diff --git a/editors/xemacs21/stable/Makefile b/editors/xemacs21/stable/Makefile
index 8f274e46dc2..f0d4cc9ecce 100644
--- a/editors/xemacs21/stable/Makefile
+++ b/editors/xemacs21/stable/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.6 2009/08/10 06:31:09 kili Exp $
+# $OpenBSD: Makefile,v 1.7 2009/12/15 10:05:55 jasper Exp $
 BRANCH= 21.4
 VERSION= 19
-PKGNAME= ${DISTNAME}p9
+PKGNAME= ${DISTNAME}p10
 WANTLIB= c m ncurses util
diff --git a/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c b/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
new file mode 100644
index 00000000000..1a0b60b9149
--- /dev/null
+++ b/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
@@ -0,0 +1,98 @@
+$OpenBSD: patch-src_glyphs-eimage_c,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/glyphs-eimage.c.orig Mon Jan 31 03:55:17 2005
++++ src/glyphs-eimage.c Tue Dec 15 10:57:11 2009
+@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+ */
+ 
+ {
++ UINT_64_BIT pixels_sq;
+ int jpeg_gray = 0; /* if we're dealing with a grayscale */
+ /* Step 4: set parameters for decompression. */
+ 
+@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+ jpeg_start_decompress (&cinfo);
+ 
+ /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++ pixels_sq =
++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("JPEG image too large to instantiate", instantiator);
+ unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3);
+ if (!unwind.eimage)
+ signal_image_error("Unable to allocate enough memory for image", instantiator);
+@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+ {
+ ColorMapObject *cmo = unwind.giffile->SColorMap;
+ int i, j, row, pass, interlace, slice;
++ UINT_64_BIT pixels_sq;
+ unsigned char *eip;
+ /* interlaced gifs have rows in this order:
+ 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
+@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+ 
+ height = unwind.giffile->SHeight;
+ width = unwind.giffile->SWidth;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++ signal_image_error ("GIF image too large to instantiate", instantiator);
+ unwind.eimage = (unsigned char*)
+ xmalloc (width * height * 3 * unwind.giffile->ImageCount);
+ if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+ {
+ int y;
+ unsigned char **row_pointers;
++ UINT_64_BIT pixels_sq;
+ height = info_ptr->height;
+ width = info_ptr->width;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("PNG image too large to instantiate", instantiator);
+ 
+ /* Wow, allocate all the memory. Truly, exciting. */
+- unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3);
++ unwind.eimage = xnew_array_and_zero (unsigned char, pixels_sq * 3);
+ /* libpng expects that the image buffer passed in contains a
+ picture to draw on top of if the png has any transparencies.
+ This could be a good place to pass that in... */
+@@ -986,7 +998,7 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+ png_set_expand (png_ptr);
+ /* send grayscale images to RGB too */
+ if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY ||
+- info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
++ info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+ png_set_gray_to_rgb (png_ptr);
+ /* we can't handle alpha values */
+ if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
+@@ -1260,6 +1272,7 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+ 
+ uint32 *raster;
+ unsigned char *ep;
++ UINT_64_BIT pixels_sq;
+ 
+ assert (!NILP (data));
+ 
+@@ -1282,12 +1295,15 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+ 
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+- unwind.eimage = (unsigned char *) xmalloc (width * height * 3);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq >= 1 << 29)
++ signal_image_error ("TIFF image too large to instantiate", instantiator);
++ unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3);
+ 
+ /* #### This is little more than proof-of-concept/function testing.
+ It needs to be reimplemented via scanline reads for both memory
+ compactness. */
+- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+ if (raster != NULL)
+ {
+ int i,j;
diff --git a/editors/xemacs21/stable/patches/patch-src_lisp_h b/editors/xemacs21/stable/patches/patch-src_lisp_h
new file mode 100644
index 00000000000..38b4657e773
--- /dev/null
+++ b/editors/xemacs21/stable/patches/patch-src_lisp_h
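Review bot: In the jpeg_instantiate hunk at -429 the new guard compares the 64-bit `pixels_sq` against `((size_t) -1) / 3`, but the allocation on the next line still evaluates `cinfo.output_width * cinfo.output_height * 3` in the operands' own (presumably 32-bit) type, so on a host with 64-bit size_t the guard only rejects products above 2^64/3 and the narrow product can still wrap to an undersized buffer; the gif_instantiate hunk at -679 has the same gap between its guard and `xmalloc (width * height * 3 * unwind.giffile->ImageCount)`. The png and tiff hunks already size their buffers from `pixels_sq`, and the other two should do likewise: `unwind.eimage = (unsigned char*) xmalloc (pixels_sq * 3);` for JPEG and `xmalloc (pixels_sq * 3 * unwind.giffile->ImageCount);` for GIF. In the GIF guard the divisor `3 * unwind.giffile->ImageCount` is also computed in the narrow type and is zero when ImageCount is 0; whether ImageCount has been validated earlier is not visible in the hunk, so an explicit `ImageCount > 0` check and a 64-bit divisor (`(UINT_64_BIT) 3 * unwind.giffile->ImageCount`) would close that as well. All four enclosing functions start and end outside their hunks.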
@@ -0,0 +1,20 @@
+$OpenBSD: patch-src_lisp_h,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/lisp.h.orig Tue Dec 15 10:57:22 2009
++++ src/lisp.h Tue Dec 15 10:57:44 2009
+@@ -265,6 +265,11 @@ void assert_failed (const char *, int, const char *);
+ /*#define REGISTER register*/
+ /*#endif*/
+ 
++#if SIZEOF_LONG == 8
++#define UINT_64_BIT unsigned long
++#elif SIZEOF_LONG_LONG == 8
++#define UINT_64_BIT unsigned long long
++#endif
+ 
+ /* EMACS_INT is the underlying integral type into which a Lisp_Object must fit.
+ In particular, it must be large enough to contain a pointer.
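Review bot: The new `#if SIZEOF_LONG == 8` / `#elif SIZEOF_LONG_LONG == 8` block has no `#else`, so on a configuration where neither macro equals 8 (including one where config.h leaves them undefined and both expand to 0) UINT_64_BIT is never defined and the overflow guards in glyphs-eimage.c fail with an unrelated-looking parse error instead of a clear message. Adding `#else` / `#error "UINT_64_BIT: no 64-bit unsigned integer type available"` before the `#endif` makes the precondition explicit; whether configure always provides SIZEOF_LONG_LONG is not visible here. A one-line comment above the block, such as `/* UINT_64_BIT: unsigned type used by glyphs-eimage.c for overflow-safe pixel-count arithmetic */`, would also help, since the name is otherwise unexplained in lisp.h.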