SECURITY for CVE-2012-4405, from Redhat.

Note that our ghostscript port isn't affected by this bug (because
it doesn't build/use libicc).

ok jasper@
This commit is contained in:
kili 2012-09-25 19:51:31 +00:00
parent 7405d8333e
commit 421c7c8791
2 changed files with 22 additions and 2 deletions

View File

@ -1,11 +1,11 @@
# $OpenBSD: Makefile,v 1.2 2011/11/13 13:54:04 ajacoutot Exp $
# $OpenBSD: Makefile,v 1.3 2012/09/25 19:51:31 kili Exp $
COMMENT= ICC compatible color management system
V= 1.1.0-20100201
DISTNAME= hargyllcms-${V}
PKGNAME= argyll-${V:S/-/./}
REVISION= 0
REVISION= 1
CATEGORIES= graphics sysutils

View File

@ -0,0 +1,20 @@
$OpenBSD: patch-icc_icc_c,v 1.1 2012/09/25 19:51:31 kili Exp $
Fix for CVE-2012-4405 (heap-based buffer overflow). From Redhat.
https://bugzilla.redhat.com/show_bug.cgi?id=854227
--- icc/icc.c.orig Sun Jan 17 05:04:35 2010
+++ icc/icc.c Tue Sep 25 20:18:11 2012
@@ -6050,6 +6050,11 @@ static int icmLut_read(
p->clutPoints = read_UInt8Number(bp+10);
/* Sanity check */
+ if (p->inputChan < 1) {
+ sprintf(icp->err,"icmLut_read: No input channels!");
+ return icp->errc = 1;
+ }
+
if (p->inputChan > MAX_CHAN) {
sprintf(icp->err,"icmLut_read: Can't handle > %d input channels\n",MAX_CHAN);
return icp->errc = 1;