Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
parent
c225562c7c
commit
9fcf2469b9
@ -1,8 +1,8 @@
|
|||||||
# $OpenBSD: Makefile,v 1.6 2009/08/10 06:31:09 kili Exp $
|
# $OpenBSD: Makefile,v 1.7 2009/12/15 10:05:55 jasper Exp $
|
||||||
|
|
||||||
BRANCH= 21.4
|
BRANCH= 21.4
|
||||||
VERSION= 19
|
VERSION= 19
|
||||||
PKGNAME= ${DISTNAME}p9
|
PKGNAME= ${DISTNAME}p10
|
||||||
|
|
||||||
WANTLIB= c m ncurses util
|
WANTLIB= c m ncurses util
|
||||||
|
|
||||||
|
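--- a/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
+++ b/editors/xemacs21/stable/patches/patch-src_glyphs-eimage_c
@@ -0,0 +1,98 @@
+$OpenBSD: patch-src_glyphs-eimage_c,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/glyphs-eimage.c.orig Mon Jan 31 03:55:17 2005
++++ src/glyphs-eimage.c Tue Dec 15 10:57:11 2009
+@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+*/
+
+{
++ UINT_64_BIT pixels_sq;
+int jpeg_gray = 0; /* if we're dealing with a grayscale */
+/* Step 4: set parameters for decompression. */
+
+@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_instance, Lisp_Obj
+jpeg_start_decompress (&cinfo);
+
+/* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++ pixels_sq =
++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("JPEG image too large to instantiate", instantiator);
+unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3);
+if (!unwind.eimage)
+signal_image_error("Unable to allocate enough memory for image", instantiator);
+@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+{
+ColorMapObject *cmo = unwind.giffile->SColorMap;
+int i, j, row, pass, interlace, slice;
++ UINT_64_BIT pixels_sq;
+unsigned char *eip;
+/* interlaced gifs have rows in this order:
+0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
+@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_instance, Lisp_Obje
+
+height = unwind.giffile->SHeight;
+width = unwind.giffile->SWidth;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++ signal_image_error ("GIF image too large to instantiate", instantiator);
+unwind.eimage = (unsigned char*)
+xmalloc (width * height * 3 * unwind.giffile->ImageCount);
+if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+{
+int y;
+unsigned char **row_pointers;
++ UINT_64_BIT pixels_sq;
+height = info_ptr->height;
+width = info_ptr->width;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("PNG image too large to instantiate", instantiator);
+
+/* Wow, allocate all the memory. Truly, exciting. */
+- unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3);
++ unwind.eimage = xnew_array_and_zero (unsigned char, pixels_sq * 3);
+/* libpng expects that the image buffer passed in contains a
+picture to draw on top of if the png has any transparencies.
+This could be a good place to pass that in... */
+@@ -986,7 +998,7 @@ png_instantiate (Lisp_Object image_instance, Lisp_Obje
+png_set_expand (png_ptr);
+/* send grayscale images to RGB too */
+if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY ||
+- info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
++ info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+png_set_gray_to_rgb (png_ptr);
+/* we can't handle alpha values */
+if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
+@@ -1260,6 +1272,7 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+
+uint32 *raster;
+unsigned char *ep;
++ UINT_64_BIT pixels_sq;
+
+assert (!NILP (data));
+
+@@ -1282,12 +1295,15 @@ tiff_instantiate (Lisp_Object image_instance, Lisp_Obj
+
+TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+- unwind.eimage = (unsigned char *) xmalloc (width * height * 3);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq >= 1 << 29)
++ signal_image_error ("TIFF image too large to instantiate", instantiator);
++ unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3);
+
+/* #### This is little more than proof-of-concept/function testing.
+It needs to be reimplemented via scanline reads for both memory
+compactness. */
+- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+if (raster != NULL)
+{
+int i,j;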
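Review bot: In the jpeg_instantiate hunk (@@ -429) the new 64-bit check validates `pixels_sq`, but the allocation on the following context line still computes `cinfo.output_width * cinfo.output_height * 3` in the operands' own type; where that type is narrower than size_t (libjpeg's JDIMENSION is an unsigned int) the product can wrap on a 64-bit host even though the check passed, and the buffer comes out short. The gif_instantiate hunk (@@ -679) has the same shape: it checks `pixels_sq` but then calls `xmalloc (width * height * 3 * unwind.giffile->ImageCount)` with the original operands, whose types are not visible here. Allocate from the checked value instead, as the PNG and TIFF hunks already do: `xmalloc ((size_t) pixels_sq * 3)` for JPEG and `xmalloc ((size_t) pixels_sq * 3 * unwind.giffile->ImageCount)` for GIF. The GIF check also divides by `3 * unwind.giffile->ImageCount`, which is a division by zero if a file yields ImageCount of 0, so an empty image list should be rejected before that line. All four instantiate functions begin and end outside the hunks shown.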
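--- a/editors/xemacs21/stable/patches/patch-src_lisp_h
+++ b/editors/xemacs21/stable/patches/patch-src_lisp_h
@@ -0,0 +1,20 @@
+$OpenBSD: patch-src_lisp_h,v 1.1 2009/12/15 10:05:55 jasper Exp $
+
+Security fix for CVE-2009-2688, xemacs: multiple integer overflow flaws.
+
+Patch from gentoo.
+
+--- src/lisp.h.orig Tue Dec 15 10:57:22 2009
++++ src/lisp.h Tue Dec 15 10:57:44 2009
+@@ -265,6 +265,11 @@ void assert_failed (const char *, int, const char *);
+/*#define REGISTER register*/
+/*#endif*/
+
++#if SIZEOF_LONG == 8
++#define UINT_64_BIT unsigned long
++#elif SIZEOF_LONG_LONG == 8
++#define UINT_64_BIT unsigned long long
++#endif
+
+/* EMACS_INT is the underlying integral type into which a Lisp_Object must fit.
+In particular, it must be large enough to contain a pointer.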
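Review bot: The new UINT_64_BIT block (@@ -265) has no `#else` branch, so on a target where neither SIZEOF_LONG nor SIZEOF_LONG_LONG is 8 the macro is left undefined and the overflow checks in glyphs-eimage.c that depend on it fail to compile with an unrelated-looking error far from the cause. Make the unsupported case explicit before the `#endif`: `#else` / `#error "no 64-bit unsigned integer type available for UINT_64_BIT"`. A one-line comment above the block stating that the type exists only for overflow-safe size arithmetic in the image decoders would also tell the next reader why it is not EMACS_UINT.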