From 051e65a1bf255866532951a053f3956216d490a1 Mon Sep 17 00:00:00 2001 From: brad Date: Sun, 19 Sep 2004 23:41:32 +0000 Subject: [PATCH] fixes a DoS issue with the BMP decoder, integer overflow and heap-based buffer overflow with the XPM decoder, and integer overflow with the ICO decoder. CAN-2004-0753, CAN-2004-0782, CAN-2004-0788 --- graphics/gdk-pixbuf/Makefile | 3 +- .../patches/patch-gdk-pixbuf_io-bmp_c | 15 ++++++++ .../patches/patch-gdk-pixbuf_io-ico_c | 15 ++++++++ .../patches/patch-gdk-pixbuf_io-xpm_c | 37 +++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c create mode 100644 graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c create mode 100644 graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c diff --git a/graphics/gdk-pixbuf/Makefile b/graphics/gdk-pixbuf/Makefile index 658b1ce8e98..35191e10395 100644 --- a/graphics/gdk-pixbuf/Makefile +++ b/graphics/gdk-pixbuf/Makefile @@ -1,10 +1,11 @@ -# $OpenBSD: Makefile,v 1.31 2004/06/20 20:00:18 naddy Exp $ +# $OpenBSD: Makefile,v 1.32 2004/09/19 23:41:32 brad Exp $ COMMENT= "GdkPixbuf graphics library" COMMENT-gnome= "GdkPixbuf graphics library (GNOME Canvas)" VERSION= 0.22.0 DISTNAME= gdk-pixbuf-${VERSION} +PKGNAME= ${DISTNAME}p1 PKGNAME-gnome= gdk-pixbuf-gnome-${VERSION} CATEGORIES= graphics diff --git a/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c new file mode 100644 index 00000000000..1b261eb84fb --- /dev/null +++ b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c 
@@ -0,0 +1,15 @@
+$OpenBSD: patch-gdk-pixbuf_io-bmp_c,v 1.1 2004/09/19 23:41:32 brad Exp $
+--- gdk-pixbuf/io-bmp.c.orig Sat Sep 18 22:08:18 2004
++++ gdk-pixbuf/io-bmp.c Sat Sep 18 22:16:29 2004
+@@ -870,8 +870,10 @@ DoCompressed(struct bmp_progressive_stat
+ guchar c;
+ gint idx;
+
+- if (context->compr.y >= context->Header.height)
++ if (context->compr.y >= context->Header.height) {
++ context->BufferDone = 0;
+ return TRUE;
++ }
+
+ y = context->compr.y;
+
diff --git a/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c
new file mode 100644
index 00000000000..bd95bd88dfa
--- /dev/null
+++ b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c
@@ -0,0 +1,15 @@
+$OpenBSD: patch-gdk-pixbuf_io-ico_c,v 1.1 2004/09/19 23:41:32 brad Exp $
+--- gdk-pixbuf/io-ico.c.orig Sat Sep 18 22:16:41 2004
++++ gdk-pixbuf/io-ico.c Sat Sep 18 22:17:54 2004
+@@ -330,6 +330,11 @@ DecodeHeader (guchar *Data, gint Bytes,
+
+ State->HeaderSize+=I;
+
++ if (State->HeaderSize < 0) {
++ g_error ("DecodeHeader(): Invalid header in icon");
++ return;
++ }
++
+ if (State->HeaderSize>State->BytesInHeaderBuf) {
+ guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
+ if (!tmp)
diff --git a/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c
new file mode 100644
index 00000000000..da672521423
--- /dev/null
+++ b/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c
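Review bot: The reset added in the `compr.y >= Header.height` branch of DoCompressed carries no comment explaining why clearing `BufferDone` belongs on an early-return path, and nothing in the hunk shows what reads that field. Presumably the caller's read loop only consumes more input once `BufferDone` is back at zero, so returning without the reset left it spinning on any data that follows the last row. That reasoning should sit next to the assignment, e.g. `/* image complete: reset the buffer so trailing input is consumed instead of re-entering here forever */`. DoCompressed starts and ends outside the hunk, so the caller's side of this should be confirmed against the full file.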
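Review bot: `g_error()` in the new `State->HeaderSize < 0` branch logs at GLib's fatal level and aborts the process, so the `return;` after it is never reached and a malformed icon still terminates the application that loads it. Using `g_warning ("DecodeHeader(): Invalid header in icon");` before the existing `return;` would reject the file without taking the process down. The test also runs only after `State->HeaderSize+=I;` has been evaluated, so it depends on a signed overflow wrapping to a negative value; validating `I` against the remaining range before the addition would avoid relying on that. DecodeHeader continues beyond the hunk, so how the early return is reported to the caller is not visible here.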
@@ -0,0 +1,37 @@
+$OpenBSD: patch-gdk-pixbuf_io-xpm_c,v 1.1 2004/09/19 23:41:32 brad Exp $
+--- gdk-pixbuf/io-xpm.c.orig Sat Sep 18 22:04:13 2004
++++ gdk-pixbuf/io-xpm.c Sat Sep 18 22:06:26 2004
+@@ -352,17 +352,30 @@ pixbuf_create_from_xpm (const gchar * (*
+ return NULL;
+ }
+ sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+- if (cpp >= 32) {
++ if (cpp <= 0 || cpp >= 32) {
+ g_warning ("XPM has more than 31 chars per pixel.");
+ return NULL;
+ }
++ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
++ g_warning ("XPM file has invalid number of colors.");
++ return NULL;
++ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+ name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (_XPMColor, n_col);
+-
++ if (!name_buf) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++ colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
++ if (!colors) {
++ g_warning ("Cannot allocate memory for loading XPM image.");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
+
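Review bot: The new `n_col` bound only covers the `n_col * (cpp + 1)` product used for `name_buf`; the `sizeof (_XPMColor) * n_col` passed to `g_malloc` a few lines later is not bounded, so with a small `cpp` an accepted `n_col` can still make that multiplication wrap where the size type is 32 bits. Extending the guard to `if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) || n_col >= G_MAXINT / sizeof (_XPMColor)) {` closes that gap. The `if (!name_buf)` and `if (!colors)` branches are likely unreachable, because `g_new` and `g_malloc` abort on allocation failure rather than returning NULL, and the `colors` branch would leak `name_buf` if it were ever taken, so it needs `g_free (name_buf);` before the return. The return value of `sscanf` is also unchecked, so `w`, `h`, `n_col` and `cpp` may be read uninitialised on a short or malformed header line. pixbuf_create_from_xpm starts and ends outside the hunk.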