fixes for CVE-2011-5326, CVE-2016-3993, CVE-2016-3994, CVE-2016-4024

2016-07-01 13:04:32 +00:00 · 2016-07-01 13:04:32 +00:00 · f5805595b3
commit f5805595b3
parent 345a8a226d
5 changed files with 176 additions and 2 deletions
--- a/graphics/imlib2/Makefile
+++ b/graphics/imlib2/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.38 2016/03/27 15:31:24 naddy Exp $
+# $OpenBSD: Makefile,v 1.39 2016/07/01 13:04:32 jasper Exp $

 COMMENT=	image manipulation library

 DISTNAME=	imlib2-1.4.7
-REVISION=	0
+REVISION=	1
 SHARED_LIBS=	Imlib2	6.0	# .5.7
 CATEGORIES=	graphics

--- a/graphics/imlib2/patches/patch-src_lib_ellipse_c
+++ b/graphics/imlib2/patches/patch-src_lib_ellipse_c
@ -0,0 +1,87 @@
+$OpenBSD: patch-src_lib_ellipse_c,v 1.1 2016/07/01 13:04:32 jasper Exp $
+
+CVE-2011-5326
+https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15
+
+--- src/lib/ellipse.c.orig	Sun Dec 22 05:20:31 2013
+++ src/lib/ellipse.c	Fri Jul  1 14:58:32 2016
+@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int 
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(color, bp + len);
+ 
+        if (dx < 1)
+           dx = 1;
+
+         dy += b2;
+         yy -= ((dy << 16) / dx);
+         lx--;
+@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int 
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(color, bp + len);
+ 
+        if (dy < 1)
+           dy = 1;
+
+         dx -= a2;
+         xx += ((dx << 16) / dy);
+         ty++;
+@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, i
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(col1, bp + len);
+ 
+        if (dx < 1)
+           dx = 1;
+
+         dy += b2;
+         yy -= ((dy << 16) / dx);
+         lx--;
+@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, i
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(col1, bp + len);
+ 
+        if (dy < 1)
+           dy = 1;
+
+         dx -= a2;
+         xx += ((dx << 16) / dy);
+         ty++;
+@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int 
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(color, bp + len);
+ 
+        if (dx < 1)
+           dx = 1;
+
+         dy += b2;
+         yy -= ((dy << 16) / dx);
+         lx--;
+@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int 
+         if (((unsigned)by < (unsigned)clh) && (len > 0))
+            sfunc(color, bpp, len);
+ 
+        if (dy < 1)
+           dy = 1;
+
+         dx -= a2;
+         xx += ((dx << 16) / dy);
+         ty++;
+@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, i
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(col1, bp + len);
+ 
+        if (dx < 1)
+           dx = 1;
+
+         dy += b2;
+         yy -= ((dy << 16) / dx);
+         lx--;
+@@ -628,6 +649,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, i
+            pfunc(col1, bp);
+         if (IN_RANGE(rx, by, clw, clh))
+            pfunc(col1, bp + len);
+
+        if (dy < 1)
+           dy = 1;
+ 
+         dx -= a2;
+         xx += ((dx << 16) / dy);
--- a/graphics/imlib2/patches/patch-src_lib_image_h
+++ b/graphics/imlib2/patches/patch-src_lib_image_h
@ -0,0 +1,17 @@
+$OpenBSD: patch-src_lib_image_h,v 1.1 2016/07/01 13:04:32 jasper Exp $
+
+CVE-2016-4024
+https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227
+
+--- src/lib/image.h.orig	Fri Jul  1 14:59:56 2016
+++ src/lib/image.h	Fri Jul  1 15:00:21 2016
+@@ -188,7 +188,8 @@ void                __imlib_SaveImage(ImlibImage * im,
+ 
+ /* The maximum pixmap dimension is 65535. */
+ /* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
+-#define X_MAX_DIM 46340
+/* Reduced further to 32767, so that (w * h * sizeof(DATA32)) won't exceed ULONG_MAX */
+#define X_MAX_DIM 32767
+ 
+ #define IMAGE_DIMENSIONS_OK(w, h) \
+    ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
--- a/graphics/imlib2/patches/patch-src_lib_updates_c
+++ b/graphics/imlib2/patches/patch-src_lib_updates_c
@ -0,0 +1,16 @@
+$OpenBSD: patch-src_lib_updates_c,v 1.1 2016/07/01 13:04:32 jasper Exp $
+
+CVE-2016-3993
+https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
+
+--- src/lib/updates.c.orig	Fri Jul  1 14:56:42 2016
+++ src/lib/updates.c	Fri Jul  1 14:57:03 2016
+@@ -112,7 +112,7 @@ __imlib_MergeUpdate(ImlibUpdate * u, int w, int h, int
+                   int                 xx, yy, ww, hh, ok;
+ 
+                   for (xx = x + 1, ww = 1;
+-                       (T(xx, y).used & T_USED) && (xx < tw); xx++, ww++);
+                       (xx < tw) && (T(xx, y).used & T_USED); xx++, ww++);
+                   for (yy = y + 1, hh = 1, ok = 1;
+                        (yy < th) && (ok); yy++, hh++)
+                     {
--- a/graphics/imlib2/patches/patch-src_modules_loaders_loader_gif_c
+++ b/graphics/imlib2/patches/patch-src_modules_loaders_loader_gif_c
@ -0,0 +1,54 @@
+$OpenBSD: patch-src_modules_loaders_loader_gif_c,v 1.6 2016/07/01 13:04:32 jasper Exp $
+
+CVE-2016-3994
+https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
+
+--- src/modules/loaders/loader_gif.c.orig	Sat Dec 20 17:39:11 2014
+++ src/modules/loaders/loader_gif.c	Fri Jul  1 14:57:48 2016
+@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, 
+ 
+    if (im->loader || immediate_load || progress)
+      {
+        DATA32 colormap[256];
+
+         bg = gif->SBackGroundColor;
+         cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
+        memset (colormap, 0, sizeof(colormap));
+        if (cmap != NULL)
+           {
+              for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
+                 {
+                    r = cmap->Colors[i].Red;
+                    g = cmap->Colors[i].Green;
+                    b = cmap->Colors[i].Blue;
+                    colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
+                 }
+              /* if bg > cmap->ColorCount, it is transparent black already */
+              if (transp >= 0 && transp < 256)
+                 colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
+           }
+         im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
+         if (!im->data)
+            goto quit;
+@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, 
+           {
+              for (j = 0; j < w; j++)
+                {
+-                  if (rows[i][j] == transp)
+-                    {
+-                       r = cmap->Colors[bg].Red;
+-                       g = cmap->Colors[bg].Green;
+-                       b = cmap->Colors[bg].Blue;
+-                       *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
+-                    }
+-                  else
+-                    {
+-                       r = cmap->Colors[rows[i][j]].Red;
+-                       g = cmap->Colors[rows[i][j]].Green;
+-                       b = cmap->Colors[rows[i][j]].Blue;
+-                       *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
+-                    }
+                  *ptr++ = colormap[rows[i][j]];
+                   per += per_inc;
+                   if (progress && (((int)per) != last_per)
+                       && (((int)per) % progress_granularity == 0))