Security fix for CVE-2009-3909

Gimp PSD Image Parsing Integer Overflow Vulnerability

From upstream git.

ok giovanni@ (MAINTAINER)
jasper 2009-11-17 19:15:05 +00:00
parent 036babf22d
commit 71d09c4ee1
3 changed files with 131 additions and 2 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.52 2009/11/12 16:35:56 jasper Exp $
# $OpenBSD: Makefile,v 1.53 2009/11/17 19:15:05 jasper Exp $
COMMENT= GNU Image Manipulation Program
@ -12,7 +12,7 @@ SHARED_LIBS= gimp-2.0 267.0 \
gimpthumb-2.0 267.0 \
gimpui-2.0 267.0 \
gimpwidgets-2.0 267.0
PKGNAME= ${DISTNAME}p0
PKGNAME= ${DISTNAME}p1
CATEGORIES= graphics
MAINTAINER= Giovanni Bechis <giovanni@openbsd.org>


@ -0,0 +1,74 @@
$OpenBSD: patch-plug-ins_file-psd_psd-load_c,v 1.1 2009/11/17 19:15:05 jasper Exp $
Security fix for CVE-2009-3909
Gimp PSD Image Parsing Integer Overflow Vulnerability
From upstream git:
- 9cc8d78ff33b7a36852b74e64b427489cad44d0e
- 0e440cb6d4d6ee029667363d244aff61b154c33c
--- plug-ins/file-psd/psd-load.c.orig Tue Nov 17 19:15:20 2009
+++ plug-ins/file-psd/psd-load.c Tue Nov 17 19:15:48 2009
@@ -542,10 +542,10 @@ read_layer_block (PSDimage *img_a,
psd_set_error (feof (f), errno, error);
return NULL;
}
- lyr_a[lidx]->top = GUINT32_FROM_BE (lyr_a[lidx]->top);
- lyr_a[lidx]->left = GUINT32_FROM_BE (lyr_a[lidx]->left);
- lyr_a[lidx]->bottom = GUINT32_FROM_BE (lyr_a[lidx]->bottom);
- lyr_a[lidx]->right = GUINT32_FROM_BE (lyr_a[lidx]->right);
+ lyr_a[lidx]->top = GINT32_FROM_BE (lyr_a[lidx]->top);
+ lyr_a[lidx]->left = GINT32_FROM_BE (lyr_a[lidx]->left);
+ lyr_a[lidx]->bottom = GINT32_FROM_BE (lyr_a[lidx]->bottom);
+ lyr_a[lidx]->right = GINT32_FROM_BE (lyr_a[lidx]->right);
lyr_a[lidx]->num_channels = GUINT16_FROM_BE (lyr_a[lidx]->num_channels);
if (lyr_a[lidx]->num_channels > MAX_CHANNELS)
@@ -691,13 +691,13 @@ read_layer_block (PSDimage *img_a,
return NULL;
}
lyr_a[lidx]->layer_mask.top =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
lyr_a[lidx]->layer_mask.left =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
lyr_a[lidx]->layer_mask.bottom =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
lyr_a[lidx]->layer_mask.right =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
lyr_a[lidx]->layer_mask.mask_flags.relative_pos =
lyr_a[lidx]->layer_mask.flags & 1 ? TRUE : FALSE;
lyr_a[lidx]->layer_mask.mask_flags.disabled =
@@ -723,21 +723,21 @@ read_layer_block (PSDimage *img_a,
return NULL;
}
lyr_a[lidx]->layer_mask_extra.top =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.top);
lyr_a[lidx]->layer_mask_extra.left =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.left);
lyr_a[lidx]->layer_mask_extra.bottom =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.bottom);
lyr_a[lidx]->layer_mask_extra.right =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask_extra.right);
lyr_a[lidx]->layer_mask.top =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.top);
lyr_a[lidx]->layer_mask.left =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.left);
lyr_a[lidx]->layer_mask.bottom =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.bottom);
lyr_a[lidx]->layer_mask.right =
- GUINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
+ GINT32_FROM_BE (lyr_a[lidx]->layer_mask.right);
lyr_a[lidx]->layer_mask.mask_flags.relative_pos =
lyr_a[lidx]->layer_mask.flags & 1 ? TRUE : FALSE;
lyr_a[lidx]->layer_mask.mask_flags.disabled =
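Review bot: None of the three hunks in read_layer_block adds a range check after the switch to `GINT32_FROM_BE`, so a file can still supply top/left/bottom/right values whose difference is negative or does not fit in 32 bits. With signed fields, `bottom - top` and `right - left` are signed subtractions, where overflow is undefined behaviour rather than wrap-around. The extent should therefore be computed in a wider type, e.g. `gint64 h = (gint64) lyr_a[lidx]->bottom - lyr_a[lidx]->top;`, and rejected on the existing `return NULL` error path when it is negative or above the image size limit; the same applies to the `layer_mask` and `layer_mask_extra` rectangles in the second and third hunks. read_layer_block starts and ends outside these hunks, so such a check may already exist further down; if it does, a short comment next to the conversions pointing at it would help.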


@ -0,0 +1,55 @@
$OpenBSD: patch-plug-ins_file-psd_psd_h,v 1.1 2009/11/17 19:15:05 jasper Exp $
Security fix for CVE-2009-3909
Gimp PSD Image Parsing Integer Overflow Vulnerability
From upstream git:
- 9cc8d78ff33b7a36852b74e64b427489cad44d0e
- 0e440cb6d4d6ee029667363d244aff61b154c33c
--- plug-ins/file-psd/psd.h.orig Mon Jul 20 22:20:51 2009
+++ plug-ins/file-psd/psd.h Tue Nov 17 19:15:48 2009
@@ -447,10 +447,10 @@ typedef struct
/* PSD Layer mask data (length 20) */
typedef struct
{
- guint32 top; /* Layer top */
- guint32 left; /* Layer left */
- guint32 bottom; /* Layer bottom */
- guint32 right; /* Layer right */
+ gint32 top; /* Layer top */
+ gint32 left; /* Layer left */
+ gint32 bottom; /* Layer bottom */
+ gint32 right; /* Layer right */
guchar def_color; /* Default background colour */
guchar flags; /* Layer flags */
guchar extra_def_color; /* Real default background colour */
@@ -461,20 +461,20 @@ typedef struct
/* PSD Layer mask data (length 36) */
typedef struct
{
- guint32 top; /* Layer top */
- guint32 left; /* Layer left */
- guint32 bottom; /* Layer bottom */
- guint32 right; /* Layer right */
+ gint32 top; /* Layer top */
+ gint32 left; /* Layer left */
+ gint32 bottom; /* Layer bottom */
+ gint32 right; /* Layer right */
} LayerMaskExtra;
/* PSD Layer data structure */
typedef struct
{
gboolean drop; /* Do not add layer to GIMP image */
- guint32 top; /* Layer top */
- guint32 left; /* Layer left */
- guint32 bottom; /* Layer bottom */
- guint32 right; /* Layer right */
+ gint32 top; /* Layer top */
+ gint32 left; /* Layer left */
+ gint32 bottom; /* Layer bottom */
+ gint32 right; /* Layer right */
guint16 num_channels; /* Number of channels */
ChannelLengthInfo *chn_info; /* Channel length info */
gchar mode_key[4]; /* Blend mode key */
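Review bot: The field comments in the three structs touched here still read `/* Layer top */` and so on, with no mention that the values are now signed. Since the signedness is the point of the change, I would record it where the type is declared, e.g. `gint32 top; /* Layer top (signed; may be negative) */`, and likewise for left, bottom and right. Any code that compares these fields with unsigned image dimensions would now mix signed and unsigned operands; that code is not in these hunks, so it is worth building once with `-Wsign-compare` after the patch is applied. The first and third struct definitions continue past the end of their hunks.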