From 673055ca308328185f7135a3ac6c079c033a1397 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Thu, 9 Nov 2006 09:48:17 +0000 Subject: [PATCH] - Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to Ubuntu for the patch (bug 214676) --- imlib2-1.3.0-loader_overflows.patch | 228 ++++++++++++++++++++++++++++ imlib2.spec | 40 ++--- 2 files changed, 251 insertions(+), 17 deletions(-) create mode 100644 imlib2-1.3.0-loader_overflows.patch diff --git a/imlib2-1.3.0-loader_overflows.patch b/imlib2-1.3.0-loader_overflows.patch new file mode 100644 index 0000000..c0092c3 --- /dev/null +++ b/imlib2-1.3.0-loader_overflows.patch @@ -0,0 +1,228 @@ +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c imlib2-1.2.1.new/src/modules/loaders/loader_argb.c +--- imlib2-1.2.1/src/modules/loaders/loader_argb.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c 2006-11-06 01:30:41.000000000 -0800 +@@ -23,7 +23,7 @@ + load(ImlibImage * im, ImlibProgressFunction progress, + char progress_granularity, char immediate_load) + { +- int w, h, alpha; ++ int w=0, h=0, alpha=0; + FILE *f; + + if (im->data) +@@ -36,13 +36,15 @@ + { + char buf[256], buf2[256]; + ++ memset(buf, 0, sizeof(buf)); ++ memset(buf2, 0, sizeof(buf)); + if (!fgets(buf, 255, f)) + { + fclose(f); + return 0; + } + sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha); +- if (strcmp(buf2, "ARGB")) ++ if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383) + { + fclose(f); + return 0; +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c +--- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-06 01:33:01.000000000 -0800 +@@ -104,8 +104,9 @@ + im->w = w = cinfo.output_width; + im->h = h = cinfo.output_height; + +- if (cinfo.rec_outbuf_height > 16) ++ if (cinfo.rec_outbuf_height > 16 || w < 1 || h < 1 || w > 16383 || h > 16383) + { ++ im->w = im->h = 0; + jpeg_destroy_decompress(&cinfo); + fclose(f); + return 0; +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c +--- imlib2-1.2.1/src/modules/loaders/loader_lbm.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c 2006-11-06 01:30:41.000000000 -0800 +@@ -421,7 +421,7 @@ + + im->w = L2RWORD(ilbm.bmhd.data); + im->h = L2RWORD(ilbm.bmhd.data + 2); +- if (im->w <= 0 || im->h <= 0) ok = 0; ++ if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0; + + ilbm.depth = ilbm.bmhd.data[8]; + if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */ +@@ -453,6 +453,7 @@ + } + } + if (!full || !ok) { ++ im->w = im->h = 0; + freeilbm(&ilbm); + return ok; + } +@@ -467,12 +468,13 @@ + cancel = 0; + plane[0] = NULL; + ++ n = ilbm.depth; ++ if (ilbm.mask == 1) n++; ++ + im->data = malloc(im->w * im->h * sizeof(DATA32)); +- if (im->data) { +- n = ilbm.depth; +- if (ilbm.mask == 1) n++; ++ plane[0] = malloc(((im->w + 15) / 16) * 2 * n); ++ if (im->data && plane[0]) { + +- plane[0] = malloc(((im->w + 15) / 16) * 2 * n); + for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2; + + z = ((im->w + 15) / 16) * 2 * n; +@@ -511,6 +513,7 @@ + * the memory for im->data. + *----------*/ + if (!ok) { ++ im->w = im->h = 0; + if (im->data) free(im->data); + im->data = NULL; + } +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c imlib2-1.2.1.new/src/modules/loaders/loader_png.c +--- imlib2-1.2.1/src/modules/loaders/loader_png.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c 2006-11-06 01:30:41.000000000 -0800 +@@ -83,6 +83,13 @@ + png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), + (png_uint_32 *) (&h32), &bit_depth, &color_type, + &interlace_type, NULL, NULL); ++ if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383) ++ { ++ png_read_end(png_ptr, info_ptr); ++ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL); ++ fclose(f); ++ return 0; ++ } + im->w = (int)w32; + im->h = (int)h32; + if (color_type == PNG_COLOR_TYPE_PALETTE) +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c +--- imlib2-1.2.1/src/modules/loaders/loader_pnm.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c 2006-11-06 01:30:41.000000000 -0800 +@@ -80,7 +80,7 @@ + int i = 0; + + /* read numbers */ +- while (c != EOF && !isspace(c)) ++ while (c != EOF && i+1 < sizeof(buf) && !isspace(c)) + { + buf[i++] = c; + c = fgetc(f); +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c imlib2-1.2.1.new/src/modules/loaders/loader_tga.c +--- imlib2-1.2.1/src/modules/loaders/loader_tga.