Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.

2009-12-15 10:05:55 +00:00 · 2009-12-15 10:05:55 +00:00 · 9fcf2469b9
commit 9fcf2469b9
parent c225562c7c
3 changed files with 120 additions and 2 deletions
--- a/editors/xemacs21/stable/Makefile
+++ b/editors/xemacs21/stable/Makefile
@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.6 2009/08/10 06:31:09 kili Exp $
+# $OpenBSD: Makefile,v 1.7 2009/12/15 10:05:55 jasper Exp $

 BRANCH=		21.4
 VERSION=	19
-PKGNAME=	${DISTNAME}p9
+PKGNAME=	${DISTNAME}p10

 WANTLIB=	c m ncurses util

--- a/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
+++ b/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
@ -0,0 +1,98 @@
+$OpenBSD: patch-src_glyphs-eimage_c,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/glyphs-eimage.c.orig	Mon Jan 31 03:55:17 2005
+++ src/glyphs-eimage.c	Tue Dec 15 10:57:11 2009
+@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+    */
+ 
+   {
+    UINT_64_BIT pixels_sq;
+     int jpeg_gray = 0;		/* if we're dealing with a grayscale */
+     /* Step 4: set parameters for decompression.   */
+ 
+@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+     jpeg_start_decompress (&cinfo);
+ 
+     /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
+    pixels_sq =
+      (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
+    if (pixels_sq > ((size_t) -1) / 3)
+      signal_image_error ("JPEG image too large to instantiate", instantiator);
+     unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3);
+     if (!unwind.eimage)
+       signal_image_error("Unable to allocate enough memory for image", instantiator);
+@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+   {
+     ColorMapObject *cmo = unwind.giffile->SColorMap;
+     int i, j, row, pass, interlace, slice;
+    UINT_64_BIT pixels_sq;
+     unsigned char *eip;
+     /* interlaced gifs have rows in this order:
+        0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ...  */
+@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+ 
+     height = unwind.giffile->SHeight;
+     width = unwind.giffile->SWidth;
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
+      signal_image_error ("GIF image too large to instantiate", instantiator);
+     unwind.eimage = (unsigned char*)
+       xmalloc (width * height * 3 * unwind.giffile->ImageCount);
+     if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+   {
+     int y;
+     unsigned char **row_pointers;
+    UINT_64_BIT pixels_sq;
+     height = info_ptr->height;
+     width = info_ptr->width;
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq > ((size_t) -1) / 3)
+      signal_image_error ("PNG image too large to instantiate", instantiator);
+ 
+     /* Wow, allocate all the memory.  Truly, exciting. */
+-    unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3);
+    unwind.eimage = xnew_array_and_zero (unsigned char, pixels_sq * 3);
+     /* libpng expects that the image buffer passed in contains a
+        picture to draw on top of if the png has any transparencies.
+        This could be a good place to pass that in... */
+@@ -986,7 +998,7 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+       png_set_expand (png_ptr);
+     /* send grayscale images to RGB too */
+     if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY ||
+-        info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+	info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+       png_set_gray_to_rgb (png_ptr);
+     /* we can't handle alpha values */
+     if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
+@@ -1260,6 +1272,7 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+ 
+     uint32 *raster;
+     unsigned char *ep;
+    UINT_64_BIT pixels_sq;
+ 
+     assert (!NILP (data));
+ 
+@@ -1282,12 +1295,15 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+ 
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+-    unwind.eimage = (unsigned char *) xmalloc (width * height * 3);
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq >= 1 << 29)
+      signal_image_error ("TIFF image too large to instantiate", instantiator);
+    unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3);
+ 
+     /* #### This is little more than proof-of-concept/function testing.
+        It needs to be reimplemented via scanline reads for both memory
+        compactness. */
+-    raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
+    raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+     if (raster != NULL)
+       {
+ 	int i,j;
--- a/editors/xemacs21/stable/patches/patch-src_lisp_h
+++ b/editors/xemacs21/stable/patches/patch-src_lisp_h
@ -0,0 +1,20 @@
+$OpenBSD: patch-src_lisp_h,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/lisp.h.orig	Tue Dec 15 10:57:22 2009
+++ src/lisp.h	Tue Dec 15 10:57:44 2009
+@@ -265,6 +265,11 @@ void assert_failed (const char *, int, const char *);
+ /*#define REGISTER register*/
+ /*#endif*/
+ 
+#if SIZEOF_LONG == 8
+#define UINT_64_BIT unsigned long
+#elif SIZEOF_LONG_LONG == 8
+#define UINT_64_BIT unsigned long long
+#endif
+ 
+ /* EMACS_INT is the underlying integral type into which a Lisp_Object must fit.
+    In particular, it must be large enough to contain a pointer.