SECURITY FIX:
A voluntary security review of the importers by infamous41md has turned up three buffer overflow errors in the xfig import code. Details: http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html
This commit is contained in:
parent
394abc9ebe
commit
a24b504344
@ -1,9 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.34 2006/01/20 07:15:22 steven Exp $
|
||||
# $OpenBSD: Makefile,v 1.35 2006/04/03 16:21:47 steven Exp $
|
||||
|
||||
COMMENT= "technical diagrams drawing tool"
|
||||
|
||||
DISTNAME= dia-0.94
|
||||
PKGNAME= ${DISTNAME}p3
|
||||
PKGNAME= ${DISTNAME}p4
|
||||
CATEGORIES= graphics
|
||||
|
||||
HOMEPAGE= http://www.gnome.org/projects/dia/
|
||||
|
193
graphics/dia/patches/patch-plug-ins_xfig_xfig-import_c
Normal file
193
graphics/dia/patches/patch-plug-ins_xfig_xfig-import_c
Normal file
@ -0,0 +1,193 @@
|
||||
$OpenBSD: patch-plug-ins_xfig_xfig-import_c,v 1.1 2006/04/03 16:21:47 steven Exp $
|
||||
--- plug-ins/xfig/xfig-import.c.orig Mon Aug 16 09:56:21 2004
|
||||
+++ plug-ins/xfig/xfig-import.c Mon Apr 3 18:16:09 2006
|
||||
@@ -441,11 +441,17 @@ create_standard_group(GList *items, Diag
|
||||
static Color
|
||||
fig_color(int color_index)
|
||||
{
|
||||
- if (color_index == -1)
|
||||
+ if (color_index <= -1)
|
||||
return color_black; /* Default color */
|
||||
- if (color_index < FIG_MAX_DEFAULT_COLORS)
|
||||
+ else if (color_index < FIG_MAX_DEFAULT_COLORS)
|
||||
return fig_default_colors[color_index];
|
||||
- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
|
||||
+ else if (color_index < FIG_MAX_USER_COLORS)
|
||||
+ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
|
||||
+ else {
|
||||
+ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
|
||||
+ color_index);
|
||||
+ return color_black;
|
||||
+ }
|
||||
}
|
||||
|
||||
static Color
|
||||
@@ -563,23 +569,25 @@ fig_simple_properties(DiaObject *obj,
|
||||
static int
|
||||
fig_read_n_points(FILE *file, int n, Point **points) {
|
||||
int i;
|
||||
- Point *new_points;
|
||||
+ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
|
||||
|
||||
- new_points = (Point*)g_malloc(sizeof(Point)*n);
|
||||
-
|
||||
for (i = 0; i < n; i++) {
|
||||
int x,y;
|
||||
+ Point p;
|
||||
if (fscanf(file, " %d %d ", &x, &y) != 2) {
|
||||
message_error(_("Error while reading %dth of %d points: %s\n"),
|
||||
i, n, strerror(errno));
|
||||
- free(new_points);
|
||||
+ g_array_free(points_list, TRUE);
|
||||
return FALSE;
|
||||
}
|
||||
- new_points[i].x = x/FIG_UNIT;
|
||||
- new_points[i].y = y/FIG_UNIT;
|
||||
+ p.x = x/FIG_UNIT;
|
||||
+ p.y = y/FIG_UNIT;
|
||||
+ g_array_append_val(points_list, p);
|
||||
}
|
||||
fscanf(file, "\n");
|
||||
- *points = new_points;
|
||||
+
|
||||
+ *points = (Point *)points_list->data;
|
||||
+ g_array_free(points_list, FALSE);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
@@ -683,7 +691,7 @@ fig_read_text_line(FILE *file) {
|
||||
return text_buf;
|
||||
}
|
||||
|
||||
-static GList *depths[1000];
|
||||
+static GList *depths[FIG_MAX_DEPTHS];
|
||||
|
||||
/* If there's something in the compound stack, we ignore the depth field,
|
||||
as it will be determined by the group anyway */
|
||||
@@ -693,6 +701,26 @@ static GSList *compound_stack = NULL;
|
||||
level. Best we can do now. */
|
||||
static int compound_depth;
|
||||
|
||||
+/** Add an object at a given depth. This function checks for depth limits
|
||||
+ * and updates the compound depth if needed.
|
||||
+ *
|
||||
+ * @param newobj An object to add. If we're inside a compound, this
|
||||
+ * doesn't really add the object.
