rpms
/
imlib2
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to 

Ubuntu for the patch (bug 214676)
This commit is contained in:
Hans de Goede 2006-11-09 09:48:17 +00:00
parent 7efdd41e25
commit 673055ca30
2 changed files with 251 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

228
imlib2-1.3.0-loader_overflows.patch Normal file
View File

@ -0,0 +1,228 @@
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c imlib2-1.2.1.new/src/modules/loaders/loader_argb.c
--- imlib2-1.2.1/src/modules/loaders/loader_argb.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c 2006-11-06 01:30:41.000000000 -0800
@@ -23,7 +23,7 @@
load(ImlibImage * im, ImlibProgressFunction progress,
char progress_granularity, char immediate_load)
{
- int w, h, alpha;
+ int w=0, h=0, alpha=0;
FILE *f;
if (im->data)
@@ -36,13 +36,15 @@
{
char buf[256], buf2[256];
+ memset(buf, 0, sizeof(buf));
+ memset(buf2, 0, sizeof(buf));
if (!fgets(buf, 255, f))
{
fclose(f);
return 0;
}
sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
- if (strcmp(buf2, "ARGB"))
+ if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383)
{
fclose(f);
return 0;
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c
--- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-06 01:33:01.000000000 -0800
@@ -104,8 +104,9 @@
im->w = w = cinfo.output_width;
im->h = h = cinfo.output_height;
- if (cinfo.rec_outbuf_height > 16)
+ if (cinfo.rec_outbuf_height > 16 || w < 1 || h < 1 || w > 16383 || h > 16383)
{
+ im->w = im->h = 0;
jpeg_destroy_decompress(&cinfo);
fclose(f);
return 0;
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c
--- imlib2-1.2.1/src/modules/loaders/loader_lbm.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c 2006-11-06 01:30:41.000000000 -0800
@@ -421,7 +421,7 @@
im->w = L2RWORD(ilbm.bmhd.data);
im->h = L2RWORD(ilbm.bmhd.data + 2);
- if (im->w <= 0 || im->h <= 0) ok = 0;
+ if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0;
ilbm.depth = ilbm.bmhd.data[8];
if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@
}
}
if (!full || !ok) {
+ im->w = im->h = 0;
freeilbm(&ilbm);
return ok;
}
@@ -467,12 +468,13 @@
cancel = 0;
plane[0] = NULL;
+ n = ilbm.depth;
+ if (ilbm.mask == 1) n++;
+
im->data = malloc(im->w * im->h * sizeof(DATA32));
- if (im->data) {
- n = ilbm.depth;
- if (ilbm.mask == 1) n++;
+ plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+ if (im->data && plane[0]) {
- plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
z = ((im->w + 15) / 16) * 2 * n;
@@ -511,6 +513,7 @@
* the memory for im->data.
*----------*/
if (!ok) {
+ im->w = im->h = 0;
if (im->data) free(im->data);
im->data = NULL;
}
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c imlib2-1.2.1.new/src/modules/loaders/loader_png.c
--- imlib2-1.2.1/src/modules/loaders/loader_png.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c 2006-11-06 01:30:41.000000000 -0800
@@ -83,6 +83,13 @@
png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
(png_uint_32 *) (&h32), &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383)
+ {
+ png_read_end(png_ptr, info_ptr);
+ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+ fclose(f);
+ return 0;
+ }
im->w = (int)w32;
im->h = (int)h32;
if (color_type == PNG_COLOR_TYPE_PALETTE)
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c
--- imlib2-1.2.1/src/modules/loaders/loader_pnm.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c 2006-11-06 01:30:41.000000000 -0800
@@ -80,7 +80,7 @@
int i = 0;
/* read numbers */
- while (c != EOF && !isspace(c))
+ while (c != EOF && i+1 < sizeof(buf) && !isspace(c))
{
buf[i++] = c;
c = fgetc(f);
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c imlib2-1.2.1.new/src/modules/loaders/loader_tga.c
--- imlib2-1.2.1/src/modules/loaders/loader_tga.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c 2006-11-06 01:30:41.000000000 -0800
@@ -319,6 +319,7 @@
{
unsigned long datasize;
unsigned char *bufptr;
+ unsigned char *bufend;
DATA32 *dataptr;
int y, pl = 0;
@@ -348,6 +349,9 @@
/* bufptr is the next byte to be read from the buffer */
bufptr = filedata;
+ /* bufend is one past the last byte to be read from the buffer */
+ bufend = filedata + datasize;
+
/* dataptr is the next 32-bit pixel to be filled in */
dataptr = im->data;
@@ -365,7 +369,9 @@
else
dataptr = im->data + (y * im->w);
- for (x = 0; x < im->w; x++) /* for each pixel in the row */
+ for (x = 0;
+ x < im->w && bufptr+bpp/8 < bufend;
+ x++) /* for each pixel in the row */
{
switch (bpp)
{
@@ -422,8 +428,8 @@
unsigned char curbyte, red, green, blue, alpha;
DATA32 *final_pixel = dataptr + im->w * im->h;
- /* loop until we've got all the pixels */
- while (dataptr < final_pixel)
+ /* loop until we've got all the pixels or run out of input */
+ while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend)
{
int count;
@@ -441,7 +447,7 @@
green = *bufptr++;
red = *bufptr++;
alpha = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, red, green, blue, alpha);
dataptr++;
@@ -452,7 +458,7 @@
blue = *bufptr++;
green = *bufptr++;
red = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, red, green, blue,
(char)0xff);
@@ -462,7 +468,7 @@
case 8:
alpha = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, alpha, alpha, alpha,
(char)0xff);
@@ -477,7 +483,7 @@
{
int i;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
switch (bpp)
{
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c
--- imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c 2006-11-06 01:30:41.000000000 -0800
@@ -75,7 +75,7 @@
raster(TIFFRGBAImage_Extra * img, uint32 * rast,
uint32 x, uint32 y, uint32 w, uint32 h)
{
- uint32 image_width, image_height;
+ int image_width, image_height;
uint32 *pixel, pixel_value;
int i, j, dy, rast_offset;
DATA32 *buffer_pixel, *buffer = img->image->data;
@@ -192,8 +192,16 @@
}
rgba_image.image = im;
- im->w = width = rgba_image.rgba.width;
- im->h = height = rgba_image.rgba.height;
+ width = rgba_image.rgba.width;
+ height = rgba_image.rgba.height;
+ if (width < 1 || height < 1 || width >= 16384 || height >= 16384)
+ {
+ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
+ TIFFClose(tif);
+ return 0;
+ }
+ im->w = width;
+ im->h = height;
rgba_image.num_pixels = num_pixels = width * height;
if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
SET_FLAG(im->flags, F_HAS_ALPHA);

