rpms/imlib2/FC-5 imlib2-1.3.0-loader_overflows.patch, NONE, 1.1 imlib2-1.3.0-multilib.patch, NONE, 1.1 .cvsignore, 1.4, 1.5 imlib2.spec, 1.19, 1.20 sources, 1.5, 1.6

Hans de Goede (jwrdegoede) fedora-extras-commits at redhat.com
Thu Nov 9 09:54:56 UTC 2006


Author: jwrdegoede

Update of /cvs/extras/rpms/imlib2/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9667

Modified Files:
	.cvsignore imlib2.spec sources 
Added Files:
	imlib2-1.3.0-loader_overflows.patch 
	imlib2-1.3.0-multilib.patch 
Log Message:
* Thu Nov  9 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.3.0-3
- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to
  Ubuntu for the patch (bug 214676)


imlib2-1.3.0-loader_overflows.patch:

--- NEW FILE imlib2-1.3.0-loader_overflows.patch ---
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c imlib2-1.2.1.new/src/modules/loaders/loader_argb.c
--- imlib2-1.2.1/src/modules/loaders/loader_argb.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c	2006-11-06 01:30:41.000000000 -0800
@@ -23,7 +23,7 @@
 load(ImlibImage * im, ImlibProgressFunction progress,
      char progress_granularity, char immediate_load)
 {
-   int                 w, h, alpha;
+   int                 w=0, h=0, alpha=0;
    FILE               *f;
 
    if (im->data)
@@ -36,13 +36,15 @@
    {
       char                buf[256], buf2[256];
 
+      memset(buf, 0, sizeof(buf));
+      memset(buf2, 0, sizeof(buf));
       if (!fgets(buf, 255, f))
         {
            fclose(f);
            return 0;
         }
       sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
-      if (strcmp(buf2, "ARGB"))
+      if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383)
         {
            fclose(f);
            return 0;
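Review bot: The second added clear, `memset(buf2, 0, sizeof(buf));`, sizes the wipe of `buf2` by the other array. Both are declared `char ...[256]` on the line above, so it is harmless today, but it becomes an overflow if either size is changed independently; it should read `memset(buf2, 0, sizeof(buf2));`. The `%s` in the `sscanf` below also has no field width and is safe only because `fgets` caps `buf` at 254 characters plus the terminator; `"%255s %i %i %i"` would make that bound explicit. The body of `load` starts before and continues past this hunk.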
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c
--- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c	2006-11-06 01:33:01.000000000 -0800
@@ -104,8 +104,9 @@
         im->w = w = cinfo.output_width;
         im->h = h = cinfo.output_height;
 
-        if (cinfo.rec_outbuf_height > 16)
+        if (cinfo.rec_outbuf_height > 16 || w < 1 || h < 1 || w > 16383 || h > 16383)
           {
+	     im->w = im->h = 0;
              jpeg_destroy_decompress(&cinfo);
              fclose(f);
              return 0;
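Review bot: The dimension limit in this condition is a bare literal, `16383`, and the same literal is repeated in loader_argb.c, loader_lbm.c and loader_png.c, while loader_tiff.c spells it `>= 16384`. Nothing at any of these sites says why this value was chosen; presumably it keeps `w * h * sizeof(DATA32)` inside a signed 32-bit int, since 16383 * 16383 * 4 is just over 1 GiB. I would put the bound behind one named constant or macro in a header the loaders already share (not visible here), with a comment such as `/* largest side for which w * h * 4 cannot overflow int */`, so a later loader cannot pick a different limit by accident. The added `im->w = im->h = 0;` line is also indented with a tab where the surrounding lines use spaces.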
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c
--- imlib2-1.2.1/src/modules/loaders/loader_lbm.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c	2006-11-06 01:30:41.000000000 -0800
@@ -421,7 +421,7 @@
 
         im->w = L2RWORD(ilbm.bmhd.data);
         im->h = L2RWORD(ilbm.bmhd.data + 2);
-        if (im->w <= 0 || im->h <= 0) ok = 0;
+        if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0;
 
         ilbm.depth = ilbm.bmhd.data[8];
         if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@
         }
     }
     if (!full || !ok) {
+        im->w = im->h = 0;
         freeilbm(&ilbm);
         return ok;
     }
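Review bot: The added `im->w = im->h = 0;` runs for `!full` as well as for `!ok`, so when the header parsed cleanly but `full` is false the function returns a non-zero `ok` with the dimensions it just read wiped out. If a false `full` means a header-only load, which the name suggests but this hunk does not show, callers that only asked for the image size now get 0x0 on success. Scoping the reset to the failure case, `if (!ok) im->w = im->h = 0;`, keeps the hardening without that side effect. The enclosing function starts and ends outside the hunk.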
@@ -467,12 +468,13 @@
     cancel = 0;
     plane[0] = NULL;
 
+    n = ilbm.depth;
+    if (ilbm.mask == 1) n++;
+
     im->data = malloc(im->w * im->h * sizeof(DATA32));
-    if (im->data) {
-        n = ilbm.depth;
-        if (ilbm.mask == 1) n++;
+    plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+    if (im->data && plane[0]) {
 
-        plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
         for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 
         z = ((im->w + 15) / 16) * 2 * n;
@@ -511,6 +513,7 @@
    * the memory for im->data.
    *----------*/
     if (!ok) {
+        im->w = im->h = 0;
         if (im->data) free(im->data);
         im->data = NULL;
     }
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c imlib2-1.2.1.new/src/modules/loaders/loader_png.c
--- imlib2-1.2.1/src/modules/loaders/loader_png.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c	2006-11-06 01:30:41.000000000 -0800
@@ -83,6 +83,13 @@
         png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
                      (png_uint_32 *) (&h32), &bit_depth, &color_type,
                      &interlace_type, NULL, NULL);
+        if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383)
+           {
+              png_read_end(png_ptr, info_ptr);
+              png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+              fclose(f);
+              return 0;
+           }
         im->w = (int)w32;
         im->h = (int)h32;
         if (color_type == PNG_COLOR_TYPE_PALETTE)
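Review bot: The new reject path calls `png_read_end(png_ptr, info_ptr)` on a file that has just been refused for its dimensions. As far as I know `png_read_end` goes on reading chunks up to IEND and reports problems through libpng's error callback, so the loader keeps parsing untrusted input it has already decided not to load, and its result then depends on the error handler, which is outside this hunk. Dropping that call and keeping only `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);` and `fclose(f);` would make the early exit self-contained. The cast `(png_uint_32 *) (&w32)` suggests `w32` is not declared as `png_uint_32`; if it is signed, a short comment that `w32 < 1` also catches values that wrapped negative would help.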
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c
--- imlib2-1.2.1/src/modules/loaders/loader_pnm.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c	2006-11-06 01:30:41.000000000 -0800
@@ -80,7 +80,7 @@
              int                 i = 0;
 
              /* read numbers */
-             while (c != EOF && !isspace(c))
+             while (c != EOF && i+1 < sizeof(buf) && !isspace(c))
                {
                   buf[i++] = c;
                   c = fgetc(f);
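Review bot: With the new `i+1 < sizeof(buf)` bound an over-long numeric token is silently cut rather than rejected. The loop stops with `c` still holding a digit, so the code after the hunk presumably parses the truncated prefix as one header value and the remaining digits as the next. Treating a full buffer as a malformed header (fail the load when the loop exits with `c` neither EOF nor whitespace) would be safer than continuing with shifted fields. Unlike the other loaders in this patch, no width/height range check is added in this file; it would be worth confirming that one exists outside the hunk. The comparison also mixes `int i` with `size_t`; `(size_t)i + 1 < sizeof(buf)` avoids the sign-compare warning.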
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c imlib2-1.2.1.new/src/modules/loaders/loader_tga.c
--- imlib2-1.2.1/src/modules/loaders/loader_tga.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c	2006-11-06 01:30:41.000000000 -0800
@@ -319,6 +319,7 @@
      {
         unsigned long       datasize;
         unsigned char      *bufptr;
+        unsigned char      *bufend;
         DATA32             *dataptr;
 
         int                 y, pl = 0;
@@ -348,6 +349,9 @@
         /* bufptr is the next byte to be read from the buffer */
         bufptr = filedata;
 
+        /* bufend is one past the last byte to be read from the buffer */
+        bufend = filedata + datasize;
+
         /* dataptr is the next 32-bit pixel to be filled in */
         dataptr = im->data;
 
@@ -365,7 +369,9 @@
                   else
                      dataptr = im->data + (y * im->w);
 
-                  for (x = 0; x < im->w; x++)   /* for each pixel in the row */
+                  for (x = 0;
+                       x < im->w && bufptr+bpp/8 < bufend;
+                       x++)   /* for each pixel in the row */
                     {
                        switch (bpp)
                          {
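Review bot: The bound `bufptr+bpp/8 < bufend` is off by one, because `bufend` is documented above as one past the last byte, so a pixel occupying the final `bpp/8` bytes satisfies `bufptr + bpp/8 == bufend` and is skipped. The check errs on the safe side, but a well-formed image whose pixel data ends exactly at `bufend` loses its last pixel; the condition should be `x < im->w && bufptr + bpp/8 <= bufend`. The RLE loop in the next hunk has the same issue and should use `bufptr + 1 + bpp/8 <= bufend`. When the input runs out early, the rows that were never filled keep whatever `im->data` held; the allocation is outside the hunk, so confirm whether it is zeroed or whether the load should fail instead.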
@@ -422,8 +428,8 @@
              unsigned char       curbyte, red, green, blue, alpha;
              DATA32             *final_pixel = dataptr + im->w * im->h;
 
-             /* loop until we've got all the pixels */
-             while (dataptr < final_pixel)
+             /* loop until we've got all the pixels or run out of input */
+             while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend)
                {
                   int                 count;
 
@@ -441,7 +447,7 @@
                               green = *bufptr++;
                               red = *bufptr++;
                               alpha = *bufptr++;
-                              for (i = 0; i < count; i++)
+                              for (i = 0; i < count && dataptr < final_pixel; i++)
                                 {
                                    WRITE_RGBA(dataptr, red, green, blue, alpha);
                                    dataptr++;
@@ -452,7 +458,7 @@
                               blue = *bufptr++;
                               green = *bufptr++;
                               red = *bufptr++;
-                              for (i = 0; i < count; i++)
+                              for (i = 0; i < count && dataptr < final_pixel; i++)
                                 {
                                    WRITE_RGBA(dataptr, red, green, blue,
                                               (char)0xff);
@@ -462,7 +468,7 @@
 
                            case 8:
                               alpha = *bufptr++;
-                              for (i = 0; i < count; i++)
+                              for (i = 0; i < count && dataptr < final_pixel; i++)
                                 {
                                    WRITE_RGBA(dataptr, alpha, alpha, alpha,
                                               (char)0xff);
@@ -477,7 +483,7 @@
                     {
                        int                 i;
 
-                       for (i = 0; i < count; i++)
+                       for (i = 0; i < count && dataptr < final_pixel; i++)
                          {
                             switch (bpp)
                               {
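Review bot: This raw-packet loop is bounded only on the output side (`dataptr < final_pixel`), with nothing limiting the reads through `bufptr`. The enclosing `while` guarantees room for the packet header and a single pixel, but a raw packet carries `count` pixels and the `switch (bpp)` body, which continues past the hunk, presumably consumes `bpp/8` bytes per iteration. A truncated file can therefore still drive reads past `bufend` here. Adding the input bound to the loop closes that: `for (i = 0; i < count && dataptr < final_pixel && bufptr + bpp/8 <= bufend; i++)`.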
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c
--- imlib2-1.2.1/src/modules/loaders/loader_tiff.c	2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c	2006-11-06 01:30:41.000000000 -0800
@@ -75,7 +75,7 @@
 raster(TIFFRGBAImage_Extra * img, uint32 * rast,
        uint32 x, uint32 y, uint32 w, uint32 h)
 {
-   uint32              image_width, image_height;
+   int                image_width, image_height;
    uint32             *pixel, pixel_value;
    int                 i, j, dy, rast_offset;
    DATA32             *buffer_pixel, *buffer = img->image->data;
@@ -192,8 +192,16 @@
      }
    
    rgba_image.image = im;
-   im->w = width = rgba_image.rgba.width;
-   im->h = height = rgba_image.rgba.height;
+   width = rgba_image.rgba.width;
+   height = rgba_image.rgba.height;
+   if (width < 1 || height < 1 || width >= 16384 || height >= 16384)
+     {
+        TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
+        TIFFClose(tif);
+        return 0;
+     }
+   im->w = width;
+   im->h = height;
    rgba_image.num_pixels = num_pixels = width * height;
    if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
       SET_FLAG(im->flags, F_HAS_ALPHA);

imlib2-1.3.0-multilib.patch:

--- NEW FILE imlib2-1.3.0-multilib.patch ---
--- imlib2-1.3.0/configure.in~	2006-10-27 00:18:39.000000000 +0200
+++ imlib2-1.3.0/configure.in	2006-10-27 00:18:39.000000000 +0200
@@ -190,7 +190,7 @@
   AC_PATH_XTRA
   x_dir=${x_dir:-/usr/X11R6}
   x_cflags=${x_cflags:--I${x_includes:-$x_dir/include}}
-  x_libs="${x_libs:--L${x_libraries:-$x_dir/lib}} -lX11 -lXext"
+  x_libs="-lX11 -lXext"
   AM_CONDITIONAL(BUILD_X11, true)
   AC_DEFINE(BUILD_X11, 1, [enabling X11 support])
 else
--- imlib2-1.3.0/configure~	2006-10-27 00:18:25.000000000 +0200
+++ imlib2-1.3.0/configure	2006-10-27 00:18:25.000000000 +0200
@@ -23117,7 +23117,7 @@
 
   x_dir=${x_dir:-/usr/X11R6}
   x_cflags=${x_cflags:--I${x_includes:-$x_dir/include}}
-  x_libs="${x_libs:--L${x_libraries:-$x_dir/lib}} -lX11 -lXext"
+  x_libs="-lX11 -lXext"
 
 
 if true; then
--- imlib2-1.3.0/imlib2-config.in~	2006-10-27 00:17:29.000000000 +0200
+++ imlib2-1.3.0/imlib2-config.in	2006-10-27 00:17:29.000000000 +0200
@@ -45,8 +45,7 @@
       echo $includes
       ;;
     --libs)
-      libdirs=-L at libdir@
-      echo $libdirs -lImlib2 @my_libs@
+      echo -lImlib2 @my_libs@
       ;;
     *)
       echo "${usage}" 1>&2


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-5/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- .cvsignore	20 Sep 2005 19:09:39 -0000	1.4
+++ .cvsignore	9 Nov 2006 09:54:26 -0000	1.5
@@ -1 +1 @@
-imlib2-1.2.1.tar.gz
+imlib2-1.3.0.tar.gz


Index: imlib2.spec
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-5/imlib2.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- imlib2.spec	23 Jul 2006 08:19:55 -0000	1.19
+++ imlib2.spec	9 Nov 2006 09:54:26 -0000	1.20
@@ -1,22 +1,24 @@
-Summary:	Image loading, saving, rendering, and manipulation library
-Name:		imlib2
-Version:	1.2.1
-Release:	6%{?dist}
-License:	BSD
-Group:		System Environment/Libraries
-URL:		http://www.enlightenment.org/Libraries/Imlib2/
-Source0:	http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz
-Patch0:		imlib2-1.2.1-X11-path.patch
-BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-buildroot
-BuildRequires:	libjpeg-devel libpng-devel libtiff-devel
-BuildRequires:	libungif-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel
-BuildRequires:	libX11-devel libXext-devel
+Summary:        Image loading, saving, rendering, and manipulation library
+Name:           imlib2
+Version:        1.3.0
+Release:        3%{?dist}
+License:        BSD
+Group:          System Environment/Libraries
+URL:            http://www.enlightenment.org/Libraries/Imlib2/
+Source0:        http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz
+Patch0:         imlib2-1.2.1-X11-path.patch
+Patch1:         imlib2-1.3.0-multilib.patch
+Patch2:         imlib2-1.3.0-loader_overflows.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot
+BuildRequires:  libjpeg-devel libpng-devel libtiff-devel
+BuildRequires:  giflib-devel freetype-devel >= 2.1.9-4 libtool bzip2-devel
+BuildRequires:  libX11-devel libXext-devel libid3tag-devel pkgconfig
 
 %package devel
-Summary:	Development package for %{name}
-Group:		Development/Libraries
-Requires:	%{name} = %{version}-%{release}
-Requires:	libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig
+Summary:        Development package for %{name}
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
+Requires:       libX11-devel libXext-devel freetype-devel >= 2.1.9-4 pkgconfig
 
 
 %description
@@ -43,6 +45,13 @@
 %prep
 %setup -q
 %patch0 -p1 -b .x11-path
+%patch1 -p1 -b .multilib
+%patch2 -p1 -b .overflow
+# sigh stop autoxxx from rerunning because of our patches above.
+touch aclocal.m4
+touch configure
+touch config.h.in
+touch `find -name Makefile.in`
 
 
 %build
@@ -83,12 +92,7 @@
 %files
 %defattr(-,root,root,-)
 %doc COPYING AUTHORS README ChangeLog TODO
-%{_bindir}/imlib2_view
-%{_bindir}/imlib2_bumpmap
-%{_bindir}/imlib2_colorspace
-%{_bindir}/imlib2_conv
-%{_bindir}/imlib2_poly
-%{_bindir}/imlib2_show
+%{_bindir}/imlib2_*
 %{_libdir}/libImlib2.so.*
 %dir %{_datadir}/imlib2/
 %{_datadir}/imlib2/data/
@@ -112,6 +116,24 @@
 
 
 %changelog
+* Thu Nov  9 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.3.0-3
+- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to
+  Ubuntu for the patch (bug 214676)
+
+* Thu Oct 26 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.3.0-2
+- Multilib devel goodness (make -devel i386 and x86_64 parallel installable)
+- Fix bug 212469
+- Add libid3tag-devel to the BR's so id3tag support gets build in
+
+* Tue Oct 24 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.3.0-1
+- New upstream release 1.3.0
+
+* Mon Aug 28 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.2.2-2
+- FE6 Rebuild
+
+* Sun Jul 23 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.2.2-1
+- New upstream release 1.2.2
+
 * Sun Jul 23 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.2.1-6
 - Taking over as maintainer since Anvil has other priorities
 - Long long due rebuild with new gcc for FC-5 (bug 185871)


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-5/sources,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- sources	20 Sep 2005 19:09:39 -0000	1.5
+++ sources	9 Nov 2006 09:54:26 -0000	1.6
@@ -1 +1 @@
-e32970d03d8aee2885782312d0a7f15f  imlib2-1.2.1.tar.gz
+00b724fc6d2dcfa3045bb6a554bb2c8a  imlib2-1.3.0.tar.gz



