Security fix for CVE-2007-0243:

Buffer overflow allows applets to gain privileges via a GIF image with a
block with a 0 width field, which triggers memory corruption and possible
execution of arbitrary code.
kurt 2007-01-28 04:45:04 +00:00
parent 0d506d9988
commit 10c96fb157
6 changed files with 68 additions and 6 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.22 2006/11/22 14:58:03 kurt Exp $
# $OpenBSD: Makefile,v 1.23 2007/01/28 04:46:48 kurt Exp $
# $FreeBSD: ports/java/jdk12/Makefile,v 1.11 2002/08/19 20:47:04 glewis Exp $
ONLY_FOR_ARCHS= arm i386 powerpc sparc
@ -7,8 +7,9 @@ COMMENT-main= "Java2(TM) Standard Edition Dev Kit v${V}"
COMMENT-jre= "Java2(TM) Standard Edition Runtime Environment v${V}"
V= 1.3.1
DISTNAME= j2sdk-1_3_1-src
PKGNAME-main= jdk-${V}p9
PKGNAME-jre= jre-${V}p9
PKGNAME= jdk-${V}p10
PKGNAME-main= jdk-${V}p10
PKGNAME-jre= jre-${V}p10
CATEGORIES= devel/jdk java


@ -0,0 +1,18 @@
$OpenBSD: patch-j2sdk1_3_1_src_share_classes_sun_awt_image_GifImageDecoder_java,v 1.1 2007/01/28 04:46:48 kurt Exp $
--- j2sdk1.3.1/src/share/classes/sun/awt/image/GifImageDecoder.java.orig Sat Jan 27 17:18:05 2007
+++ j2sdk1.3.1/src/share/classes/sun/awt/image/GifImageDecoder.java Sat Jan 27 17:18:55 2007
@@ -499,6 +499,14 @@ public class GifImageDecoder extends Ima
int y = ExtractWord(block, 2);
int width = ExtractWord(block, 4);
int height = ExtractWord(block, 6);
+
+ if (width == 0 && global_width != 0) {
+ width = global_width - x;
+ }
+ if (height == 0 && global_height != 0) {
+ height = global_height - y;
+ }
+
boolean interlace = (block[8] & INTERLACEMASK) != 0;
IndexColorModel model = global_model;
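Review bot: The fallback `width = global_width - x;` and `height = global_height - y;` are not range-checked, so a block whose x or y offset is at or beyond the logical screen size still leaves a zero or negative dimension, and a block with `global_width == 0` keeps `width == 0` unchanged. In those cases the only protection visible in this commit is the `width > 0` guard added to the native loop in gifdecoder.c. I would reject the block right after the fallback with a check such as `if (width <= 0 || height <= 0) { /* malformed image block: take the method's existing error path */ }`, so that the Java side does not hand non-positive dimensions to native code. The enclosing method starts and ends outside the hunk, so a later validation may already exist there. The identical hunk in the 1.4.2 patch (`@@ -497,6 +497,14 @@`) has the same gap.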


@ -0,0 +1,12 @@
$OpenBSD: patch-j2sdk1_3_1_src_share_native_sun_awt_image_gif_gifdecoder_c,v 1.1 2007/01/28 04:46:48 kurt Exp $
--- j2sdk1.3.1/src/share/native/sun/awt/image/gif/gifdecoder.c.orig Sat Jan 27 17:17:07 2007
+++ j2sdk1.3.1/src/share/native/sun/awt/image/gif/gifdecoder.c Sat Jan 27 17:17:44 2007
@@ -369,7 +369,7 @@ Java_sun_awt_image_GifImageDecoder_parse
* been stacked LIFO, so deal with it that way...
*/
len = OUTCODELENGTH - outCount;
- while (--len >= 0) {
+ while ((width > 0) && (--len >= 0)) {
rasline[off++] = outCode[outCount++];
/* Update the X-coordinate, and if it overflows, update the
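Review bot: The new condition `while ((width > 0) && (--len >= 0))` carries no comment explaining why the width test is there, so a later cleanup could drop it as redundant. I would add `/* A zero-width image block must never store into rasline (CVE-2007-0243). */` above the loop. Nothing in the hunk shows `width` changing inside the loop, so if it is invariant, a single check before decoding starts would state the intent more clearly than re-testing it per pixel. Whether a zero height needs the same treatment cannot be judged from these lines, since the function body continues outside the hunk. The same applies to the 1.4.2 patch hunk at `@@ -366,7 +366,7 @@`.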


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.20 2006/12/14 09:07:55 steven Exp $
# $OpenBSD: Makefile,v 1.21 2007/01/28 04:45:04 kurt Exp $
# $FreeBSD: /repoman/r/pcvs/ports/java/jdk14/Makefile,v 1.79 2004/08/18 07:06:03 glewis Exp $
ONLY_FOR_ARCHS= i386
@ -7,8 +7,9 @@ COMMENT-main= "Java2(TM) Standard Edition Dev Kit v${V}"
COMMENT-jre= "Java2(TM) Standard Edition Runtime Environment v${V}"
V= 1.4.2
DISTNAME= j2sdk-1_4_2
PKGNAME-main= jdk-${V}p11
PKGNAME-jre= jre-${V}p11
PKGNAME= jdk-${V}p12
PKGNAME-main= jdk-${V}p12
PKGNAME-jre= jre-${V}p12
CATEGORIES= devel/jdk java


@ -0,0 +1,18 @@
$OpenBSD: patch-j2se_src_share_classes_sun_awt_image_GifImageDecoder_java,v 1.1 2007/01/28 04:45:04 kurt Exp $
--- j2se/src/share/classes/sun/awt/image/GifImageDecoder.java.orig Sat Jan 27 17:10:00 2007
+++ j2se/src/share/classes/sun/awt/image/GifImageDecoder.java Sat Jan 27 17:11:11 2007
@@ -497,6 +497,14 @@ public class GifImageDecoder extends Ima
int y = ExtractWord(block, 2);
int width = ExtractWord(block, 4);
int height = ExtractWord(block, 6);
+
+ if (width == 0 && global_width != 0) {
+ width = global_width - x;
+ }
+ if (height == 0 && global_height != 0) {
+ height = global_height - y;
+ }
+
boolean interlace = (block[8] & INTERLACEMASK) != 0;
IndexColorModel model = global_model;


@ -0,0 +1,12 @@
$OpenBSD: patch-j2se_src_share_native_sun_awt_image_gif_gifdecoder_c,v 1.1 2007/01/28 04:45:04 kurt Exp $
--- j2se/src/share/native/sun/awt/image/gif/gifdecoder.c.orig Sat Jan 27 17:11:30 2007
+++ j2se/src/share/native/sun/awt/image/gif/gifdecoder.c Sat Jan 27 17:12:02 2007
@@ -366,7 +366,7 @@ Java_sun_awt_image_GifImageDecoder_parse
* been stacked LIFO, so deal with it that way...
*/
len = OUTCODELENGTH - outCount;
- while (--len >= 0) {
+ while ((width > 0) && (--len >= 0)) {
rasline[off++] = outCode[outCount++];
/* Update the X-coordinate, and if it overflows, update the