40
imlib2.spec
View File

@ -1,23 +1,24 @@
Summary: Image loading, saving, rendering, and manipulation library
Name: imlib2
Version: 1.3.0
Release: 2%{?dist}
License: BSD
Group: System Environment/Libraries
URL: http://www.enlightenment.org/Libraries/Imlib2/
Source0: http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz
Patch0: imlib2-1.2.1-X11-path.patch
Summary: Image loading, saving, rendering, and manipulation library
Name: imlib2
Version: 1.3.0
Release: 3%{?dist}
License: BSD
Group: System Environment/Libraries
URL: http://www.enlightenment.org/Libraries/Imlib2/
Source0: http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz
Patch0: imlib2-1.2.1-X11-path.patch
Patch1: imlib2-1.3.0-multilib.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: libjpeg-devel libpng-devel libtiff-devel
BuildRequires: giflib-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel
BuildRequires: libX11-devel libXext-devel libid3tag-devel pkgconfig
Patch2: imlib2-1.3.0-loader_overflows.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: libjpeg-devel libpng-devel libtiff-devel
BuildRequires: giflib-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel
BuildRequires: libX11-devel libXext-devel libid3tag-devel pkgconfig
%package devel
Summary: Development package for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig
Summary: Development package for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig
%description
@ -45,6 +46,7 @@ flexible.
%setup -q
%patch0 -p1 -b .x11-path
%patch1 -p1 -b .multilib
%patch2 -p1 -b .overflow
# sigh stop autoxxx from rerunning because of our patches above.
touch aclocal.m4
touch configure
@ -114,6 +116,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Thu Nov 9 2006 Hans de Goede <j.w.r.degoede@hhs.nl> 1.3.0-3
- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to
Ubuntu for the patch (bug 214676)
* Thu Oct 26 2006 Hans de Goede <j.w.r.degoede@hhs.nl> 1.3.0-2
- Multilib devel goodness (make -devel i386 and x86_64 parallel installable)
- Fix bug 212469