, ++k)
{
if (buffer[k] == 0)
@@ -428,7 +519,15 @@ load_image (const gchar *file,
break;
case 32:
- fread (line, width*4, 1, fp);
+ n_read = fread (line, width*4, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("EOF or error while reading image data"));
+ return -1;
+ }
+
/* The CEL file order is BGR so we need to swap B and R
* to get the Gimp RGB order.
*/
@@ -441,7 +540,8 @@ load_image (const gchar *file,
break;
default:
- g_message (_("Unsupported bit depth (%d)!"), bpp);
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Unsupported bit depth (%d)!"), bpp);
return -1;
}
@@ -459,7 +559,7 @@ load_image (const gchar *file,
if (bpp != 32)
{
/* Use palette from file or otherwise default grey palette */
- palette = g_new (guchar, colours*3);
+ guchar palette[256*3];
/* Open the file for reading if user picked one */
if (palette_file == NULL)
@@ -469,12 +569,23 @@ load_image (const gchar *file,
else
{
fp = g_fopen (palette_file, "r");
+
+ if (fp == NULL)
+ {
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Could not open '%s' for reading: %s"),
+ gimp_filename_to_utf8 (palette_file),
+ g_strerror (errno));
+ return -1;
+ }
}
if (fp != NULL)
{
- colours = load_palette (fp, palette);
+ colours = load_palette (palette_file, fp, palette, error);
fclose (fp);
+ if (colours < 0 || *error)
+ return -1;
}
else
{
@@ -485,10 +596,6 @@ load_image (const gchar *file,
}
gimp_image_set_colormap (image, palette + 3, colours - 1);
-
- /* Close palette file, give back allocated memory */
-
- g_free (palette);
}
/* Now get everything redrawn and hand back the finished image */
@@ -500,32 +607,100 @@ load_image (const gchar *file,
}
static gint
-load_palette (FILE *fp,
- guchar palette[])
+load_palette (const gchar *file,
+ FILE *fp,
+ guchar palette[],
+ GError **error)
{
guchar header[32]; /* File header */
guchar buffer[2];
- int i, bpp, colours= 0;
+ guchar file_mark, bpp;
+ gint i, colours = 0;
+ size_t n_read;
+
+ n_read = fread (header, 4, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': EOF or error while reading palette header"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
- fread (header, 4, 1, fp);
if (!strncmp ((const gchar *) header, "KiSS", 4))
{
- fread (header+4, 28, 1, fp);
+ n_read = fread (header+4, 28, 1, fp);
+
+ if (n_read < 1)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': EOF or error while reading palette header"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
+
+ file_mark = header[4];
+ if (file_mark != 0x10)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': is not a KCF palette file"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
+
bpp = header[5];
+ if (bpp != 12 && bpp != 24)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': illegal bpp value in palette: %hhu"),
+ gimp_filename_to_utf8 (file), bpp);
+ return -1;
+ }
+
colours = header[8] + header[9] * 256;
- if (bpp == 12)
+ if (colours != 16 && colours != 256)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': illegal number of colors: %u"),
+ gimp_filename_to_utf8 (file), colours);
+ return -1;
+ }
+
+ switch (bpp)
{
+ case 12:
for (i = 0; i < colours; ++i)
{
- fread (buffer, 1, 2, fp);
+ n_read = fread (buffer, 1, 2, fp);
+
+ if (n_read < 2)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': EOF or error while reading "
+ "palette data"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
+
palette[i*3]= buffer[0] & 0xf0;
palette[i*3+1]= (buffer[1] & 0x0f) * 16;
palette[i*3+2]= (buffer[0] & 0x0f) * 16;
}
- }
- else
- {
- fread (palette, colours, 3, fp);
+ break;
+ case 24:
+ n_read = fread (palette, colours, 3, fp);
+
+ if (n_read < 3)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': EOF or error while reading palette data"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
+ break;
+ default:
+ g_assert_not_reached ();
}
}
else
@@ -534,7 +709,16 @@ load_palette (FILE *fp,
fseek (fp, 0, SEEK_SET);
for (i= 0; i < colours; ++i)
{
- fread (buffer, 1, 2, fp);
+ n_read = fread (buffer, 1, 2, fp);
+
+ if (n_read < 2)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s': EOF or error while reading palette data"),
+ gimp_filename_to_utf8 (file));
+ return -1;
+ }
+
palette[i*3] = buffer[0] & 0xf0;
palette[i*3+1] = (buffer[1] & 0x0f) * 16;
palette[i*3+2] = (buffer[0] & 0x0f) * 16;
--
1.7.11.4

