fixes a DoS issue with the BMP decoder, integer overflow and heap-based
buffer overflow with the XPM decoder, and integer overflow with the ICO decoder. CAN-2004-0753, CAN-2004-0782, CAN-2004-0788
This commit is contained in:
parent
be6617f5f7
commit
051e65a1bf
@ -1,10 +1,11 @@
|
||||
# $OpenBSD: Makefile,v 1.31 2004/06/20 20:00:18 naddy Exp $
|
||||
# $OpenBSD: Makefile,v 1.32 2004/09/19 23:41:32 brad Exp $
|
||||
|
||||
COMMENT= "GdkPixbuf graphics library"
|
||||
COMMENT-gnome= "GdkPixbuf graphics library (GNOME Canvas)"
|
||||
|
||||
VERSION= 0.22.0
|
||||
DISTNAME= gdk-pixbuf-${VERSION}
|
||||
PKGNAME= ${DISTNAME}p1
|
||||
PKGNAME-gnome= gdk-pixbuf-gnome-${VERSION}
|
||||
CATEGORIES= graphics
|
||||
|
||||
|
15
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c
Normal file
15
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c
Normal file
@ -0,0 +1,15 @@
|
||||
$OpenBSD: patch-gdk-pixbuf_io-bmp_c,v 1.1 2004/09/19 23:41:32 brad Exp $
|
||||
--- gdk-pixbuf/io-bmp.c.orig Sat Sep 18 22:08:18 2004
|
||||
+++ gdk-pixbuf/io-bmp.c Sat Sep 18 22:16:29 2004
|
||||
@@ -870,8 +870,10 @@ DoCompressed(struct bmp_progressive_stat
|
||||
guchar c;
|
||||
gint idx;
|
||||
|
||||
- if (context->compr.y >= context->Header.height)
|
||||
+ if (context->compr.y >= context->Header.height) {
|
||||
+ context->BufferDone = 0;
|
||||
return TRUE;
|
||||
+ }
|
||||
|
||||
y = context->compr.y;
|
||||
|
15
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c
Normal file
15
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-ico_c
Normal file
@ -0,0 +1,15 @@
|
||||
$OpenBSD: patch-gdk-pixbuf_io-ico_c,v 1.1 2004/09/19 23:41:32 brad Exp $
|
||||
--- gdk-pixbuf/io-ico.c.orig Sat Sep 18 22:16:41 2004
|
||||
+++ gdk-pixbuf/io-ico.c Sat Sep 18 22:17:54 2004
|
||||
@@ -330,6 +330,11 @@ DecodeHeader (guchar *Data, gint Bytes,
|
||||
|
||||
State->HeaderSize+=I;
|
||||
|
||||
+ if (State->HeaderSize < 0) {
|
||||
+ g_error ("DecodeHeader(): Invalid header in icon");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (State->HeaderSize>State->BytesInHeaderBuf) {
|
||||
guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
|
||||
if (!tmp)
|
37
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c
Normal file
37
graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-xpm_c
Normal file
@ -0,0 +1,37 @@
|
||||
$OpenBSD: patch-gdk-pixbuf_io-xpm_c,v 1.1 2004/09/19 23:41:32 brad Exp $
|
||||
--- gdk-pixbuf/io-xpm.c.orig Sat Sep 18 22:04:13 2004
|
||||
+++ gdk-pixbuf/io-xpm.c Sat Sep 18 22:06:26 2004
|
||||
@@ -352,17 +352,30 @@ pixbuf_create_from_xpm (const gchar * (*
|
||||
return NULL;
|
||||
}
|
||||
sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
|
||||
- if (cpp >= 32) {
|
||||
+ if (cpp <= 0 || cpp >= 32) {
|
||||
g_warning ("XPM has more than 31 chars per pixel.");
|
||||
return NULL;
|
||||
}
|
||||
+ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
|
||||
+ g_warning ("XPM file has invalid number of colors.");
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
/* The hash is used for fast lookups of color from chars */
|
||||
color_hash = g_hash_table_new (g_str_hash, g_str_equal);
|
||||
|
||||
name_buf = g_new (gchar, n_col * (cpp + 1));
|
||||
- colors = g_new (_XPMColor, n_col);
|
||||
-
|
||||
+ if (!name_buf) {
|
||||
+ g_warning ("Cannot allocate memory for loading XPM image.");
|
||||
+ g_hash_table_destroy (color_hash);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col);
|
||||
+ if (!colors) {
|
||||
+ g_warning ("Cannot allocate memory for loading XPM image.");
|
||||
+ g_hash_table_destroy (color_hash);
|
||||
+ return NULL;
|
||||
+ }
|
||||
for (cnt = 0; cnt < n_col; cnt++) {
|
||||
gchar *color_name;
|
||||
|
Loading…
Reference in New Issue
Block a user