authorOlivier Crête <tester@gentoo.org>2009-06-07 14:24:25 +0000
committerOlivier Crête <tester@gentoo.org>2009-06-07 14:24:25 +0000
commit56faf076003b0ef3a0f9dbf3edff642ff9d386d4 (patch)
treee51baee384a6ce5456b6c712c157ddf54bfdb6a4 /media-plugins
parentAdd ~arm/~ia64/~s390/~sh wrt #269087 (diff)
Add patch for pngdec bug, CVE-2009-1932, bug #272972
(Portage version: 2.1.6.11/cvs/Linux i686)
Diffstat (limited to 'media-plugins')
-rw-r--r--media-plugins/gst-plugins-libpng/ChangeLog9
-rw-r--r--media-plugins/gst-plugins-libpng/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch63
-rw-r--r--media-plugins/gst-plugins-libpng/gst-plugins-libpng-0.10.14-r1.ebuild21
3 files changed, 92 insertions, 1 deletions
diff --git a/media-plugins/gst-plugins-libpng/ChangeLog b/media-plugins/gst-plugins-libpng/ChangeLog
index 3a0f3b1e9f05..26db12acfd56 100644
--- a/media-plugins/gst-plugins-libpng/ChangeLog
+++ b/media-plugins/gst-plugins-libpng/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for media-plugins/gst-plugins-libpng
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-plugins/gst-plugins-libpng/ChangeLog,v 1.104 2009/05/21 19:01:38 ranger Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-plugins/gst-plugins-libpng/ChangeLog,v 1.105 2009/06/07 14:24:25 tester Exp $
+
+*gst-plugins-libpng-0.10.14-r1 (07 Jun 2009)
+
+ 07 Jun 2009; Olivier Crête <tester@gentoo.org>
+ +files/gst-plugins-good-0.10.15-CVE-2009-1932.patch,
+ +gst-plugins-libpng-0.10.14-r1.ebuild:
+ Add patch for pngdec bug, CVE-2009-1932, bug #272972
21 May 2009; Brent Baude <ranger@gentoo.org> ChangeLog:
Marking gst-plugins-libpng-0.10.14 ppc64 stable for bug 266986
diff --git a/media-plugins/gst-plugins-libpng/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch b/media-plugins/gst-plugins-libpng/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch
new file mode 100644
index 000000000000..e07289bc0fd0
--- /dev/null
+++ b/media-plugins/gst-plugins-libpng/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch
@@ -0,0 +1,63 @@
+From d9544bcc44adcef769cbdf7f6453e140058a3adc Mon Sep 17 00:00:00 2001
+From: Jan Schmidt <thaytan@noraisin.net>
+Date: Wed, 27 May 2009 16:06:34 +0000
+Subject: pngdec: Avoid possible overflow in calculations
+
+A malformed (or simply huge) PNG file can lead to integer overflow in
+calculating the size of the output buffer, leading to crashes or buffer
+overflows later. Fixes SA35205 security advisory.
+---
+diff --git a/ext/libpng/gstpngdec.c b/ext/libpng/gstpngdec.c
+index 524b468..dde459d 100644
+--- a/ext/libpng/gstpngdec.c
++++ b/ext/libpng/gstpngdec.c
+@@ -201,7 +201,14 @@ user_info_callback (png_structp png_ptr, png_infop info)
+
+ /* Allocate output buffer */
+ pngdec->rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+- buffer_size = pngdec->height * GST_ROUND_UP_4 (pngdec->rowbytes);
++ if (pngdec->rowbytes > (G_MAXUINT32 - 3)
++ || pngdec->height > G_MAXUINT32 / pngdec->rowbytes) {
++ ret = GST_FLOW_ERROR;
++ goto beach;
++ }
++ pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);
++ buffer_size = pngdec->height * pngdec->rowbytes;
++
+ ret =
+ gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+ buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -228,7 +235,7 @@ user_endrow_callback (png_structp png_ptr, png_bytep new_row,
+ /* If buffer_out doesn't exist, it means buffer_alloc failed, which
+ * will already have set the return code */
+ if (GST_IS_BUFFER (pngdec->buffer_out)) {
+- size_t offset = row_num * GST_ROUND_UP_4 (pngdec->rowbytes);
++ size_t offset = row_num * pngdec->rowbytes;
+
+ GST_LOG ("got row %u, copying in buffer %p at offset %" G_GSIZE_FORMAT,
+ (guint) row_num, pngdec->buffer_out, offset);
+@@ -496,7 +503,12 @@ gst_pngdec_task (GstPad * pad)
+
+ /* Allocate output buffer */
+ rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+- buffer_size = pngdec->height * GST_ROUND_UP_4 (rowbytes);
++ if (rowbytes > (G_MAXUINT32 - 3) || pngdec->height > G_MAXUINT32 / rowbytes) {
++ ret = GST_FLOW_ERROR;
++ goto pause;
++ }
++ rowbytes = GST_ROUND_UP_4 (rowbytes);
++ buffer_size = pngdec->height * rowbytes;
+ ret =
+ gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+ buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -509,7 +521,7 @@ gst_pngdec_task (GstPad * pad)
+
+ for (i = 0; i < pngdec->height; i++) {
+ rows[i] = inp;
+- inp += GST_ROUND_UP_4 (rowbytes);
++ inp += rowbytes;
+ }
+
+ /* Read the actual picture */
+--
+cgit v0.8.2
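Review bot: The new guard in user_info_callback divides G_MAXUINT32 by the unrounded rowbytes, but buffer_size is then computed from the value after GST_ROUND_UP_4, so a height that passes the check can still push `pngdec->height * pngdec->rowbytes` past the 32-bit bound when rowbytes is not a multiple of 4. Rounding before the division closes the gap: keep the `> G_MAXUINT32 - 3` test, then do `pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);` and only then test `pngdec->height > G_MAXUINT32 / pngdec->rowbytes`. The same ordering is used in the gst_pngdec_task hunk with the local `rowbytes`. The division also assumes png_get_rowbytes() never returns 0, which would be worth an explicit check. The declarations of height, rowbytes and buffer_size are outside these hunks, so whether the product is narrowed again before the allocation call cannot be confirmed from here.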
diff --git a/media-plugins/gst-plugins-libpng/gst-plugins-libpng-0.10.14-r1.ebuild b/media-plugins/gst-plugins-libpng/gst-plugins-libpng-0.10.14-r1.ebuild
new file mode 100644
index 000000000000..d4c7fdcfb1c3
--- /dev/null
+++ b/media-plugins/gst-plugins-libpng/gst-plugins-libpng-0.10.14-r1.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-plugins/gst-plugins-libpng/gst-plugins-libpng-0.10.14-r1.ebuild,v 1.1 2009/06/07 14:24:25 tester Exp $
+
+inherit gst-plugins-good
+
+DESCRIPTION="plug-in to encode png images"
+KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~sparc ~x86"
+IUSE=""
+
+DEPEND=">=media-libs/libpng-1.2
+ >=media-libs/gstreamer-0.10.22
+ >=media-libs/gst-plugins-base-0.10.22"
+
+src_unpack ()
+{
+ gst-plugins-good_src_unpack
+
+ cd "${S}"
+ epatch "${FILESDIR}/gst-plugins-good-0.10.15-CVE-2009-1932.patch"
+}
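Review bot: The epatch call in src_unpack has no comment tying it to the advisory, so the reason for the -r1 revision is visible only in the patch file name. A line such as `# Integer overflow in pngdec output buffer sizing, CVE-2009-1932, bug #272972` above the epatch call would keep that context in the ebuild when the patch is later dropped or carried forward. DESCRIPTION mentions only encoding although the patch touches the decoder (pngdec), so the description may be worth widening if the plug-in ships both elements.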