56
gimp-2.8.0-CVE-2012-3481.patch
View File

@ -1,56 +0,0 @@
From b39f4582b80984f86701ab56f355c911cd448e15 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Mon, 20 Aug 2012 14:18:49 +0200
Subject: [PATCH] patch: CVE-2012-3481
Squashed commit of the following:
commit 52cce706d3d490d96e81d9cebff8c9796f33ff67
Author: Nils Philippsen <nils@redhat.com>
Date: Tue Aug 14 15:27:39 2012 +0200
file-gif-load: fix type overflow (CVE-2012-3481)
Cast variables properly to avoid overflowing when computing how much
memory to allocate.
(cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
commit 562eefae83d6da5b70aaaccddd54c1f17c42f1b3
Author: Jan Lieskovsky <jlieskov@redhat.com>
Date: Tue Aug 14 12:18:22 2012 +0200
file-gif-load: limit len and height (CVE-2012-3481)
Ensure values of len and height can't overflow g_malloc() argument type.
(cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
---
plug-ins/common/file-gif-load.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 4fdbe7a..0bb9bc4 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1057,10 +1057,17 @@ ReadImage (FILE *fd,
cur_progress = 0;
max_progress = height;
+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+ {
+ g_message ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
+
if (alpha_frame)
- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
else
- dest = (guchar *) g_malloc (len * height);
+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
#ifdef GIFDEBUG
g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
--
1.7.11.4

50
gimp-2.8.0-fits.patch
View File

@ -1,50 +0,0 @@
From 202a4d52bcc6a69889c9f475a74a6570081e5cf6 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 28 Jun 2012 13:54:50 +0200
Subject: [PATCH] patch: fits
Squashed commit of the following:
commit c66982caadfad47db632647bcc19bcf480008bfc
Author: Michael Natterer <mitch@gimp.org>
Date: Wed Jun 6 21:21:10 2012 +0200
Bug 676804 - file handling DoS for fit file format
Apply patch from joe@reactionis.co.uk which fixes a buffer overflow on
broken/malicious fits files.
(cherry picked from commit ace45631595e8781a1420842582d67160097163c)
---
plug-ins/file-fits/fits-io.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/plug-ins/file-fits/fits-io.c b/plug-ins/file-fits/fits-io.c
index 03d9652..ed77318 100644
--- a/plug-ins/file-fits/fits-io.c
+++ b/plug-ins/file-fits/fits-io.c
@@ -1054,10 +1054,18 @@ static FITS_HDU_LIST *fits_decode_header (FITS_RECORD_LIST *hdr,
hdulist->used.simple = (strncmp (hdr->data, "SIMPLE ", 8) == 0);
hdulist->used.xtension = (strncmp (hdr->data, "XTENSION", 8) == 0);
if (hdulist->used.xtension)
- {
- fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
- strcpy (hdulist->xtension, fdat->fstring);
- }
+ {
+ fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
+ if (fdat != NULL)
+ {
+ strcpy (hdulist->xtension, fdat->fstring);
+ }
+ else
+ {
+ strcpy (errmsg, "No valid XTENSION header found.");
+ goto err_return;
+ }
+ }
FITS_DECODE_CARD (hdr, "NAXIS", fdat, typ_flong);
hdulist->naxis = fdat->flong;
--
1.7.10.2

15
gimp.spec
View File

@ -70,8 +70,8 @@
Summary: GNU Image Manipulation Program
Name: gimp
Epoch: 2
Version: 2.8.0
Release: %{?prerelprefix}3%{dotprerel}%{dotgitrev}%{?dist}
Version: 2.8.2
Release: %{?prerelprefix}1%{dotprerel}%{dotgitrev}%{?dist}
# Compute some version related macros
# Ugly hack, you need to get your quoting backslashes/percent signs straight
@ -186,10 +186,6 @@ Source0: ftp://ftp.gimp.org/pub/gimp/v%{binver}/gimp-%{version}%{dashprer
Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2
%endif
Patch1: gimp-2.8.0-fits.patch
Patch2: gimp-2.8.0-CVE-2012-3403.patch
Patch3: gimp-2.8.0-CVE-2012-3481.patch
%description
GIMP (GNU Image Manipulation Program) is a powerful image composition and
editing program, which can be extremely useful for creating logos and other
@ -271,10 +267,6 @@ EOF
%patch0 -p1 -b .git%{gitrev}
%endif
%patch1 -p1 -b .fits
%patch2 -p1 -b .CVE-2012-3403
%patch3 -p1 -b .CVE-2012-3481
%build
%if %{with hardening}
# Use hardening compiler/linker flags because gimp is likely to deal with files
@ -546,6 +538,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{_libdir}/gimp/%{lib_api_version}/plug-ins/help-browser
%changelog
* Fri Aug 24 2012 Nils Philippsen <nils@redhat.com> - 2:2.8.2-1
- version 2.8.2
* Mon Aug 20 2012 Nils Philippsen <nils@redhat.com> - 2:2.8.0-3
- fix crash in fits loader (#834627)
- fix overflow in CEL plug-in (CVE-2012-3403)

2
sources
View File

@ -1 +1 @@
28997d14055f15db063eb92e1c8a7ebb gimp-2.8.0.tar.bz2
b542138820ca3a41cbd63fc331907955 gimp-2.8.2.tar.bz2