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c 2006-11-06 01:30:41.000000000 -0800 +@@ -319,6 +319,7 @@ + { + unsigned long datasize; + unsigned char *bufptr; ++ unsigned char *bufend; + DATA32 *dataptr; + + int y, pl = 0; +@@ -348,6 +349,9 @@ + /* bufptr is the next byte to be read from the buffer */ + bufptr = filedata; + ++ /* bufend is one past the last byte to be read from the buffer */ ++ bufend = filedata + datasize; ++ + /* dataptr is the next 32-bit pixel to be filled in */ + dataptr = im->data; + +@@ -365,7 +369,9 @@ + else + dataptr = im->data + (y * im->w); + +- for (x = 0; x < im->w; x++) /* for each pixel in the row */ ++ for (x = 0; ++ x < im->w && bufptr+bpp/8 < bufend; ++ x++) /* for each pixel in the row */ + { + switch (bpp) + { +@@ -422,8 +428,8 @@ + unsigned char curbyte, red, green, blue, alpha; + DATA32 *final_pixel = dataptr + im->w * im->h; + +- /* loop until we've got all the pixels */ +- while (dataptr < final_pixel) ++ /* loop until we've got all the pixels or run out of input */ ++ while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend) + { + int count; + +@@ -441,7 +447,7 @@ + green = *bufptr++; + red = *bufptr++; + alpha = *bufptr++; +- for (i = 0; i < count; i++) ++ for (i = 0; i < count && dataptr < final_pixel; i++) + { + WRITE_RGBA(dataptr, red, green, blue, alpha); + dataptr++; +@@ -452,7 +458,7 @@ + blue = *bufptr++; + green = *bufptr++; + red = *bufptr++; +- for (i = 0; i < count; i++) ++ for (i = 0; i < count && dataptr < final_pixel; i++) + { + WRITE_RGBA(dataptr, red, green, blue, + (char)0xff); +@@ -462,7 +468,7 @@ + + case 8: + alpha = *bufptr++; +- for (i = 0; i < count; i++) ++ for (i = 0; i < count && dataptr < final_pixel; i++) + { + WRITE_RGBA(dataptr, alpha, alpha, alpha, + (char)0xff); +@@ -477,7 +483,7 @@ + { + int i; + +- for (i = 0; i < count; i++) ++ for (i = 0; i < count && dataptr < final_pixel; i++) + { + switch (bpp) + { +diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c +--- imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2006-11-06 01:27:59.000000000 -0800 ++++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c 2006-11-06 01:30:41.000000000 -0800 +@@ -75,7 +75,7 @@ + raster(TIFFRGBAImage_Extra * img, uint32 * rast, + uint32 x, uint32 y, uint32 w, uint32 h) + { +- uint32 image_width, image_height; ++ int image_width, image_height; + uint32 *pixel, pixel_value; + int i, j, dy, rast_offset; + DATA32 *buffer_pixel, *buffer = img->image->data; +@@ -192,8 +192,16 @@ + } + + rgba_image.image = im; +- im->w = width = rgba_image.rgba.width; +- im->h = height = rgba_image.rgba.height; ++ width = rgba_image.rgba.width; ++ height = rgba_image.rgba.height; ++ if (width < 1 || height < 1 || width >= 16384 || height >= 16384) ++ { ++ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image); ++ TIFFClose(tif); ++ return 0; ++ } ++ im->w = width; ++ im->h = height; + rgba_image.num_pixels = num_pixels = width * height; + if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) + SET_FLAG(im->flags, F_HAS_ALPHA); diff --git a/imlib2.spec b/imlib2.spec index 8455da6..482da1a 100644 --- a/imlib2.spec +++ b/imlib2.spec @@ -1,23 +1,24 @@ -Summary: Image loading, saving, rendering, and manipulation library -Name: imlib2 -Version: 1.3.0 -Release: 2%{?dist} -License: BSD -Group: System Environment/Libraries -URL: http://www.enlightenment.org/Libraries/Imlib2/ -Source0: http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz -Patch0: imlib2-1.2.1-X11-path.patch +Summary: Image loading, saving, rendering, and manipulation library +Name: imlib2 +Version: 1.3.0 +Release: 3%{?dist} +License: BSD +Group: System Environment/Libraries +URL: http://www.enlightenment.org/Libraries/Imlib2/ +Source0: http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz +Patch0: imlib2-1.2.1-X11-path.patch Patch1: imlib2-1.3.0-multilib.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot -BuildRequires: libjpeg-devel libpng-devel libtiff-devel -BuildRequires: giflib-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel -BuildRequires: libX11-devel libXext-devel libid3tag-devel pkgconfig +Patch2: imlib2-1.3.0-loader_overflows.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot +BuildRequires: libjpeg-devel libpng-devel libtiff-devel +BuildRequires: giflib-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel +BuildRequires: libX11-devel libXext-devel libid3tag-devel pkgconfig %package devel -Summary: Development package for %{name} -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} -Requires: libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig +Summary: Development package for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig %description @@ -45,6 +46,7 @@ flexible. %setup -q %patch0 -p1 -b .x11-path %patch1 -p1 -b .multilib +%patch2 -p1 -b .overflow # sigh stop autoxxx from rerunning because of our patches above. touch aclocal.m4 touch configure @@ -114,6 +116,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Nov 9 2006 Hans de Goede 1.3.0-3 +- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to + Ubuntu for the patch (bug 214676) + * Thu Oct 26 2006 Hans de Goede 1.3.0-2 - Multilib devel goodness (make -devel i386 and x86_64 parallel installable) - Fix bug 212469