openbsd-ports/graphics/gdk-pixbuf/patches/patch-gdk-pixbuf_io-bmp_c
naddy 1626ccb155 SECURITY:
Fix
- double free() in BMP handler (CVE-2005-0891),
- endless loop (CVE-2005-2975) and
- integer overflows in XPM loader (CVE-2005-2976, CVE-2005-3186).

From Ubuntu.
2005-11-21 20:20:53 +00:00


$OpenBSD: patch-gdk-pixbuf_io-bmp_c,v 1.2 2005/11/21 20:20:54 naddy Exp $
--- gdk-pixbuf/io-bmp.c.orig Fri Sep 27 23:12:40 2002
+++ gdk-pixbuf/io-bmp.c Sat Nov 19 18:23:36 2005
@@ -245,7 +245,15 @@ lsb_16 (guchar *src)
static gboolean
grow_buffer (struct bmp_progressive_state *State)
{
- guchar *tmp = realloc (State->buff, State->BufferSize);
+ guchar *tmp;
+
+ if (State->BufferSize == 0) {
+ State->read_state = READ_STATE_ERROR;
+ return FALSE;
+ }
+
+ tmp = realloc (State->buff, State->BufferSize);
+
if (!tmp) {
State->read_state = READ_STATE_ERROR;
return FALSE;
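Review bot: The new `State->BufferSize == 0` guard carries no comment saying why a zero size must be an error, so a later maintainer could fold it back into the realloc call and reintroduce the problem the commit message attributes to CVE-2005-0891; suggest `/* realloc(p, 0) may free p and return NULL; treating that as an allocation failure would leave State->buff dangling and the cleanup path would free it again. */` above the check. It is also worth a line that on both error returns `State->buff` keeps its previous value, since that is what lets the caller's cleanup free it exactly once; where BufferSize is computed from the file header is outside this hunk, so whether it can also overflow to a huge value is not visible here.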
@@ -870,8 +878,10 @@ DoCompressed(struct bmp_progressive_stat
guchar c;
gint idx;
- if (context->compr.y >= context->Header.height)
+ if (context->compr.y >= context->Header.height) {
+ context->BufferDone = 0;
return TRUE;
+ }
y = context->compr.y;