author | kwm <kwm@FreeBSD.org> | 2015-07-22 20:03:22 +0800 |
---|---|---|
committer | kwm <kwm@FreeBSD.org> | 2015-07-22 20:03:22 +0800 |
commit | d5c7afdc4621de20ece8dd478f5759de92dc2677 (patch) | |
tree | 197e87b1308d6383f3144f4a45410364a1d7b648 /graphics/gdk-pixbuf2 | |
parent | decb87f08af2ed800c8f706f47474fadd2ba314b (diff) | |
Fix heap overflow vulnerability.
Be more careful about integer overflow.
While here: fix possible divide-by-zero.
Notified by: feld@
MFH: 2015Q3
Diffstat (limited to 'graphics/gdk-pixbuf2')
-rw-r--r-- | graphics/gdk-pixbuf2/Makefile | 3 | ||||
-rw-r--r-- | graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c | 25 | ||||
-rw-r--r-- | graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c | 82 |
3 files changed, 108 insertions, 2 deletions
diff --git a/graphics/gdk-pixbuf2/Makefile b/graphics/gdk-pixbuf2/Makefile
index 05e4f6d0dc00..d7a560aa88c7 100644
--- a/graphics/gdk-pixbuf2/Makefile
+++ b/graphics/gdk-pixbuf2/Makefile
@@ -1,10 +1,9 @@
 # Created by: Ade Lovett <ade@lovett.com>
 # $FreeBSD$
-# $MCom: ports/trunk/graphics/gdk-pixbuf2/Makefile 20031 2014-11-02 21:47:55Z kwm $
 PORTNAME= gdk-pixbuf
 PORTVERSION= 2.31.2
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= graphics
 MASTER_SITES= GNOME
 PKGNAMESUFFIX= 2
diff --git a/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c b/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c
new file mode 100644
index 000000000000..b62f8fc62666
--- /dev/null
+++ b/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c
@@ -0,0 +1,25 @@
+From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001
+From: Sarita Rawat <sarita.rawat@samsung.com>
+Date: Fri, 5 Jun 2015 06:56:00 +0000
+Subject: Avoid a possible divide-by-zero
+
+Pointed out in
+
+https://bugzilla.gnome.org/show_bug.cgi?id=750440
+
+diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c
+index 65845ed..668b703 100644
+--- gdk-pixbuf/gdk-pixbuf-loader.c
++++ gdk-pixbuf/gdk-pixbuf-loader.c
+@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf *pixbuf,
+ else
+ anim = gdk_pixbuf_non_anim_new (pixbuf);
+
+- if (priv->needs_scale) {
++ if (priv->needs_scale && width != 0 && height != 0) {
+ priv->animation = GDK_PIXBUF_ANIMATION (_gdk_pixbuf_scaled_anim_new (anim,
+ (double) priv->width / width,
+ (double) priv->height / height,
+--
+cgit v0.10.2
+
diff --git a/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c b/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
new file mode 100644
index 000000000000..009c15b42ca0
--- /dev/null
+++ b/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
@@ -0,0 +1,82 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..ce51745 100644
+--- gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+ int i_offset, j_offset;
+ int n_x = filter->x.n;
+ int n_y = filter->y.n;
+- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
++ gsize n_weights;
++ int *weights;
++
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
++ return NULL; /* overflow, bail */
++
++ weights = g_try_new (int, n_weights);
++ if (!weights)
++ return NULL; /* overflow, bail */
+
+ for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+ for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
+ if (x_step == 0 || y_step == 0)
+ return; /* overflow, bail out */
+
+- line_bufs = g_new (guchar *, filter->y.n);
+ filter_weights = make_filter_table (filter);
++ if (!filter_weights)
++ return; /* overflow, bail out */
++
++ line_bufs = g_new (guchar *, filter->y.n);
+
+ check_shift = check_size ? get_check_shift (check_size) : 0;
+
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1 / scale + 1);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ int offset;
+ int i;
+
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+ }
+
+ dim->n = n;
+- dim->weights = g_new (double, SUBSAMPLE * n);
++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+
+ pixel_weights = dim->weights;
+
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1/scale + 3.0);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ double w;
+ int offset, i;
+
+--
+cgit v0.10.2
+ |
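Review bot: In the make_filter_table part of the pixops patch, `n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;` is still evaluated in `int`, because n_x and n_y are declared `int` just above and SUBSAMPLE presumably expands to an int constant (its definition is not visible here), so the product can overflow before it is widened to `gsize`. The division check that follows then tests an already-wrapped value, divides by zero if n_x is ever 0, and depends on signed-overflow behaviour that an optimizing compiler is allowed to assume away. Validating before multiplying avoids all three: `if (n_x <= 0 || n_y <= 0 || (gsize) n_x > G_MAXSIZE / (SUBSAMPLE * SUBSAMPLE) / (gsize) n_y) return NULL;` followed by `n_weights = (gsize) SUBSAMPLE * SUBSAMPLE * n_x * n_y;`. Separately, the three `g_malloc_n (sizeof (double) * SUBSAMPLE, n)` replacements take `n` from a `ceil()` result stored in `int` (visible for tile_make_weights and bilinear_box_make_weights), and g_malloc_n terminates the process on overflow or allocation failure, so those paths swap memory corruption for an abort rather than the graceful failure the patch description aims for. make_filter_table, pixops_process and the weight-building functions all continue outside the quoted hunks.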