diff options
| author |   Sebastian Pipping <sping@gentoo.org> | 2012-11-06 19:39:50 +0000 |
|---|---|---|
| committer | Sebastian Pipping <sping@gentoo.org> | 2012-11-06 19:39:50 +0000 |
| commit | 76b2a3c3069cf812fb6f0c679ec33e46e4a26f36 (patch) | |
| tree | b200af3f401ec05b99ffcb46e19517f3666e54ca /media-libs/gegl/files | |
| parent | Fix dependencies. (diff) | |
| download | gentoo-2-76b2a3c3069cf812fb6f0c679ec33e46e4a26f36.tar.gz gentoo-2-76b2a3c3069cf812fb6f0c679ec33e46e4a26f36.tar.bz2 gentoo-2-76b2a3c3069cf812fb6f0c679ec33e46e4a26f36.zip | |
media-libs/gegl: CVE-2012-4433 (bug #442016)
(Portage version: 2.1.10.65/cvs/Linux x86_64)
Diffstat (limited to 'media-libs/gegl/files')
| -rw-r--r-- | media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-1e92e523.patch | 68 | ||||
| -rw-r--r-- | media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch | 70 |
2 files changed, 138 insertions, 0 deletions
diff --git a/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-1e92e523.patch b/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-1e92e523.patch new file mode 100644 index 000000000000..0babb0f41c1b --- /dev/null +++ b/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-1e92e523.patch @@ -0,0 +1,68 @@ +From 1e92e5235ded0415d555aa86066b8e4041ee5a53 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen <nils@redhat.com> +Date: Tue, 16 Oct 2012 14:58:27 +0000 +Subject: ppm-load: CVE-2012-4433: don't overflow memory allocation + +Carefully selected width/height values could cause the size of a later +allocation to overflow, resulting in a buffer much too small to store +the data which would then written beyond its end. +--- +diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c +index efe6d56..3d6bce7 100644 +--- a/operations/external/ppm-load.c ++++ b/operations/external/ppm-load.c +@@ -84,7 +84,6 @@ ppm_load_read_header(FILE *fp, + /* Get Width and Height */ + img->width = strtol (header,&ptr,0); + img->height = atoi (ptr); +- img->numsamples = img->width * img->height * CHANNEL_COUNT; + + fgets (header,MAX_CHARS_IN_ROW,fp); + maxval = strtol (header,&ptr,0); +@@ -109,6 +108,16 @@ ppm_load_read_header(FILE *fp, + g_warning ("%s: Programmer stupidity error", G_STRLOC); + } + ++ /* Later on, img->numsamples is multiplied with img->bpc to allocate ++ * memory. Ensure it doesn't overflow. */ ++ if (!img->width || !img->height || ++ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) ++ { ++ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); ++ return FALSE; ++ } ++ img->numsamples = img->width * img->height * CHANNEL_COUNT; ++ + return TRUE; + } + +@@ -229,12 +238,24 @@ process (GeglOperation *operation, + if (!ppm_load_read_header (fp, &img)) + goto out; + +- rect.height = img.height; +- rect.width = img.width; +- + /* Allocating Array Size */ ++ ++ /* Should use g_try_malloc(), but this causes crashes elsewhere because the ++ * error signalled by returning FALSE isn't properly acted upon. Therefore ++ * g_malloc() is used here which aborts if the requested memory size can't be ++ * allocated causing a controlled crash. */ + img.data = (guchar*) g_malloc (img.numsamples * img.bpc); + ++ /* No-op without g_try_malloc(), see above. */ ++ if (! img.data) ++ { ++ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); ++ goto out; ++ } ++ ++ rect.height = img.height; ++ rect.width = img.width; ++ + switch (img.bpc) + { + case 1: +-- +cgit v0.9.0.2 diff --git a/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch b/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch new file mode 100644 index 000000000000..f78557f5772a --- /dev/null +++ b/media-libs/gegl/files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch @@ -0,0 +1,70 @@ +From 4757cdf73d3675478d645a3ec8250ba02168a230 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen <nils@redhat.com> +Date: Tue, 16 Oct 2012 14:56:40 +0000 +Subject: ppm-load: CVE-2012-4433: add plausibility checks for header fields + +Refuse values that are non-decimal, negative or overflow the target +type. +--- +diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c +index 3d6bce7..465096d 100644 +--- a/operations/external/ppm-load.c ++++ b/operations/external/ppm-load.c +@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) + #include "gegl-chant.h" + #include <stdio.h> + #include <stdlib.h> ++#include <errno.h> + + typedef enum { + PIXMAP_ASCII = 51, +@@ -44,8 +45,8 @@ typedef enum { + + typedef struct { + map_type type; +- gint width; +- gint height; ++ glong width; ++ glong height; + gsize numsamples; /* width * height * channels */ + gsize bpc; /* bytes per channel */ + guchar *data; +@@ -82,11 +83,33 @@ ppm_load_read_header(FILE *fp, + } + + /* Get Width and Height */ +- img->width = strtol (header,&ptr,0); +- img->height = atoi (ptr); ++ errno = 0; ++ img->width = strtol (header,&ptr,10); ++ if (errno) ++ { ++ g_warning ("Error reading width: %s", strerror(errno)); ++ return FALSE; ++ } ++ else if (img->width < 0) ++ { ++ g_warning ("Error: width is negative"); ++ return FALSE; ++ } ++ ++ img->height = strtol (ptr,&ptr,10); ++ if (errno) ++ { ++ g_warning ("Error reading height: %s", strerror(errno)); ++ return FALSE; ++ } ++ else if (img->width < 0) ++ { ++ g_warning ("Error: height is negative"); ++ return FALSE; ++ } + + fgets (header,MAX_CHARS_IN_ROW,fp); +- maxval = strtol (header,&ptr,0); ++ maxval = strtol (header,&ptr,10); + + if ((maxval != 255) && (maxval != 65535)) + { +-- +cgit v0.9.0.2 |