|
||||
+ * @param depth A depth as in the Fig format, max 999
|
||||
+ */
|
||||
+static void
|
||||
+add_at_depth(DiaObject *newobj, int depth) {
|
||||
+ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
|
||||
+ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
|
||||
+ depth, FIG_MAX_DEPTHS-1);
|
||||
+ depth = FIG_MAX_DEPTHS - 1;
|
||||
+ }
|
||||
+ if (compound_stack == NULL)
|
||||
+ depths[depth] = g_list_append(depths[depth], newobj);
|
||||
+ else
|
||||
+ if (compound_depth > depth) compound_depth = depth;
|
||||
+}
|
||||
+
|
||||
static DiaObject *
|
||||
fig_read_ellipse(FILE *file, DiagramData *dia) {
|
||||
int sub_type;
|
||||
@@ -749,10 +777,7 @@ fig_read_ellipse(FILE *file, DiagramData
|
||||
/* Angle -- can't rotate yet */
|
||||
|
||||
/* Depth field */
|
||||
- if (compound_stack == NULL)
|
||||
- depths[depth] = g_list_append(depths[depth], newobj);
|
||||
- else
|
||||
- if (compound_depth > depth) compound_depth = depth;
|
||||
+ add_at_depth(newobj, depth);
|
||||
|
||||
return newobj;
|
||||
}
|
||||
@@ -885,10 +910,7 @@ fig_read_polyline(FILE *file, DiagramDat
|
||||
/* Cap style */
|
||||
|
||||
/* Depth field */
|
||||
- if (compound_stack == NULL)
|
||||
- depths[depth] = g_list_append(depths[depth], newobj);
|
||||
- else
|
||||
- if (compound_depth > depth) compound_depth = depth;
|
||||
+ add_at_depth(newobj, depth);
|
||||
exit:
|
||||
prop_list_free(props);
|
||||
g_free(forward_arrow_info);
|
||||
@@ -1111,10 +1133,7 @@ fig_read_spline(FILE *file, DiagramData
|
||||
/* Cap style */
|
||||
|
||||
/* Depth field */
|
||||
- if (compound_stack == NULL)
|
||||
- depths[depth] = g_list_append(depths[depth], newobj);
|
||||
- else
|
||||
- if (compound_depth > depth) compound_depth = depth;
|
||||
+ add_at_depth(newobj, depth);
|
||||
exit:
|
||||
prop_list_free(props);
|
||||
g_free(forward_arrow_info);
|
||||
@@ -1202,10 +1221,7 @@ fig_read_arc(FILE *file, DiagramData *di
|
||||
/* Cap style */
|
||||
|
||||
/* Depth field */
|
||||
- if (compound_stack == NULL)
|
||||
- depths[depth] = g_list_append(depths[depth], newobj);
|
||||
- else
|
||||
- if (compound_depth > depth) compound_depth = depth;
|
||||
+ add_at_depth(newobj, depth);
|
||||
|
||||
exit:
|
||||
g_free(forward_arrow_info);
|
||||
@@ -1298,10 +1314,7 @@ fig_read_text(FILE *file, DiagramData *d
|
||||
newobj->ops->set_props(newobj, props);
|
||||
|
||||
/* Depth field */
|
||||
- if (compound_stack == NULL)
|
||||
- depths[depth] = g_list_append(depths[depth], newobj);
|
||||
- else
|
||||
- if (compound_depth > depth) compound_depth = depth;
|
||||
+ add_at_depth(newobj, depth);
|
||||
|
||||
exit:
|
||||
if (text_buf != NULL) free(text_buf);
|
||||
@@ -1347,6 +1360,12 @@ fig_read_object(FILE *file, DiagramData
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
+ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
|
||||
+ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
|
||||
+ colornumber, FIG_MAX_USER_COLORS);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
|
||||
color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
|
||||
color.blue = (colorvalues & 0x000000ff) / 255.0;
|
||||
@@ -1393,7 +1412,7 @@ fig_read_object(FILE *file, DiagramData
|
||||
}
|
||||
/* Group extends don't really matter */
|
||||
if (compound_stack == NULL)
|
||||
- compound_depth = 999;
|
||||
+ compound_depth = FIG_MAX_DEPTHS - 1;
|
||||
compound_stack = g_slist_append(compound_stack, NULL);
|
||||
return TRUE;
|
||||
break;
|
||||
@@ -1551,7 +1570,7 @@ import_fig(const gchar *filename, Diagra
|
||||
for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
|
||||
fig_colors[i] = color_black;
|
||||
}
|
||||
- for (i = 0; i < 1000; i++) {
|
||||
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
|
||||
depths[i] = NULL;
|
||||
}
|
||||
|
||||
@@ -1606,7 +1625,7 @@ import_fig(const gchar *filename, Diagra
|
||||
} while (TRUE);
|
||||
|
||||
/* Now we can reorder for the depth fields */
|
||||
- for (i = 0; i < 1000; i++) {
|
||||
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
|
||||
if (depths[i] != NULL)
|
||||
layer_add_objects_first(dia->active_layer, depths[i]);
|
||||
}
|
11
graphics/dia/patches/patch-plug-ins_xfig_xfig_h
Normal file
11
graphics/dia/patches/patch-plug-ins_xfig_xfig_h
Normal file
@ -0,0 +1,11 @@
|
||||
$OpenBSD: patch-plug-ins_xfig_xfig_h,v 1.1 2006/04/03 16:21:47 steven Exp $
|
||||
--- plug-ins/xfig/xfig.h.orig Mon Aug 16 09:56:21 2004
|
||||
+++ plug-ins/xfig/xfig.h Mon Apr 3 18:16:09 2006
|
||||
@@ -6,6 +6,7 @@ extern char *fig_fonts[];
|
||||
|
||||
#define FIG_MAX_DEFAULT_COLORS 32
|
||||
#define FIG_MAX_USER_COLORS 512
|
||||
+#define FIG_MAX_DEPTHS 1000
|
||||
/* 1200 PPI */
|
||||
#define FIG_UNIT 472.440944881889763779527559055118
|
||||
/* 1/80 inch */
|
Loading…
Reference in New Issue
Block a user