rpms/gdk-pixbuf/FC-3 gdk-pixbuf-0.22.0-xpm-largecol.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-whc-overflow.patch, NONE, 1.1 gdk-pixbuf.spec, 1.27, 1.28
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Nov 16 15:51:15 UTC 2005
- Previous message (by thread): rpms/mc/FC-3 mc.spec,1.45,1.46
- Next message (by thread): rpms/gdk-pixbuf/FC-4 gdk-pixbuf-0.22.0-xpm-largecol.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-whc-overflow.patch, NONE, 1.1 gdk-pixbuf.spec, 1.29, 1.30
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mclasen
Update of /cvs/dist/rpms/gdk-pixbuf/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv30224
Modified Files:
gdk-pixbuf.spec
Added Files:
gdk-pixbuf-0.22.0-xpm-largecol.patch
gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch
gdk-pixbuf-0.22.0-xpm-whc-overflow.patch
Log Message:
Merge embargo branch
gdk-pixbuf-0.22.0-xpm-largecol.patch:
io-xpm.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletion(-)
--- NEW FILE gdk-pixbuf-0.22.0-xpm-largecol.patch ---
--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.largecol 2005-10-31 10:12:13.000000000 -0500
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2005-10-31 10:13:40.000000000 -0500
@@ -281,7 +281,8 @@
/* Fall through to the xpm_read_string. */
case op_body:
- xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+ if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+ return NULL;
return h->buffer;
default:
gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch:
io-xpm.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
--- NEW FILE gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch ---
--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.xpm-ncol-overflow 2005-10-19 10:51:26.000000000 -0400
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2005-10-19 10:52:16.000000000 -0400
@@ -356,7 +356,9 @@
g_warning ("XPM has invalid number of chars per pixel.");
return NULL;
}
- if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+ if (n_col <= 0 ||
+ n_col >= G_MAXINT / (cpp + 1) ||
+ n_col >= G_MAXINT / sizeof (_XPMColor)) {
g_warning ("XPM file has invalid number of colors");
return NULL;
}
gdk-pixbuf-0.22.0-xpm-whc-overflow.patch:
io-xpm.c | 24 ++++++------------------
1 files changed, 6 insertions(+), 18 deletions(-)
--- NEW FILE gdk-pixbuf-0.22.0-xpm-whc-overflow.patch ---
--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.xpm-whc-overflow 2005-10-31 10:11:03.000000000 -0500
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2005-10-31 10:11:18.000000000 -0500
@@ -317,13 +317,6 @@
return NULL;
}
-/* Destroy notification function for the pixbuf */
-static void
-free_buffer (guchar *pixels, gpointer data)
-{
- free (pixels);
-}
-
static gboolean
xpm_color_parse (const char *spec, XColor *color)
{
@@ -342,7 +335,8 @@
gchar pixel_str[32];
GHashTable *color_hash;
_XPMColor *colors, *color, *fallbackcolor;
- guchar *pixels, *pixtmp;
+ guchar *pixtmp;
+ GdkPixbuf* pixbuf;
fallbackcolor = NULL;
@@ -414,12 +408,8 @@
fallbackcolor = color;
}
- if (is_trans)
- pixels = malloc (w * h * 4);
- else
- pixels = malloc (w * h * 3);
-
- if (!pixels) {
+ pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h);
+ if (!pixbuf) {
g_hash_table_destroy (color_hash);
free (colors);
free (name_buf);
@@ -427,7 +417,7 @@
}
wbytes = w * cpp;
- pixtmp = pixels;
+ pixtmp = pixbuf->pixels;
for (ycnt = 0; ycnt < h; ycnt++) {
buffer = (*get_buf) (op_body, handle);
@@ -460,9 +450,7 @@
free (colors);
free (name_buf);
- return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
- w, h, is_trans ? (w * 4) : (w * 3),
- free_buffer, NULL);
+ return pixbuf;
}
/* Shared library entry point for file loading */
Index: gdk-pixbuf.spec
===================================================================
RCS file: /cvs/dist/rpms/gdk-pixbuf/FC-3/gdk-pixbuf.spec,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- gdk-pixbuf.spec 28 Mar 2005 15:14:07 -0000 1.27
+++ gdk-pixbuf.spec 16 Nov 2005 15:51:12 -0000 1.28
@@ -1,6 +1,6 @@
Name: gdk-pixbuf
Version: 0.22.0
-Release: 16.fc3
+Release: 16.fc3.3
Epoch: 1
Summary: An image loading library used with GNOME.
License: LGPL
@@ -39,6 +39,10 @@
# http://bugzilla.gnome.org/show_bug.cgi?id=130711
Patch10: gdk-pixbuf-0.22.0-loaders.patch
Patch11: gdk-pixbuf-0.22.0-bmpcrash.patch
+Patch12: gtk+-2.2.2-noexecstack.patch
+Patch13: gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch
+Patch14: gdk-pixbuf-0.22.0-xpm-whc-overflow.patch
+Patch15: gdk-pixbuf-0.22.0-xpm-largecol.patch
URL: http://www.gnome.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-root
@@ -111,6 +115,10 @@
%patch10 -p1 -b .loaders
%patch11 -p1 -b .bmpcrash
+%patch12 -p1 -b .noexecstack
+%patch13 -p1 -b .xpm-ncol-overflow
+%patch14 -p1 -b .xpm-whc-overflow
+%patch15 -p1 -b .xpm-largecol
perl -p -i.bak -e 's/gmodule.h/gmodule-local.h/g; s/g_module/local_hack_g_module/g; s/GModule/LocalHackGModule/g; s/G_MODULE/LOCAL_HACK_G_MODULE/g' gdk-pixbuf/gdk-pixbuf-io.c gdk-pixbuf/gdk-pixbuf-io.h
perl -pi -e 's/-static//g' gdk-pixbuf/local-hack-gmodule/Makefile
@@ -186,6 +194,14 @@
%{_datadir}/gnome/html/*
%changelog
+* Mon Oct 31 2005 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-16.fc3.3
+- Prevent another integer overflow in the xpm loader (#171901, CVE-2005-2976)
+- Prevent an infinite loop in the xpm loader (#171901, CVE-2005-2976)
+
+* Wed Oct 19 2005 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-16.fc3.2
+- Prevent an integer overflow in the xpm loader (#171073, CVE-2005-3186)
+- Backport the noexecstack patch from FC-4
+
* Mon Mar 28 2005 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-16.fc3
- Fix a double free in the bmp loader
- Previous message (by thread): rpms/mc/FC-3 mc.spec,1.45,1.46
- Next message (by thread): rpms/gdk-pixbuf/FC-4 gdk-pixbuf-0.22.0-xpm-largecol.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-ncol-overflow.patch, NONE, 1.1 gdk-pixbuf-0.22.0-xpm-whc-overflow.patch, NONE, 1.1 gdk-pixbuf.spec, 1.29, 1.30
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list